
Windows Analysis Report
AVKlyo045S.exe

Overview

General Information

Sample name: AVKlyo045S.exe (renamed because the original name is a hash value)
Original sample name: d484104256e41a509ff52bb9a5bbd7bd63aaf18e0b32b68fe3c4bfa6b81aa267.exe
Analysis ID: 1466950
MD5: 0dba4bed5bf4e4c327b712f723e714c5
SHA1: b8609db0404983d9a7f2bc4639d93a539bb883a6
SHA256: d484104256e41a509ff52bb9a5bbd7bd63aaf18e0b32b68fe3c4bfa6b81aa267
Tags: exe

Detection

XenoRAT
Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Found malware configuration
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Sigma detected: Scheduled temp file as task from temp location
Yara detected XenoRAT
.NET source code contains potential unpacker
AI detected suspicious sample
C2 URLs / IPs found in malware configuration
Injects a PE file into a foreign processes
Machine Learning detection for dropped file
Machine Learning detection for sample
Uses schtasks.exe or at.exe to add and modify task schedules
Allocates memory with a write watch (potentially for evading sandboxes)
Checks if the current process is being debugged
Contains functionality to call native functions
Contains long sleeps (>= 3 min)
Creates a process in suspended mode (likely to inject code)
Detected TCP or UDP traffic on non-standard ports
Detected potential crypto function
Drops PE files
Enables debug privileges
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
Found inlined nop instructions (likely shell or obfuscated code)
IP address seen in connection with other malware
Internet Provider seen in connection with other malware
May sleep (evasive loops) to hinder dynamic analysis
One or more processes crash
Queries the volume information (name, serial number etc) of a device
Sample file is different than original file name gathered from version info
Sigma detected: Suspicious Add Scheduled Task Parent
Sigma detected: Suspicious Schtasks From Env Var Folder
Uses 32bit PE files
Uses code obfuscation techniques (call, push, ret)

Classification

  • System is w10x64
  • AVKlyo045S.exe (PID: 6984 cmdline: "C:\Users\user\Desktop\AVKlyo045S.exe" MD5: 0DBA4BED5BF4E4C327B712F723E714C5)
    • AVKlyo045S.exe (PID: 6108 cmdline: C:\Users\user\Desktop\AVKlyo045S.exe MD5: 0DBA4BED5BF4E4C327B712F723E714C5)
      • WerFault.exe (PID: 3800 cmdline: C:\Windows\SysWOW64\WerFault.exe -u -p 6108 -s 80 MD5: C31336C1EFC2CCB44B4326EA793040F2)
    • AVKlyo045S.exe (PID: 2848 cmdline: C:\Users\user\Desktop\AVKlyo045S.exe MD5: 0DBA4BED5BF4E4C327B712F723E714C5)
      • WerFault.exe (PID: 1848 cmdline: C:\Windows\SysWOW64\WerFault.exe -u -p 2848 -s 80 MD5: C31336C1EFC2CCB44B4326EA793040F2)
    • AVKlyo045S.exe (PID: 4464 cmdline: C:\Users\user\Desktop\AVKlyo045S.exe MD5: 0DBA4BED5BF4E4C327B712F723E714C5)
      • AVKlyo045S.exe (PID: 6476 cmdline: "C:\Users\user\AppData\Roaming\XenoManager\AVKlyo045S.exe" MD5: 0DBA4BED5BF4E4C327B712F723E714C5)
        • AVKlyo045S.exe (PID: 3160 cmdline: C:\Users\user\AppData\Roaming\XenoManager\AVKlyo045S.exe MD5: 0DBA4BED5BF4E4C327B712F723E714C5)
          • schtasks.exe (PID: 6400 cmdline: "schtasks.exe" /Create /TN "cms" /XML "C:\Users\user\AppData\Local\Temp\tmpCEF4.tmp" /F MD5: 48C2FE20575769DE916F48EF0676A965)
            • conhost.exe (PID: 3828 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
        • AVKlyo045S.exe (PID: 5576 cmdline: C:\Users\user\AppData\Roaming\XenoManager\AVKlyo045S.exe MD5: 0DBA4BED5BF4E4C327B712F723E714C5)
        • AVKlyo045S.exe (PID: 6012 cmdline: C:\Users\user\AppData\Roaming\XenoManager\AVKlyo045S.exe MD5: 0DBA4BED5BF4E4C327B712F723E714C5)
          • WerFault.exe (PID: 3212 cmdline: C:\Windows\SysWOW64\WerFault.exe -u -p 6012 -s 80 MD5: C31336C1EFC2CCB44B4326EA793040F2)
  • AVKlyo045S.exe (PID: 3848 cmdline: C:\Users\user\AppData\Roaming\XenoManager\AVKlyo045S.exe MD5: 0DBA4BED5BF4E4C327B712F723E714C5)
    • AVKlyo045S.exe (PID: 2340 cmdline: C:\Users\user\AppData\Roaming\XenoManager\AVKlyo045S.exe MD5: 0DBA4BED5BF4E4C327B712F723E714C5)
    • AVKlyo045S.exe (PID: 2352 cmdline: C:\Users\user\AppData\Roaming\XenoManager\AVKlyo045S.exe MD5: 0DBA4BED5BF4E4C327B712F723E714C5)
    • AVKlyo045S.exe (PID: 1060 cmdline: C:\Users\user\AppData\Roaming\XenoManager\AVKlyo045S.exe MD5: 0DBA4BED5BF4E4C327B712F723E714C5)
  • cleanup
{"C2 url": "91.92.248.167", "Mutex Name": "Wolid_rat_nd8859g", "Install Folder": "appdata"}
Yara matches (memory dumps)

Source | Rule | Description | Author
00000001.00000002.1458741464.00000000026DA000.00000004.00000800.00020000.00000000.sdmp | JoeSecurity_XenoRAT | Yara detected XenoRAT | Joe Security
00000005.00000002.1457010386.0000000000402000.00000040.00000400.00020000.00000000.sdmp | JoeSecurity_XenoRAT | Yara detected XenoRAT | Joe Security
00000001.00000002.1458741464.00000000026E7000.00000004.00000800.00020000.00000000.sdmp | JoeSecurity_XenoRAT | Yara detected XenoRAT | Joe Security
00000016.00000002.2098007355.0000000003151000.00000004.00000800.00020000.00000000.sdmp | JoeSecurity_XenoRAT | Yara detected XenoRAT | Joe Security
00000006.00000002.1475423833.0000000002D46000.00000004.00000800.00020000.00000000.sdmp | JoeSecurity_XenoRAT | Yara detected XenoRAT | Joe Security

Yara matches (unpacked PE files)

Source | Rule | Description | Author
5.2.AVKlyo045S.exe.400000.0.unpack | JoeSecurity_XenoRAT | Yara detected XenoRAT | Joe Security
6.2.AVKlyo045S.exe.2b2d670.0.unpack | JoeSecurity_XenoRAT | Yara detected XenoRAT | Joe Security
22.2.AVKlyo045S.exe.2f4e63c.0.unpack | JoeSecurity_XenoRAT | Yara detected XenoRAT | Joe Security
1.2.AVKlyo045S.exe.24cd62c.0.unpack | JoeSecurity_XenoRAT | Yara detected XenoRAT | Joe Security
6.2.AVKlyo045S.exe.2b2d670.0.raw.unpack | JoeSecurity_XenoRAT | Yara detected XenoRAT | Joe Security
Source: Process started, Author: Florian Roth (Nextron Systems), Data: Command: "schtasks.exe" /Create /TN "cms" /XML "C:\Users\user\AppData\Local\Temp\tmpCEF4.tmp" /F, CommandLine: "schtasks.exe" /Create /TN "cms" /XML "C:\Users\user\AppData\Local\Temp\tmpCEF4.tmp" /F, CommandLine|base64offset|contains: *j, Image: C:\Windows\SysWOW64\schtasks.exe, NewProcessName: C:\Windows\SysWOW64\schtasks.exe, OriginalFileName: C:\Windows\SysWOW64\schtasks.exe, ParentCommandLine: C:\Users\user\AppData\Roaming\XenoManager\AVKlyo045S.exe, ParentImage: C:\Users\user\AppData\Roaming\XenoManager\AVKlyo045S.exe, ParentProcessId: 3160, ParentProcessName: AVKlyo045S.exe, ProcessCommandLine: "schtasks.exe" /Create /TN "cms" /XML "C:\Users\user\AppData\Local\Temp\tmpCEF4.tmp" /F, ProcessId: 6400, ProcessName: schtasks.exe

Persistence and Installation Behavior

Source: Process started, Author: Joe Security, Data: Command: "schtasks.exe" /Create /TN "cms" /XML "C:\Users\user\AppData\Local\Temp\tmpCEF4.tmp" /F, CommandLine: "schtasks.exe" /Create /TN "cms" /XML "C:\Users\user\AppData\Local\Temp\tmpCEF4.tmp" /F, CommandLine|base64offset|contains: *j, Image: C:\Windows\SysWOW64\schtasks.exe, NewProcessName: C:\Windows\SysWOW64\schtasks.exe, OriginalFileName: C:\Windows\SysWOW64\schtasks.exe, ParentCommandLine: C:\Users\user\AppData\Roaming\XenoManager\AVKlyo045S.exe, ParentImage: C:\Users\user\AppData\Roaming\XenoManager\AVKlyo045S.exe, ParentProcessId: 3160, ParentProcessName: AVKlyo045S.exe, ProcessCommandLine: "schtasks.exe" /Create /TN "cms" /XML "C:\Users\user\AppData\Local\Temp\tmpCEF4.tmp" /F, ProcessId: 6400, ProcessName: schtasks.exe
No Snort rule has matched


AV Detection

Source: 1.2.AVKlyo045S.exe.24cd62c.0.raw.unpack, Malware Configuration Extractor: XenoRAT {"C2 url": "91.92.248.167", "Mutex Name": "Wolid_rat_nd8859g", "Install Folder": "appdata"}
Source: C:\Users\user\AppData\Roaming\XenoManager\AVKlyo045S.exe, ReversingLabs: Detection: 87%
Source: AVKlyo045S.exe, ReversingLabs: Detection: 87%
Source: Submitted Sample, Integrated Neural Analysis Model: Matched 100.0% probability
Source: C:\Users\user\AppData\Roaming\XenoManager\AVKlyo045S.exe, Joe Sandbox ML: detected
Source: AVKlyo045S.exe, Joe Sandbox ML: detected
Source: AVKlyo045S.exe, Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE
Source: AVKlyo045S.exe, Static PE information: HIGH_ENTROPY_VA, DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE
Source: C:\Users\user\Desktop\AVKlyo045S.exe, Code function: 4x nop then jmp 009B17B0h (5_2_009B0B60)
Source: C:\Users\user\AppData\Roaming\XenoManager\AVKlyo045S.exe, Code function: 4x nop then jmp 017917B0h (11_2_01790B60)
Source: C:\Users\user\AppData\Roaming\XenoManager\AVKlyo045S.exe, Code function: 4x nop then jmp 017917B0h (11_2_01790B54)
Source: C:\Users\user\AppData\Roaming\XenoManager\AVKlyo045S.exe, Code function: 4x nop then jmp 02D117B0h (12_2_02D10B60)
Source: C:\Users\user\AppData\Roaming\XenoManager\AVKlyo045S.exe, Code function: 4x nop then jmp 017317B0h (23_2_01730B60)
Source: C:\Users\user\AppData\Roaming\XenoManager\AVKlyo045S.exe, Code function: 4x nop then jmp 013317B0h (24_2_01330B60)
Source: C:\Users\user\AppData\Roaming\XenoManager\AVKlyo045S.exe, Code function: 4x nop then jmp 02F517B0h (25_2_02F50B60)

Networking

Source: Malware configuration extractor, URLs: 91.92.248.167
Source: global traffic, TCP traffic: 192.168.2.8:49714 -> 91.92.248.167:1280
Source: Joe Sandbox View, IP Address: 91.92.248.167
Source: Joe Sandbox View, ASN Name: THEZONEBG
Source: unknown, TCP traffic detected without corresponding DNS query: 91.92.248.167 (this entry is repeated 50 times in the report)
Source: C:\Users\user\Desktop\AVKlyo045S.exe, Code function: 1_2_0A3A8678 NtWriteVirtualMemory
Source: C:\Users\user\Desktop\AVKlyo045S.exe, Code function: 1_2_0A3A82A0 NtReadVirtualMemory
Source: C:\Users\user\Desktop\AVKlyo045S.exe, Code function: 1_2_0A3A8820 NtSetContextThread
Source: C:\Users\user\Desktop\AVKlyo045S.exe, Code function: 1_2_0A3A8458 NtResumeThread
Source: C:\Users\user\Desktop\AVKlyo045S.exe, Code function: 1_2_0A3A8671 NtWriteVirtualMemory
Source: C:\Users\user\Desktop\AVKlyo045S.exe, Code function: 1_2_0A3A8262 NtReadVirtualMemory
Source: C:\Users\user\Desktop\AVKlyo045S.exe, Code function: 1_2_0A3A8819 NtSetContextThread
Source: C:\Users\user\Desktop\AVKlyo045S.exe, Code function: 1_2_0A3A8450 NtResumeThread
Source: C:\Users\user\Desktop\AVKlyo045S.exe, Code function: 1_2_0A3A81D0 NtReadVirtualMemory
Source: C:\Users\user\AppData\Roaming\XenoManager\AVKlyo045S.exe, Code function: 6_2_0A8B82A0 NtReadVirtualMemory
Source: C:\Users\user\AppData\Roaming\XenoManager\AVKlyo045S.exe, Code function: 6_2_0A8B8678 NtWriteVirtualMemory
Source: C:\Users\user\AppData\Roaming\XenoManager\AVKlyo045S.exe, Code function: 6_2_0A8B8820 NtSetContextThread
Source: C:\Users\user\AppData\Roaming\XenoManager\AVKlyo045S.exe, Code function: 6_2_0A8B8458 NtResumeThread
Source: C:\Users\user\AppData\Roaming\XenoManager\AVKlyo045S.exe, Code function: 6_2_0A8B8671 NtWriteVirtualMemory
Source: C:\Users\user\AppData\Roaming\XenoManager\AVKlyo045S.exe, Code function: 6_2_0A8B8090 NtReadVirtualMemory
Source: C:\Users\user\AppData\Roaming\XenoManager\AVKlyo045S.exe, Code function: 6_2_0A8B8819 NtSetContextThread
Source: C:\Users\user\AppData\Roaming\XenoManager\AVKlyo045S.exe, Code function: 6_2_0A8B8450 NtResumeThread
Source: C:\Users\user\AppData\Roaming\XenoManager\AVKlyo045S.exe, Code function: 22_2_066A8678 NtWriteVirtualMemory
Source: C:\Users\user\AppData\Roaming\XenoManager\AVKlyo045S.exe, Code function: 22_2_066A82A0 NtReadVirtualMemory
Source: C:\Users\user\AppData\Roaming\XenoManager\AVKlyo045S.exe, Code function: 22_2_066A8458 NtResumeThread
Source: C:\Users\user\AppData\Roaming\XenoManager\AVKlyo045S.exe, Code function: 22_2_066A8820 NtSetContextThread
Source: C:\Users\user\AppData\Roaming\XenoManager\AVKlyo045S.exe, Code function: 22_2_066A8262 NtReadVirtualMemory
Source: C:\Users\user\AppData\Roaming\XenoManager\AVKlyo045S.exe, Code function: 22_2_066A8671 NtWriteVirtualMemory
Source: C:\Users\user\AppData\Roaming\XenoManager\AVKlyo045S.exe, Code function: 22_2_066A8450 NtResumeThread
Source: C:\Users\user\AppData\Roaming\XenoManager\AVKlyo045S.exe, Code function: 22_2_066A8819 NtSetContextThread
Source: C:\Users\user\AppData\Roaming\XenoManager\AVKlyo045S.exe, Code function: 22_2_066A8143 NtReadVirtualMemory
                      Source: C:\Users\user\AppData\Roaming\XenoManager\AVKlyo045S.exeCode function: 22_2_012D217122_2_012D2171
                      Source: C:\Users\user\AppData\Roaming\XenoManager\AVKlyo045S.exeCode function: 22_2_012DC55822_2_012DC558
                      Source: C:\Users\user\AppData\Roaming\XenoManager\AVKlyo045S.exeCode function: 22_2_012D215322_2_012D2153
                      Source: C:\Users\user\AppData\Roaming\XenoManager\AVKlyo045S.exeCode function: 22_2_012DD9C022_2_012DD9C0
                      Source: C:\Users\user\AppData\Roaming\XenoManager\AVKlyo045S.exeCode function: 22_2_012DDC2022_2_012DDC20
                      Source: C:\Users\user\AppData\Roaming\XenoManager\AVKlyo045S.exeCode function: 22_2_012D7C0022_2_012D7C00
                      Source: C:\Users\user\AppData\Roaming\XenoManager\AVKlyo045S.exeCode function: 22_2_012D081F22_2_012D081F
                      Source: C:\Users\user\AppData\Roaming\XenoManager\AVKlyo045S.exeCode function: 22_2_012D646822_2_012D6468
                      Source: C:\Users\user\AppData\Roaming\XenoManager\AVKlyo045S.exeCode function: 22_2_012D645822_2_012D6458
                      Source: C:\Users\user\AppData\Roaming\XenoManager\AVKlyo045S.exeCode function: 22_2_012D60B122_2_012D60B1
                      Source: C:\Users\user\AppData\Roaming\XenoManager\AVKlyo045S.exeCode function: 22_2_012D68E822_2_012D68E8
                      Source: C:\Users\user\AppData\Roaming\XenoManager\AVKlyo045S.exeCode function: 22_2_012D68D822_2_012D68D8
                      Source: C:\Users\user\AppData\Roaming\XenoManager\AVKlyo045S.exeCode function: 22_2_012DD7B822_2_012DD7B8
                      Source: C:\Users\user\AppData\Roaming\XenoManager\AVKlyo045S.exeCode function: 22_2_012D7BE222_2_012D7BE2
                      Source: C:\Users\user\AppData\Roaming\XenoManager\AVKlyo045S.exeCode function: 22_2_012D666022_2_012D6660
                      Source: C:\Users\user\AppData\Roaming\XenoManager\AVKlyo045S.exeCode function: 22_2_012D427C22_2_012D427C
                      Source: C:\Users\user\AppData\Roaming\XenoManager\AVKlyo045S.exeCode function: 22_2_012D667022_2_012D6670
                      Source: C:\Users\user\AppData\Roaming\XenoManager\AVKlyo045S.exeCode function: 22_2_012D52A822_2_012D52A8
                      Source: C:\Users\user\AppData\Roaming\XenoManager\AVKlyo045S.exeCode function: 22_2_012D52A022_2_012D52A0
                      Source: C:\Users\user\AppData\Roaming\XenoManager\AVKlyo045S.exeCode function: 22_2_012D82D822_2_012D82D8
                      Source: C:\Users\user\AppData\Roaming\XenoManager\AVKlyo045S.exeCode function: 22_2_066A720822_2_066A7208
                      Source: C:\Users\user\AppData\Roaming\XenoManager\AVKlyo045S.exeCode function: 22_2_066AA09822_2_066AA098
                      Source: C:\Users\user\AppData\Roaming\XenoManager\AVKlyo045S.exeCode function: 22_2_066A89D022_2_066A89D0
                      Source: C:\Users\user\AppData\Roaming\XenoManager\AVKlyo045S.exeCode function: 22_2_066A2E0022_2_066A2E00
                      Source: C:\Users\user\AppData\Roaming\XenoManager\AVKlyo045S.exeCode function: 22_2_066A5F6122_2_066A5F61
                      Source: C:\Users\user\AppData\Roaming\XenoManager\AVKlyo045S.exeCode function: 22_2_066A5F7022_2_066A5F70
                      Source: C:\Users\user\AppData\Roaming\XenoManager\AVKlyo045S.exeCode function: 22_2_066AA08822_2_066AA088
                      Source: C:\Users\user\AppData\Roaming\XenoManager\AVKlyo045S.exeCode function: 22_2_066A71FC22_2_066A71FC
                      Source: C:\Users\user\AppData\Roaming\XenoManager\AVKlyo045S.exeCode function: 22_2_066A2DF222_2_066A2DF2
                      Source: C:\Users\user\AppData\Roaming\XenoManager\AVKlyo045S.exeCode function: 22_2_066A89C222_2_066A89C2
                      Source: C:\Users\user\AppData\Roaming\XenoManager\AVKlyo045S.exeCode function: 23_2_01730B6023_2_01730B60
                      Source: C:\Users\user\AppData\Roaming\XenoManager\AVKlyo045S.exeCode function: 24_2_01330B6024_2_01330B60
                      Source: C:\Users\user\AppData\Roaming\XenoManager\AVKlyo045S.exeCode function: 25_2_02F50B6025_2_02F50B60
Source: C:\Users\user\Desktop\AVKlyo045S.exe | Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -u -p 2848 -s 80
Source: AVKlyo045S.exe, 00000001.00000002.1458741464.00000000026E7000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: OriginalFilenameXolid_manager.exe< vs AVKlyo045S.exe
Source: AVKlyo045S.exe, 00000001.00000002.1458741464.00000000026DA000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: OriginalFilenameXolid_manager.exe< vs AVKlyo045S.exe
Source: AVKlyo045S.exe, 00000001.00000002.1458741464.00000000024C1000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: OriginalFilenameXolid_manager.exe< vs AVKlyo045S.exe
Source: AVKlyo045S.exe, 00000001.00000002.1457663905.000000000089E000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: OriginalFilenameclr.dllT vs AVKlyo045S.exe
Source: AVKlyo045S.exe, 00000001.00000002.1463739900.0000000004AB0000.00000004.08000000.00040000.00000000.sdmp | Binary or memory string: OriginalFilenameserver1.exe> vs AVKlyo045S.exe
Source: AVKlyo045S.exe, 00000001.00000000.1439720840.0000000000172000.00000002.00000001.01000000.00000003.sdmp | Binary or memory string: OriginalFilenameserver1.exe> vs AVKlyo045S.exe
Source: AVKlyo045S.exe, 00000005.00000002.1457010386.000000000040E000.00000040.00000400.00020000.00000000.sdmp | Binary or memory string: OriginalFilenameXolid_manager.exe< vs AVKlyo045S.exe
Source: AVKlyo045S.exe, 00000005.00000002.1457337074.0000000000A85000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: OriginalFilenameserver1.exe> vs AVKlyo045S.exe
Source: AVKlyo045S.exe, 00000006.00000002.1475423833.0000000002B21000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: OriginalFilenameXolid_manager.exe< vs AVKlyo045S.exe
Source: AVKlyo045S.exe, 00000006.00000002.1475423833.0000000002D46000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: OriginalFilenameXolid_manager.exe< vs AVKlyo045S.exe
Source: AVKlyo045S.exe, 00000006.00000002.1475423833.0000000002D55000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: OriginalFilenameXolid_manager.exe< vs AVKlyo045S.exe
Source: AVKlyo045S.exe, 00000006.00000002.1474343405.0000000000D7E000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: OriginalFilenameclr.dllT vs AVKlyo045S.exe
Source: AVKlyo045S.exe, 00000016.00000002.2098007355.0000000002F41000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: OriginalFilenameXolid_manager.exe< vs AVKlyo045S.exe
Source: AVKlyo045S.exe, 00000016.00000002.2098007355.0000000003160000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: OriginalFilenameXolid_manager.exe< vs AVKlyo045S.exe
Source: AVKlyo045S.exe, 00000016.00000002.2098007355.0000000003151000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: OriginalFilenameXolid_manager.exe< vs AVKlyo045S.exe
Source: AVKlyo045S.exe, 00000018.00000002.2090581385.0000000000F77000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: OriginalFilenameclr.dllT vs AVKlyo045S.exe
Source: AVKlyo045S.exe | Binary or memory string: OriginalFilenameserver1.exe> vs AVKlyo045S.exe
Source: AVKlyo045S.exe.5.dr | Binary or memory string: OriginalFilenameserver1.exe> vs AVKlyo045S.exe
Source: AVKlyo045S.exe | Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE
Source: AVKlyo045S.exe | Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
Source: AVKlyo045S.exe.5.dr | Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
Source: 1.2.AVKlyo045S.exe.24cd62c.0.raw.unpack, Encryption.cs | Cryptographic APIs: 'CreateDecryptor'
Source: 6.2.AVKlyo045S.exe.2b2d670.0.raw.unpack, Encryption.cs | Cryptographic APIs: 'CreateDecryptor'
Source: 22.2.AVKlyo045S.exe.2f4e63c.0.raw.unpack, Encryption.cs | Cryptographic APIs: 'CreateDecryptor'
Source: classification engine | Classification label: mal100.troj.evad.winEXE@28/4@0/1
Source: C:\Users\user\Desktop\AVKlyo045S.exe | File created: C:\Users\user\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\AVKlyo045S.exe.log
Source: C:\Users\user\AppData\Roaming\XenoManager\AVKlyo045S.exe | Mutant created: NULL
Source: C:\Windows\SysWOW64\WerFault.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\WERReportingForProcess6012
Source: C:\Windows\System32\conhost.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:3828:120:WilError_03
Source: C:\Windows\SysWOW64\WerFault.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\WERReportingForProcess2848
Source: C:\Users\user\AppData\Roaming\XenoManager\AVKlyo045S.exe | Mutant created: \Sessions\1\BaseNamedObjects\Wolid_rat_nd8859g-admin
Source: C:\Windows\SysWOW64\WerFault.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\WERReportingForProcess6108
Source: C:\Windows\SysWOW64\WerFault.exe | File created: C:\ProgramData\Microsoft\Windows\WER\Temp\94868277-6a7e-4c5b-a56d-e92e1dc7c39f
Source: AVKlyo045S.exe | Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
Source: AVKlyo045S.exe | Static file information: TRID: Win32 Executable (generic) Net Framework (10011505/4) 49.83%
Source: C:\Users\user\Desktop\AVKlyo045S.exe | File read: C:\Users\user\Desktop\desktop.ini
Source: C:\Users\user\Desktop\AVKlyo045S.exe | Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
Source: AVKlyo045S.exe | ReversingLabs: Detection: 87%
Source: C:\Users\user\Desktop\AVKlyo045S.exe | File read: C:\Users\user\Desktop\AVKlyo045S.exe
Source: unknown | Process created: C:\Users\user\Desktop\AVKlyo045S.exe "C:\Users\user\Desktop\AVKlyo045S.exe"
Source: C:\Users\user\Desktop\AVKlyo045S.exe | Process created: C:\Users\user\Desktop\AVKlyo045S.exe C:\Users\user\Desktop\AVKlyo045S.exe
Source: C:\Users\user\Desktop\AVKlyo045S.exe | Process created: C:\Users\user\Desktop\AVKlyo045S.exe C:\Users\user\Desktop\AVKlyo045S.exe
Source: C:\Users\user\Desktop\AVKlyo045S.exe | Process created: C:\Users\user\Desktop\AVKlyo045S.exe C:\Users\user\Desktop\AVKlyo045S.exe
Source: C:\Users\user\Desktop\AVKlyo045S.exe | Process created: C:\Users\user\AppData\Roaming\XenoManager\AVKlyo045S.exe "C:\Users\user\AppData\Roaming\XenoManager\AVKlyo045S.exe"
Source: C:\Users\user\Desktop\AVKlyo045S.exe | Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -u -p 2848 -s 80
Source: C:\Users\user\Desktop\AVKlyo045S.exe | Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -u -p 6108 -s 80
Source: C:\Users\user\AppData\Roaming\XenoManager\AVKlyo045S.exe | Process created: C:\Users\user\AppData\Roaming\XenoManager\AVKlyo045S.exe C:\Users\user\AppData\Roaming\XenoManager\AVKlyo045S.exe
Source: C:\Users\user\AppData\Roaming\XenoManager\AVKlyo045S.exe | Process created: C:\Users\user\AppData\Roaming\XenoManager\AVKlyo045S.exe C:\Users\user\AppData\Roaming\XenoManager\AVKlyo045S.exe
Source: C:\Users\user\AppData\Roaming\XenoManager\AVKlyo045S.exe | Process created: C:\Users\user\AppData\Roaming\XenoManager\AVKlyo045S.exe C:\Users\user\AppData\Roaming\XenoManager\AVKlyo045S.exe
Source: C:\Users\user\AppData\Roaming\XenoManager\AVKlyo045S.exe | Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -u -p 6012 -s 80
Source: C:\Users\user\AppData\Roaming\XenoManager\AVKlyo045S.exe | Process created: C:\Windows\SysWOW64\schtasks.exe "schtasks.exe" /Create /TN "cms" /XML "C:\Users\user\AppData\Local\Temp\tmpCEF4.tmp" /F
Source: C:\Windows\SysWOW64\schtasks.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: unknown | Process created: C:\Users\user\AppData\Roaming\XenoManager\AVKlyo045S.exe C:\Users\user\AppData\Roaming\XenoManager\AVKlyo045S.exe
Source: C:\Users\user\AppData\Roaming\XenoManager\AVKlyo045S.exe | Process created: C:\Users\user\AppData\Roaming\XenoManager\AVKlyo045S.exe C:\Users\user\AppData\Roaming\XenoManager\AVKlyo045S.exe
Source: C:\Users\user\AppData\Roaming\XenoManager\AVKlyo045S.exe | Process created: C:\Users\user\AppData\Roaming\XenoManager\AVKlyo045S.exe C:\Users\user\AppData\Roaming\XenoManager\AVKlyo045S.exe
Source: C:\Users\user\AppData\Roaming\XenoManager\AVKlyo045S.exe | Process created: C:\Users\user\AppData\Roaming\XenoManager\AVKlyo045S.exe C:\Users\user\AppData\Roaming\XenoManager\AVKlyo045S.exe
Source: C:\Users\user\Desktop\AVKlyo045S.exe | Section loaded: mscoree.dll
Source: C:\Users\user\Desktop\AVKlyo045S.exe | Section loaded: apphelp.dll
Source: C:\Users\user\Desktop\AVKlyo045S.exe | Section loaded: kernel.appcore.dll
Source: C:\Users\user\Desktop\AVKlyo045S.exe | Section loaded: version.dll
Source: C:\Users\user\Desktop\AVKlyo045S.exe | Section loaded: vcruntime140_clr0400.dll
Source: C:\Users\user\Desktop\AVKlyo045S.exe | Section loaded: ucrtbase_clr0400.dll
Source: C:\Users\user\Desktop\AVKlyo045S.exe | Section loaded: uxtheme.dll
Source: C:\Users\user\Desktop\AVKlyo045S.exe | Section loaded: wldp.dll
Source: C:\Users\user\Desktop\AVKlyo045S.exe | Section loaded: amsi.dll
Source: C:\Users\user\Desktop\AVKlyo045S.exe | Section loaded: userenv.dll
Source: C:\Users\user\Desktop\AVKlyo045S.exe | Section loaded: profapi.dll
Source: C:\Users\user\Desktop\AVKlyo045S.exe | Section loaded: msasn1.dll
Source: C:\Users\user\Desktop\AVKlyo045S.exe | Section loaded: gpapi.dll
Source: C:\Users\user\Desktop\AVKlyo045S.exe | Section loaded: cryptsp.dll
Source: C:\Users\user\Desktop\AVKlyo045S.exe | Section loaded: rsaenh.dll
Source: C:\Users\user\Desktop\AVKlyo045S.exe | Section loaded: cryptbase.dll
Source: C:\Users\user\Desktop\AVKlyo045S.exe | Section loaded: mscoree.dll
Source: C:\Users\user\Desktop\AVKlyo045S.exe | Section loaded: kernel.appcore.dll
Source: C:\Users\user\Desktop\AVKlyo045S.exe | Section loaded: version.dll
Source: C:\Users\user\Desktop\AVKlyo045S.exe | Section loaded: vcruntime140_clr0400.dll
Source: C:\Users\user\Desktop\AVKlyo045S.exe | Section loaded: ucrtbase_clr0400.dll
Source: C:\Users\user\Desktop\AVKlyo045S.exe | Section loaded: ntmarta.dll
Source: C:\Users\user\Desktop\AVKlyo045S.exe | Section loaded: uxtheme.dll
Source: C:\Users\user\Desktop\AVKlyo045S.exe | Section loaded: windows.storage.dll
Source: C:\Users\user\Desktop\AVKlyo045S.exe | Section loaded: wldp.dll
Source: C:\Users\user\Desktop\AVKlyo045S.exe | Section loaded: propsys.dll
Source: C:\Users\user\Desktop\AVKlyo045S.exe | Section loaded: profapi.dll
Source: C:\Users\user\Desktop\AVKlyo045S.exe | Section loaded: edputil.dll
Source: C:\Users\user\Desktop\AVKlyo045S.exe | Section loaded: urlmon.dll
Source: C:\Users\user\Desktop\AVKlyo045S.exe | Section loaded: iertutil.dll
Source: C:\Users\user\Desktop\AVKlyo045S.exe | Section loaded: srvcli.dll
Source: C:\Users\user\Desktop\AVKlyo045S.exe | Section loaded: netutils.dll
Source: C:\Users\user\Desktop\AVKlyo045S.exe | Section loaded: windows.staterepositoryps.dll
Source: C:\Users\user\Desktop\AVKlyo045S.exe | Section loaded: sspicli.dll
Source: C:\Users\user\Desktop\AVKlyo045S.exe | Section loaded: wintypes.dll
Source: C:\Users\user\Desktop\AVKlyo045S.exe | Section loaded: appresolver.dll
Source: C:\Users\user\Desktop\AVKlyo045S.exe | Section loaded: bcp47langs.dll
Source: C:\Users\user\Desktop\AVKlyo045S.exe | Section loaded: slc.dll
Source: C:\Users\user\Desktop\AVKlyo045S.exe | Section loaded: userenv.dll
Source: C:\Users\user\Desktop\AVKlyo045S.exe | Section loaded: sppc.dll
Source: C:\Users\user\Desktop\AVKlyo045S.exe | Section loaded: onecorecommonproxystub.dll
Source: C:\Users\user\Desktop\AVKlyo045S.exe | Section loaded: onecoreuapcommonproxystub.dll
Source: C:\Users\user\Desktop\AVKlyo045S.exe | Section loaded: apphelp.dll
Source: C:\Users\user\AppData\Roaming\XenoManager\AVKlyo045S.exe | Section loaded: mscoree.dll
Source: C:\Users\user\AppData\Roaming\XenoManager\AVKlyo045S.exe | Section loaded: apphelp.dll
Source: C:\Users\user\AppData\Roaming\XenoManager\AVKlyo045S.exe | Section loaded: kernel.appcore.dll
Source: C:\Users\user\AppData\Roaming\XenoManager\AVKlyo045S.exe | Section loaded: version.dll
Source: C:\Users\user\AppData\Roaming\XenoManager\AVKlyo045S.exe | Section loaded: vcruntime140_clr0400.dll
Source: C:\Users\user\AppData\Roaming\XenoManager\AVKlyo045S.exe | Section loaded: ucrtbase_clr0400.dll
Source: C:\Users\user\AppData\Roaming\XenoManager\AVKlyo045S.exe | Section loaded: ucrtbase_clr0400.dll
Source: C:\Users\user\AppData\Roaming\XenoManager\AVKlyo045S.exe | Section loaded: uxtheme.dll
Source: C:\Users\user\AppData\Roaming\XenoManager\AVKlyo045S.exe | Section loaded: wldp.dll
Source: C:\Users\user\AppData\Roaming\XenoManager\AVKlyo045S.exe | Section loaded: amsi.dll
Source: C:\Users\user\AppData\Roaming\XenoManager\AVKlyo045S.exe | Section loaded: userenv.dll
Source: C:\Users\user\AppData\Roaming\XenoManager\AVKlyo045S.exe | Section loaded: profapi.dll
Source: C:\Users\user\AppData\Roaming\XenoManager\AVKlyo045S.exe | Section loaded: msasn1.dll
Source: C:\Users\user\AppData\Roaming\XenoManager\AVKlyo045S.exe | Section loaded: gpapi.dll
Source: C:\Users\user\AppData\Roaming\XenoManager\AVKlyo045S.exe | Section loaded: cryptsp.dll
Source: C:\Users\user\AppData\Roaming\XenoManager\AVKlyo045S.exe | Section loaded: rsaenh.dll
Source: C:\Users\user\AppData\Roaming\XenoManager\AVKlyo045S.exe | Section loaded: cryptbase.dll
Source: C:\Users\user\AppData\Roaming\XenoManager\AVKlyo045S.exe | Section loaded: mscoree.dll
Source: C:\Users\user\AppData\Roaming\XenoManager\AVKlyo045S.exe | Section loaded: kernel.appcore.dll
Source: C:\Users\user\AppData\Roaming\XenoManager\AVKlyo045S.exe | Section loaded: version.dll
Source: C:\Users\user\AppData\Roaming\XenoManager\AVKlyo045S.exe | Section loaded: vcruntime140_clr0400.dll
Source: C:\Users\user\AppData\Roaming\XenoManager\AVKlyo045S.exe | Section loaded: ucrtbase_clr0400.dll
Source: C:\Users\user\AppData\Roaming\XenoManager\AVKlyo045S.exe | Section loaded: windows.storage.dll
Source: C:\Users\user\AppData\Roaming\XenoManager\AVKlyo045S.exe | Section loaded: wldp.dll
Source: C:\Users\user\AppData\Roaming\XenoManager\AVKlyo045S.exe | Section loaded: profapi.dll
Source: C:\Users\user\AppData\Roaming\XenoManager\AVKlyo045S.exe | Section loaded: cryptsp.dll
Source: C:\Users\user\AppData\Roaming\XenoManager\AVKlyo045S.exe | Section loaded: rsaenh.dll
Source: C:\Users\user\AppData\Roaming\XenoManager\AVKlyo045S.exe | Section loaded: cryptbase.dll
Source: C:\Users\user\AppData\Roaming\XenoManager\AVKlyo045S.exe | Section loaded: mswsock.dll
Source: C:\Users\user\AppData\Roaming\XenoManager\AVKlyo045S.exe | Section loaded: mscoree.dll
Source: C:\Users\user\AppData\Roaming\XenoManager\AVKlyo045S.exe | Section loaded: kernel.appcore.dll
Source: C:\Users\user\AppData\Roaming\XenoManager\AVKlyo045S.exe | Section loaded: version.dll
Source: C:\Users\user\AppData\Roaming\XenoManager\AVKlyo045S.exe | Section loaded: vcruntime140_clr0400.dll
Source: C:\Users\user\AppData\Roaming\XenoManager\AVKlyo045S.exe | Section loaded: ucrtbase_clr0400.dll
Source: C:\Users\user\AppData\Roaming\XenoManager\AVKlyo045S.exe | Section loaded: ucrtbase_clr0400.dll
Source: C:\Windows\SysWOW64\schtasks.exe | Section loaded: kernel.appcore.dll
Source: C:\Windows\SysWOW64\schtasks.exe | Section loaded: taskschd.dll
Source: C:\Windows\SysWOW64\schtasks.exe | Section loaded: sspicli.dll
Source: C:\Users\user\AppData\Roaming\XenoManager\AVKlyo045S.exe | Section loaded: mscoree.dll
Source: C:\Users\user\AppData\Roaming\XenoManager\AVKlyo045S.exe | Section loaded: kernel.appcore.dll
Source: C:\Users\user\AppData\Roaming\XenoManager\AVKlyo045S.exe | Section loaded: version.dll
Source: C:\Users\user\AppData\Roaming\XenoManager\AVKlyo045S.exe | Section loaded: vcruntime140_clr0400.dll
Source: C:\Users\user\AppData\Roaming\XenoManager\AVKlyo045S.exe | Section loaded: ucrtbase_clr0400.dll
Source: C:\Users\user\AppData\Roaming\XenoManager\AVKlyo045S.exe | Section loaded: ucrtbase_clr0400.dll
Source: C:\Users\user\AppData\Roaming\XenoManager\AVKlyo045S.exe | Section loaded: uxtheme.dll
Source: C:\Users\user\AppData\Roaming\XenoManager\AVKlyo045S.exe | Section loaded: wldp.dll
Source: C:\Users\user\AppData\Roaming\XenoManager\AVKlyo045S.exe | Section loaded: amsi.dll
Source: C:\Users\user\AppData\Roaming\XenoManager\AVKlyo045S.exe | Section loaded: userenv.dll
Source: C:\Users\user\AppData\Roaming\XenoManager\AVKlyo045S.exe | Section loaded: profapi.dll
Source: C:\Users\user\AppData\Roaming\XenoManager\AVKlyo045S.exe | Section loaded: msasn1.dll
Source: C:\Users\user\AppData\Roaming\XenoManager\AVKlyo045S.exe | Section loaded: gpapi.dll
Source: C:\Users\user\AppData\Roaming\XenoManager\AVKlyo045S.exe | Section loaded: cryptsp.dll
Source: C:\Users\user\AppData\Roaming\XenoManager\AVKlyo045S.exe | Section loaded: rsaenh.dll
Source: C:\Users\user\AppData\Roaming\XenoManager\AVKlyo045S.exe | Section loaded: cryptbase.dll
Source: C:\Users\user\AppData\Roaming\XenoManager\AVKlyo045S.exe | Section loaded: mscoree.dll
Source: C:\Users\user\AppData\Roaming\XenoManager\AVKlyo045S.exe | Section loaded: kernel.appcore.dll
Source: C:\Users\user\AppData\Roaming\XenoManager\AVKlyo045S.exe | Section loaded: version.dll
Source: C:\Users\user\AppData\Roaming\XenoManager\AVKlyo045S.exe | Section loaded: vcruntime140_clr0400.dll
Source: C:\Users\user\AppData\Roaming\XenoManager\AVKlyo045S.exe | Section loaded: ucrtbase_clr0400.dll
Source: C:\Users\user\AppData\Roaming\XenoManager\AVKlyo045S.exe | Section loaded: mscoree.dll
Source: C:\Users\user\AppData\Roaming\XenoManager\AVKlyo045S.exe | Section loaded: kernel.appcore.dll
Source: C:\Users\user\AppData\Roaming\XenoManager\AVKlyo045S.exe | Section loaded: version.dll
Source: C:\Users\user\AppData\Roaming\XenoManager\AVKlyo045S.exe | Section loaded: vcruntime140_clr0400.dll
Source: C:\Users\user\AppData\Roaming\XenoManager\AVKlyo045S.exe | Section loaded: ucrtbase_clr0400.dll
Source: C:\Users\user\AppData\Roaming\XenoManager\AVKlyo045S.exe | Section loaded: mscoree.dll
Source: C:\Users\user\AppData\Roaming\XenoManager\AVKlyo045S.exe | Section loaded: kernel.appcore.dll
Source: C:\Users\user\AppData\Roaming\XenoManager\AVKlyo045S.exe | Section loaded: version.dll
Source: C:\Users\user\AppData\Roaming\XenoManager\AVKlyo045S.exe | Section loaded: vcruntime140_clr0400.dll
Source: C:\Users\user\AppData\Roaming\XenoManager\AVKlyo045S.exe | Section loaded: ucrtbase_clr0400.dll
Source: C:\Users\user\AppData\Roaming\XenoManager\AVKlyo045S.exe | Section loaded: ucrtbase_clr0400.dll
Source: C:\Users\user\Desktop\AVKlyo045S.exe | Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{0EE7644B-1BAD-48B1-9889-0281C206EB85}\InprocServer32
Source: C:\Users\user\Desktop\AVKlyo045S.exe | File opened: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorrc.dll
Source: AVKlyo045S.exe | Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR
Source: AVKlyo045S.exe | Static PE information: HIGH_ENTROPY_VA, DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE

                      Data Obfuscation

Source: 1.2.AVKlyo045S.exe.24cd62c.0.raw.unpack, DllHandler.cs | .Net Code: DllNodeHandler System.Reflection.Assembly.Load(byte[])
Source: 1.2.AVKlyo045S.exe.24cd62c.0.raw.unpack, DllHandler.cs | .Net Code: DllNodeHandler
Source: 6.2.AVKlyo045S.exe.2b2d670.0.raw.unpack, DllHandler.cs | .Net Code: DllNodeHandler System.Reflection.Assembly.Load(byte[])
Source: 6.2.AVKlyo045S.exe.2b2d670.0.raw.unpack, DllHandler.cs | .Net Code: DllNodeHandler
Source: 22.2.AVKlyo045S.exe.2f4e63c.0.raw.unpack, DllHandler.cs | .Net Code: DllNodeHandler System.Reflection.Assembly.Load(byte[])
Source: 22.2.AVKlyo045S.exe.2f4e63c.0.raw.unpack, DllHandler.cs | .Net Code: DllNodeHandler
Source: C:\Users\user\Desktop\AVKlyo045S.exe | Code function: 1_2_00A1AB2B pushad ; iretd 1_2_00A1AB2F
Source: C:\Users\user\Desktop\AVKlyo045S.exe | Code function: 1_2_0A3A4694 push E904A423h; retf 1_2_0A3A4699
Source: C:\Users\user\Desktop\AVKlyo045S.exe | Code function: 1_2_0A3A9885 push esp; retf 1_2_0A3A9889
Source: C:\Users\user\Desktop\AVKlyo045S.exe | Code function: 1_2_0A3A650E push 0163BA48h; iretd 1_2_0A3A6522
Source: C:\Users\user\Desktop\AVKlyo045S.exe | Code function: 1_2_0A3A45EF push 8BFFFFFFh; retf 1_2_0A3A45F5
Source: C:\Users\user\AppData\Roaming\XenoManager\AVKlyo045S.exe | Code function: 6_2_00F4AB2B pushad ; iretd 6_2_00F4AB2F
Source: C:\Users\user\AppData\Roaming\XenoManager\AVKlyo045S.exe | Code function: 6_2_0A8B4694 push E90DCC23h; retf 6_2_0A8B4699
Source: C:\Users\user\AppData\Roaming\XenoManager\AVKlyo045S.exe | Code function: 6_2_0A8B9885 push esp; retf 6_2_0A8B9889
Source: C:\Users\user\AppData\Roaming\XenoManager\AVKlyo045S.exe | Code function: 6_2_0A8B45EF push 8BFFFFFFh; retf 6_2_0A8B45F5
Source: C:\Users\user\AppData\Roaming\XenoManager\AVKlyo045S.exe | Code function: 6_2_0A8B651B push 0163BA48h; iretd 6_2_0A8B6522
Source: C:\Users\user\AppData\Roaming\XenoManager\AVKlyo045S.exe | Code function: 22_2_012DAB2B pushad ; iretd 22_2_012DAB2F
Source: C:\Users\user\AppData\Roaming\XenoManager\AVKlyo045S.exe | Code function: 22_2_066A4694 push E904FD23h; retf 22_2_066A4699
Source: C:\Users\user\AppData\Roaming\XenoManager\AVKlyo045S.exe | Code function: 22_2_066A4FCD push 00000006h; ret 22_2_066A4FD8
Source: C:\Users\user\AppData\Roaming\XenoManager\AVKlyo045S.exe | Code function: 22_2_066A9885 push esp; retf 22_2_066A9889
Source: C:\Users\user\AppData\Roaming\XenoManager\AVKlyo045S.exe | Code function: 22_2_066AB165 push 00000006h; retf 22_2_066AB168
Source: C:\Users\user\AppData\Roaming\XenoManager\AVKlyo045S.exe | Code function: 22_2_066A651B push 0163BA48h; iretd 22_2_066A6522
Source: C:\Users\user\AppData\Roaming\XenoManager\AVKlyo045S.exe | Code function: 22_2_066A45EF push 8BFFFFFFh; retf 22_2_066A45F5
Source: AVKlyo045S.exe | Static PE information: section name: .text entropy: 7.650287897774288
Source: AVKlyo045S.exe.5.dr | Static PE information: section name: .text entropy: 7.650287897774288
Source: C:\Users\user\Desktop\AVKlyo045S.exe | File created: C:\Users\user\AppData\Roaming\XenoManager\AVKlyo045S.exe
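The three indicators in this section fit together: DllNodeHandler calling System.Reflection.Assembly.Load(byte[]) loads a managed assembly straight from a byte array, which is how a .NET loader unpacks a second stage at run time; the 7.65-bit entropy of .text (out of a maximum of 8) is consistent with that stage being stored compressed or encrypted; and the push ...; retf / pushad ; iretd hits are what a linear-sweep disassembler reports over such non-code bytes. In a .NET binary those gadget hits usually come from scanning data rather than from hand-written shellcode, so treat them as corroboration of the entropy and Assembly.Load findings, not as proof on their own. The Python below is an added example, not code from Joe Sandbox or from the sample: it computes per-section entropy with a minimal PE header walk and scans a buffer for the push/ret gadget pairs listed above. All function names are mine; the gadget bytes and the single-section toy PE are constructed for the demo.

```python
"""Static triage for the two 'Data Obfuscation' indicators reported above:
per-section entropy and push/retf-style control-flow gadgets.
Added example, not Joe Sandbox or sample code; all inputs are constructed."""
import math
import struct
from typing import Dict, List, Tuple

# Control transfer that may follow a push: near return, far return,
# interrupt return.  "push X ; retf" hands control to whatever X is.
_RET_OPCODES = {0xC3: "ret", 0xCB: "retf", 0xCF: "iretd"}
_REG32 = ["eax", "ecx", "edx", "ebx", "esp", "ebp", "esi", "edi"]

# Constructed byte string containing the gadget shapes from the report.
SAMPLE_CODE = bytes.fromhex(
    "90 90"               # nop ; nop (filler)
    "68 23 A4 04 E9 CB"   # push E904A423h ; retf
    "54 CB"               # push esp ; retf
    "60 CF"               # pushad ; iretd
    "6A 06 C3"            # push 00000006h ; ret
    "68 48 BA 63 01 CF"   # push 0163BA48h ; iretd
    "C3"                  # ret
)


def shannon_entropy(data: bytes) -> float:
    """Shannon entropy in bits per byte, 0.0 (constant) to 8.0 (uniform).
    Values near 8, like the report's .text at 7.65, indicate packed,
    compressed or encrypted content rather than ordinary code."""
    if not data:
        return 0.0
    counts = [0] * 256
    for b in data:
        counts[b] += 1
    n = len(data)
    return -sum((c / n) * math.log2(c / n) for c in counts if c)


def find_push_ret_gadgets(code: bytes, base: int = 0) -> List[Tuple[int, str]]:
    """Linear scan for push ...; ret/retf/iretd pairs (the pattern behind the
    'Code function: ... push E904A423h; retf' lines).  Returns
    (address, disassembly) with address = base + offset."""
    hits = []
    i, n = 0, len(code)
    while i < n:
        op = code[i]
        if op == 0x68 and i + 5 < n:                          # push imm32
            imm = struct.unpack_from("<I", code, i + 1)[0]
            ret = _RET_OPCODES.get(code[i + 5])
            if ret:
                hits.append((base + i, f"push {imm:08X}h; {ret}"))
                i += 6
                continue
        elif op == 0x6A and i + 2 < n:                        # push imm8 (sign-extended)
            imm = code[i + 1] - 0x100 if code[i + 1] & 0x80 else code[i + 1]
            ret = _RET_OPCODES.get(code[i + 2])
            if ret:
                hits.append((base + i, f"push {imm & 0xFFFFFFFF:08X}h; {ret}"))
                i += 3
                continue
        elif 0x50 <= op <= 0x57 and i + 1 < n:                # push r32
            ret = _RET_OPCODES.get(code[i + 1])
            if ret:
                hits.append((base + i, f"push {_REG32[op - 0x50]}; {ret}"))
                i += 2
                continue
        elif op == 0x60 and i + 1 < n and code[i + 1] == 0xCF:  # pushad ; iretd
            hits.append((base + i, "pushad ; iretd"))
            i += 2
            continue
        i += 1
    return hits


def pe_section_entropies(pe: bytes) -> Dict[str, float]:
    """Per-section entropy from a PE file image, as the report's
    'section name: .text entropy: ...' line.  Minimal header walk, no pefile."""
    if pe[:2] != b"MZ":
        raise ValueError("not a PE file")
    e_lfanew = struct.unpack_from("<I", pe, 0x3C)[0]
    if pe[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("bad PE signature")
    nsec = struct.unpack_from("<H", pe, e_lfanew + 6)[0]       # NumberOfSections
    opt_size = struct.unpack_from("<H", pe, e_lfanew + 20)[0]  # SizeOfOptionalHeader
    sec_off = e_lfanew + 24 + opt_size                         # first IMAGE_SECTION_HEADER
    result = {}
    for k in range(nsec):
        hdr = pe[sec_off + 40 * k: sec_off + 40 * (k + 1)]
        name = hdr[:8].rstrip(b"\0").decode("ascii", "replace")
        raw_size, raw_ptr = struct.unpack_from("<II", hdr, 16)  # SizeOfRawData, PointerToRawData
        result[name] = shannon_entropy(pe[raw_ptr: raw_ptr + raw_size])
    return result


def build_toy_pe(section_data: bytes, name: bytes = b".text") -> bytes:
    """Constructed single-section PE image for offline testing.  Only the
    fields pe_section_entropies() reads are populated; it will not run."""
    hdr = bytearray(0x80)
    hdr[0:2] = b"MZ"
    struct.pack_into("<I", hdr, 0x3C, 0x40)          # e_lfanew
    hdr[0x40:0x44] = b"PE\0\0"
    struct.pack_into("<H", hdr, 0x46, 1)             # NumberOfSections
    struct.pack_into("<H", hdr, 0x54, 0)             # SizeOfOptionalHeader
    hdr[0x58:0x60] = name.ljust(8, b"\0")            # section name
    struct.pack_into("<II", hdr, 0x58 + 16, len(section_data), 0x80)
    return bytes(hdr) + section_data


if __name__ == "__main__":
    for addr, text in find_push_ret_gadgets(SAMPLE_CODE, base=0x0A3A4690):
        print(f"{addr:08X}  {text}")
    print(pe_section_entropies(build_toy_pe(bytes(range(256)))))
```

Run the entropy function over the real sample's sections and over the dropped copy in AppData\Roaming\XenoManager; a .text section above roughly 7 bits is the cue to look for the in-memory loader rather than to disassemble the section directly.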

                      Boot Survival

Source: C:\Users\user\AppData\Roaming\XenoManager\AVKlyo045S.exe | Process created: C:\Windows\SysWOW64\schtasks.exe "schtasks.exe" /Create /TN "cms" /XML "C:\Users\user\AppData\Local\Temp\tmpCEF4.tmp" /F
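The schtasks line above registers a task named "cms" from an XML definition in the user's Temp directory, with /F to overwrite any existing task of that name; this is the pattern behind the "Scheduled temp file as task from temp location" Sigma hit in the signature list. Because the action and trigger live in the XML, the command line alone does not say what the task runs. The Python below is an added example, not the report's or the sandbox's code: it parses schtasks command lines from a process-creation log and flags a /Create whose /XML is read from a temp path or whose /TR action sits in a user-writable directory. The first sample line is the command line reported here; the other three lines and the path marker lists are constructed.

```python
"""Flag schtasks.exe command lines that register a task from a temp-file
XML or point a task at a user-writable path.  Added example, not the
report's or the sandbox's code; the first sample line is the command
line reported above, the rest are constructed."""
import re
from typing import Dict, List, Optional, Tuple

# Lower-case path fragments marking locations an unprivileged process can
# write to.  Constructed starting point; tune to the environment.
TEMP_MARKERS = ("\\appdata\\local\\temp\\", "\\windows\\temp\\", "\\temp\\")
USER_WRITABLE = ("\\appdata\\", "\\users\\public\\", "\\programdata\\")

SAMPLE_LOG = [
    # reported above: task "cms" created from an XML file in %TEMP%
    '"schtasks.exe" /Create /TN "cms" /XML "C:\\Users\\user\\AppData\\Local\\Temp\\tmpCEF4.tmp" /F',
    # constructed: benign scheduled backup, action under Program Files
    'schtasks.exe /Create /TN "NightlyBackup" /TR "C:\\Program Files\\Backup\\backup.exe" /SC DAILY /ST 02:00',
    # constructed: a query, not a registration
    'schtasks.exe /Query /TN "cms" /XML',
    # constructed: /TR pointing at the dropped copy under AppData\Roaming
    'C:\\Windows\\System32\\schtasks.exe /Create /TN "Updater" /TR "C:\\Users\\user\\AppData\\Roaming\\XenoManager\\AVKlyo045S.exe" /SC ONLOGON',
]


def tokenize(cmdline: str) -> List[str]:
    """Split a Windows command line on whitespace, honouring double quotes."""
    return [quoted or bare for quoted, bare in re.findall(r'"([^"]*)"|(\S+)', cmdline)]


def parse_schtasks(cmdline: str) -> Optional[Dict[str, object]]:
    """Return the action and the /TN, /XML, /TR and /F arguments of a
    schtasks invocation, or None when the command is not schtasks."""
    toks = tokenize(cmdline)
    if not toks or toks[0].lower().rsplit("\\", 1)[-1] not in ("schtasks.exe", "schtasks"):
        return None
    info: Dict[str, object] = {"action": None, "name": None, "xml": None, "run": None, "force": False}
    i = 1
    while i < len(toks):
        t = toks[i].lower()
        nxt = toks[i + 1] if i + 1 < len(toks) else None
        if t in ("/create", "/delete", "/query", "/change", "/run", "/end"):
            info["action"] = t[1:]
        elif t == "/tn":
            info["name"], i = nxt, i + 1
        elif t == "/xml":          # with /Create this names the definition file
            info["xml"], i = nxt, i + 1
        elif t == "/tr":
            info["run"], i = nxt, i + 1
        elif t == "/f":
            info["force"] = True
        i += 1
    return info


def assess(cmdline: str) -> List[str]:
    """Reasons a task registration looks suspicious; empty when none."""
    info = parse_schtasks(cmdline)
    if not info or info["action"] != "create":
        return []
    reasons = []
    xml = str(info["xml"] or "").lower()
    if any(m in xml for m in TEMP_MARKERS):
        reasons.append(f"task {info['name']!r} registered from XML in a temp directory: {info['xml']}")
    run = str(info["run"] or "").lower()
    if any(m in run for m in USER_WRITABLE):
        reasons.append(f"task {info['name']!r} runs a binary from a user-writable path: {info['run']}")
    return reasons


def scan_process_log(lines: List[str]) -> List[Tuple[int, List[str]]]:
    """Run assess() over process-creation command lines; keep the hits."""
    hits = []
    for idx, line in enumerate(lines):
        reasons = assess(line)
        if reasons:
            hits.append((idx, reasons))
    return hits


if __name__ == "__main__":
    for idx, reasons in scan_process_log(SAMPLE_LOG):
        print(f"line {idx}: " + "; ".join(reasons))
```

On a live host the registered definition can be recovered even after the Temp file is gone: `schtasks /Query /TN cms /XML` prints it, and the same XML is stored under %SystemRoot%\System32\Tasks\cms. That file, not the command line, tells you the trigger and the path the task launches.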
Source: C:\Users\user\Desktop\AVKlyo045S.exe | Process information set: NOOPENFILEERRORBOX (40 identical entries)
Source: C:\Users\user\AppData\Roaming\XenoManager\AVKlyo045S.exe | Process information set: NOOPENFILEERRORBOX (25 identical entries)
Source: C:\Windows\SysWOW64\WerFault.exe | Process information set: FAILCRITICALERRORS | NOGPFAULTERRORBOX (10 identical entries)
Source: C:\Windows\SysWOW64\WerFault.exe | Process information set: NOOPENFILEERRORBOX (8 identical entries)
Source: C:\Users\user\AppData\Roaming\XenoManager\AVKlyo045S.exe | Process information set: NOOPENFILEERRORBOX (45 identical entries)
Source: C:\Windows\SysWOW64\WerFault.exe | Process information set: FAILCRITICALERRORS | NOGPFAULTERRORBOX (5 identical entries)
Source: C:\Windows\SysWOW64\WerFault.exe | Process information set: NOOPENFILEERRORBOX (4 identical entries)
Source: C:\Users\user\AppData\Roaming\XenoManager\AVKlyo045S.exe | Process information set: NOOPENFILEERRORBOX (67 identical entries)
                      Source: C:\Users\user\Desktop\AVKlyo045S.exe Memory allocated: A10000 memory reserve | memory write watch
                      Source: C:\Users\user\Desktop\AVKlyo045S.exe Memory allocated: 24C0000 memory reserve | memory write watch
                      Source: C:\Users\user\Desktop\AVKlyo045S.exe Memory allocated: 44C0000 memory reserve | memory write watch
                      Source: C:\Users\user\Desktop\AVKlyo045S.exe Memory allocated: 4C00000 memory reserve | memory write watch
                      Source: C:\Users\user\Desktop\AVKlyo045S.exe Memory allocated: 5C00000 memory reserve | memory write watch
                      Source: C:\Users\user\Desktop\AVKlyo045S.exe Memory allocated: 5D30000 memory reserve | memory write watch
                      Source: C:\Users\user\Desktop\AVKlyo045S.exe Memory allocated: 6D30000 memory reserve | memory write watch
                      Source: C:\Users\user\Desktop\AVKlyo045S.exe Memory allocated: 7180000 memory reserve | memory write watch
                      Source: C:\Users\user\Desktop\AVKlyo045S.exe Memory allocated: 8180000 memory reserve | memory write watch
                      Source: C:\Users\user\Desktop\AVKlyo045S.exe Memory allocated: 9180000 memory reserve | memory write watch
                      Source: C:\Users\user\Desktop\AVKlyo045S.exe Memory allocated: A180000 memory reserve | memory write watch
                      Source: C:\Users\user\Desktop\AVKlyo045S.exe Memory allocated: B280000 memory reserve | memory write watch
                      Source: C:\Users\user\Desktop\AVKlyo045S.exe Memory allocated: B710000 memory reserve | memory write watch
                      Source: C:\Users\user\Desktop\AVKlyo045S.exe Memory allocated: C710000 memory reserve | memory write watch
                      Source: C:\Users\user\Desktop\AVKlyo045S.exe Memory allocated: 9B0000 memory reserve | memory write watch
                      Source: C:\Users\user\Desktop\AVKlyo045S.exe Memory allocated: 28F0000 memory reserve | memory write watch
                      Source: C:\Users\user\Desktop\AVKlyo045S.exe Memory allocated: E90000 memory reserve | memory write watch
                      Source: C:\Users\user\AppData\Roaming\XenoManager\AVKlyo045S.exe Memory allocated: F20000 memory reserve | memory write watch
                      Source: C:\Users\user\AppData\Roaming\XenoManager\AVKlyo045S.exe Memory allocated: 2B20000 memory reserve | memory write watch
                      Source: C:\Users\user\AppData\Roaming\XenoManager\AVKlyo045S.exe Memory allocated: 27A0000 memory reserve | memory write watch
                      Source: C:\Users\user\AppData\Roaming\XenoManager\AVKlyo045S.exe Memory allocated: 5100000 memory reserve | memory write watch
                      Source: C:\Users\user\AppData\Roaming\XenoManager\AVKlyo045S.exe Memory allocated: 6100000 memory reserve | memory write watch
                      Source: C:\Users\user\AppData\Roaming\XenoManager\AVKlyo045S.exe Memory allocated: 6230000 memory reserve | memory write watch
                      Source: C:\Users\user\AppData\Roaming\XenoManager\AVKlyo045S.exe Memory allocated: 7230000 memory reserve | memory write watch
                      Source: C:\Users\user\AppData\Roaming\XenoManager\AVKlyo045S.exe Memory allocated: 7680000 memory reserve | memory write watch
                      Source: C:\Users\user\AppData\Roaming\XenoManager\AVKlyo045S.exe Memory allocated: 8680000 memory reserve | memory write watch
                      Source: C:\Users\user\AppData\Roaming\XenoManager\AVKlyo045S.exe Memory allocated: 9680000 memory reserve | memory write watch
                      Source: C:\Users\user\AppData\Roaming\XenoManager\AVKlyo045S.exe Memory allocated: A680000 memory reserve | memory write watch
                      Source: C:\Users\user\AppData\Roaming\XenoManager\AVKlyo045S.exe Memory allocated: B780000 memory reserve | memory write watch
                      Source: C:\Users\user\AppData\Roaming\XenoManager\AVKlyo045S.exe Memory allocated: BC10000 memory reserve | memory write watch
                      Source: C:\Users\user\AppData\Roaming\XenoManager\AVKlyo045S.exe Memory allocated: CC10000 memory reserve | memory write watch
                      Source: C:\Users\user\AppData\Roaming\XenoManager\AVKlyo045S.exe Memory allocated: 1790000 memory reserve | memory write watch
                      Source: C:\Users\user\AppData\Roaming\XenoManager\AVKlyo045S.exe Memory allocated: 3100000 memory reserve | memory write watch
                      Source: C:\Users\user\AppData\Roaming\XenoManager\AVKlyo045S.exe Memory allocated: 2DB0000 memory reserve | memory write watch
                      Source: C:\Users\user\AppData\Roaming\XenoManager\AVKlyo045S.exe Memory allocated: 12D0000 memory reserve | memory write watch
                      Source: C:\Users\user\AppData\Roaming\XenoManager\AVKlyo045S.exe Memory allocated: 2F40000 memory reserve | memory write watch
                      Source: C:\Users\user\AppData\Roaming\XenoManager\AVKlyo045S.exe Memory allocated: 4F40000 memory reserve | memory write watch
                      Source: C:\Users\user\AppData\Roaming\XenoManager\AVKlyo045S.exe Memory allocated: 5610000 memory reserve | memory write watch
                      Source: C:\Users\user\AppData\Roaming\XenoManager\AVKlyo045S.exe Memory allocated: 6610000 memory reserve | memory write watch
                      Source: C:\Users\user\AppData\Roaming\XenoManager\AVKlyo045S.exe Memory allocated: 6740000 memory reserve | memory write watch
                      Source: C:\Users\user\AppData\Roaming\XenoManager\AVKlyo045S.exe Memory allocated: 7740000 memory reserve | memory write watch
                      Source: C:\Users\user\AppData\Roaming\XenoManager\AVKlyo045S.exe Memory allocated: 7AD0000 memory reserve | memory write watch
                      Source: C:\Users\user\AppData\Roaming\XenoManager\AVKlyo045S.exe Memory allocated: 8AD0000 memory reserve | memory write watch
                      Source: C:\Users\user\AppData\Roaming\XenoManager\AVKlyo045S.exe Memory allocated: 9BD0000 memory reserve | memory write watch
                      Source: C:\Users\user\AppData\Roaming\XenoManager\AVKlyo045S.exe Memory allocated: ABD0000 memory reserve | memory write watch
                      Source: C:\Users\user\AppData\Roaming\XenoManager\AVKlyo045S.exe Memory allocated: 6D70000 memory reserve | memory write watch
                      Source: C:\Users\user\AppData\Roaming\XenoManager\AVKlyo045S.exe Memory allocated: BBD0000 memory reserve | memory write watch
                      Source: C:\Users\user\AppData\Roaming\XenoManager\AVKlyo045S.exe Memory allocated: CBD0000 memory reserve | memory write watch
                      Source: C:\Users\user\AppData\Roaming\XenoManager\AVKlyo045S.exe Memory allocated: 1730000 memory reserve | memory write watch
                      Source: C:\Users\user\AppData\Roaming\XenoManager\AVKlyo045S.exe Memory allocated: 31F0000 memory reserve | memory write watch
                      Source: C:\Users\user\AppData\Roaming\XenoManager\AVKlyo045S.exe Memory allocated: 51F0000 memory reserve | memory write watch
                      Source: C:\Users\user\AppData\Roaming\XenoManager\AVKlyo045S.exe Memory allocated: 12F0000 memory reserve | memory write watch
                      Source: C:\Users\user\AppData\Roaming\XenoManager\AVKlyo045S.exe Memory allocated: 30E0000 memory reserve | memory write watch
                      Source: C:\Users\user\AppData\Roaming\XenoManager\AVKlyo045S.exe Memory allocated: 1860000 memory reserve | memory write watch
                      Source: C:\Users\user\AppData\Roaming\XenoManager\AVKlyo045S.exe Memory allocated: 2F00000 memory reserve | memory write watch
                      Source: C:\Users\user\AppData\Roaming\XenoManager\AVKlyo045S.exe Memory allocated: 50E0000 memory reserve | memory write watch
                      Source: C:\Users\user\Desktop\AVKlyo045S.exe Thread delayed: delay time: 922337203685477
                      Source: C:\Users\user\AppData\Roaming\XenoManager\AVKlyo045S.exe Thread delayed: delay time: 922337203685477
                      Source: C:\Users\user\AppData\Roaming\XenoManager\AVKlyo045S.exe Window / User API: threadDelayed 1244
                      Source: C:\Users\user\AppData\Roaming\XenoManager\AVKlyo045S.exe Window / User API: threadDelayed 8576
                      Source: C:\Users\user\Desktop\AVKlyo045S.exe TID: 3628 Thread sleep time: -922337203685477s >= -30000s
                      Source: C:\Users\user\Desktop\AVKlyo045S.exe TID: 6676 Thread sleep time: -922337203685477s >= -30000s
                      Source: C:\Users\user\AppData\Roaming\XenoManager\AVKlyo045S.exe TID: 4676 Thread sleep time: -922337203685477s >= -30000s
                      Source: C:\Users\user\AppData\Roaming\XenoManager\AVKlyo045S.exe TID: 1436 Thread sleep count: 36 > 30
                      Source: C:\Users\user\AppData\Roaming\XenoManager\AVKlyo045S.exe TID: 1436 Thread sleep time: -33204139332677172s >= -30000s
                      Source: C:\Users\user\AppData\Roaming\XenoManager\AVKlyo045S.exe TID: 1436 Thread sleep time: -60000s >= -30000s
                      Source: C:\Users\user\AppData\Roaming\XenoManager\AVKlyo045S.exe TID: 344 Thread sleep count: 1244 > 30
                      Source: C:\Users\user\AppData\Roaming\XenoManager\AVKlyo045S.exe TID: 1436 Thread sleep time: -59828s >= -30000s
                      Source: C:\Users\user\AppData\Roaming\XenoManager\AVKlyo045S.exe TID: 344 Thread sleep count: 8576 > 30
                      Source: C:\Users\user\AppData\Roaming\XenoManager\AVKlyo045S.exe TID: 1436 Thread sleep time: -59719s >= -30000s
                      Source: C:\Users\user\AppData\Roaming\XenoManager\AVKlyo045S.exe TID: 1436 Thread sleep time: -59610s >= -30000s
                      Source: C:\Users\user\AppData\Roaming\XenoManager\AVKlyo045S.exe TID: 1436 Thread sleep count: 38 > 30
                      Source: C:\Users\user\AppData\Roaming\XenoManager\AVKlyo045S.exe TID: 1436 Thread sleep time: -59485s >= -30000s
                      Source: C:\Users\user\AppData\Roaming\XenoManager\AVKlyo045S.exe TID: 1436 Thread sleep time: -59360s >= -30000s
                      Source: C:\Users\user\AppData\Roaming\XenoManager\AVKlyo045S.exe TID: 1436 Thread sleep time: -59235s >= -30000s
                      Source: C:\Users\user\AppData\Roaming\XenoManager\AVKlyo045S.exe TID: 1436 Thread sleep time: -59110s >= -30000s
                      Source: C:\Users\user\AppData\Roaming\XenoManager\AVKlyo045S.exe TID: 1436 Thread sleep time: -58985s >= -30000s
                      Source: C:\Users\user\AppData\Roaming\XenoManager\AVKlyo045S.exe TID: 1436 Thread sleep time: -58860s >= -30000s
                      Source: C:\Users\user\AppData\Roaming\XenoManager\AVKlyo045S.exe TID: 1436 Thread sleep time: -58737s >= -30000s
                      Source: C:\Users\user\AppData\Roaming\XenoManager\AVKlyo045S.exe TID: 1436 Thread sleep time: -58579s >= -30000s
                      Source: C:\Users\user\AppData\Roaming\XenoManager\AVKlyo045S.exe TID: 1436 Thread sleep time: -58453s >= -30000s
                      Source: C:\Users\user\AppData\Roaming\XenoManager\AVKlyo045S.exe TID: 1436 Thread sleep time: -58344s >= -30000s
                      Source: C:\Users\user\AppData\Roaming\XenoManager\AVKlyo045S.exe TID: 1436 Thread sleep time: -58235s >= -30000s
                      Source: C:\Users\user\AppData\Roaming\XenoManager\AVKlyo045S.exe TID: 1436 Thread sleep time: -58110s >= -30000s
                      Source: C:\Users\user\AppData\Roaming\XenoManager\AVKlyo045S.exe TID: 1436 Thread sleep time: -57985s >= -30000s
                      Source: C:\Users\user\AppData\Roaming\XenoManager\AVKlyo045S.exe TID: 1436 Thread sleep time: -57860s >= -30000s
                      Source: C:\Users\user\AppData\Roaming\XenoManager\AVKlyo045S.exe TID: 1436 Thread sleep time: -57735s >= -30000s
                      Source: C:\Users\user\AppData\Roaming\XenoManager\AVKlyo045S.exe TID: 1436 Thread sleep time: -57610s >= -30000s
                      Source: C:\Users\user\AppData\Roaming\XenoManager\AVKlyo045S.exe TID: 1436 Thread sleep time: -57485s >= -30000s
                      Source: C:\Users\user\AppData\Roaming\XenoManager\AVKlyo045S.exe TID: 1436 Thread sleep time: -57360s >= -30000s
                      Source: C:\Users\user\AppData\Roaming\XenoManager\AVKlyo045S.exe TID: 1436 Thread sleep time: -57235s >= -30000s
                      Source: C:\Users\user\AppData\Roaming\XenoManager\AVKlyo045S.exe TID: 1436 Thread sleep time: -57110s >= -30000s
                      Source: C:\Users\user\AppData\Roaming\XenoManager\AVKlyo045S.exe TID: 1436 Thread sleep time: -56985s >= -30000s
                      Source: C:\Users\user\AppData\Roaming\XenoManager\AVKlyo045S.exe TID: 1436 Thread sleep time: -56860s >= -30000s
                      Source: C:\Users\user\AppData\Roaming\XenoManager\AVKlyo045S.exe TID: 1436 Thread sleep time: -56735s >= -30000s
                      Source: C:\Users\user\AppData\Roaming\XenoManager\AVKlyo045S.exe TID: 1436 Thread sleep time: -56610s >= -30000s
                      Source: C:\Users\user\AppData\Roaming\XenoManager\AVKlyo045S.exe TID: 1436 Thread sleep time: -56485s >= -30000s
                      Source: C:\Users\user\AppData\Roaming\XenoManager\AVKlyo045S.exe TID: 1436 Thread sleep time: -56345s >= -30000s
                      Source: C:\Users\user\AppData\Roaming\XenoManager\AVKlyo045S.exe TID: 1436 Thread sleep time: -56219s >= -30000s
                      Source: C:\Users\user\AppData\Roaming\XenoManager\AVKlyo045S.exe TID: 1436 Thread sleep time: -56110s >= -30000s
                      Source: C:\Users\user\AppData\Roaming\XenoManager\AVKlyo045S.exe TID: 1436 Thread sleep time: -55985s >= -30000s
                      Source: C:\Users\user\AppData\Roaming\XenoManager\AVKlyo045S.exe TID: 1436 Thread sleep time: -55860s >= -30000s
                      Source: C:\Users\user\AppData\Roaming\XenoManager\AVKlyo045S.exe TID: 1436 Thread sleep time: -55735s >= -30000s
                      Source: C:\Users\user\AppData\Roaming\XenoManager\AVKlyo045S.exe TID: 1436 Thread sleep time: -55610s >= -30000s
                      Source: C:\Users\user\AppData\Roaming\XenoManager\AVKlyo045S.exe TID: 1436 Thread sleep time: -55485s >= -30000s
                      Source: C:\Users\user\AppData\Roaming\XenoManager\AVKlyo045S.exe TID: 1436 Thread sleep time: -55360s >= -30000s
                      Source: C:\Users\user\AppData\Roaming\XenoManager\AVKlyo045S.exe TID: 1436 Thread sleep time: -55235s >= -30000s
                      Source: C:\Users\user\AppData\Roaming\XenoManager\AVKlyo045S.exe TID: 1436 Thread sleep time: -55110s >= -30000s
                      Source: C:\Users\user\AppData\Roaming\XenoManager\AVKlyo045S.exe TID: 1436 Thread sleep time: -54985s >= -30000s
                      Source: C:\Users\user\AppData\Roaming\XenoManager\AVKlyo045S.exe TID: 1436 Thread sleep time: -54860s >= -30000s
                      Source: C:\Users\user\AppData\Roaming\XenoManager\AVKlyo045S.exe TID: 1436 Thread sleep time: -54735s >= -30000s
                      Source: C:\Users\user\AppData\Roaming\XenoManager\AVKlyo045S.exe TID: 1436 Thread sleep time: -54610s >= -30000s
                      Source: C:\Users\user\AppData\Roaming\XenoManager\AVKlyo045S.exe TID: 1436 Thread sleep time: -54485s >= -30000s
                      Source: C:\Users\user\AppData\Roaming\XenoManager\AVKlyo045S.exe TID: 1436 Thread sleep time: -54360s >= -30000s
                      Source: C:\Users\user\AppData\Roaming\XenoManager\AVKlyo045S.exe TID: 1436 Thread sleep time: -54235s >= -30000s
                      Source: C:\Users\user\AppData\Roaming\XenoManager\AVKlyo045S.exe TID: 1436 Thread sleep time: -54110s >= -30000s
                      Source: C:\Users\user\AppData\Roaming\XenoManager\AVKlyo045S.exe TID: 1436 Thread sleep time: -53985s >= -30000s
                      Source: C:\Users\user\AppData\Roaming\XenoManager\AVKlyo045S.exe TID: 1436 Thread sleep time: -53868s >= -30000s
                      Source: C:\Users\user\AppData\Roaming\XenoManager\AVKlyo045S.exe TID: 568 Thread sleep time: -922337203685477s >= -30000s
                      Source: C:\Users\user\AppData\Roaming\XenoManager\AVKlyo045S.exe TID: 5576 Thread sleep time: -922337203685477s >= -30000s
                      Source: C:\Users\user\AppData\Roaming\XenoManager\AVKlyo045S.exe TID: 5304 Thread sleep time: -922337203685477s >= -30000s
                      Source: C:\Users\user\AppData\Roaming\XenoManager\AVKlyo045S.exe TID: 5708 Thread sleep time: -922337203685477s >= -30000s
                      Source: C:\Users\user\AppData\Roaming\XenoManager\AVKlyo045S.exe TID: 7012 Thread sleep time: -922337203685477s >= -30000s
                      Source: C:\Users\user\AppData\Roaming\XenoManager\AVKlyo045S.exe Thread delayed: delay time: 60000
                      Source: C:\Users\user\AppData\Roaming\XenoManager\AVKlyo045S.exe Thread delayed: delay time: 59828
                      Source: C:\Users\user\AppData\Roaming\XenoManager\AVKlyo045S.exe Thread delayed: delay time: 59719
                      Source: C:\Users\user\AppData\Roaming\XenoManager\AVKlyo045S.exe Thread delayed: delay time: 59610
                      Source: C:\Users\user\AppData\Roaming\XenoManager\AVKlyo045S.exe Thread delayed: delay time: 59485
                      Source: C:\Users\user\AppData\Roaming\XenoManager\AVKlyo045S.exe Thread delayed: delay time: 59360
                      Source: C:\Users\user\AppData\Roaming\XenoManager\AVKlyo045S.exe Thread delayed: delay time: 59235
                      Source: C:\Users\user\AppData\Roaming\XenoManager\AVKlyo045S.exe Thread delayed: delay time: 59110
                      Source: C:\Users\user\AppData\Roaming\XenoManager\AVKlyo045S.exe Thread delayed: delay time: 58985
                      Source: C:\Users\user\AppData\Roaming\XenoManager\AVKlyo045S.exe Thread delayed: delay time: 58860
                      Source: C:\Users\user\AppData\Roaming\XenoManager\AVKlyo045S.exe Thread delayed: delay time: 58737
                      Source: C:\Users\user\AppData\Roaming\XenoManager\AVKlyo045S.exe Thread delayed: delay time: 58579
                      Source: C:\Users\user\AppData\Roaming\XenoManager\AVKlyo045S.exe Thread delayed: delay time: 58453
                      Source: C:\Users\user\AppData\Roaming\XenoManager\AVKlyo045S.exe Thread delayed: delay time: 58344
                      Source: C:\Users\user\AppData\Roaming\XenoManager\AVKlyo045S.exe Thread delayed: delay time: 58235
                      Source: C:\Users\user\AppData\Roaming\XenoManager\AVKlyo045S.exe Thread delayed: delay time: 58110
                      Source: C:\Users\user\AppData\Roaming\XenoManager\AVKlyo045S.exe Thread delayed: delay time: 57985
                      Source: C:\Users\user\AppData\Roaming\XenoManager\AVKlyo045S.exe Thread delayed: delay time: 57860
                      Source: C:\Users\user\AppData\Roaming\XenoManager\AVKlyo045S.exe Thread delayed: delay time: 57735
                      Source: C:\Users\user\AppData\Roaming\XenoManager\AVKlyo045S.exe Thread delayed: delay time: 57610
                      Source: C:\Users\user\AppData\Roaming\XenoManager\AVKlyo045S.exe Thread delayed: delay time: 57485
                      Source: C:\Users\user\AppData\Roaming\XenoManager\AVKlyo045S.exe Thread delayed: delay time: 57360
                      Source: C:\Users\user\AppData\Roaming\XenoManager\AVKlyo045S.exe Thread delayed: delay time: 57235
                      Source: C:\Users\user\AppData\Roaming\XenoManager\AVKlyo045S.exe Thread delayed: delay time: 57110
                      Source: C:\Users\user\AppData\Roaming\XenoManager\AVKlyo045S.exe Thread delayed: delay time: 56985
                      Source: C:\Users\user\AppData\Roaming\XenoManager\AVKlyo045S.exe Thread delayed: delay time: 56860
                      Source: C:\Users\user\AppData\Roaming\XenoManager\AVKlyo045S.exe Thread delayed: delay time: 56735
                      Source: C:\Users\user\AppData\Roaming\XenoManager\AVKlyo045S.exe Thread delayed: delay time: 56610
                      Source: C:\Users\user\AppData\Roaming\XenoManager\AVKlyo045S.exe Thread delayed: delay time: 56485
                      Source: C:\Users\user\AppData\Roaming\XenoManager\AVKlyo045S.exe Thread delayed: delay time: 56345
                      Source: C:\Users\user\AppData\Roaming\XenoManager\AVKlyo045S.exe Thread delayed: delay time: 56219
                      Source: C:\Users\user\AppData\Roaming\XenoManager\AVKlyo045S.exe Thread delayed: delay time: 56110
                      Source: C:\Users\user\AppData\Roaming\XenoManager\AVKlyo045S.exe Thread delayed: delay time: 55985
                      Source: C:\Users\user\AppData\Roaming\XenoManager\AVKlyo045S.exe Thread delayed: delay time: 55860
                      Source: C:\Users\user\AppData\Roaming\XenoManager\AVKlyo045S.exe Thread delayed: delay time: 55735
                      Source: C:\Users\user\AppData\Roaming\XenoManager\AVKlyo045S.exe Thread delayed: delay time: 55610
                      Source: C:\Users\user\AppData\Roaming\XenoManager\AVKlyo045S.exe Thread delayed: delay time: 55485
                      Source: C:\Users\user\AppData\Roaming\XenoManager\AVKlyo045S.exe Thread delayed: delay time: 55360
                      Source: C:\Users\user\AppData\Roaming\XenoManager\AVKlyo045S.exe Thread delayed: delay time: 55235
                      Source: C:\Users\user\AppData\Roaming\XenoManager\AVKlyo045S.exe Thread delayed: delay time: 55110
                      Source: C:\Users\user\AppData\Roaming\XenoManager\AVKlyo045S.exe Thread delayed: delay time: 54985
                      Source: C:\Users\user\AppData\Roaming\XenoManager\AVKlyo045S.exe Thread delayed: delay time: 54860
                      Source: C:\Users\user\AppData\Roaming\XenoManager\AVKlyo045S.exe Thread delayed: delay time: 54735
                      Source: C:\Users\user\AppData\Roaming\XenoManager\AVKlyo045S.exe Thread delayed: delay time: 54610
                      Source: C:\Users\user\AppData\Roaming\XenoManager\AVKlyo045S.exe Thread delayed: delay time: 54485
                      Source: C:\Users\user\AppData\Roaming\XenoManager\AVKlyo045S.exe Thread delayed: delay time: 54360
                      Source: C:\Users\user\AppData\Roaming\XenoManager\AVKlyo045S.exe Thread delayed: delay time: 54235
                      Source: C:\Users\user\AppData\Roaming\XenoManager\AVKlyo045S.exe Thread delayed: delay time: 54110
                      Source: C:\Users\user\AppData\Roaming\XenoManager\AVKlyo045S.exe Thread delayed: delay time: 53985
                      Source: C:\Users\user\AppData\Roaming\XenoManager\AVKlyo045S.exe Thread delayed: delay time: 53868
                      Source: AVKlyo045S.exe, 0000000B.00000002.3911956000.00000000013F1000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dllv
                      Source: C:\Users\user\Desktop\AVKlyo045S.exeProcess queried: DebugPortJump to behavior
                      Source: C:\Users\user\Desktop\AVKlyo045S.exeProcess queried: DebugPortJump to behavior
                      Source: C:\Users\user\Desktop\AVKlyo045S.exeProcess queried: DebugPortJump to behavior
                      Source: C:\Users\user\Desktop\AVKlyo045S.exeProcess queried: DebugPortJump to behavior
                      Source: C:\Users\user\AppData\Roaming\XenoManager\AVKlyo045S.exeProcess queried: DebugPortJump to behavior
                      Source: C:\Users\user\AppData\Roaming\XenoManager\AVKlyo045S.exeProcess queried: DebugPortJump to behavior
                      Source: C:\Users\user\Desktop\AVKlyo045S.exeProcess token adjusted: DebugJump to behavior
                      Source: C:\Users\user\AppData\Roaming\XenoManager\AVKlyo045S.exeProcess token adjusted: DebugJump to behavior
                      Source: C:\Users\user\AppData\Roaming\XenoManager\AVKlyo045S.exeProcess token adjusted: DebugJump to behavior
                      Source: C:\Users\user\Desktop\AVKlyo045S.exeMemory allocated: page read and write | page guardJump to behavior

HIPS / PFW / Operating System Protection Evasion

Source: C:\Users\user\Desktop\AVKlyo045S.exe; Memory written: C:\Users\user\Desktop\AVKlyo045S.exe base: 400000 value starts with: 4D5A
Source: C:\Users\user\AppData\Roaming\XenoManager\AVKlyo045S.exe; Memory written: C:\Users\user\AppData\Roaming\XenoManager\AVKlyo045S.exe base: 400000 value starts with: 4D5A
Source: C:\Users\user\AppData\Roaming\XenoManager\AVKlyo045S.exe; Memory written: C:\Users\user\AppData\Roaming\XenoManager\AVKlyo045S.exe base: 400000 value starts with: 4D5A
Source: C:\Users\user\AppData\Roaming\XenoManager\AVKlyo045S.exe; Memory written: C:\Users\user\AppData\Roaming\XenoManager\AVKlyo045S.exe base: 400000 value starts with: 4D5A
Source: C:\Users\user\AppData\Roaming\XenoManager\AVKlyo045S.exe; Memory written: C:\Users\user\AppData\Roaming\XenoManager\AVKlyo045S.exe base: 400000 value starts with: 4D5A
Source: C:\Users\user\AppData\Roaming\XenoManager\AVKlyo045S.exe; Memory written: C:\Users\user\AppData\Roaming\XenoManager\AVKlyo045S.exe base: 400000 value starts with: 4D5A
Source: C:\Users\user\Desktop\AVKlyo045S.exe; Process created: C:\Users\user\Desktop\AVKlyo045S.exe C:\Users\user\Desktop\AVKlyo045S.exe
Source: C:\Users\user\Desktop\AVKlyo045S.exe; Process created: C:\Users\user\Desktop\AVKlyo045S.exe C:\Users\user\Desktop\AVKlyo045S.exe
Source: C:\Users\user\Desktop\AVKlyo045S.exe; Process created: C:\Users\user\Desktop\AVKlyo045S.exe C:\Users\user\Desktop\AVKlyo045S.exe
Source: C:\Users\user\Desktop\AVKlyo045S.exe; Process created: C:\Users\user\AppData\Roaming\XenoManager\AVKlyo045S.exe "C:\Users\user\AppData\Roaming\XenoManager\AVKlyo045S.exe"
Source: C:\Users\user\AppData\Roaming\XenoManager\AVKlyo045S.exe; Process created: C:\Users\user\AppData\Roaming\XenoManager\AVKlyo045S.exe C:\Users\user\AppData\Roaming\XenoManager\AVKlyo045S.exe
Source: C:\Users\user\AppData\Roaming\XenoManager\AVKlyo045S.exe; Process created: C:\Users\user\AppData\Roaming\XenoManager\AVKlyo045S.exe C:\Users\user\AppData\Roaming\XenoManager\AVKlyo045S.exe
Source: C:\Users\user\AppData\Roaming\XenoManager\AVKlyo045S.exe; Process created: C:\Users\user\AppData\Roaming\XenoManager\AVKlyo045S.exe C:\Users\user\AppData\Roaming\XenoManager\AVKlyo045S.exe
Source: C:\Users\user\AppData\Roaming\XenoManager\AVKlyo045S.exe; Process created: C:\Windows\SysWOW64\schtasks.exe "schtasks.exe" /Create /TN "cms" /XML "C:\Users\user\AppData\Local\Temp\tmpCEF4.tmp" /F
Source: C:\Users\user\AppData\Roaming\XenoManager\AVKlyo045S.exe; Process created: C:\Users\user\AppData\Roaming\XenoManager\AVKlyo045S.exe C:\Users\user\AppData\Roaming\XenoManager\AVKlyo045S.exe
Source: C:\Users\user\AppData\Roaming\XenoManager\AVKlyo045S.exe; Process created: C:\Users\user\AppData\Roaming\XenoManager\AVKlyo045S.exe C:\Users\user\AppData\Roaming\XenoManager\AVKlyo045S.exe
Source: C:\Users\user\AppData\Roaming\XenoManager\AVKlyo045S.exe; Process created: C:\Users\user\AppData\Roaming\XenoManager\AVKlyo045S.exe C:\Users\user\AppData\Roaming\XenoManager\AVKlyo045S.exe
Source: C:\Users\user\Desktop\AVKlyo045S.exe; Queries volume information: C:\Users\user\Desktop\AVKlyo045S.exe VolumeInformation
Source: C:\Users\user\Desktop\AVKlyo045S.exe; Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation
Source: C:\Users\user\Desktop\AVKlyo045S.exe; Queries volume information: C:\Users\user\Desktop\AVKlyo045S.exe VolumeInformation
Source: C:\Users\user\AppData\Roaming\XenoManager\AVKlyo045S.exe; Queries volume information: C:\Users\user\AppData\Roaming\XenoManager\AVKlyo045S.exe VolumeInformation
Source: C:\Users\user\AppData\Roaming\XenoManager\AVKlyo045S.exe; Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation
Source: C:\Users\user\AppData\Roaming\XenoManager\AVKlyo045S.exe; Queries volume information: C:\Users\user\AppData\Roaming\XenoManager\AVKlyo045S.exe VolumeInformation
Source: C:\Users\user\AppData\Roaming\XenoManager\AVKlyo045S.exe; Queries volume information: C:\Users\user\AppData\Roaming\XenoManager\AVKlyo045S.exe VolumeInformation
Source: C:\Users\user\AppData\Roaming\XenoManager\AVKlyo045S.exe; Queries volume information: C:\Users\user\AppData\Roaming\XenoManager\AVKlyo045S.exe VolumeInformation
Source: C:\Users\user\AppData\Roaming\XenoManager\AVKlyo045S.exe; Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation
Source: C:\Users\user\AppData\Roaming\XenoManager\AVKlyo045S.exe; Queries volume information: C:\Users\user\AppData\Roaming\XenoManager\AVKlyo045S.exe VolumeInformation
Source: C:\Users\user\AppData\Roaming\XenoManager\AVKlyo045S.exe; Queries volume information: C:\Users\user\AppData\Roaming\XenoManager\AVKlyo045S.exe VolumeInformation
Source: C:\Users\user\AppData\Roaming\XenoManager\AVKlyo045S.exe; Queries volume information: C:\Users\user\AppData\Roaming\XenoManager\AVKlyo045S.exe VolumeInformation
Source: C:\Users\user\Desktop\AVKlyo045S.exe; Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

Stealing of Sensitive Information

Source: Yara match; File source: 5.2.AVKlyo045S.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match; File source: 6.2.AVKlyo045S.exe.2b2d670.0.unpack, type: UNPACKEDPE
Source: Yara match; File source: 22.2.AVKlyo045S.exe.2f4e63c.0.unpack, type: UNPACKEDPE
Source: Yara match; File source: 1.2.AVKlyo045S.exe.24cd62c.0.unpack, type: UNPACKEDPE
Source: Yara match; File source: 6.2.AVKlyo045S.exe.2b2d670.0.raw.unpack, type: UNPACKEDPE
Source: Yara match; File source: 22.2.AVKlyo045S.exe.2f4e63c.0.raw.unpack, type: UNPACKEDPE
Source: Yara match; File source: 1.2.AVKlyo045S.exe.24cd62c.0.raw.unpack, type: UNPACKEDPE
Source: Yara match; File source: 22.2.AVKlyo045S.exe.2f49c90.1.raw.unpack, type: UNPACKEDPE
Source: Yara match; File source: 00000001.00000002.1458741464.00000000026DA000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match; File source: 00000005.00000002.1457010386.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match; File source: 00000001.00000002.1458741464.00000000026E7000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match; File source: 00000016.00000002.2098007355.0000000003151000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match; File source: 00000006.00000002.1475423833.0000000002D46000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match; File source: 00000006.00000002.1475423833.0000000002D55000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match; File source: 00000016.00000002.2098007355.0000000003160000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match; File source: 00000001.00000002.1458741464.00000000024C1000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match; File source: 00000006.00000002.1475423833.0000000002B21000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match; File source: 00000016.00000002.2098007355.0000000002F41000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match; File source: Process Memory Space: AVKlyo045S.exe PID: 6984, type: MEMORYSTR
Source: Yara match; File source: Process Memory Space: AVKlyo045S.exe PID: 4464, type: MEMORYSTR
Source: Yara match; File source: Process Memory Space: AVKlyo045S.exe PID: 6476, type: MEMORYSTR
Source: Yara match; File source: Process Memory Space: AVKlyo045S.exe PID: 3848, type: MEMORYSTR

Remote Access Functionality

Source: Yara match; File source: 5.2.AVKlyo045S.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match; File source: 6.2.AVKlyo045S.exe.2b2d670.0.unpack, type: UNPACKEDPE
Source: Yara match; File source: 22.2.AVKlyo045S.exe.2f4e63c.0.unpack, type: UNPACKEDPE
Source: Yara match; File source: 1.2.AVKlyo045S.exe.24cd62c.0.unpack, type: UNPACKEDPE
Source: Yara match; File source: 6.2.AVKlyo045S.exe.2b2d670.0.raw.unpack, type: UNPACKEDPE
Source: Yara match; File source: 22.2.AVKlyo045S.exe.2f4e63c.0.raw.unpack, type: UNPACKEDPE
Source: Yara match; File source: 1.2.AVKlyo045S.exe.24cd62c.0.raw.unpack, type: UNPACKEDPE
Source: Yara match; File source: 22.2.AVKlyo045S.exe.2f49c90.1.raw.unpack, type: UNPACKEDPE
Source: Yara match; File source: 00000001.00000002.1458741464.00000000026DA000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match; File source: 00000005.00000002.1457010386.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match; File source: 00000001.00000002.1458741464.00000000026E7000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match; File source: 00000016.00000002.2098007355.0000000003151000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match; File source: 00000006.00000002.1475423833.0000000002D46000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match; File source: 00000006.00000002.1475423833.0000000002D55000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match; File source: 00000016.00000002.2098007355.0000000003160000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match; File source: 00000001.00000002.1458741464.00000000024C1000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match; File source: 00000006.00000002.1475423833.0000000002B21000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match; File source: 00000016.00000002.2098007355.0000000002F41000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match; File source: Process Memory Space: AVKlyo045S.exe PID: 6984, type: MEMORYSTR
Source: Yara match; File source: Process Memory Space: AVKlyo045S.exe PID: 4464, type: MEMORYSTR
Source: Yara match; File source: Process Memory Space: AVKlyo045S.exe PID: 6476, type: MEMORYSTR
Source: Yara match; File source: Process Memory Space: AVKlyo045S.exe PID: 3848, type: MEMORYSTR
MITRE ATT&CK Matrix

Reconnaissance | Resource Development | Initial Access | Execution | Persistence | Privilege Escalation | Defense Evasion | Credential Access | Discovery | Lateral Movement | Collection | Command and Control | Exfiltration | Impact
Gather Victim Identity Information | Acquire Infrastructure | Valid Accounts | 1 Scheduled Task/Job | 1 Scheduled Task/Job | 111 Process Injection | 1 Masquerading | OS Credential Dumping | 111 Security Software Discovery | Remote Services | 11 Archive Collected Data | 1 Encrypted Channel | Exfiltration Over Other Network Medium | Abuse Accessibility Features
Credentials | Domains | Default Accounts | Scheduled Task/Job | 1 DLL Side-Loading | 1 Scheduled Task/Job | 1 Disable or Modify Tools | LSASS Memory | 41 Virtualization/Sandbox Evasion | Remote Desktop Protocol | Data from Removable Media | 1 Non-Standard Port | Exfiltration Over Bluetooth | Network Denial of Service
Email Addresses | DNS Server | Domain Accounts | At | Logon Script (Windows) | 1 DLL Side-Loading | 41 Virtualization/Sandbox Evasion | Security Account Manager | 1 Application Window Discovery | SMB/Windows Admin Shares | Data from Network Shared Drive | 1 Application Layer Protocol | Automated Exfiltration | Data Encrypted for Impact
Employee Names | Virtual Private Server | Local Accounts | Cron | Login Hook | Login Hook | 111 Process Injection | NTDS | 1 File and Directory Discovery | Distributed Component Object Model | Input Capture | Protocol Impersonation | Traffic Duplication | Data Destruction
Gather Victim Network Information | Server | Cloud Accounts | Launchd | Network Logon Script | Network Logon Script | 1 Deobfuscate/Decode Files or Information | LSA Secrets | 12 System Information Discovery | SSH | Keylogging | Fallback Channels | Scheduled Transfer | Data Encrypted for Impact
Domain Properties | Botnet | Replication Through Removable Media | Scheduled Task | RC Scripts | RC Scripts | 3 Obfuscated Files or Information | Cached Domain Credentials | Wi-Fi Discovery | VNC | GUI Input Capture | Multiband Communication | Data Transfer Size Limits | Service Stop
DNS | Web Services | External Remote Services | Systemd Timers | Startup Items | Startup Items | 12 Software Packing | DCSync | Remote System Discovery | Windows Remote Management | Web Portal Capture | Commonly Used Port | Exfiltration Over C2 Channel | Inhibit System Recovery
Network Trust Dependencies | Serverless | Drive-by Compromise | Container Orchestration Job | Scheduled Task/Job | Scheduled Task/Job | 1 DLL Side-Loading | Proc Filesystem | System Owner/User Discovery | Cloud Services | Credential API Hooking | Application Layer Protocol | Exfiltration Over Alternative Protocol | Defacement

                      Legend:

                      • Process
                      • Signature
                      • Created File
                      • DNS/IP Info
                      • Is Dropped
                      • Is Windows Process
                      • Number of created Registry Values
                      • Number of created Files
                      • Visual Basic
                      • Delphi
                      • Java
                      • .Net C# or VB.NET
                      • C, C++ or other language
                      • Is malicious
                      • Internet
Behavior Graph ID: 1466950; Sample: AVKlyo045S.exe; Startdate: 03/07/2024; Architecture: WINDOWS; Score: 100
Signatures at the start node: Found malware configuration; Sigma detected: Scheduled temp file as task from temp location; Multi AV Scanner detection for submitted file; 5 other signatures

Process tree (node numbers as in the graph):
  AVKlyo045S.exe (10), started
    dropped: C:\Users\user\AppData\...\AVKlyo045S.exe.log, ASCII
    signature: Injects a PE file into a foreign processes
    AVKlyo045S.exe (16), started
      dropped: C:\Users\user\AppData\...\AVKlyo045S.exe, PE32
      dropped: C:\Users\...\AVKlyo045S.exe:Zone.Identifier, ASCII
      AVKlyo045S.exe (29), started
        signatures: Multi AV Scanner detection for dropped file; Machine Learning detection for dropped file; Uses schtasks.exe or at.exe to add and modify task schedules; Injects a PE file into a foreign processes
        AVKlyo045S.exe (36), started
          network: 91.92.248.167, 1280, 49714, 49715 (THEZONEBG, Bulgaria)
          dropped: C:\Users\user\AppData\Local\...\tmpCEF4.tmp, ASCII
          schtasks.exe (44), started
            conhost.exe (48), started
        AVKlyo045S.exe (40), started
          WerFault.exe (46), started
        AVKlyo045S.exe (42), started
    AVKlyo045S.exe (19), started
      WerFault.exe (32), started
    AVKlyo045S.exe (21), started
      WerFault.exe (34), started
  AVKlyo045S.exe (14), started
    AVKlyo045S.exe (23), started
    AVKlyo045S.exe (25), started
    AVKlyo045S.exe (27), started

Source | Detection | Scanner | Label
AVKlyo045S.exe | 88% | ReversingLabs | Win32.Trojan.Leonem
AVKlyo045S.exe | 100% | Joe Sandbox ML |

Source | Detection | Scanner | Label
C:\Users\user\AppData\Roaming\XenoManager\AVKlyo045S.exe | 100% | Joe Sandbox ML |
C:\Users\user\AppData\Roaming\XenoManager\AVKlyo045S.exe | 88% | ReversingLabs | Win32.Trojan.Leonem

No Antivirus matches

No Antivirus matches

Source | Detection | Scanner | Label
91.92.248.167 | 0% | Avira URL Cloud | safe

No contacted domains info

Name | Malicious | Antivirus Detection | Reputation
91.92.248.167 | true | Avira URL Cloud: safe | unknown

IP | Domain | Country | ASN | ASN Name | Malicious
91.92.248.167 | unknown | Bulgaria | 34368 | THEZONEBG | true
Joe Sandbox version: 40.0.0 Tourmaline
Analysis ID: 1466950
Start date and time: 2024-07-03 15:39:04 +02:00
Joe Sandbox product: CloudBasic
Overall analysis duration: 0h 8m 55s
Hypervisor based Inspection enabled: false
Report type: full
Cookbook file name: default.jbs
Analysis system description: Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Number of new started processes analysed: 27
Number of new started drivers analysed: 0
Number of existing processes analysed: 0
Number of existing drivers analysed: 0
Number of injected processes analysed: 0
Technologies:
• HCA enabled
• EGA enabled
• AMSI enabled
Analysis Mode: default
Analysis stop reason: Timeout
Sample name: AVKlyo045S.exe (renamed because the original name is a hash value)
Original Sample Name: d484104256e41a509ff52bb9a5bbd7bd63aaf18e0b32b68fe3c4bfa6b81aa267.exe
Detection: MAL
Classification: mal100.troj.evad.winEXE@28/4@0/1
EGA Information:
• Successful, ratio: 33.3%
HCA Information:
• Successful, ratio: 95%
• Number of executed functions: 238
• Number of non-executed functions: 25
Cookbook Comments:
• Found application associated with file extension: .exe
• Override analysis time to 240000 for current running targets taking high CPU consumption
• Exclude process from analysis (whitelisted): MpCmdRun.exe, dllhost.exe, WerFault.exe, WMIADAP.exe, SIHClient.exe, conhost.exe, svchost.exe
• Excluded domains from analysis (whitelisted): ocsp.digicert.com, slscr.update.microsoft.com, ctldl.windowsupdate.com, fe3cr.delivery.mp.microsoft.com
• Execution Graph export aborted for target AVKlyo045S.exe, PID 1060 because it is empty
• Execution Graph export aborted for target AVKlyo045S.exe, PID 2340 because it is empty
• Execution Graph export aborted for target AVKlyo045S.exe, PID 2352 because it is empty
• Execution Graph export aborted for target AVKlyo045S.exe, PID 3160 because it is empty
• Execution Graph export aborted for target AVKlyo045S.exe, PID 4464 because it is empty
• Execution Graph export aborted for target AVKlyo045S.exe, PID 5576 because it is empty
• Not all processes were analyzed; the report is missing behavior information
• Report size exceeded maximum capacity and may have missing behavior information
• Report size getting too big, too many NtOpenKeyEx calls found
• Report size getting too big, too many NtQueryValueKey calls found
• VT rate limit hit for: AVKlyo045S.exe

Time | Type | Description
09:40:05 | API Interceptor | 8159776x Sleep call for process: AVKlyo045S.exe modified
15:41:06 | Task Scheduler | Run new task: cms path: C:\Users\user\AppData\Roaming\XenoManager\AVKlyo045S.exe
Match | Associated Sample Name / URL | Detection | Threat Name
91.92.248.167 | xzMyweCMgr.exe | malicious | XenoRAT
91.92.248.167 | s3e5Mme8rD.exe | malicious | XenoRAT
91.92.248.167 | s36tmQLray.exe | malicious | XenoRAT
91.92.248.167 | 6exBrDSJkZ.exe | malicious | XenoRAT
91.92.248.167 | Transaccion_Recibos.xls | malicious | XenoRAT
91.92.248.167 | Transaccion_Recibos.xls | malicious | XenoRAT
91.92.248.167 | Y9qoiJLnl8.exe | malicious | XenoRAT
91.92.248.167 | Transaccion_Recibos.xls | malicious | XenoRAT

No context

Match | Associated Sample Name / URL | Detection | Threat Name | Context
THEZONEBG | Inquiry HA-22-28199 22-Q22024.doc | malicious | FormBook | 91.92.254.29
THEZONEBG | Inquiry HA-22-28199 22-Q22024.doc | malicious | FormBook | 91.92.254.29
THEZONEBG | RW-TS-Payment204_A3084_04893_D4084_Y5902_CE3018_S4081_W30981.exe | malicious | PureLog Stealer, zgRAT | 91.92.255.36
THEZONEBG | 4YlwTsmpuZ.rtf | malicious | Unknown | 91.92.254.29
THEZONEBG | 02_07_2024_D#U00f6nemi_MEVDUAT Ekstre Bilgiler.exe | malicious | AsyncRAT | 91.92.240.178
THEZONEBG | JrBo2dgrUX.exe | malicious | Lokibot | 91.92.240.69
THEZONEBG | DHL_AWB 98776013276.xls | malicious | FormBook | 91.92.254.14
THEZONEBG | 457525.xls | malicious | Unknown | 91.92.254.14
THEZONEBG | Scan-Payment-Advice.xls | malicious | Lokibot | 91.92.240.69
THEZONEBG | dk3M4juckj.exe | malicious | DanaBot | 91.92.246.63

No context

No context
Process: C:\Users\user\Desktop\AVKlyo045S.exe
File Type: ASCII text, with CRLF line terminators
Category: dropped
Size (bytes): 522
Entropy (8bit): 5.358731107079437
Encrypted: false
SSDEEP: 12:Q3La/hz92n4M9tDLI4MWuPTAOKbbDLI4MWuPJKAVKhav:MLU84qpE4KlKDE4KhKiKhk
MD5: 93E4C46884CB6EE7CDCC4AACE78CDFAC
SHA1: 29B12D9409BA9AFE4C949F02F7D232233C0B5228
SHA-256: 2690023A62F22AB7B27B09351205BA31173B50B77ACA89A5759EDF29A1FB17F7
SHA-512: E9C3E2FCEE4E13F7776665295A4F6085002913E011BEEF32C8E7065140937DDE1963182B547CC75110BF32AE5130A6686D5862076D5FFED9241F183B9217FA4D
Malicious: true
Reputation: moderate, very likely benign file
Preview:
1,"fusion","GAC",0
1,"WinRT","NotApp",1
2,"Microsoft.VisualBasic, Version=10.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a",0
3,"System, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System\920e3d1d70447c3c10e69e6df0766568\System.ni.dll",0
3,"System.Core, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Core\8b2c1203fd20aea8260bfbc518004720\System.Core.ni.dll",0

Process: C:\Users\user\AppData\Roaming\XenoManager\AVKlyo045S.exe
File Type: ASCII text
Category: dropped
Size (bytes): 1047
Entropy (8bit): 3.8859609698405357
Encrypted: false
SSDEEP: 12:FLJ+DW2SFFkFmMMLGId1L6AEJl7XpShhJKShe/Q0QK1++THAdpdxv3n:FLJ+S3Mmd1L6ztMhEMOQ0Q+Ixvn
MD5: 652AAB88377807ABA6C30CA8CDBB6D40
SHA1: 961AB1430316FD22349B841939BB8F4D763676A3
SHA-256: C36C1C7F23BC2071388FAA9BFE2D1BAA878E9DBFCEC53F622599B3DC88E85AD7
SHA-512: 2232E8C75D4F2F124BCAF10E604734853BF62CE0F25E3AE7526958CF06E6B1DB3F3A47F325BA60DD8F4D54813CE86E128CBD2583F7C1AF06E782B29BFDE4FE71
Malicious: true
Reputation: low
Preview (scheduled-task XML, truncated by the report):
<Task xmlns='http://schemas.microsoft.com/windows/2004/02/mit/task'>
  <Triggers>
    <LogonTrigger>
      <Enabled>true</Enabled>
    </LogonTrigger>
  </Triggers>
  <Principals>
    <Principal id='Author'>
      <LogonType>InteractiveToken</LogonType>
      <RunLevel>HighestAvailable</RunLevel>
    </Principal>
  </Principals>
  <Settings>
    <ExecutionTimeLimit>PT0S</ExecutionTimeLimit>
    <DisallowStartIfOnBatteries>false</DisallowStartIfOnBatteries>
    <MultipleInstancesPolicy>Parallel</MultipleInstancesPolicy>
  </Settings>
  <Actions>
    <Exec>
      <Command>C:\Users\user\AppData\Roaming\XenoManager\AVKlyo045S.exe</Command>
    </Exec>

Process: C:\Users\user\Desktop\AVKlyo045S.exe
File Type: PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
Category: dropped
Size (bytes): 240640
Entropy (8bit): 7.615878114216983
Encrypted: false
SSDEEP: 6144:BhTnFgUgcego6uIXCHq2MYOITuVYmE9oO8N21Tx6I:/byUTelnK2fZSVYmE9oO8N21TxP
MD5: 0DBA4BED5BF4E4C327B712F723E714C5
SHA1: B8609DB0404983D9A7F2BC4639D93A539BB883A6
SHA-256: D484104256E41A509FF52BB9A5BBD7BD63AAF18E0B32B68FE3C4BFA6B81AA267
SHA-512: 3E2D21C7F0F4A97CC491D70BEF203E75C91D716706256938D6CB0171CBD8499E902B9D51BE4A0AFC47C602D5AEBF5DB22802C38AAE29D0EBCD9FB29611824653
Malicious: true
Antivirus:
• Antivirus: Joe Sandbox ML, Detection: 100%
• Antivirus: ReversingLabs, Detection: 88%
Reputation: low
                                      Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L.....wf................................ ........@.. ....................................`.....................................S.......#............................................................................ ............... ..H............text........ ...................... ..`.rsrc...#...........................@..@.reloc..............................@..B.......................H.........................................................................f..&B.....T.;..H.....M{...Lu.mh...7..\...R.AG..z.%.V....u].%q..I........X....$..1......C.....gv..D.h......!o/t.y....h.!.D......:....t....7.O.!.<XE.Y....1......Tg.zO.y....Vj.xB...[...n.)....ce...Z...~.@..JU..G.x.I....c4].*O......X...3f3.,...I,@6c0T.U...M.w.g.s.2.16..s....`.2f..4..UJ...HiK..9.BkWE0..P...D@.c..(q.4G..:....6g#.L.v.3$.'.L..wj.@._....Q....$...H..y..t....,.{....j....kEY?Qr...=.x
                                      Process:C:\Users\user\Desktop\AVKlyo045S.exe
                                      File Type:ASCII text, with CRLF line terminators
                                      Category:modified
                                      Size (bytes):26
                                      Entropy (8bit):3.95006375643621
                                      Encrypted:false
                                      SSDEEP:3:ggPYV:rPYV
                                      MD5:187F488E27DB4AF347237FE461A079AD
                                      SHA1:6693BA299EC1881249D59262276A0D2CB21F8E64
                                      SHA-256:255A65D30841AB4082BD9D0EEA79D49C5EE88F56136157D8D6156AEF11C12309
                                      SHA-512:89879F237C0C051EBE784D0690657A6827A312A82735DA42DAD5F744D734FC545BEC9642C19D14C05B2F01FF53BC731530C92F7327BB7DC9CDE1B60FB21CD64E
                                      Malicious:true
                                      Preview:[ZoneTransfer]....ZoneId=0
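                                       The first dropped file above is a Task Scheduler definition: a LogonTrigger, RunLevel HighestAvailable, ExecutionTimeLimit PT0S (no limit, so the scheduler never stops the task), Parallel instances allowed, and an Exec action pointing at the copy of the sample under AppData\Roaming\XenoManager. The Python below is an added example (it is not part of the Joe Sandbox report or of XenoRAT) that triages a task XML for exactly those markers. The sample task is reconstructed from the preview, with </Actions> and </Task> added because the preview is cut off after </Exec>; the benign task is hypothetical; and the list of user-writable path fragments is this example's own heuristic.

```python
import xml.etree.ElementTree as ET

TASK_NS = {"t": "http://schemas.microsoft.com/windows/2004/02/mit/task"}

# Path fragments a scheduled task should not normally execute from (this example's own
# heuristic list, matched case-insensitively).
USER_WRITABLE_MARKERS = (
    "\\appdata\\", "\\temp\\", "\\users\\public\\", "\\programdata\\", "\\downloads\\",
)

# Sample task reconstructed from the report's dropped-file preview; the preview is cut off
# after </Exec>, so </Actions> and </Task> are added here to make it well-formed.
SAMPLE_TASK_XML = r"""<Task xmlns='http://schemas.microsoft.com/windows/2004/02/mit/task'>
  <Triggers><LogonTrigger><Enabled>true</Enabled></LogonTrigger></Triggers>
  <Principals><Principal id='Author'>
    <LogonType>InteractiveToken</LogonType><RunLevel>HighestAvailable</RunLevel>
  </Principal></Principals>
  <Settings>
    <ExecutionTimeLimit>PT0S</ExecutionTimeLimit>
    <DisallowStartIfOnBatteries>false</DisallowStartIfOnBatteries>
    <MultipleInstancesPolicy>Parallel</MultipleInstancesPolicy>
  </Settings>
  <Actions><Exec>
    <Command>C:\Users\user\AppData\Roaming\XenoManager\AVKlyo045S.exe</Command>
  </Exec></Actions>
</Task>"""

# Hypothetical benign task (not from the report) used to show the checks stay quiet on it.
BENIGN_TASK_XML = r"""<Task xmlns='http://schemas.microsoft.com/windows/2004/02/mit/task'>
  <Triggers><CalendarTrigger><StartBoundary>2024-07-03T09:00:00</StartBoundary></CalendarTrigger></Triggers>
  <Principals><Principal id='Author'>
    <LogonType>InteractiveToken</LogonType><RunLevel>LeastPrivilege</RunLevel>
  </Principal></Principals>
  <Settings><ExecutionTimeLimit>PT1H</ExecutionTimeLimit></Settings>
  <Actions><Exec><Command>C:\Program Files\ExampleVendor\Updater.exe</Command></Exec></Actions>
</Task>"""


def triage_task(xml_text):
    """Return the list of persistence / privilege markers found in a Task Scheduler XML."""
    root = ET.fromstring(xml_text)
    findings = []

    def value(path):
        el = root.find(path, TASK_NS)
        return (el.text or "").strip() if el is not None else ""

    # Runs at every interactive logon: the classic user-level persistence trigger.
    if root.find("t:Triggers/t:LogonTrigger", TASK_NS) is not None:
        findings.append("logon-trigger")
    # HighestAvailable requests the full admin token when the user is an administrator.
    if value("t:Principals/t:Principal/t:RunLevel") == "HighestAvailable":
        findings.append("runlevel-highest")
    # PT0S disables the execution time limit, so the scheduler never kills the task.
    if value("t:Settings/t:ExecutionTimeLimit") == "PT0S":
        findings.append("no-time-limit")
    if value("t:Settings/t:DisallowStartIfOnBatteries").lower() == "false":
        findings.append("runs-on-battery")
    if value("t:Settings/t:MultipleInstancesPolicy") == "Parallel":
        findings.append("parallel-instances")
    # The action itself: a binary living in a user-writable directory.
    for cmd in root.findall("t:Actions/t:Exec/t:Command", TASK_NS):
        path = (cmd.text or "").strip().strip('"')
        if any(marker in path.lower() for marker in USER_WRITABLE_MARKERS):
            findings.append("exec-from-user-writable:" + path)
    return findings


def is_suspicious(findings):
    """A logon trigger combined with a user-writable executable is the pairing worth
    paging on; the remaining markers only raise the priority."""
    return "logon-trigger" in findings and any(
        f.startswith("exec-from-user-writable:") for f in findings
    )


if __name__ == "__main__":
    for name, xml_text in (("sample", SAMPLE_TASK_XML), ("benign", BENIGN_TASK_XML)):
        found = triage_task(xml_text)
        print(name, is_suspicious(found), found)
```

                                       On a live host the same XML is what `schtasks /query /tn <name> /xml` returns and what is stored per task under C:\Windows\System32\Tasks, so the function can be run over every file in that tree to hunt for the persistence this sample installs.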
                                      File type:PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
                                      Entropy (8bit):7.615878114216983
                                      TrID:
                                      • Win32 Executable (generic) Net Framework (10011505/4) 49.83%
                                      • Win32 Executable (generic) a (10002005/4) 49.78%
                                      • Generic CIL Executable (.NET, Mono, etc.) (73296/58) 0.36%
                                      • Generic Win/DOS Executable (2004/3) 0.01%
                                      • DOS Executable Generic (2002/1) 0.01%
                                      File name:AVKlyo045S.exe
                                      File size:240'640 bytes
                                      MD5:0dba4bed5bf4e4c327b712f723e714c5
                                      SHA1:b8609db0404983d9a7f2bc4639d93a539bb883a6
                                      SHA256:d484104256e41a509ff52bb9a5bbd7bd63aaf18e0b32b68fe3c4bfa6b81aa267
                                      SHA512:3e2d21c7f0f4a97cc491d70bef203e75c91d716706256938d6cb0171cbd8499e902b9d51be4a0afc47c602d5aebf5db22802c38aae29d0ebcd9fb29611824653
                                      SSDEEP:6144:BhTnFgUgcego6uIXCHq2MYOITuVYmE9oO8N21Tx6I:/byUTelnK2fZSVYmE9oO8N21TxP
                                      TLSH:94345A9C765476DFC86BC472DAA81CA4EA65747B530BC203E46726AD9E0C99BCF040F3
                                      File Content Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L.....wf................................. ........@.. ....................................`................................
                                      Icon Hash:34cc34374f29390d
                                      Entrypoint:0x43b2ee
                                      Entrypoint Section:.text
                                      Digitally signed:false
                                      Imagebase:0x400000
                                      Subsystem:windows gui
                                      Image File Characteristics:EXECUTABLE_IMAGE, 32BIT_MACHINE
                                      DLL Characteristics:HIGH_ENTROPY_VA, DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE
                                      Time Stamp:0x6677E081 [Sun Jun 23 08:44:49 2024 UTC]
                                      TLS Callbacks:
                                      CLR (.Net) Version:
                                      OS Version Major:4
                                      OS Version Minor:0
                                      File Version Major:4
                                      File Version Minor:0
                                      Subsystem Version Major:4
                                      Subsystem Version Minor:0
                                      Import Hash:f34d5f2d4577ed6d9ceec516c1f5a744
                                       Instruction
                                       jmp dword ptr [00402000h]
                                       add byte ptr [eax], al
                                       (the remaining bytes of the dumped entry point are zero padding, which the disassembler renders as this instruction repeated)
                                       0x402000 is the image's only IAT slot (IMAGE_DIRECTORY_ENTRY_IAT, RVA 0x2000, 8 bytes) and the only import is mscoree.dll!_CorExeMain, so this is the standard native stub of a managed executable: control passes straight to the CLR, and the program logic is CIL in the .text section rather than native code at the entry point.
                                       Name | Virtual Address | Virtual Size | Is in Section
                                       IMAGE_DIRECTORY_ENTRY_EXPORT | 0x0 | 0x0 |
                                       IMAGE_DIRECTORY_ENTRY_IMPORT | 0x3b298 | 0x53 | .text
                                       IMAGE_DIRECTORY_ENTRY_RESOURCE | 0x3c000 | 0x1223 | .rsrc
                                       IMAGE_DIRECTORY_ENTRY_EXCEPTION | 0x0 | 0x0 |
                                       IMAGE_DIRECTORY_ENTRY_SECURITY | 0x0 | 0x0 |
                                       IMAGE_DIRECTORY_ENTRY_BASERELOC | 0x3e000 | 0xc | .reloc
                                       IMAGE_DIRECTORY_ENTRY_DEBUG | 0x0 | 0x0 |
                                       IMAGE_DIRECTORY_ENTRY_COPYRIGHT | 0x0 | 0x0 |
                                       IMAGE_DIRECTORY_ENTRY_GLOBALPTR | 0x0 | 0x0 |
                                       IMAGE_DIRECTORY_ENTRY_TLS | 0x0 | 0x0 |
                                       IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG | 0x0 | 0x0 |
                                       IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT | 0x0 | 0x0 |
                                       IMAGE_DIRECTORY_ENTRY_IAT | 0x2000 | 0x8 | .text
                                       IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT | 0x0 | 0x0 |
                                       IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR | 0x2008 | 0x48 | .text
                                       IMAGE_DIRECTORY_ENTRY_RESERVED | 0x0 | 0x0 |
                                       Name | Virtual Address | Virtual Size | Raw Size | MD5 | Xored PE | ZLIB Complexity | File Type | Entropy | Characteristics
                                       .text | 0x2000 | 0x392f4 | 0x39400 | b4f190336dc70c5a474d674779bbd314 | False | 0.8312465884279476 | data | 7.650287897774288 | IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
                                       .rsrc | 0x3c000 | 0x1223 | 0x1400 | a226d904740c252958aacc2ac4803c42 | False | 0.34140625 | data | 4.528411472952591 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
                                       .reloc | 0x3e000 | 0xc | 0x200 | 20235e37d0ce43a395e6ac1a8f8c6331 | False | 0.044921875 | data | 0.10191042566270775 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ
                                       Name | RVA | Size | Type | Language | Country | ZLIB Complexity
                                       RT_ICON | 0x3c130 | 0x468 | Device independent bitmap graphic, 16 x 32 x 32, image size 1024 | | | 0.3191489361702128
                                       RT_GROUP_ICON | 0x3c598 | 0x14 | data | | | 1.1
                                       RT_VERSION | 0x3c5ac | 0x3a4 | data | | | 0.40665236051502146
                                       RT_MANIFEST | 0x3c950 | 0x8d3 | XML 1.0 document, Unicode text, UTF-8 (with BOM) text, with CRLF line terminators | | | 0.3935369632580788
                                       DLL | Import
                                       mscoree.dll | _CorExeMain
                                       Timestamp | Source Port | Dest Port | Source IP | Dest IP
                                       Jul 3, 2024 15:41:09.091672897 CEST | 49714 | 1280 | 192.168.2.8 | 91.92.248.167
                                       Jul 3, 2024 15:41:09.096685886 CEST | 1280 | 49714 | 91.92.248.167 | 192.168.2.8
                                       Jul 3, 2024 15:41:09.096767902 CEST | 49714 | 1280 | 192.168.2.8 | 91.92.248.167
                                       Jul 3, 2024 15:41:13.194657087 CEST | 1280 | 49714 | 91.92.248.167 | 192.168.2.8
                                       Jul 3, 2024 15:41:13.194787979 CEST | 49714 | 1280 | 192.168.2.8 | 91.92.248.167
                                       Jul 3, 2024 15:41:23.205809116 CEST | 49715 | 1280 | 192.168.2.8 | 91.92.248.167
                                       Jul 3, 2024 15:41:23.211098909 CEST | 1280 | 49715 | 91.92.248.167 | 192.168.2.8
                                       Jul 3, 2024 15:41:23.211198092 CEST | 49715 | 1280 | 192.168.2.8 | 91.92.248.167
                                       Jul 3, 2024 15:41:24.963444948 CEST | 1280 | 49715 | 91.92.248.167 | 192.168.2.8
                                       Jul 3, 2024 15:41:24.963587046 CEST | 49715 | 1280 | 192.168.2.8 | 91.92.248.167
                                       Jul 3, 2024 15:41:34.969453096 CEST | 49716 | 1280 | 192.168.2.8 | 91.92.248.167
                                       Jul 3, 2024 15:41:34.974518061 CEST | 1280 | 49716 | 91.92.248.167 | 192.168.2.8
                                       Jul 3, 2024 15:41:34.974714041 CEST | 49716 | 1280 | 192.168.2.8 | 91.92.248.167
                                       Jul 3, 2024 15:41:36.588385105 CEST | 1280 | 49716 | 91.92.248.167 | 192.168.2.8
                                       Jul 3, 2024 15:41:36.588470936 CEST | 49716 | 1280 | 192.168.2.8 | 91.92.248.167
                                       Jul 3, 2024 15:41:38.451961994 CEST | 49717 | 1280 | 192.168.2.8 | 91.92.248.167
                                       Jul 3, 2024 15:41:38.456954956 CEST | 1280 | 49717 | 91.92.248.167 | 192.168.2.8
                                       Jul 3, 2024 15:41:38.457052946 CEST | 49717 | 1280 | 192.168.2.8 | 91.92.248.167
                                       Jul 3, 2024 15:41:40.102658033 CEST | 1280 | 49717 | 91.92.248.167 | 192.168.2.8
                                       Jul 3, 2024 15:41:40.102869987 CEST | 49717 | 1280 | 192.168.2.8 | 91.92.248.167
                                       Jul 3, 2024 15:41:40.898669004 CEST | 49718 | 1280 | 192.168.2.8 | 91.92.248.167
                                       Jul 3, 2024 15:41:40.903585911 CEST | 1280 | 49718 | 91.92.248.167 | 192.168.2.8
                                       Jul 3, 2024 15:41:40.903794050 CEST | 49718 | 1280 | 192.168.2.8 | 91.92.248.167
                                       Jul 3, 2024 15:41:42.543181896 CEST | 1280 | 49718 | 91.92.248.167 | 192.168.2.8
                                       Jul 3, 2024 15:41:42.543319941 CEST | 49718 | 1280 | 192.168.2.8 | 91.92.248.167
                                       Jul 3, 2024 15:41:52.551651955 CEST | 49719 | 1280 | 192.168.2.8 | 91.92.248.167
                                       Jul 3, 2024 15:41:52.556612968 CEST | 1280 | 49719 | 91.92.248.167 | 192.168.2.8
                                       Jul 3, 2024 15:41:52.563154936 CEST | 49719 | 1280 | 192.168.2.8 | 91.92.248.167
                                       Jul 3, 2024 15:41:54.193907976 CEST | 1280 | 49719 | 91.92.248.167 | 192.168.2.8
                                       Jul 3, 2024 15:41:54.193993092 CEST | 49719 | 1280 | 192.168.2.8 | 91.92.248.167
                                       Jul 3, 2024 15:41:58.976795912 CEST | 49720 | 1280 | 192.168.2.8 | 91.92.248.167
                                       Jul 3, 2024 15:41:58.981811047 CEST | 1280 | 49720 | 91.92.248.167 | 192.168.2.8
                                       Jul 3, 2024 15:41:58.981940031 CEST | 49720 | 1280 | 192.168.2.8 | 91.92.248.167
                                       Jul 3, 2024 15:42:00.611129999 CEST | 1280 | 49720 | 91.92.248.167 | 192.168.2.8
                                       Jul 3, 2024 15:42:00.611252069 CEST | 49720 | 1280 | 192.168.2.8 | 91.92.248.167
                                       Jul 3, 2024 15:42:10.606899023 CEST | 49721 | 1280 | 192.168.2.8 | 91.92.248.167
                                       Jul 3, 2024 15:42:10.669348955 CEST | 1280 | 49721 | 91.92.248.167 | 192.168.2.8
                                       Jul 3, 2024 15:42:10.669425011 CEST | 49721 | 1280 | 192.168.2.8 | 91.92.248.167
                                       Jul 3, 2024 15:42:12.310199976 CEST | 1280 | 49721 | 91.92.248.167 | 192.168.2.8
                                       Jul 3, 2024 15:42:12.313067913 CEST | 49721 | 1280 | 192.168.2.8 | 91.92.248.167
                                       Jul 3, 2024 15:42:18.242381096 CEST | 49722 | 1280 | 192.168.2.8 | 91.92.248.167
                                       Jul 3, 2024 15:42:18.247365952 CEST | 1280 | 49722 | 91.92.248.167 | 192.168.2.8
                                       Jul 3, 2024 15:42:18.247452021 CEST | 49722 | 1280 | 192.168.2.8 | 91.92.248.167
                                       Jul 3, 2024 15:42:19.853470087 CEST | 1280 | 49722 | 91.92.248.167 | 192.168.2.8
                                       Jul 3, 2024 15:42:19.853646994 CEST | 49722 | 1280 | 192.168.2.8 | 91.92.248.167
                                       Jul 3, 2024 15:42:23.008183956 CEST | 49723 | 1280 | 192.168.2.8 | 91.92.248.167
                                       Jul 3, 2024 15:42:23.013216019 CEST | 1280 | 49723 | 91.92.248.167 | 192.168.2.8
                                       Jul 3, 2024 15:42:23.013431072 CEST | 49723 | 1280 | 192.168.2.8 | 91.92.248.167
                                       Jul 3, 2024 15:42:24.637140036 CEST | 1280 | 49723 | 91.92.248.167 | 192.168.2.8
                                       Jul 3, 2024 15:42:24.637247086 CEST | 49723 | 1280 | 192.168.2.8 | 91.92.248.167
                                       Jul 3, 2024 15:42:25.242630005 CEST | 49724 | 1280 | 192.168.2.8 | 91.92.248.167
                                       Jul 3, 2024 15:42:25.247734070 CEST | 1280 | 49724 | 91.92.248.167 | 192.168.2.8
                                       Jul 3, 2024 15:42:25.247824907 CEST | 49724 | 1280 | 192.168.2.8 | 91.92.248.167
                                       Jul 3, 2024 15:42:26.868441105 CEST | 1280 | 49724 | 91.92.248.167 | 192.168.2.8
                                       Jul 3, 2024 15:42:26.868555069 CEST | 49724 | 1280 | 192.168.2.8 | 91.92.248.167
                                       Jul 3, 2024 15:42:30.023813963 CEST | 49725 | 1280 | 192.168.2.8 | 91.92.248.167
                                       Jul 3, 2024 15:42:30.028753042 CEST | 1280 | 49725 | 91.92.248.167 | 192.168.2.8
                                       Jul 3, 2024 15:42:30.029138088 CEST | 49725 | 1280 | 192.168.2.8 | 91.92.248.167
                                       Jul 3, 2024 15:42:31.670830011 CEST | 1280 | 49725 | 91.92.248.167 | 192.168.2.8
                                       Jul 3, 2024 15:42:31.670989037 CEST | 49725 | 1280 | 192.168.2.8 | 91.92.248.167
                                       Jul 3, 2024 15:42:41.664484978 CEST | 49726 | 1280 | 192.168.2.8 | 91.92.248.167
                                       Jul 3, 2024 15:42:41.669553995 CEST | 1280 | 49726 | 91.92.248.167 | 192.168.2.8
                                       Jul 3, 2024 15:42:41.669677019 CEST | 49726 | 1280 | 192.168.2.8 | 91.92.248.167
                                       Jul 3, 2024 15:42:48.697829962 CEST | 1280 | 49726 | 91.92.248.167 | 192.168.2.8
                                       Jul 3, 2024 15:42:48.698014021 CEST | 49726 | 1280 | 192.168.2.8 | 91.92.248.167
                                       Jul 3, 2024 15:42:58.709152937 CEST | 49727 | 1280 | 192.168.2.8 | 91.92.248.167
                                       Jul 3, 2024 15:42:58.714179039 CEST | 1280 | 49727 | 91.92.248.167 | 192.168.2.8
                                       Jul 3, 2024 15:42:58.714298010 CEST | 49727 | 1280 | 192.168.2.8 | 91.92.248.167
                                       Jul 3, 2024 15:43:12.261990070 CEST | 1280 | 49727 | 91.92.248.167 | 192.168.2.8
                                       Jul 3, 2024 15:43:12.262190104 CEST | 49727 | 1280 | 192.168.2.8 | 91.92.248.167
                                       Jul 3, 2024 15:43:20.417140961 CEST | 49728 | 1280 | 192.168.2.8 | 91.92.248.167
                                       Jul 3, 2024 15:43:20.422182083 CEST | 1280 | 49728 | 91.92.248.167 | 192.168.2.8
                                       Jul 3, 2024 15:43:20.422266960 CEST | 49728 | 1280 | 192.168.2.8 | 91.92.248.167
                                       Jul 3, 2024 15:43:22.040679932 CEST | 1280 | 49728 | 91.92.248.167 | 192.168.2.8
                                       Jul 3, 2024 15:43:22.040766954 CEST | 49728 | 1280 | 192.168.2.8 | 91.92.248.167
                                       Jul 3, 2024 15:43:30.805135012 CEST | 49729 | 1280 | 192.168.2.8 | 91.92.248.167
                                       Jul 3, 2024 15:43:30.810091019 CEST | 1280 | 49729 | 91.92.248.167 | 192.168.2.8
                                       Jul 3, 2024 15:43:30.810242891 CEST | 49729 | 1280 | 192.168.2.8 | 91.92.248.167
                                       Jul 3, 2024 15:43:34.837483883 CEST | 1280 | 49729 | 91.92.248.167 | 192.168.2.8
                                       Jul 3, 2024 15:43:34.837673903 CEST | 49729 | 1280 | 192.168.2.8 | 91.92.248.167
                                       Jul 3, 2024 15:43:34.945718050 CEST | 49730 | 1280 | 192.168.2.8 | 91.92.248.167
                                       Jul 3, 2024 15:43:34.951765060 CEST | 1280 | 49730 | 91.92.248.167 | 192.168.2.8
                                       Jul 3, 2024 15:43:34.951889992 CEST | 49730 | 1280 | 192.168.2.8 | 91.92.248.167
                                       Jul 3, 2024 15:43:36.563587904 CEST | 1280 | 49730 | 91.92.248.167 | 192.168.2.8
                                       Jul 3, 2024 15:43:36.563678026 CEST | 49730 | 1280 | 192.168.2.8 | 91.92.248.167
                                       Jul 3, 2024 15:43:39.945493937 CEST | 49731 | 1280 | 192.168.2.8 | 91.92.248.167
                                       Jul 3, 2024 15:43:39.950629950 CEST | 1280 | 49731 | 91.92.248.167 | 192.168.2.8
                                       Jul 3, 2024 15:43:39.950715065 CEST | 49731 | 1280 | 192.168.2.8 | 91.92.248.167
                                       Jul 3, 2024 15:43:41.571697950 CEST | 1280 | 49731 | 91.92.248.167 | 192.168.2.8
                                       Jul 3, 2024 15:43:41.571861029 CEST | 49731 | 1280 | 192.168.2.8 | 91.92.248.167
                                       Jul 3, 2024 15:43:51.571695089 CEST | 49732 | 1280 | 192.168.2.8 | 91.92.248.167
                                       Jul 3, 2024 15:43:51.577642918 CEST | 1280 | 49732 | 91.92.248.167 | 192.168.2.8
                                       Jul 3, 2024 15:43:51.579881907 CEST | 49732 | 1280 | 192.168.2.8 | 91.92.248.167
                                       Jul 3, 2024 15:43:53.198729992 CEST | 1280 | 49732 | 91.92.248.167 | 192.168.2.8
                                       Jul 3, 2024 15:43:53.199171066 CEST | 49732 | 1280 | 192.168.2.8 | 91.92.248.167
                                       Jul 3, 2024 15:43:53.697180986 CEST | 49733 | 1280 | 192.168.2.8 | 91.92.248.167
                                       Jul 3, 2024 15:43:53.702334881 CEST | 1280 | 49733 | 91.92.248.167 | 192.168.2.8
                                       Jul 3, 2024 15:43:53.702533960 CEST | 49733 | 1280 | 192.168.2.8 | 91.92.248.167
                                       Jul 3, 2024 15:43:55.604541063 CEST | 1280 | 49733 | 91.92.248.167 | 192.168.2.8
                                       Jul 3, 2024 15:43:55.604619980 CEST | 49733 | 1280 | 192.168.2.8 | 91.92.248.167
                                       Jul 3, 2024 15:43:55.605134964 CEST | 1280 | 49733 | 91.92.248.167 | 192.168.2.8
                                       Jul 3, 2024 15:43:55.605194092 CEST | 49733 | 1280 | 192.168.2.8 | 91.92.248.167
                                       Jul 3, 2024 15:43:55.883152008 CEST | 49734 | 1280 | 192.168.2.8 | 91.92.248.167
                                       Jul 3, 2024 15:43:55.900085926 CEST | 1280 | 49734 | 91.92.248.167 | 192.168.2.8
                                       Jul 3, 2024 15:43:55.900197983 CEST | 49734 | 1280 | 192.168.2.8 | 91.92.248.167
                                       Jul 3, 2024 15:43:57.527151108 CEST | 1280 | 49734 | 91.92.248.167 | 192.168.2.8
                                       Jul 3, 2024 15:43:57.527245998 CEST | 49734 | 1280 | 192.168.2.8 | 91.92.248.167
                                       Jul 3, 2024 15:44:07.529158115 CEST | 49735 | 1280 | 192.168.2.8 | 91.92.248.167
                                       Jul 3, 2024 15:44:07.534145117 CEST | 1280 | 49735 | 91.92.248.167 | 192.168.2.8
                                       Jul 3, 2024 15:44:07.537252903 CEST | 49735 | 1280 | 192.168.2.8 | 91.92.248.167
                                       Jul 3, 2024 15:44:09.150528908 CEST | 1280 | 49735 | 91.92.248.167 | 192.168.2.8
                                       Jul 3, 2024 15:44:09.153158903 CEST | 49735 | 1280 | 192.168.2.8 | 91.92.248.167
                                       Jul 3, 2024 15:44:09.274013042 CEST | 49736 | 1280 | 192.168.2.8 | 91.92.248.167
                                       Jul 3, 2024 15:44:09.279335976 CEST | 1280 | 49736 | 91.92.248.167 | 192.168.2.8
                                       Jul 3, 2024 15:44:09.279814959 CEST | 49736 | 1280 | 192.168.2.8 | 91.92.248.167
                                       Jul 3, 2024 15:44:10.921499968 CEST | 1280 | 49736 | 91.92.248.167 | 192.168.2.8
                                       Jul 3, 2024 15:44:10.921583891 CEST | 49736 | 1280 | 192.168.2.8 | 91.92.248.167
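                                       The table records 23 connections from successive ephemeral ports (49714 to 49736), every one of them to 91.92.248.167 on TCP port 1280, the only endpoint contacted during the run. Each follows the same shape: a three-packet handshake, a packet from the server about 1.6 seconds later, a client reply, then silence until the client opens the next connection. That is the reconnect loop of a RAT client rather than anything a user-driven application produces. The Python below is an added example (not part of the report) that parses packet rows in this table's format, groups them into client-initiated connections and flags the two things a detection engineer would pull out: the non-standard server port and the repeated short-lived connections to one endpoint. The first five connections are embedded as input with " | " separators added to the report's values; the port allowlist and the thresholds are this example's own choices.

```python
import re
from statistics import median

# Packet rows copied from the report's network table (the first five connections); the
# " | " separators are added here for parsing, every value is the report's own. All rows
# carry the same timezone (CEST), so it is ignored.
PACKET_ROWS = """\
Jul 3, 2024 15:41:09.091672897 CEST | 49714 | 1280 | 192.168.2.8 | 91.92.248.167
Jul 3, 2024 15:41:09.096685886 CEST | 1280 | 49714 | 91.92.248.167 | 192.168.2.8
Jul 3, 2024 15:41:09.096767902 CEST | 49714 | 1280 | 192.168.2.8 | 91.92.248.167
Jul 3, 2024 15:41:13.194657087 CEST | 1280 | 49714 | 91.92.248.167 | 192.168.2.8
Jul 3, 2024 15:41:13.194787979 CEST | 49714 | 1280 | 192.168.2.8 | 91.92.248.167
Jul 3, 2024 15:41:23.205809116 CEST | 49715 | 1280 | 192.168.2.8 | 91.92.248.167
Jul 3, 2024 15:41:23.211098909 CEST | 1280 | 49715 | 91.92.248.167 | 192.168.2.8
Jul 3, 2024 15:41:23.211198092 CEST | 49715 | 1280 | 192.168.2.8 | 91.92.248.167
Jul 3, 2024 15:41:24.963444948 CEST | 1280 | 49715 | 91.92.248.167 | 192.168.2.8
Jul 3, 2024 15:41:24.963587046 CEST | 49715 | 1280 | 192.168.2.8 | 91.92.248.167
Jul 3, 2024 15:41:34.969453096 CEST | 49716 | 1280 | 192.168.2.8 | 91.92.248.167
Jul 3, 2024 15:41:34.974518061 CEST | 1280 | 49716 | 91.92.248.167 | 192.168.2.8
Jul 3, 2024 15:41:34.974714041 CEST | 49716 | 1280 | 192.168.2.8 | 91.92.248.167
Jul 3, 2024 15:41:36.588385105 CEST | 1280 | 49716 | 91.92.248.167 | 192.168.2.8
Jul 3, 2024 15:41:36.588470936 CEST | 49716 | 1280 | 192.168.2.8 | 91.92.248.167
Jul 3, 2024 15:41:38.451961994 CEST | 49717 | 1280 | 192.168.2.8 | 91.92.248.167
Jul 3, 2024 15:41:38.456954956 CEST | 1280 | 49717 | 91.92.248.167 | 192.168.2.8
Jul 3, 2024 15:41:38.457052946 CEST | 49717 | 1280 | 192.168.2.8 | 91.92.248.167
Jul 3, 2024 15:41:40.102658033 CEST | 1280 | 49717 | 91.92.248.167 | 192.168.2.8
Jul 3, 2024 15:41:40.102869987 CEST | 49717 | 1280 | 192.168.2.8 | 91.92.248.167
Jul 3, 2024 15:41:40.898669004 CEST | 49718 | 1280 | 192.168.2.8 | 91.92.248.167
Jul 3, 2024 15:41:40.903585911 CEST | 1280 | 49718 | 91.92.248.167 | 192.168.2.8
Jul 3, 2024 15:41:40.903794050 CEST | 49718 | 1280 | 192.168.2.8 | 91.92.248.167
Jul 3, 2024 15:41:42.543181896 CEST | 1280 | 49718 | 91.92.248.167 | 192.168.2.8
Jul 3, 2024 15:41:42.543319941 CEST | 49718 | 1280 | 192.168.2.8 | 91.92.248.167
"""

ROW_RE = re.compile(
    r"^\w{3} \d{1,2}, \d{4} (\d{2}):(\d{2}):(\d{2})\.(\d+) \w+ \| "
    r"(\d+) \| (\d+) \| ([\d.]+) \| ([\d.]+)$"
)

# Server ports a workstation is expected to reach; anything else counts as non-standard
# for this check (this example's own allowlist).
COMMON_SERVER_PORTS = {53, 80, 443, 8080, 8443}


def parse_rows(text):
    """Parse rows into dicts. The timestamp becomes seconds since midnight: the 9-digit
    fraction exceeds what strptime's %f accepts, so the parts are combined by hand."""
    rows = []
    for line in text.splitlines():
        m = ROW_RE.match(line)
        if not m:
            continue
        hh, mm, ss, frac, sport, dport, src, dst = m.groups()
        t = int(hh) * 3600 + int(mm) * 60 + int(ss) + float("0." + frac)
        rows.append({"t": t, "sport": int(sport), "dport": int(dport), "src": src, "dst": dst})
    return rows


def connections(rows, client_ip):
    """Group packets into client-initiated connections keyed by (client port, server ip,
    server port); packets in both directions of a flow land in the same bucket."""
    conns = {}
    for r in rows:
        if r["src"] == client_ip:
            key, server = (r["sport"], r["dst"], r["dport"]), (r["dst"], r["dport"])
        elif r["dst"] == client_ip:
            key, server = (r["dport"], r["src"], r["sport"]), (r["src"], r["sport"])
        else:
            continue
        c = conns.setdefault(key, {"server": server, "first": r["t"], "last": r["t"], "packets": 0})
        c["first"], c["last"] = min(c["first"], r["t"]), max(c["last"], r["t"])
        c["packets"] += 1
    return sorted(conns.values(), key=lambda c: c["first"])


def summarize(rows, client_ip):
    """Per-client summary: connection count, endpoints, durations, gaps between
    successive connection starts, and the flags a detection would raise."""
    conns = connections(rows, client_ip)
    starts = [c["first"] for c in conns]
    summary = {
        "connections": len(conns),
        "servers": {c["server"] for c in conns},
        "durations": [round(c["last"] - c["first"], 3) for c in conns],
        "gaps": [round(b - a, 3) for a, b in zip(starts, starts[1:])],
        "flags": [],
    }
    if any(port not in COMMON_SERVER_PORTS for _, port in summary["servers"]):
        summary["flags"].append("non-standard-port")
    # A client that keeps opening fresh, short connections to a single endpoint is
    # characteristic of a RAT retrying or polling its C2, not of a browsing user.
    if len(conns) >= 3 and len(summary["servers"]) == 1 and median(summary["durations"]) < 10:
        summary["flags"].append("reconnect-loop")
    return summary


if __name__ == "__main__":
    print(summarize(parse_rows(PACKET_ROWS), "192.168.2.8"))
```

                                       The grouping key deliberately includes the server endpoint, so a host that reuses an ephemeral port against two different servers is not merged into one flow; on a real capture the same logic runs over a Zeek conn.log or a firewall export once the five fields are mapped. The connection gaps in this run are irregular (roughly 2 to 22 seconds), which is why the check keys on connection count, endpoint reuse and short duration rather than on a fixed beacon interval.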

                                      Target ID:1
                                      Start time:09:40:02
                                      Start date:03/07/2024
                                      Path:C:\Users\user\Desktop\AVKlyo045S.exe
                                      Wow64 process (32bit):true
                                      Commandline:"C:\Users\user\Desktop\AVKlyo045S.exe"
                                      Imagebase:0x170000
                                      File size:240'640 bytes
                                      MD5 hash:0DBA4BED5BF4E4C327B712F723E714C5
                                      Has elevated privileges:true
                                      Has administrator privileges:true
                                      Programmed in:C, C++ or other language
                                      Yara matches:
                                      • Rule: JoeSecurity_XenoRAT, Description: Yara detected XenoRAT, Source: 00000001.00000002.1458741464.00000000026DA000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                      • Rule: JoeSecurity_XenoRAT, Description: Yara detected XenoRAT, Source: 00000001.00000002.1458741464.00000000026E7000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                      • Rule: JoeSecurity_XenoRAT, Description: Yara detected XenoRAT, Source: 00000001.00000002.1458741464.00000000024C1000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                      Reputation:low
                                      Has exited:true

                                      Target ID:2
                                      Start time:09:40:03
                                      Start date:03/07/2024
                                      Path:C:\Users\user\Desktop\AVKlyo045S.exe
                                      Wow64 process (32bit):true
                                      Commandline:C:\Users\user\Desktop\AVKlyo045S.exe
                                      Imagebase:0xb0000
                                      File size:240'640 bytes
                                      MD5 hash:0DBA4BED5BF4E4C327B712F723E714C5
                                      Has elevated privileges:true
                                      Has administrator privileges:true
                                      Programmed in:C, C++ or other language
                                      Reputation:low
                                      Has exited:false

                                      Target ID:3
                                      Start time:09:40:03
                                      Start date:03/07/2024
                                      Path:C:\Users\user\Desktop\AVKlyo045S.exe
                                      Wow64 process (32bit):true
                                      Commandline:C:\Users\user\Desktop\AVKlyo045S.exe
                                      Imagebase:0x310000
                                      File size:240'640 bytes
                                      MD5 hash:0DBA4BED5BF4E4C327B712F723E714C5
                                      Has elevated privileges:true
                                      Has administrator privileges:true
                                      Programmed in:C, C++ or other language
                                      Reputation:low
                                      Has exited:false

                                      Target ID:5
                                      Start time:09:40:03
                                      Start date:03/07/2024
                                      Path:C:\Users\user\Desktop\AVKlyo045S.exe
                                      Wow64 process (32bit):true
                                      Commandline:C:\Users\user\Desktop\AVKlyo045S.exe
                                      Imagebase:0x430000
                                      File size:240'640 bytes
                                      MD5 hash:0DBA4BED5BF4E4C327B712F723E714C5
                                      Has elevated privileges:true
                                      Has administrator privileges:true
                                      Programmed in:C, C++ or other language
                                      Yara matches:
                                      • Rule: JoeSecurity_XenoRAT, Description: Yara detected XenoRAT, Source: 00000005.00000002.1457010386.0000000000402000.00000040.00000400.00020000.00000000.sdmp, Author: Joe Security
                                      Reputation:low
                                      Has exited:true

                                      Target ID:6
                                      Start time:09:40:04
                                      Start date:03/07/2024
                                      Path:C:\Users\user\AppData\Roaming\XenoManager\AVKlyo045S.exe
                                      Wow64 process (32bit):true
                                      Commandline:"C:\Users\user\AppData\Roaming\XenoManager\AVKlyo045S.exe"
                                      Imagebase:0x7ff6ee680000
                                      File size:240'640 bytes
                                      MD5 hash:0DBA4BED5BF4E4C327B712F723E714C5
                                      Has elevated privileges:true
                                      Has administrator privileges:true
                                      Programmed in:C, C++ or other language
                                      Yara matches:
                                      • Rule: JoeSecurity_XenoRAT, Description: Yara detected XenoRAT, Source: 00000006.00000002.1475423833.0000000002D46000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                      • Rule: JoeSecurity_XenoRAT, Description: Yara detected XenoRAT, Source: 00000006.00000002.1475423833.0000000002D55000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                      • Rule: JoeSecurity_XenoRAT, Description: Yara detected XenoRAT, Source: 00000006.00000002.1475423833.0000000002B21000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                      Antivirus matches:
                                      • Detection: 100%, Joe Sandbox ML
                                      • Detection: 88%, ReversingLabs
                                      Reputation:low
                                      Has exited:true

                                      Target ID:9
                                      Start time:09:40:04
                                      Start date:03/07/2024
                                      Path:C:\Windows\SysWOW64\WerFault.exe
                                      Wow64 process (32bit):true
                                      Commandline:C:\Windows\SysWOW64\WerFault.exe -u -p 2848 -s 80
                                      Imagebase:0x520000
                                      File size:483'680 bytes
                                      MD5 hash:C31336C1EFC2CCB44B4326EA793040F2
                                      Has elevated privileges:true
                                      Has administrator privileges:true
                                      Programmed in:C, C++ or other language
                                      Reputation:high
                                      Has exited:true

                                      Target ID:10
                                      Start time:09:40:04
                                      Start date:03/07/2024
                                      Path:C:\Windows\SysWOW64\WerFault.exe
                                      Wow64 process (32bit):true
                                      Commandline:C:\Windows\SysWOW64\WerFault.exe -u -p 6108 -s 80
                                      Imagebase:0x520000
                                      File size:483'680 bytes
                                      MD5 hash:C31336C1EFC2CCB44B4326EA793040F2
                                      Has elevated privileges:true
                                      Has administrator privileges:true
                                      Programmed in:C, C++ or other language
                                      Reputation:high
                                      Has exited:true

                                      Target ID:11
                                      Start time:09:40:05
                                      Start date:03/07/2024
                                      Path:C:\Users\user\AppData\Roaming\XenoManager\AVKlyo045S.exe
                                      Wow64 process (32bit):true
                                      Commandline:C:\Users\user\AppData\Roaming\XenoManager\AVKlyo045S.exe
                                      Imagebase:0xe30000
                                      File size:240'640 bytes
                                      MD5 hash:0DBA4BED5BF4E4C327B712F723E714C5
                                      Has elevated privileges:true
                                      Has administrator privileges:true
                                      Programmed in:C, C++ or other language
                                      Reputation:low
                                      Has exited:false

                                      Target ID:12
                                      Start time:09:40:05
                                      Start date:03/07/2024
                                      Path:C:\Users\user\AppData\Roaming\XenoManager\AVKlyo045S.exe
                                      Wow64 process (32bit):true
                                      Commandline:C:\Users\user\AppData\Roaming\XenoManager\AVKlyo045S.exe
                                      Imagebase:0x9d0000
                                      File size:240'640 bytes
                                      MD5 hash:0DBA4BED5BF4E4C327B712F723E714C5
                                      Has elevated privileges:true
                                      Has administrator privileges:true
                                      Programmed in:C, C++ or other language
                                      Reputation:low
                                      Has exited:true

                                      Target ID:13
                                      Start time:09:40:05
                                      Start date:03/07/2024
                                      Path:C:\Users\user\AppData\Roaming\XenoManager\AVKlyo045S.exe
                                      Wow64 process (32bit):true
                                      Commandline:C:\Users\user\AppData\Roaming\XenoManager\AVKlyo045S.exe
                                      Imagebase:0x300000
                                      File size:240'640 bytes
                                      MD5 hash:0DBA4BED5BF4E4C327B712F723E714C5
                                      Has elevated privileges:true
                                      Has administrator privileges:true
                                      Programmed in:C, C++ or other language
                                      Reputation:low
                                      Has exited:false

                                      Target ID:15
                                      Start time:09:40:05
                                      Start date:03/07/2024
                                      Path:C:\Windows\SysWOW64\WerFault.exe
                                      Wow64 process (32bit):true
                                      Commandline:C:\Windows\SysWOW64\WerFault.exe -u -p 6012 -s 80
                                      Imagebase:0x520000
                                      File size:483'680 bytes
                                      MD5 hash:C31336C1EFC2CCB44B4326EA793040F2
                                      Has elevated privileges:true
                                      Has administrator privileges:true
                                      Programmed in:C, C++ or other language
                                      Reputation:high
                                      Has exited:true

                                      Target ID:20
                                      Start time:09:41:05
                                      Start date:03/07/2024
                                      Path:C:\Windows\SysWOW64\schtasks.exe
                                      Wow64 process (32bit):true
                                      Commandline:"schtasks.exe" /Create /TN "cms" /XML "C:\Users\user\AppData\Local\Temp\tmpCEF4.tmp" /F
                                      Imagebase:0x530000
                                      File size:187'904 bytes
                                      MD5 hash:48C2FE20575769DE916F48EF0676A965
                                      Has elevated privileges:true
                                      Has administrator privileges:true
                                      Programmed in:C, C++ or other language
                                      Reputation:high
                                      Has exited:true

                                      Target ID:21
                                      Start time:09:41:05
                                      Start date:03/07/2024
                                      Path:C:\Windows\System32\conhost.exe
                                      Wow64 process (32bit):false
                                      Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                      Imagebase:0x7ff6ee680000
                                      File size:862'208 bytes
                                      MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                      Has elevated privileges:true
                                      Has administrator privileges:true
                                      Programmed in:C, C++ or other language
                                      Reputation:high
                                      Has exited:true

                                      Target ID:22
                                      Start time:09:41:06
                                      Start date:03/07/2024
                                      Path:C:\Users\user\AppData\Roaming\XenoManager\AVKlyo045S.exe
                                      Wow64 process (32bit):true
                                      Commandline:C:\Users\user\AppData\Roaming\XenoManager\AVKlyo045S.exe
                                      Imagebase:0xc70000
                                      File size:240'640 bytes
                                      MD5 hash:0DBA4BED5BF4E4C327B712F723E714C5
                                      Has elevated privileges:true
                                      Has administrator privileges:true
                                      Programmed in:C, C++ or other language
                                      Yara matches:
                                      • Rule: JoeSecurity_XenoRAT, Description: Yara detected XenoRAT, Source: 00000016.00000002.2098007355.0000000003151000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                      • Rule: JoeSecurity_XenoRAT, Description: Yara detected XenoRAT, Source: 00000016.00000002.2098007355.0000000003160000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                      • Rule: JoeSecurity_XenoRAT, Description: Yara detected XenoRAT, Source: 00000016.00000002.2098007355.0000000002F41000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                      Reputation:low
                                      Has exited:true

                                      Target ID:23
                                      Start time:09:41:07
                                      Start date:03/07/2024
                                      Path:C:\Users\user\AppData\Roaming\XenoManager\AVKlyo045S.exe
                                      Wow64 process (32bit):true
                                      Commandline:C:\Users\user\AppData\Roaming\XenoManager\AVKlyo045S.exe
                                      Imagebase:0xed0000
                                      File size:240'640 bytes
                                      MD5 hash:0DBA4BED5BF4E4C327B712F723E714C5
                                      Has elevated privileges:true
                                      Has administrator privileges:true
                                      Programmed in:C, C++ or other language
                                      Reputation:low
                                      Has exited:true

                                      Target ID:24
                                      Start time:09:41:07
                                      Start date:03/07/2024
                                      Path:C:\Users\user\AppData\Roaming\XenoManager\AVKlyo045S.exe
                                      Wow64 process (32bit):true
                                      Commandline:C:\Users\user\AppData\Roaming\XenoManager\AVKlyo045S.exe
                                      Imagebase:0xa20000
                                      File size:240'640 bytes
                                      MD5 hash:0DBA4BED5BF4E4C327B712F723E714C5
                                      Has elevated privileges:true
                                      Has administrator privileges:true
                                      Programmed in:C, C++ or other language
                                      Reputation:low
                                      Has exited:true

                                      Target ID:25
                                      Start time:09:41:07
                                      Start date:03/07/2024
                                      Path:C:\Users\user\AppData\Roaming\XenoManager\AVKlyo045S.exe
                                      Wow64 process (32bit):true
                                      Commandline:C:\Users\user\AppData\Roaming\XenoManager\AVKlyo045S.exe
                                      Imagebase:0xd90000
                                      File size:240'640 bytes
                                      MD5 hash:0DBA4BED5BF4E4C327B712F723E714C5
                                      Has elevated privileges:true
                                      Has administrator privileges:true
                                      Programmed in:C, C++ or other language
                                      Reputation:low
                                      Has exited:true


                                        Execution Graph

                                        Execution Coverage:21.8%
                                        Dynamic/Decrypted Code Coverage:100%
                                        Signature Coverage:18.6%
                                        Total number of Nodes:183
                                        Total number of Limit Nodes:7

                                        Control-flow Graph

                                        Strings
                                        Memory Dump Source
                                        • Source File: 00000001.00000002.1458312450.0000000000A10000.00000040.00000800.00020000.00000000.sdmp, Offset: 00A10000, based on PE: false
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_1_2_a10000_AVKlyo045S.jbxd
                                        Similarity
                                        • API ID:
                                        • String ID: VD.$cw]U$cw]U$cw]U
                                        • API String ID: 0-1336082564
                                        • Opcode ID: 78095d32b7474f9a2b2884c5c5108d444e07babc7c72fbc19ec2a18e57f2200c
                                        • Instruction ID: 8b085dedc0999d3f1bc223710a3c5aa1e081717c978d9a463b985690c7373d4a
                                        • Opcode Fuzzy Hash: 78095d32b7474f9a2b2884c5c5108d444e07babc7c72fbc19ec2a18e57f2200c
                                        • Instruction Fuzzy Hash: 58F16EB0E1430ADFCB04CFA9D48199EFBB2FF89301B24945AD415AB255D734EA82CF94

                                        Control-flow Graph

                                        Strings
                                        Memory Dump Source
                                        • Source File: 00000001.00000002.1458312450.0000000000A10000.00000040.00000800.00020000.00000000.sdmp, Offset: 00A10000, based on PE: false
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_1_2_a10000_AVKlyo045S.jbxd
                                        Similarity
                                        • API ID:
                                        • String ID: VD.$cw]U$cw]U$cw]U
                                        • API String ID: 0-1336082564
                                        • Opcode ID: 2a29d12b5d955ae85eba6209537615ef37e6b1f404de17f5848e49fedc6414c6
                                        • Instruction ID: 631284a3e219d628dd3f411b517dd26e5e69ee3407c0d35642c2479107a2bae6
                                        • Opcode Fuzzy Hash: 2a29d12b5d955ae85eba6209537615ef37e6b1f404de17f5848e49fedc6414c6
                                        • Instruction Fuzzy Hash: 37D13E74E1420ADFCB04CFAAD5818EEFBB2FF89300B64D559D416AB254D7349A82CF94

                                        Control-flow Graph

                                        APIs
                                        • CreateProcessW.KERNELBASE(?,00000000,?,?,?,?,?,?,?,?), ref: 0A3A7657
                                        Memory Dump Source
                                        • Source File: 00000001.00000002.1466530192.000000000A3A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 0A3A0000, based on PE: false
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_1_2_a3a0000_AVKlyo045S.jbxd
                                        Similarity
                                        • API ID: CreateProcess
                                        • String ID:
                                        • API String ID: 963392458-0
                                        • Opcode ID: 7c37db7c85f0dbb7cd1ef108673ed85934b1e909f0a7d8123bb4e8f1a58002a2
                                        • Instruction ID: c92bbc3dfa2c05b8656d12d1baab4e9414fc6a3d484b7d113057e6f6f05d002a
                                        • Opcode Fuzzy Hash: 7c37db7c85f0dbb7cd1ef108673ed85934b1e909f0a7d8123bb4e8f1a58002a2
                                        • Instruction Fuzzy Hash: 3502CE74E11229CFDB64CFA9D885B9DBBB1FF49304F1081AAE418B7290DB349A85CF54

                                        Control-flow Graph

                                        APIs
                                        • CreateProcessW.KERNELBASE(?,00000000,?,?,?,?,?,?,?,?), ref: 0A3A7657
                                        Memory Dump Source
                                        • Source File: 00000001.00000002.1466530192.000000000A3A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 0A3A0000, based on PE: false
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_1_2_a3a0000_AVKlyo045S.jbxd
                                        Similarity
                                        • API ID: CreateProcess
                                        • String ID:
                                        • API String ID: 963392458-0
                                        • Opcode ID: 79b1901bb07daf8cab6c96c261b3dd85e189dac2a1b78b855027aaaab9e1eff5
                                        • Instruction ID: d2fafa03dea8c1b54e60e2f2c8ba370922fea529dbba7e8ea4205e0c72616f32
                                        • Opcode Fuzzy Hash: 79b1901bb07daf8cab6c96c261b3dd85e189dac2a1b78b855027aaaab9e1eff5
                                        • Instruction Fuzzy Hash: B8F1D074E11229CFDB24CFA9D884B9DBBB1FF49304F1081AAE418B7290DB349985CF54

                                        Control-flow Graph

                                        control_flow_graph 307 a3a81d0 308 a3a81d1-a3a81d8 307->308 309 a3a81d9-a3a81f4 308->309 310 a3a822e-a3a8238 308->310 309->310 312 a3a823a-a3a8241 310->312 313 a3a828f-a3a831e 310->313 312->307 316 a3a8325-a3a8362 NtReadVirtualMemory 313->316 317 a3a836b-a3a83bd 316->317 318 a3a8364-a3a836a 316->318 318->317
                                        Memory Dump Source
                                        • Source File: 00000001.00000002.1466530192.000000000A3A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 0A3A0000, based on PE: false
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_1_2_a3a0000_AVKlyo045S.jbxd
                                        Similarity
                                        • API ID:
                                        • String ID:
                                        • API String ID:
                                        • Opcode ID: 9907a83f5689c07d9af3c7b1e3730a267596d3ccf3a37d54a2ee5353666a1209
                                        • Instruction ID: 4b2c9b5c677ce82d615351850ca8deb8370224c14a69367fab5df8ebd6c30c6a
                                        • Opcode Fuzzy Hash: 9907a83f5689c07d9af3c7b1e3730a267596d3ccf3a37d54a2ee5353666a1209
                                        • Instruction Fuzzy Hash: 255113B9C093989FDB11CFA9D890ADEBFB0FF1A310F04405AE454B7252D7345906CB65

                                        Control-flow Graph

                                        control_flow_graph 323 a3a8262-a3a8278 324 a3a827a-a3a82cf 323->324 325 a3a82d0-a3a8362 NtReadVirtualMemory 323->325 324->325 328 a3a836b-a3a83bd 325->328 329 a3a8364-a3a836a 325->329 329->328
                                        APIs
                                        • NtReadVirtualMemory.NTDLL(?,?,?,?,?), ref: 0A3A8352
                                        Memory Dump Source
                                        • Source File: 00000001.00000002.1466530192.000000000A3A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 0A3A0000, based on PE: false
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_1_2_a3a0000_AVKlyo045S.jbxd
                                        Similarity
                                        • API ID: MemoryReadVirtual
                                        • String ID:
                                        • API String ID: 2834387570-0
                                        • Opcode ID: 0b46029304e5a1dd3520da8044252c870d0c4444c1d3054ff23d2da62b90731d
                                        • Instruction ID: 81aa3ebe7be6a1f2f17ad20e70643cf51e5a69eaa834afc05854d9d88a7e52b2
                                        • Opcode Fuzzy Hash: 0b46029304e5a1dd3520da8044252c870d0c4444c1d3054ff23d2da62b90731d
                                        • Instruction Fuzzy Hash: 174102B9C092989FCF11CFA5D880AEEBFB0EF1A310F14945AE854BB251D7349906CF65

                                        Control-flow Graph

                                        control_flow_graph 334 a3a8671-a3a86e0 336 a3a86e2-a3a86f4 334->336 337 a3a86f7-a3a8758 NtWriteVirtualMemory 334->337 336->337 339 a3a875a-a3a8760 337->339 340 a3a8761-a3a87b3 337->340 339->340
                                        APIs
                                        • NtWriteVirtualMemory.NTDLL(?,?,?,?,?), ref: 0A3A8748
                                        Memory Dump Source
                                        • Source File: 00000001.00000002.1466530192.000000000A3A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 0A3A0000, based on PE: false
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_1_2_a3a0000_AVKlyo045S.jbxd
                                        Similarity
                                        • API ID: MemoryVirtualWrite
                                        • String ID:
                                        • API String ID: 3527976591-0
                                        • Opcode ID: 3fc794fcd7fb529ccf794515792efa956ca414e7d910497f6751dae828552c8c
                                        • Instruction ID: c856f4e84fcf8f3125c12badc9dd886ac49c6787e0ad431f45b96f81db7f7055
                                        • Opcode Fuzzy Hash: 3fc794fcd7fb529ccf794515792efa956ca414e7d910497f6751dae828552c8c
                                        • Instruction Fuzzy Hash: F541A9B5D012589FDF00CFA9D984ADEBBF1FB49310F24942AE818B7250C779AA45CB54

                                        Control-flow Graph

                                        control_flow_graph 345 a3a8678-a3a86e0 347 a3a86e2-a3a86f4 345->347 348 a3a86f7-a3a8758 NtWriteVirtualMemory 345->348 347->348 350 a3a875a-a3a8760 348->350 351 a3a8761-a3a87b3 348->351 350->351
                                        APIs
                                        • NtWriteVirtualMemory.NTDLL(?,?,?,?,?), ref: 0A3A8748
                                        Memory Dump Source
                                        • Source File: 00000001.00000002.1466530192.000000000A3A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 0A3A0000, based on PE: false
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_1_2_a3a0000_AVKlyo045S.jbxd
                                        Similarity
                                        • API ID: MemoryVirtualWrite
                                        • String ID:
                                        • API String ID: 3527976591-0
                                        • Opcode ID: b40aef83a2596038e90828a7b3303c66e7cd8bec938a76ba505b8f3a654c0311
                                        • Instruction ID: da9620026f43b686b68efc64cc3f78ade8d7a6e90cf023d4c7f3bfae676d0dc4
                                        • Opcode Fuzzy Hash: b40aef83a2596038e90828a7b3303c66e7cd8bec938a76ba505b8f3a654c0311
                                        • Instruction Fuzzy Hash: BE41BAB5D012589FDF00CFA9D984ADEFBF1BB49310F20942AE818B7250C339AA41CF64

                                        Control-flow Graph

                                        control_flow_graph 356 a3a82a0-a3a8362 NtReadVirtualMemory 359 a3a836b-a3a83bd 356->359 360 a3a8364-a3a836a 356->360 360->359
                                        APIs
                                        • NtReadVirtualMemory.NTDLL(?,?,?,?,?), ref: 0A3A8352
                                        Memory Dump Source
                                        • Source File: 00000001.00000002.1466530192.000000000A3A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 0A3A0000, based on PE: false
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_1_2_a3a0000_AVKlyo045S.jbxd
                                        Similarity
                                        • API ID: MemoryReadVirtual
                                        • String ID:
                                        • API String ID: 2834387570-0
                                        • Opcode ID: ca1131573dddfe653d558667b58fb004916eb4b71dbe80961e339d9bb44b9fc0
                                        • Instruction ID: c8b8952f4b80f4c696254f9ff9360278ded4d4f5bd5c35a94dce1cee521d4a7a
                                        • Opcode Fuzzy Hash: ca1131573dddfe653d558667b58fb004916eb4b71dbe80961e339d9bb44b9fc0
                                        • Instruction Fuzzy Hash: 2E41A9B9D042589FCF10CFAAD884AEEFBB5BB49310F14942AE815B7240C735A945CF68

                                        Control-flow Graph

                                        control_flow_graph 383 a3a8819-a3a8880 385 a3a8882-a3a8894 383->385 386 a3a8897-a3a88df NtSetContextThread 383->386 385->386 388 a3a88e8-a3a8934 386->388 389 a3a88e1-a3a88e7 386->389 389->388
                                        APIs
                                        • NtSetContextThread.NTDLL(?,?), ref: 0A3A88CF
                                        Memory Dump Source
                                        • Source File: 00000001.00000002.1466530192.000000000A3A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 0A3A0000, based on PE: false
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_1_2_a3a0000_AVKlyo045S.jbxd
                                        Similarity
                                        • API ID: ContextThread
                                        • String ID:
                                        • API String ID: 1591575202-0
                                        • Opcode ID: 1076ca1850730bd00efc47c32cb8625850f0d604694f2ad92eed7144c0595a09
                                        • Instruction ID: 33c2869a93ad45c91df242b0e7c07710b6b840d71068140ebd94fcae9616506e
                                        • Opcode Fuzzy Hash: 1076ca1850730bd00efc47c32cb8625850f0d604694f2ad92eed7144c0595a09
                                        • Instruction Fuzzy Hash: 4541ABB5D012589FDB14CFA9D484AEEBBF5FF48314F14842AE414B7240D7789946CF94

                                        Control-flow Graph

                                        control_flow_graph 394 a3a8820-a3a8880 396 a3a8882-a3a8894 394->396 397 a3a8897-a3a88df NtSetContextThread 394->397 396->397 399 a3a88e8-a3a8934 397->399 400 a3a88e1-a3a88e7 397->400 400->399
                                        APIs
                                        • NtSetContextThread.NTDLL(?,?), ref: 0A3A88CF
                                        Memory Dump Source
                                        • Source File: 00000001.00000002.1466530192.000000000A3A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 0A3A0000, based on PE: false
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_1_2_a3a0000_AVKlyo045S.jbxd
                                        Similarity
                                        • API ID: ContextThread
                                        • String ID:
                                        • API String ID: 1591575202-0
                                        • Opcode ID: 56a03987006b2626e6e323ae9ff33936728f1f9306b39e7881a1237fc26f8015
                                        • Instruction ID: e3eb67a109faeec587ae7c3bcffd3cc4451fc954d7cfa69315bffdf1dd19fe3e
                                        • Opcode Fuzzy Hash: 56a03987006b2626e6e323ae9ff33936728f1f9306b39e7881a1237fc26f8015
                                        • Instruction Fuzzy Hash: CA31BAB5D012589FDB14CFAAD884AEEFBF5BF48314F14842AE418B7240D778A945CF94

                                        Control-flow Graph

                                        control_flow_graph 405 a3a8450-a3a84f1 NtResumeThread 408 a3a84fa-a3a853e 405->408 409 a3a84f3-a3a84f9 405->409 409->408
                                        APIs
                                        • NtResumeThread.NTDLL(?,?), ref: 0A3A84E1
                                        Memory Dump Source
                                        • Source File: 00000001.00000002.1466530192.000000000A3A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 0A3A0000, based on PE: false
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_1_2_a3a0000_AVKlyo045S.jbxd
                                        Similarity
                                        • API ID: ResumeThread
                                        • String ID:
                                        • API String ID: 947044025-0
                                        • Opcode ID: 391689fe6545ce8c02e0affae8dcdad43e8aa5bc275ded037a472c45ed89541c
                                        • Instruction ID: 8ebc3eefc097ae0141630772820c15ee14a5638044c5918648d834da177646fc
                                        • Opcode Fuzzy Hash: 391689fe6545ce8c02e0affae8dcdad43e8aa5bc275ded037a472c45ed89541c
                                        • Instruction Fuzzy Hash: 5C31C8B4D012189FDB10CFA9E880ADEFBF5FB49310F10842AE815B7200C779A906CF98

                                        Control-flow Graph

                                        control_flow_graph 414 a3a8458-a3a84f1 NtResumeThread 417 a3a84fa-a3a853e 414->417 418 a3a84f3-a3a84f9 414->418 418->417
                                        APIs
                                        • NtResumeThread.NTDLL(?,?), ref: 0A3A84E1
                                        Memory Dump Source
                                        • Source File: 00000001.00000002.1466530192.000000000A3A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 0A3A0000, based on PE: false
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_1_2_a3a0000_AVKlyo045S.jbxd
                                        Similarity
                                        • API ID: ResumeThread
                                        • String ID:
                                        • API String ID: 947044025-0
                                        • Opcode ID: 1b02df57410cee541f1cc3293be7e71248dfa82d79b28852f4b6e9eb67cd6918
                                        • Instruction ID: 156382ec8d336b899d287c3eee4a0721682ae8f98a760deb75205b989c015b0e
                                        • Opcode Fuzzy Hash: 1b02df57410cee541f1cc3293be7e71248dfa82d79b28852f4b6e9eb67cd6918
                                        • Instruction Fuzzy Hash: DD31A6B5D012189FDB10CFA9D884A9EFBF5BB49310F10942AE815B7200C775A901CFA8
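The call sites listed above (CreateProcessW, NtReadVirtualMemory, NtWriteVirtualMemory, NtSetContextThread, NtResumeThread), all located in the non-PE-backed region at 0A3A0000, are the API set of process hollowing, which is what the "Injects a PE file into a foreign processes" and "Creates a process in suspended mode" signatures reflect. As an added example that is not part of the Joe Sandbox report, the Python below parses the control_flow_graph notation used in this section and checks whether every stage of that sequence is present. The sample lines are copied from this section (the first is only the portion of graph 231 around its CreateProcessW block); the kernel32 API names listed next to the NTDLL ones are an assumption added so the same check also covers samples that call the Win32 layer, and the stage names are the example's own.

```python
"""Parse Joe Sandbox 'control_flow_graph' dump lines and flag the process-hollowing
API sequence (CreateProcess -> NtWriteVirtualMemory -> NtSetContextThread ->
NtResumeThread) across the parsed functions."""
import re
from dataclasses import dataclass, field
from typing import Dict, Iterable, List, Tuple

# Constructed input: lines copied from the report section above. The first entry is
# the part of graph 231 around its CreateProcessW block; the rest are complete dumps.
SAMPLE_CFGS = [
    "control_flow_graph 246 a3a75c5-a3a75d7 251 a3a75d9-a3a75f1 246->251 "
    "252 a3a75f4-a3a766a CreateProcessW 246->252 251->252 "
    "258 a3a766c-a3a7672 252->258 259 a3a7673-a3a76b4 252->259 258->259",
    "control_flow_graph 356 a3a82a0-a3a8362 NtReadVirtualMemory 359 a3a836b-a3a83bd "
    "356->359 360 a3a8364-a3a836a 356->360 360->359",
    "control_flow_graph 334 a3a8671-a3a86e0 336 a3a86e2-a3a86f4 334->336 "
    "337 a3a86f7-a3a8758 NtWriteVirtualMemory 334->337 336->337 "
    "339 a3a875a-a3a8760 337->339 340 a3a8761-a3a87b3 337->340 339->340",
    "control_flow_graph 383 a3a8819-a3a8880 385 a3a8882-a3a8894 383->385 "
    "386 a3a8897-a3a88df NtSetContextThread 383->386 385->386 "
    "388 a3a88e8-a3a8934 386->388 389 a3a88e1-a3a88e7 386->389 389->388",
    "control_flow_graph 405 a3a8450-a3a84f1 NtResumeThread 408 a3a84fa-a3a853e "
    "405->408 409 a3a84f3-a3a84f9 405->409 409->408",
]

_EDGE = re.compile(r"^(\d+)->(\d+)$")
_NODE_ID = re.compile(r"^\d+$")
_RANGE = re.compile(r"^([0-9a-f]+)-([0-9a-f]+)$")


@dataclass
class Block:
    start: int                                   # first address of the basic block
    end: int                                     # last address of the basic block
    apis: List[str] = field(default_factory=list)  # API names called from it


def parse_cfg(line: str) -> Tuple[Dict[int, Block], List[Tuple[int, int]]]:
    """Turn one 'control_flow_graph ...' line into {node id: Block} and an edge list."""
    tokens = line.split()
    if not tokens or tokens[0] != "control_flow_graph":
        raise ValueError("expected a line starting with 'control_flow_graph'")
    nodes: Dict[int, Block] = {}
    edges: List[Tuple[int, int]] = []
    current = None
    it = iter(tokens[1:])
    for tok in it:
        edge = _EDGE.match(tok)
        if edge:
            edges.append((int(edge.group(1)), int(edge.group(2))))
        elif _NODE_ID.match(tok):
            # A node id is always followed by its hex address range.
            rng = _RANGE.match(next(it, ""))
            if rng is None:
                raise ValueError(f"node {tok} is not followed by an address range")
            current = int(tok)
            nodes[current] = Block(int(rng.group(1), 16), int(rng.group(2), 16))
        elif current is not None:
            # Any other token is an API name attached to the preceding block.
            nodes[current].apis.append(tok)
        else:
            raise ValueError(f"unexpected token {tok!r} before any node")
    return nodes, edges


def api_call_sites(lines: Iterable[str]) -> List[Tuple[str, int]]:
    """(API name, block start address) for every API reference in the given graphs."""
    sites = []
    for line in lines:
        nodes, _ = parse_cfg(line)
        for block in nodes.values():
            sites.extend((api, block.start) for api in block.apis)
    return sites


# Stage -> API names that implement it. The NTDLL names are the ones in the report;
# the kernel32 wrappers are an assumption so the check also covers Win32-layer callers.
# CreateProcess alone does not show the CREATE_SUSPENDED flag (arguments are '?' above).
HOLLOWING_STAGES = {
    "create_process": {"CreateProcessW", "CreateProcessA"},
    "write_payload": {"NtWriteVirtualMemory", "WriteProcessMemory"},
    "set_entry_point": {"NtSetContextThread", "SetThreadContext"},
    "resume": {"NtResumeThread", "ResumeThread"},
}


def hollowing_verdict(lines: Iterable[str]) -> Tuple[bool, Dict[str, List[int]]]:
    """True when every hollowing stage has at least one call site; plus the sites."""
    seen: Dict[str, List[int]] = {stage: [] for stage in HOLLOWING_STAGES}
    for api, addr in api_call_sites(lines):
        for stage, names in HOLLOWING_STAGES.items():
            if api in names:
                seen[stage].append(addr)
    return all(seen.values()), seen


if __name__ == "__main__":
    complete, stages = hollowing_verdict(SAMPLE_CFGS)
    for stage, addrs in stages.items():
        print(f"{stage:16s} {', '.join(hex(a) for a in addrs) or '-'}")
    print("process-hollowing API set complete:", complete)
```

Run against the lines above, all four stages resolve to blocks inside the 0A3A0000 dump, which is the textual equivalent of the report's injection verdict; on a report where only some stages appear (for example, NtWriteVirtualMemory without NtSetContextThread) the function returns False and the per-stage lists show which step is missing.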
                                        Strings
                                        Memory Dump Source
                                        • Source File: 00000001.00000002.1458312450.0000000000A10000.00000040.00000800.00020000.00000000.sdmp, Offset: 00A10000, based on PE: false
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_1_2_a10000_AVKlyo045S.jbxd
                                        Similarity
                                        • API ID:
                                        • String ID: s]q
                                        • API String ID: 0-1442821580
                                        • Opcode ID: b877406e8c05d2532fb44b01191861a8ae4459b8398cd8baa91ffe6b6a5e5ee7
                                        • Instruction ID: 1648411eafd2b19cbd4a609984fb2ff610dc6329e7c90a1c0e783f16ff3c8c3b
                                        • Opcode Fuzzy Hash: b877406e8c05d2532fb44b01191861a8ae4459b8398cd8baa91ffe6b6a5e5ee7
                                        • Instruction Fuzzy Hash: FAC12974E11209DFCB08CF99C9809EEFBB2FF98340F248599D415AB254D735A982CFA4
                                        Strings
                                        Memory Dump Source
                                        • Source File: 00000001.00000002.1458312450.0000000000A10000.00000040.00000800.00020000.00000000.sdmp, Offset: 00A10000, based on PE: false
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_1_2_a10000_AVKlyo045S.jbxd
                                        Similarity
                                        • API ID:
                                        • String ID: K|@"
                                        • API String ID: 0-363044853
                                        • Opcode ID: 571c701bd7c355a8c0deb0b5d5d5b7113d063be1580c87f6a4ceff6a13bb2610
                                        • Instruction ID: 9b338f1adb9abe8eda31f64685c3eb0ed316b1dc4d5047001cc01bf972f394fc
                                        • Opcode Fuzzy Hash: 571c701bd7c355a8c0deb0b5d5d5b7113d063be1580c87f6a4ceff6a13bb2610
                                        • Instruction Fuzzy Hash: 9C512770E05219CFDB08CFA9D9506EEFBF2BF88300F24D16AD459A7254D7349A41CB69
                                        Memory Dump Source
                                        • Source File: 00000001.00000002.1458312450.0000000000A10000.00000040.00000800.00020000.00000000.sdmp, Offset: 00A10000, based on PE: false
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_1_2_a10000_AVKlyo045S.jbxd
                                        Similarity
                                        • API ID:
                                        • String ID:
                                        • API String ID:
                                        • Opcode ID: 2d8f8264d3b84a96c4053b8ec5d437e0bf8cb980156fda0b5a32b20a88b4c0db
                                        • Instruction ID: d828048ac06e4ba24d5a520d6fa8f5a2fefbabb1795f5b5d5a5907a025f417bf
                                        • Opcode Fuzzy Hash: 2d8f8264d3b84a96c4053b8ec5d437e0bf8cb980156fda0b5a32b20a88b4c0db
                                        • Instruction Fuzzy Hash: 6BC135B4E05259CFDB08CFA9C884ADEBBF2FF89304F20816AD405AB355D7359A42CB55
                                        Memory Dump Source
                                        • Source File: 00000001.00000002.1458312450.0000000000A10000.00000040.00000800.00020000.00000000.sdmp, Offset: 00A10000, based on PE: false
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_1_2_a10000_AVKlyo045S.jbxd
                                        Similarity
                                        • API ID:
                                        • String ID:
                                        • API String ID:
                                        • Opcode ID: ed0d5b55b4dddc11d51207f4ff4597d30be35af36c8949df792ed7eceecd86ab
                                        • Instruction ID: 61b433d4ddf10ff7c5fa4d11f792a9a842bdddba32b1050fd9b670be43654f94
                                        • Opcode Fuzzy Hash: ed0d5b55b4dddc11d51207f4ff4597d30be35af36c8949df792ed7eceecd86ab
                                        • Instruction Fuzzy Hash: 31C124B4E05259CFDB08CFA9C884AEEBBF2FF89300F20816AD405AB355D7359A41CB55
                                        Memory Dump Source
                                        • Source File: 00000001.00000002.1458312450.0000000000A10000.00000040.00000800.00020000.00000000.sdmp, Offset: 00A10000, based on PE: false
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_1_2_a10000_AVKlyo045S.jbxd
                                        Similarity
                                        • API ID:
                                        • String ID:
                                        • API String ID:
                                        • Opcode ID: 2bf6fb376af1fff9977bc0b571d4c61d8f58d154b8bffb0197659cf96eb2ee41
                                        • Instruction ID: d0ae92503a02e8495f40171e75e6e031080476f47577184441d6cc8f3db7e351
                                        • Opcode Fuzzy Hash: 2bf6fb376af1fff9977bc0b571d4c61d8f58d154b8bffb0197659cf96eb2ee41
                                        • Instruction Fuzzy Hash: 44B1CEB4E05219CFDB48CFA9C980AEEBBF2FF89300F20952AD515AB354D7359A41CB54
                                        Memory Dump Source
                                        • Source File: 00000001.00000002.1458312450.0000000000A10000.00000040.00000800.00020000.00000000.sdmp, Offset: 00A10000, based on PE: false
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_1_2_a10000_AVKlyo045S.jbxd
                                        Similarity
                                        • API ID:
                                        • String ID:
                                        • API String ID:
                                        • Opcode ID: ab64ea9aa691d38cc079289bd6b931a80129b3c48a951a4d43ec9b2a4c57e92b
                                        • Instruction ID: ff8bdcc3c21f470c8f5ab70ecf3888dd31d1b15c229d62c5bd8d7c9be41a7125
                                        • Opcode Fuzzy Hash: ab64ea9aa691d38cc079289bd6b931a80129b3c48a951a4d43ec9b2a4c57e92b
                                        • Instruction Fuzzy Hash: 18A1DEB4E04219DFCB08CFA9C9949EEBBF2FF89300F24952AD516BB254E7359941CB14
                                        Memory Dump Source
                                        • Source File: 00000001.00000002.1458312450.0000000000A10000.00000040.00000800.00020000.00000000.sdmp, Offset: 00A10000, based on PE: false
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_1_2_a10000_AVKlyo045S.jbxd
                                        Similarity
                                        • API ID:
                                        • String ID:
                                        • API String ID:
                                        • Opcode ID: 40d58ed9bcd9712240568c82b3ea0eca90ecafe3d1e698b6425abdd04e133956
                                        • Instruction ID: 0cb28fcd7d2d8479f65a731dc0cbc378c2969807332e4a18034569b6c5dcaacb
                                        • Opcode Fuzzy Hash: 40d58ed9bcd9712240568c82b3ea0eca90ecafe3d1e698b6425abdd04e133956
                                        • Instruction Fuzzy Hash: FCA1CEB4E04219CBCB08CFA9C9949EEBBF2FB89300F24952AD516BB354E7359941CB54
                                        Memory Dump Source
                                        • Source File: 00000001.00000002.1458312450.0000000000A10000.00000040.00000800.00020000.00000000.sdmp, Offset: 00A10000, based on PE: false
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_1_2_a10000_AVKlyo045S.jbxd
                                        Similarity
                                        • API ID:
                                        • String ID:
                                        • API String ID:
                                        • Opcode ID: e562015673a44092da08f093b638bd1c12e609d6383d619e0f1692aaee766723
                                        • Instruction ID: 7ba50efce0911000790d4036549757008cce546b841c0e855b3b060dbc9ae858
                                        • Opcode Fuzzy Hash: e562015673a44092da08f093b638bd1c12e609d6383d619e0f1692aaee766723
                                        • Instruction Fuzzy Hash: 52A11474E00219DFDB04DFA9D88499EBBF2FF89301F14812AE815AB365EB349946CF51
                                        Memory Dump Source
                                        • Source File: 00000001.00000002.1458312450.0000000000A10000.00000040.00000800.00020000.00000000.sdmp, Offset: 00A10000, based on PE: false
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_1_2_a10000_AVKlyo045S.jbxd
                                        Similarity
                                        • API ID:
                                        • String ID:
                                        • API String ID:
                                        • Opcode ID: 5ab9f2e635e08736423db069b417b15467fa26728566d4e57ab814007f946f35
                                        • Instruction ID: cd1a1996416e83879058b2529fc1c6955930265004f8d792dbe467c7078ca458
                                        • Opcode Fuzzy Hash: 5ab9f2e635e08736423db069b417b15467fa26728566d4e57ab814007f946f35
                                        • Instruction Fuzzy Hash: E0A10174E00219DFDB04DFA9D8849DEBBF2FF89301F248129E815AB255EB349946CF50
                                        Memory Dump Source
                                        • Source File: 00000001.00000002.1458312450.0000000000A10000.00000040.00000800.00020000.00000000.sdmp, Offset: 00A10000, based on PE: false
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_1_2_a10000_AVKlyo045S.jbxd
                                        Similarity
                                        • API ID:
                                        • String ID:
                                        • API String ID:
                                        • Opcode ID: d84c95d9d36cd5d99ad2a044d7ae02e0ee6481c9e29e393325190b2f2b668f52
                                        • Instruction ID: a3ba7458fa8c03fca2d010e0d11270191659730caf6acc57a0af0f0fb48c981b
                                        • Opcode Fuzzy Hash: d84c95d9d36cd5d99ad2a044d7ae02e0ee6481c9e29e393325190b2f2b668f52
                                        • Instruction Fuzzy Hash: 48511A70E0821A8FDB08CFAAC5406AEFBF2FF89300F24D46AD415A7255D7348A518FA5
                                        Memory Dump Source
                                        • Source File: 00000001.00000002.1466530192.000000000A3A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 0A3A0000, based on PE: false
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_1_2_a3a0000_AVKlyo045S.jbxd
                                        Similarity
                                        • API ID:
                                        • String ID:
                                        • API String ID:
                                        • Opcode ID: e4176e691d43abb6dfdce8fe961ede072fddda1d26ce771ff45bd1b567798dd4
                                        • Instruction ID: ed64f9aa24da0a708dae652f700e994170849cd379f5583769d2a37054e7b593
                                        • Opcode Fuzzy Hash: e4176e691d43abb6dfdce8fe961ede072fddda1d26ce771ff45bd1b567798dd4
                                        • Instruction Fuzzy Hash: ED51C475E152298BDB68CF69D8846DDFBB6FB89310F10C0AAD908A7314DB309E81CF40
                                        Memory Dump Source
                                        • Source File: 00000001.00000002.1458312450.0000000000A10000.00000040.00000800.00020000.00000000.sdmp, Offset: 00A10000, based on PE: false
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_1_2_a10000_AVKlyo045S.jbxd
                                        Similarity
                                        • API ID:
                                        • String ID:
                                        • API String ID:
                                        • Opcode ID: c1bc4d2014e214dba1c0c0e017189fb8ce7ebe43721bb22249b762debfc113d7
                                        • Instruction ID: cbd9ec2bf3bd4930c2b11dc95b8ec1779b696183ddf8646cc78ae21d01e9e7aa
                                        • Opcode Fuzzy Hash: c1bc4d2014e214dba1c0c0e017189fb8ce7ebe43721bb22249b762debfc113d7
                                        • Instruction Fuzzy Hash: 46511A75E05258CFDB58CFAAC9846DEBBB2FF88310F1480AAD409AB354DB345A85CF50
                                        Memory Dump Source
                                        • Source File: 00000001.00000002.1466530192.000000000A3A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 0A3A0000, based on PE: false
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_1_2_a3a0000_AVKlyo045S.jbxd
                                        Similarity
                                        • API ID:
                                        • String ID:
                                        • API String ID:
                                        • Opcode ID: e2fbdb56bf36b09fe844c6d55de24b1268240638e7ae7cfec5d1a334851fbf2c
                                        • Instruction ID: add66def9eced51755cb2ee8f03254bcd9e60019cce5e48e4b8abc8c726566b1
                                        • Opcode Fuzzy Hash: e2fbdb56bf36b09fe844c6d55de24b1268240638e7ae7cfec5d1a334851fbf2c
                                        • Instruction Fuzzy Hash: 4241FE75E152699FDB58CF6AD8406DDFBF6FBD9300F14C0AAC408A7254DB319A418F40
                                        Memory Dump Source
                                        • Source File: 00000001.00000002.1458312450.0000000000A10000.00000040.00000800.00020000.00000000.sdmp, Offset: 00A10000, based on PE: false
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_1_2_a10000_AVKlyo045S.jbxd
                                        Similarity
                                        • API ID:
                                        • String ID:
                                        • API String ID:

                                        Control-flow Graph

                                        • Executed
                                        • Not Executed
                                        control_flow_graph 365 a3a8550-a3a8612 VirtualAllocEx 368 a3a861b-a3a8665 365->368 369 a3a8614-a3a861a 365->369 369->368
                                        APIs
                                        • VirtualAllocEx.KERNELBASE(?,?,?,?,?), ref: 0A3A8602
                                        Memory Dump Source
                                        • Source File: 00000001.00000002.1466530192.000000000A3A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 0A3A0000, based on PE: false
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_1_2_a3a0000_AVKlyo045S.jbxd
                                        Similarity
                                        • API ID: AllocVirtual
                                        • String ID:
                                        • API String ID: 4275171209-0

                                        Control-flow Graph

                                        • Executed
                                        • Not Executed
                                        control_flow_graph 374 a3a8558-a3a8612 VirtualAllocEx 377 a3a861b-a3a8665 374->377 378 a3a8614-a3a861a 374->378 378->377
                                        APIs
                                        • VirtualAllocEx.KERNELBASE(?,?,?,?,?), ref: 0A3A8602
                                        Strings
                                        Similarity
                                        • API ID:
                                        • String ID: qCy+
                                        • API String ID: 0-3529117827
                                        Strings
                                        Similarity
                                        • API ID:
                                        • String ID: 0w?$0w?$/.]/
                                        • API String ID: 0-1051212873
                                        Strings
                                        Memory Dump Source
                                        • Source File: 00000001.00000002.1466530192.000000000A3A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 0A3A0000, based on PE: false
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_1_2_a3a0000_AVKlyo045S.jbxd
                                        Similarity
                                        • API ID:
                                        • String ID: 0w?$/.]/
                                        • API String ID: 0-342866015
                                        • Opcode ID: d0de4276afe92076f6488ea4e68822b13423b582ed9855e4f7bdc531e628f08a
                                        • Instruction ID: 2c2f98a8bdd34a16f8400eb6a137b80fe56f09aa11e487831a70b5b59a0da20a
                                        • Opcode Fuzzy Hash: d0de4276afe92076f6488ea4e68822b13423b582ed9855e4f7bdc531e628f08a
                                        • Instruction Fuzzy Hash: 75B1B63071432ACBEB3C1FB594047BB76B6EFD4640F25882ED862D65A9CF34C841AB56
                                        Strings
                                        Memory Dump Source
                                        • Source File: 00000001.00000002.1466530192.000000000A3A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 0A3A0000, based on PE: false
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_1_2_a3a0000_AVKlyo045S.jbxd
                                        Similarity
                                        • API ID:
                                        • String ID: 0w?$/.]/
                                        • API String ID: 0-342866015
                                        • Opcode ID: 2d8ad3eb05e01ed81553f8035fe0d7ead773de0cc7fe8c190c7cefe6abc04037
                                        • Instruction ID: 43d640ae9a2743b2a2e6bd1821726d2daa488ee8da3e04f05fd76d3e30959595
                                        • Opcode Fuzzy Hash: 2d8ad3eb05e01ed81553f8035fe0d7ead773de0cc7fe8c190c7cefe6abc04037
                                        • Instruction Fuzzy Hash: 95B16B74A14229DFDB14DFA9C484A9EFBF2FF88304F24C5A9D055AB21AD7309842CF94
                                        Strings
                                        Memory Dump Source
                                        • Source File: 00000001.00000002.1458312450.0000000000A10000.00000040.00000800.00020000.00000000.sdmp, Offset: 00A10000, based on PE: false
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_1_2_a10000_AVKlyo045S.jbxd
                                        Similarity
                                        • API ID:
                                        • String ID: j1B$j1B
                                        • API String ID: 0-3175622706
                                        • Opcode ID: 75f1ce0a6b10ec932627f515bfe9525332f77d76a36beaf7e7acc6ec05915d8a
                                        • Instruction ID: 6f1288466b72cea2e7cd80cdc536910f469e89c0b009b932f71d534bfcbbf946
                                        • Opcode Fuzzy Hash: 75f1ce0a6b10ec932627f515bfe9525332f77d76a36beaf7e7acc6ec05915d8a
                                        • Instruction Fuzzy Hash: 8F61E570E19609DBCB08CFAAD5809DEFBF6FF89350F24942AE415B7214D3349A418B64
                                        Strings
                                        Memory Dump Source
                                        • Source File: 00000001.00000002.1458312450.0000000000A10000.00000040.00000800.00020000.00000000.sdmp, Offset: 00A10000, based on PE: false
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_1_2_a10000_AVKlyo045S.jbxd
                                        Similarity
                                        • API ID:
                                        • String ID: Dp0$ Dp0
                                        • API String ID: 0-3409692448
                                        • Opcode ID: cd55fda344b0d09fbfb2a0901611a92a8c6a83e62a462473fafe112c2f028454
                                        • Instruction ID: 99be66367d2103d0baf010f6c1df8185bd0b74a8f8ec5d97abaab626c5b007f6
                                        • Opcode Fuzzy Hash: cd55fda344b0d09fbfb2a0901611a92a8c6a83e62a462473fafe112c2f028454
                                        • Instruction Fuzzy Hash: AF41A2B1E0460ADFCB04CFAAD5815EEFBF2AB88310F64D16AC415A7254D7349A858F94
                                        Strings
                                        Memory Dump Source
                                        • Source File: 00000001.00000002.1458312450.0000000000A10000.00000040.00000800.00020000.00000000.sdmp, Offset: 00A10000, based on PE: false
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_1_2_a10000_AVKlyo045S.jbxd
                                        Similarity
                                        • API ID:
                                        • String ID: IyB/
                                        • API String ID: 0-4125526954
                                        • Opcode ID: da3f077a29fb535c0215e66c898799e3c687099cadf2cd5f1bb7a77aed3b60d2
                                        • Instruction ID: 02ca0893fe6440960754a25463241ef93481e2b3fc9d6167f2d8f9c85b37505f
                                        • Opcode Fuzzy Hash: da3f077a29fb535c0215e66c898799e3c687099cadf2cd5f1bb7a77aed3b60d2
                                        • Instruction Fuzzy Hash: B561E574E0560A8FCB08CFA9C9809EEFBF2EF89350F24956AD415F7224D3309945CB65
                                        Strings
                                        Memory Dump Source
                                        • Source File: 00000001.00000002.1458312450.0000000000A10000.00000040.00000800.00020000.00000000.sdmp, Offset: 00A10000, based on PE: false
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_1_2_a10000_AVKlyo045S.jbxd
                                        Similarity
                                        • API ID:
                                        • String ID: IyB/
                                        • API String ID: 0-4125526954
                                        • Opcode ID: 156ee3a66f80d837bc50b94de1f3da34a360b5196fbf15910e509efa2e73b0f7
                                        • Instruction ID: f324c0be82626071605c51066774df85537edb91691d2e1ecb16d58334d21f82
                                        • Opcode Fuzzy Hash: 156ee3a66f80d837bc50b94de1f3da34a360b5196fbf15910e509efa2e73b0f7
                                        • Instruction Fuzzy Hash: 9D71D474E05609DFCB08CFAAC9809EEFBF2FB89350F24952AD415F7224D73099458B64
                                        Strings
                                        Memory Dump Source
                                        • Source File: 00000001.00000002.1458312450.0000000000A10000.00000040.00000800.00020000.00000000.sdmp, Offset: 00A10000, based on PE: false
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_1_2_a10000_AVKlyo045S.jbxd
                                        Similarity
                                        • API ID:
                                        • String ID: Dp0
                                        • API String ID: 0-4278393956
                                        • Opcode ID: bb10cbf5e9da441fc744abe3e0bfe72d28f78530ff0b04932d7a108824e84e47
                                        • Instruction ID: b1400a4816c67b664b764f52d1b121967cb4b61e62f0c9078952c82df7fcb72d
                                        • Opcode Fuzzy Hash: bb10cbf5e9da441fc744abe3e0bfe72d28f78530ff0b04932d7a108824e84e47
                                        • Instruction Fuzzy Hash: 1B41D4B0E0464A9FDB04CFAAC5815EEFBF2AF89310F24C06AC415E7254D7349A86CF94
                                        Strings
                                        Memory Dump Source
                                        • Source File: 00000001.00000002.1458312450.0000000000A10000.00000040.00000800.00020000.00000000.sdmp, Offset: 00A10000, based on PE: false
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_1_2_a10000_AVKlyo045S.jbxd
                                        Similarity
                                        • API ID:
                                        • String ID: w?.
                                        • API String ID: 0-2957672795
                                        • Opcode ID: 07ba41e7b59ba11d0032e4c9f7ff65ce116687f93d689bb95d81698202ffd998
                                        • Instruction ID: 9795c498056af2118df10fa7a1171f175c6d67601e59377fb96c28bf12e0c9eb
                                        • Opcode Fuzzy Hash: 07ba41e7b59ba11d0032e4c9f7ff65ce116687f93d689bb95d81698202ffd998
                                        • Instruction Fuzzy Hash: D021E671E056189BEB58CF6AD84079EFBF3BFC9300F14C0AAD458A7264DB344A858F51
                                        Memory Dump Source
                                        • Source File: 00000001.00000002.1458312450.0000000000A10000.00000040.00000800.00020000.00000000.sdmp, Offset: 00A10000, based on PE: false
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_1_2_a10000_AVKlyo045S.jbxd
                                        Similarity
                                        • API ID:
                                        • String ID:
                                        • API String ID:
                                        • Opcode ID: 8a9b06f8a112b0f4a40d11cdfd0a488b4b1188b0f85e59292e593d64f1ad6749
                                        • Instruction ID: 44f5f6d266bb6e25f0fabf615ac8d701f8d10be8d479b32bff8ef78d2185106e
                                        • Opcode Fuzzy Hash: 8a9b06f8a112b0f4a40d11cdfd0a488b4b1188b0f85e59292e593d64f1ad6749
                                        • Instruction Fuzzy Hash: 7A81D074E11619CFCB44CFA9D5849DEBBF2FB88310F24955AE415AB320D334AA82CF91
                                        Memory Dump Source
                                        • Source File: 00000001.00000002.1458312450.0000000000A10000.00000040.00000800.00020000.00000000.sdmp, Offset: 00A10000, based on PE: false
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_1_2_a10000_AVKlyo045S.jbxd
                                        Similarity
                                        • API ID:
                                        • String ID:
                                        • API String ID:
                                        • Opcode ID: bfead80229e8982d22d28465b35b24c46e0fa9ae22daf3da44214d0b63786d3e
                                        • Instruction ID: 27aac4033ae752f99506b29b90db78ebd6dbd678dcf39cfda9b5e0837f793dc2
                                        • Opcode Fuzzy Hash: bfead80229e8982d22d28465b35b24c46e0fa9ae22daf3da44214d0b63786d3e
                                        • Instruction Fuzzy Hash: 4681EF74E14659CFCB44CFA9D5809DEBBF2FF88310F24856AD415AB220D334AA42CF91
                                        Memory Dump Source
                                        • Source File: 00000001.00000002.1458312450.0000000000A10000.00000040.00000800.00020000.00000000.sdmp, Offset: 00A10000, based on PE: false
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_1_2_a10000_AVKlyo045S.jbxd
                                        Similarity
                                        • API ID:
                                        • String ID:
                                        • API String ID:
                                        • Opcode ID: 36fddb46990a89d46f7baaf303be6238b8b50a8c65798a6175de48f3c0f65492
                                        • Instruction ID: 074c55aeb10374d480783c701f62b55eaef8acd72c783f75e09b51c6a476b20c
                                        • Opcode Fuzzy Hash: 36fddb46990a89d46f7baaf303be6238b8b50a8c65798a6175de48f3c0f65492
                                        • Instruction Fuzzy Hash: 9A71C074E50219CFCB44CFAAC58499EFBF2FB88320F249569E419AB210D334AA42CF50
                                        Memory Dump Source
                                        • Source File: 00000001.00000002.1458312450.0000000000A10000.00000040.00000800.00020000.00000000.sdmp, Offset: 00A10000, based on PE: false
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_1_2_a10000_AVKlyo045S.jbxd
                                        Similarity
                                        • API ID:
                                        • String ID:
                                        • API String ID:
                                        • Opcode ID: df69afd230bdbe4533967d5308d0f064e7b056eac5cd650344f01d6f0ea85be9
                                        • Instruction ID: 9bec810c8a65d56c6626c59f413763c4a9fec7f737258dae8224985ffce026a5
                                        • Opcode Fuzzy Hash: df69afd230bdbe4533967d5308d0f064e7b056eac5cd650344f01d6f0ea85be9
                                        • Instruction Fuzzy Hash: 2A612AB5E0420AEFCB14CFA6D5815EEFBB2BF89300F24816AD455E7255D3349A82CF54
                                        Memory Dump Source
                                        • Source File: 00000001.00000002.1458312450.0000000000A10000.00000040.00000800.00020000.00000000.sdmp, Offset: 00A10000, based on PE: false
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_1_2_a10000_AVKlyo045S.jbxd
                                        Similarity
                                        • API ID:
                                        • String ID:
                                        • API String ID:
                                        • Opcode ID: 683a9ec0bf980321fe0a446f1102225cf0b035542973759a1e12367fed6db3f0
                                        • Instruction ID: 34f93d1a464f75b55ad83a925873e16c5ae434a5b8703caf2927fff7675da2c9
                                        • Opcode Fuzzy Hash: 683a9ec0bf980321fe0a446f1102225cf0b035542973759a1e12367fed6db3f0
                                        • Instruction Fuzzy Hash: 0A510674E15619CFCB04CFA9C5808DEFBF2BF89310B248466E415A7255D3309E82CBA5
                                        Memory Dump Source
                                        • Source File: 00000001.00000002.1458312450.0000000000A10000.00000040.00000800.00020000.00000000.sdmp, Offset: 00A10000, based on PE: false
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_1_2_a10000_AVKlyo045S.jbxd
                                        Similarity
                                        • API ID:
                                        • String ID:
                                        • API String ID:
                                        • Opcode ID: 6389cbb972b6dfe18387e4b4eb9ac313c60caedcb265b9c75657759638a60de9
                                        • Instruction ID: bf4fcd1b4cc9aecf9c044839094dae5253de0b0d699fdf56b26b8ee7e3cc63c7
                                        • Opcode Fuzzy Hash: 6389cbb972b6dfe18387e4b4eb9ac313c60caedcb265b9c75657759638a60de9
                                        • Instruction Fuzzy Hash: FD51E5B0E0520A9FCB48CFA9C5815EEFBF2EF89310F24D56AC415A7214E7349A81CB94
                                        Memory Dump Source
                                        • Source File: 00000001.00000002.1458312450.0000000000A10000.00000040.00000800.00020000.00000000.sdmp, Offset: 00A10000, based on PE: false
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_1_2_a10000_AVKlyo045S.jbxd
                                        Similarity
                                        • API ID:
                                        • String ID:
                                        • API String ID:
                                        • Opcode ID: 3c9f5d6919dd077e50987011fa00c07210a9fa852a2e9553fd36452fe5f461d8
                                        • Instruction ID: 9458d1227f92bad5f43eb1d49292f599210fea8ae8ef806fabe5fb12b9d6244d
                                        • Opcode Fuzzy Hash: 3c9f5d6919dd077e50987011fa00c07210a9fa852a2e9553fd36452fe5f461d8
                                        • Instruction Fuzzy Hash: 6941D7B1E0520A9FCB44CFA9C5815EEFBF2BF89300F24C16AC415EB254D3349A45CBA9
                                        Memory Dump Source
                                        • Source File: 00000001.00000002.1458312450.0000000000A10000.00000040.00000800.00020000.00000000.sdmp, Offset: 00A10000, based on PE: false
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_1_2_a10000_AVKlyo045S.jbxd
                                        Similarity
                                        • API ID:
                                        • String ID:
                                        • API String ID:
                                        • Opcode ID: c79fed0984d5bdb3ebfa38193e333617a95f935b463ff3cdcc3227315114b312
                                        • Instruction ID: fbd100bb2f7124f8839de03b57c4afa091c6e4a5c0b5d006fde19719a9803396
                                        • Opcode Fuzzy Hash: c79fed0984d5bdb3ebfa38193e333617a95f935b463ff3cdcc3227315114b312
                                        • Instruction Fuzzy Hash: 4E41C5B1E0520ADBCB44CFA9C5815EEFBB2BF88300F24C56AC415FB254D7349A818B99
                                        Memory Dump Source
                                        • Source File: 00000001.00000002.1466530192.000000000A3A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 0A3A0000, based on PE: false
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_1_2_a3a0000_AVKlyo045S.jbxd
                                        Similarity
                                        • API ID:
                                        • String ID:
                                        • API String ID:
                                        • Opcode ID: 70e22f79dd2db7dcc81985f661669812a57962c909a62b153228bb68cb3a5587
                                        • Instruction ID: 466db12c689ddeb3782a23efdae53627573d01c237feae9cc9da8784d61e0879
                                        • Opcode Fuzzy Hash: 70e22f79dd2db7dcc81985f661669812a57962c909a62b153228bb68cb3a5587
                                        • Instruction Fuzzy Hash: E741B771E055299BDB68CF6AC8807DEFBB6BB99300F14C1AAD418E7254EB305A858F50
                                        Memory Dump Source
                                        • Source File: 00000001.00000002.1458312450.0000000000A10000.00000040.00000800.00020000.00000000.sdmp, Offset: 00A10000, based on PE: false
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_1_2_a10000_AVKlyo045S.jbxd
                                        Similarity
                                        • API ID:
                                        • String ID:
                                        • API String ID:
                                        • Opcode ID: 13452f397462cbbaf94031eb020575f22af06338ee3b4cedc6904185f89c8737
                                        • Instruction ID: 3a026a1e91ce842e4ced945a97d164d7444fc5ffc5a80948e03fba6806f58ad7
                                        • Opcode Fuzzy Hash: 13452f397462cbbaf94031eb020575f22af06338ee3b4cedc6904185f89c8737
                                        • Instruction Fuzzy Hash: FF41C7B1E0420A9FDF44CFAAC4805EEFBF2BB88300F24C169D415B7254E7349A858F94
                                        Memory Dump Source
                                        • Source File: 00000001.00000002.1466530192.000000000A3A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 0A3A0000, based on PE: false
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_1_2_a3a0000_AVKlyo045S.jbxd
                                        Similarity
                                        • API ID:
                                        • String ID:
                                        • API String ID:
                                        • Opcode ID: f372ad29866d969f469e80016e0474977693157bc2e585f32f22a19e1ae4de4f
                                        • Instruction ID: 84231e69bec382c6a06ab7fd588021e2db28634485565eb58ec52b2fded0423a
                                        • Opcode Fuzzy Hash: f372ad29866d969f469e80016e0474977693157bc2e585f32f22a19e1ae4de4f
                                        • Instruction Fuzzy Hash: 9D319A71E016699BDB58CF6AC8406DDBBB3BB89300F14C0BAD81CA7254DB304A858F54
                                        Memory Dump Source
                                        • Source File: 00000001.00000002.1458312450.0000000000A10000.00000040.00000800.00020000.00000000.sdmp, Offset: 00A10000, based on PE: false
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_1_2_a10000_AVKlyo045S.jbxd
                                        Similarity
                                        • API ID:
                                        • String ID:
                                        • API String ID:
                                        • Opcode ID: 5b87d2313249d323730cf0de73efb76da7e2b32c8f25e1964232214e834a5d17
                                        • Instruction ID: 3ebb83c2ada799e8ac1e12a9a3d9f7d622caa6fbfdef4eb876316f137d1aa7e6
                                        • Opcode Fuzzy Hash: 5b87d2313249d323730cf0de73efb76da7e2b32c8f25e1964232214e834a5d17
                                        • Instruction Fuzzy Hash: DC21E4B1E056189BEB18CFAAD9446DEBBF2BF89300F24D57AD404AB265DB304946CB44
                                        Memory Dump Source
                                        • Source File: 00000001.00000002.1466530192.000000000A3A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 0A3A0000, based on PE: false
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_1_2_a3a0000_AVKlyo045S.jbxd
                                        Similarity
                                        • API ID:
                                        • String ID:
                                        • API String ID:
                                        • Opcode ID: 256c12908e2c48b1c9aa0d0811ce4f7c701812f0d4e176012a53ccf3fa031f31
                                        • Instruction ID: f22918414b2ea7584a2b47eb70543bbe1964b7c5967ddac9dc8ec8bd7ab6f481
                                        • Opcode Fuzzy Hash: 256c12908e2c48b1c9aa0d0811ce4f7c701812f0d4e176012a53ccf3fa031f31
                                        • Instruction Fuzzy Hash: CD21B371E146559BDB5CCF6BDC406DEBBF7ABC4300F14C1BAD818A6214DB3445429F51
                                        Memory Dump Source
                                        • Source File: 00000001.00000002.1466530192.000000000A3A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 0A3A0000, based on PE: false
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_1_2_a3a0000_AVKlyo045S.jbxd
                                        Similarity
                                        • API ID:
                                        • String ID:
                                        • API String ID:
                                        • Opcode ID: 389e7430e3d5eaa501c8ca06f82c09e6caced9d535da42cdb62d5424fed70ed5
                                        • Instruction ID: 3e5b5e76509f666750478186e5432169d084f10eecda90ee84948b88defdc4eb
                                        • Opcode Fuzzy Hash: 389e7430e3d5eaa501c8ca06f82c09e6caced9d535da42cdb62d5424fed70ed5
                                        • Instruction Fuzzy Hash: 9F21EA71E146299BEB5CCF6BCD4069EBBF3ABC5304F14C0BAD418A6215DB3049468F40
                                        Memory Dump Source
                                        • Source File: 00000005.00000002.1457285329.00000000009B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 009B0000, based on PE: false
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_5_2_9b0000_AVKlyo045S.jbxd
                                        Similarity
                                        • API ID:
                                        • String ID:
                                        • API String ID:
                                        • Opcode ID: e7934217261ec653571435758875aa7a1ab52e06f0d531c2a047dd150512a833
                                        • Instruction ID: a0f18396b6368afa1cff5e5052335734ae92e8dca4df2b31264182b9047a84b4
                                        • Opcode Fuzzy Hash: e7934217261ec653571435758875aa7a1ab52e06f0d531c2a047dd150512a833
                                        • Instruction Fuzzy Hash: 7B82A174900229CFCB24DFA8D994BDDB7B5FF89314F1086AAD409AB265D730AE85CF50
                                        Memory Dump Source
                                        • Source File: 00000005.00000002.1457285329.00000000009B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 009B0000, based on PE: false
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_5_2_9b0000_AVKlyo045S.jbxd
                                        Similarity
                                        • API ID:
                                        • String ID:
                                        • API String ID:
                                        • Opcode ID: 7b98ea948889762be4a3e443767601249c7fdb946c274ae50f6cd5e5a0ef1c05
                                        • Instruction ID: 73811c7512ed1f7f9206f9a0a10e55787aa5a6064298f2acb4c566f3007f811f
                                        • Opcode Fuzzy Hash: 7b98ea948889762be4a3e443767601249c7fdb946c274ae50f6cd5e5a0ef1c05
                                        • Instruction Fuzzy Hash: 03318070905349AFDB02EB78E854B9D7BF1FBC5704F1086E9C0459B266E7705A09CB81
                                        Memory Dump Source
                                        • Source File: 00000005.00000002.1457285329.00000000009B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 009B0000, based on PE: false
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_5_2_9b0000_AVKlyo045S.jbxd
                                        Similarity
                                        • API ID:
                                        • String ID:
                                        • API String ID:
                                        • Opcode ID: bb4e0ae4110912bf834ff8134d9360621fd304f052af11834a1e6385fa58ecf7
                                        • Instruction ID: 0805b3afb986d51ed548f9db3c1e4562a2ad872bdfe768c8864936339337bb08
                                        • Opcode Fuzzy Hash: bb4e0ae4110912bf834ff8134d9360621fd304f052af11834a1e6385fa58ecf7
                                        • Instruction Fuzzy Hash: 0B213D31E052499FCF01DFA9D8509DEBFB1EF89700F4581AAD454BB2A2D730A946CF94
                                        Memory Dump Source
                                        • Source File: 00000005.00000002.1457285329.00000000009B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 009B0000, based on PE: false
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_5_2_9b0000_AVKlyo045S.jbxd
                                        Similarity
                                        • API ID:
                                        • String ID:
                                        • API String ID:
                                        • Opcode ID: 368571513b41306be7045e0ea47e4945bb4628a45ec02755d64321a71de14b81
                                        • Instruction ID: 458b8bcfc9e4ed1d0411e797f32f7aa920d4354a27da8f3cc27ddd8dc20b8817
                                        • Opcode Fuzzy Hash: 368571513b41306be7045e0ea47e4945bb4628a45ec02755d64321a71de14b81
                                        • Instruction Fuzzy Hash: A9115E74901709EFDB01EFA8E944B9D77F1FBC8704F108AA8D0059B269EBB05A09DF81
                                        Memory Dump Source
                                        • Source File: 00000005.00000002.1457285329.00000000009B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 009B0000, based on PE: false
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_5_2_9b0000_AVKlyo045S.jbxd
                                        Similarity
                                        • API ID:
                                        • String ID:
                                        • API String ID:
                                        • Opcode ID: 80c6871b8a8e820e6a0f91e1f0e9fc4214b2166809cc51bdb111d3f16e709857
                                        • Instruction ID: 8dbeeb428624a3d1b81a445588ba3a51e99eb65c2f77349dad83194940743308
                                        • Opcode Fuzzy Hash: 80c6871b8a8e820e6a0f91e1f0e9fc4214b2166809cc51bdb111d3f16e709857
                                        • Instruction Fuzzy Hash: 2CF08CB4D08289CFCF01CFA6D9247EEBBF0AB8A310F10506AC015B7251D778490ACFA0
                                        Memory Dump Source
                                        • Source File: 00000005.00000002.1457285329.00000000009B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 009B0000, based on PE: false
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_5_2_9b0000_AVKlyo045S.jbxd
                                        Similarity
                                        • API ID:
                                        • String ID:
                                        • API String ID:
                                        • Opcode ID: 186a70f3d7b7b223257be028418d8e2bc5f2df4108f2685c0bd09ca3da7ed746
                                        • Instruction ID: d45807b60d7127e73f4b92e29e08499a094a92de4f8638738118646eaba46c27
                                        • Opcode Fuzzy Hash: 186a70f3d7b7b223257be028418d8e2bc5f2df4108f2685c0bd09ca3da7ed746
                                        • Instruction Fuzzy Hash: 6401F670D09249DFCB46DFB8C954A9EBFB0BF46200F1446EEC455E7291E7708A44DB81
                                        Memory Dump Source
                                        • Source File: 00000005.00000002.1457285329.00000000009B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 009B0000, based on PE: false
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_5_2_9b0000_AVKlyo045S.jbxd
                                        Similarity
                                        • API ID:
                                        • String ID:
                                        • API String ID:

                                        Execution Graph

                                        Execution Coverage:26.3%
                                        Dynamic/Decrypted Code Coverage:100%
                                        Signature Coverage:0%
                                        Total number of Nodes:155
                                        Total number of Limit Nodes:2

                                        Control-flow Graph

                                        APIs
                                        • CreateProcessW.KERNELBASE(?,00000000,?,?,?,?,?,?,?,?), ref: 0A8B7657
                                        Strings
                                        Memory Dump Source
                                        • Source File: 00000006.00000002.1481716310.000000000A8B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 0A8B0000, based on PE: false
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_6_2_a8b0000_AVKlyo045S.jbxd
                                        Similarity
                                        • API ID: CreateProcess
                                        • String ID: u'&J$u'&J
                                        • API String ID: 963392458-2908061298

                                        Control-flow Graph

                                        APIs
                                        • CreateProcessW.KERNELBASE(?,00000000,?,?,?,?,?,?,?,?), ref: 0A8B7657
                                        Strings
                                        Memory Dump Source
                                        • Source File: 00000006.00000002.1481716310.000000000A8B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 0A8B0000, based on PE: false
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_6_2_a8b0000_AVKlyo045S.jbxd
                                        Similarity
                                        • API ID: CreateProcess
                                        • String ID: u'&J$u'&J
                                        • API String ID: 963392458-2908061298

                                        Control-flow Graph

                                        Strings
                                        Memory Dump Source
                                        • Source File: 00000006.00000002.1475024997.0000000000F40000.00000040.00000800.00020000.00000000.sdmp, Offset: 00F40000, based on PE: false
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_6_2_f40000_AVKlyo045S.jbxd
                                        Similarity
                                        • API ID:
                                        • String ID: VD.$cw]U$cw]U$cw]U
                                        • API String ID: 0-1336082564

                                        Control-flow Graph

                                        Strings
                                        Memory Dump Source
                                        • Source File: 00000006.00000002.1481716310.000000000A8B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 0A8B0000, based on PE: false
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_6_2_a8b0000_AVKlyo045S.jbxd
                                        Similarity
                                        • API ID:
                                        • String ID: u'&J
                                        • API String ID: 0-359724157

                                        Control-flow Graph

                                        APIs
                                        • NtWriteVirtualMemory.NTDLL(?,?,?,?,?), ref: 0A8B8748
                                        Strings
                                        Memory Dump Source
                                        • Source File: 00000006.00000002.1481716310.000000000A8B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 0A8B0000, based on PE: false
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_6_2_a8b0000_AVKlyo045S.jbxd
                                        Similarity
                                        • API ID: MemoryVirtualWrite
                                        • String ID: u'&J
                                        • API String ID: 3527976591-359724157

                                        Control-flow Graph

                                        APIs
                                        • NtWriteVirtualMemory.NTDLL(?,?,?,?,?), ref: 0A8B8748
                                        Strings
                                        Memory Dump Source
                                        • Source File: 00000006.00000002.1481716310.000000000A8B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 0A8B0000, based on PE: false
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_6_2_a8b0000_AVKlyo045S.jbxd
                                        Similarity
                                        • API ID: MemoryVirtualWrite
                                        • String ID: u'&J
                                        • API String ID: 3527976591-359724157

                                        Control-flow Graph

                                        APIs
                                        • NtReadVirtualMemory.NTDLL(?,?,?,?,?), ref: 0A8B8352
                                        Strings
                                        Memory Dump Source
                                        • Source File: 00000006.00000002.1481716310.000000000A8B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 0A8B0000, based on PE: false
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_6_2_a8b0000_AVKlyo045S.jbxd
                                        Similarity
                                        • API ID: MemoryReadVirtual
                                        • String ID: u'&J
                                        • API String ID: 2834387570-359724157

                                        Control-flow Graph

                                        APIs
                                        • NtSetContextThread.NTDLL(?,?), ref: 0A8B88CF
                                        Strings
                                        Memory Dump Source
                                        • Source File: 00000006.00000002.1481716310.000000000A8B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 0A8B0000, based on PE: false
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_6_2_a8b0000_AVKlyo045S.jbxd
                                        Similarity
                                        • API ID: ContextThread
                                        • String ID: u'&J
                                        • API String ID: 1591575202-359724157

                                        Control-flow Graph

                                        APIs
                                        • NtSetContextThread.NTDLL(?,?), ref: 0A8B88CF
                                        Strings
                                        Memory Dump Source
                                        • Source File: 00000006.00000002.1481716310.000000000A8B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 0A8B0000, based on PE: false
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_6_2_a8b0000_AVKlyo045S.jbxd
                                        Similarity
                                        • API ID: ContextThread
                                        • String ID: u'&J
                                        • API String ID: 1591575202-359724157
                                        APIs
                                        • NtResumeThread.NTDLL(?,?), ref: 0A8B84E1
                                        Strings
                                        Memory Dump Source
                                        • Source File: 00000006.00000002.1481716310.000000000A8B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 0A8B0000, based on PE: false
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_6_2_a8b0000_AVKlyo045S.jbxd
                                        Similarity
                                        • API ID: ResumeThread
                                        • String ID: u'&J
                                        • API String ID: 947044025-359724157
                                        APIs
                                        • NtResumeThread.NTDLL(?,?), ref: 0A8B84E1
                                        Strings
                                        Memory Dump Source
                                        • Source File: 00000006.00000002.1481716310.000000000A8B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 0A8B0000, based on PE: false
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_6_2_a8b0000_AVKlyo045S.jbxd
                                        Similarity
                                        • API ID: ResumeThread
                                        • String ID: u'&J
                                        • API String ID: 947044025-359724157
                                        Strings
                                        Memory Dump Source
                                        • Source File: 00000006.00000002.1475024997.0000000000F40000.00000040.00000800.00020000.00000000.sdmp, Offset: 00F40000, based on PE: false
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_6_2_f40000_AVKlyo045S.jbxd
                                        Similarity
                                        • API ID:
                                        • String ID: 4d$|E
                                        • API String ID: 0-4163207443
                                        Strings
                                        Memory Dump Source
                                        • Source File: 00000006.00000002.1475024997.0000000000F40000.00000040.00000800.00020000.00000000.sdmp, Offset: 00F40000, based on PE: false
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_6_2_f40000_AVKlyo045S.jbxd
                                        Similarity
                                        • API ID:
                                        • String ID: 4d$|E
                                        • API String ID: 0-4163207443
                                        Strings
                                        Memory Dump Source
                                        • Source File: 00000006.00000002.1475024997.0000000000F40000.00000040.00000800.00020000.00000000.sdmp, Offset: 00F40000, based on PE: false
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_6_2_f40000_AVKlyo045S.jbxd
                                        Similarity
                                        • API ID:
                                        • String ID: s]q
                                        • API String ID: 0-1442821580
                                        • Opcode ID: 801b2015091391ac485e4c8262350273cccadb262545f2616c259832e4fe32d7
                                        • Instruction ID: acdbbb84ea17fef8ad6086534459ba08c56ca8ea06a3c11d9464dac5e5d4cf7d
                                        • Opcode Fuzzy Hash: 801b2015091391ac485e4c8262350273cccadb262545f2616c259832e4fe32d7
                                        • Instruction Fuzzy Hash: B4C14871E01209DFCB08CF95C5809AEFBB2FF88340B25859AD805AB365D735E946DF94
                                        Strings
                                        Memory Dump Source
                                        • Source File: 00000006.00000002.1475024997.0000000000F40000.00000040.00000800.00020000.00000000.sdmp, Offset: 00F40000, based on PE: false
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_6_2_f40000_AVKlyo045S.jbxd
                                        Similarity
                                        • API ID:
                                        • String ID: K|@"
                                        • API String ID: 0-363044853
                                        • Opcode ID: 10f92c3d14db849c5d788763b509e3c5efcc73ccd6d077a9415928431db63992
                                        • Instruction ID: 20730cf9be09764136aec6f0f59918b4dbfe15259e5e91a2383524516dc17168
                                        • Opcode Fuzzy Hash: 10f92c3d14db849c5d788763b509e3c5efcc73ccd6d077a9415928431db63992
                                        • Instruction Fuzzy Hash: 65512771E042198FDB08CFAAC9406AEFBF2FF88300F24C56AD819B7254D7788A419F55
                                        Memory Dump Source
                                        • Source File: 00000006.00000002.1475024997.0000000000F40000.00000040.00000800.00020000.00000000.sdmp, Offset: 00F40000, based on PE: false
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_6_2_f40000_AVKlyo045S.jbxd
                                        Similarity
                                        • API ID:
                                        • String ID:
                                        • API String ID:
                                        • Opcode ID: 4788aa75d3dacdc412618c4c46c723377d5bab9db920d9a0507821bdbf3512b3
                                        • Instruction ID: a3e9021a45efacad50d029b4fd57229d8df41e691d51fa954981388dfdd63f82
                                        • Opcode Fuzzy Hash: 4788aa75d3dacdc412618c4c46c723377d5bab9db920d9a0507821bdbf3512b3
                                        • Instruction Fuzzy Hash: 0EB1E7B5E052198FDB44CFA9C980A9EBBF2FF89300F60812AE815BB354D7759A01DF54
                                        Memory Dump Source
                                        • Source File: 00000006.00000002.1475024997.0000000000F40000.00000040.00000800.00020000.00000000.sdmp, Offset: 00F40000, based on PE: false
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_6_2_f40000_AVKlyo045S.jbxd
                                        Similarity
                                        • API ID:
                                        • String ID:
                                        • API String ID:
                                        • Opcode ID: 8778ef2e38f85d49992dd9e7ce2b8f3477fa1d8dfa8fa09ead432a8f1a470ccc
                                        • Instruction ID: 2b6929f10bed7637b6f1ef83e032cae713819cf89ddbad5188848d6f9a3f5483
                                        • Opcode Fuzzy Hash: 8778ef2e38f85d49992dd9e7ce2b8f3477fa1d8dfa8fa09ead432a8f1a470ccc
                                        • Instruction Fuzzy Hash: F9A1C1B4E052198FCB08CFE9D984A9EBBF2FB89340F20952AD815BB354DB355906DB14
                                        Memory Dump Source
                                        • Source File: 00000006.00000002.1475024997.0000000000F40000.00000040.00000800.00020000.00000000.sdmp, Offset: 00F40000, based on PE: false
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_6_2_f40000_AVKlyo045S.jbxd
                                        Similarity
                                        • API ID:
                                        • String ID:
                                        • API String ID:
                                        • Opcode ID: 48d5ffe60ae89ed4cda73acd461f88ebbcd5f0ab133c056b598c1c5599c378f3
                                        • Instruction ID: b4b8d02597e76ff65fc71a8e70e8a144348b4ef1b26330608de8887f9867fb24
                                        • Opcode Fuzzy Hash: 48d5ffe60ae89ed4cda73acd461f88ebbcd5f0ab133c056b598c1c5599c378f3
                                        • Instruction Fuzzy Hash: 3C510871E142098FDB48CFAAC540AAEFFF2EFC9300F64D46AD915A7254D7348A419F94
                                        Memory Dump Source
                                        • Source File: 00000006.00000002.1475024997.0000000000F40000.00000040.00000800.00020000.00000000.sdmp, Offset: 00F40000, based on PE: false
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_6_2_f40000_AVKlyo045S.jbxd
                                        Similarity
                                        • API ID:
                                        • String ID:
                                        • API String ID:
                                        • Opcode ID: b1ac5bd0fe6e3bbc20f3d1a6da8c696f00b385ba2a7cc5a54a6614f37175709d
                                        • Instruction ID: 42f9eed1f28fe28d3500b73fa36527e0a92f0605d413cb8a0f6d5aff0c3144f6
                                        • Opcode Fuzzy Hash: b1ac5bd0fe6e3bbc20f3d1a6da8c696f00b385ba2a7cc5a54a6614f37175709d
                                        • Instruction Fuzzy Hash: 9251C5B5E112198FDB58CF96C9847DEBBB2BF88310F1481AAD809AB354DB345A85CF40
                                        Memory Dump Source
                                        • Source File: 00000006.00000002.1475024997.0000000000F40000.00000040.00000800.00020000.00000000.sdmp, Offset: 00F40000, based on PE: false
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_6_2_f40000_AVKlyo045S.jbxd
                                        Similarity
                                        • API ID:
                                        • String ID:
                                        • API String ID:
                                        • Opcode ID: 3f3b0377dbf3562a2ad6f64292692d2e8fac5b7114d45db653c36e7936ae78c3
                                        • Instruction ID: 408ac5e7f71f9f66945d3c061852ac83485f6f0103c22c15a2c41905c5f5c81e
                                        • Opcode Fuzzy Hash: 3f3b0377dbf3562a2ad6f64292692d2e8fac5b7114d45db653c36e7936ae78c3
                                        • Instruction Fuzzy Hash: 3221BDB1E006198BEB18CF6B9C406DEFAF7BFC9300F04C176D918A6268EB3445469E54
                                        Memory Dump Source
                                        • Source File: 00000006.00000002.1475024997.0000000000F40000.00000040.00000800.00020000.00000000.sdmp, Offset: 00F40000, based on PE: false
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_6_2_f40000_AVKlyo045S.jbxd
                                        Similarity
                                        • API ID:
                                        • String ID:
                                        • API String ID:
                                        • Opcode ID: 7739c2340fd79f16c5a954ab7ed7f4326210a5cdc712881134611506be1633fd
                                        • Instruction ID: 506b0960c435479f9afc0d7d3f282526c1007f30bcecc8a56e5836e2918a287d
                                        • Opcode Fuzzy Hash: 7739c2340fd79f16c5a954ab7ed7f4326210a5cdc712881134611506be1633fd
                                        • Instruction Fuzzy Hash: 372173B1E006188BEB18CFABD94479EFBF3AFC9310F14C16AD418A6268DB755946CF50

                                        Control-flow Graph (graph image not recoverable; basic blocks and edges kept from the graph data)
                                        • Block dd9469c-dd947af: calls VirtualProtect; branches to dd947b8-dd947f4 and to dd947b1-dd947b7
                                        • Block dd947b1-dd947b7: continues to dd947b8-dd947f4
                                        APIs
                                        • VirtualProtect.KERNELBASE(?,?,?,?), ref: 0DD9479F
                                        Strings
                                        Memory Dump Source
                                        • Source File: 00000006.00000002.1481925672.000000000DD90000.00000040.00000800.00020000.00000000.sdmp, Offset: 0DD90000, based on PE: false
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_6_2_dd90000_AVKlyo045S.jbxd
                                        Similarity
                                        • API ID: ProtectVirtual
                                        • String ID: u'&J
                                        • API String ID: 544645111-359724157

                                        Control-flow Graph (graph image not recoverable; basic blocks and edges kept from the graph data)
                                        • Block dd946db-dd947af: calls VirtualProtect; branches to dd947b8-dd947f4 and to dd947b1-dd947b7
                                        • Block dd947b1-dd947b7: continues to dd947b8-dd947f4
                                        APIs
                                        • VirtualProtect.KERNELBASE(?,?,?,?), ref: 0DD9479F
                                        Strings
                                        Memory Dump Source
                                        • Source File: 00000006.00000002.1481925672.000000000DD90000.00000040.00000800.00020000.00000000.sdmp, Offset: 0DD90000, based on PE: false
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_6_2_dd90000_AVKlyo045S.jbxd
                                        Similarity
                                        • API ID: ProtectVirtual
                                        • String ID: u'&J
                                        • API String ID: 544645111-359724157

                                        Control-flow Graph (graph image not recoverable; basic blocks and edges kept from the graph data)
                                        • Block a8b8558-a8b8612: calls VirtualAllocEx; branches to a8b861b-a8b8665 and to a8b8614-a8b861a
                                        • Block a8b8614-a8b861a: continues to a8b861b-a8b8665
                                        APIs
                                        • VirtualAllocEx.KERNELBASE(?,?,?,?,?), ref: 0A8B8602
                                        Strings
                                        Memory Dump Source
                                        • Source File: 00000006.00000002.1481716310.000000000A8B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 0A8B0000, based on PE: false
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_6_2_a8b0000_AVKlyo045S.jbxd
                                        Similarity
                                        • API ID: AllocVirtual
                                        • String ID: u'&J
                                        • API String ID: 4275171209-359724157

                                        Control-flow Graph (graph image not recoverable; basic blocks and edges kept from the graph data)
                                        • Block a8b8550-a8b8612: calls VirtualAllocEx; branches to a8b861b-a8b8665 and to a8b8614-a8b861a
                                        • Block a8b8614-a8b861a: continues to a8b861b-a8b8665
                                        APIs
                                        • VirtualAllocEx.KERNELBASE(?,?,?,?,?), ref: 0A8B8602
                                        Strings
                                        Memory Dump Source
                                        • Source File: 00000006.00000002.1481716310.000000000A8B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 0A8B0000, based on PE: false
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_6_2_a8b0000_AVKlyo045S.jbxd
                                        Similarity
                                        • API ID: AllocVirtual
                                        • String ID: u'&J
                                        • API String ID: 4275171209-359724157

                                        Control-flow Graph (graph image not recoverable; basic blocks and edges kept from the graph data)
                                        • Block dd946f8-dd947af: calls VirtualProtect; branches to dd947b8-dd947f4 and to dd947b1-dd947b7
                                        • Block dd947b1-dd947b7: continues to dd947b8-dd947f4
                                        APIs
                                        • VirtualProtect.KERNELBASE(?,?,?,?), ref: 0DD9479F
                                        Strings
                                        Memory Dump Source
                                        • Source File: 00000006.00000002.1481925672.000000000DD90000.00000040.00000800.00020000.00000000.sdmp, Offset: 0DD90000, based on PE: false
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_6_2_dd90000_AVKlyo045S.jbxd
                                        Similarity
                                        • API ID: ProtectVirtual
                                        • String ID: u'&J
                                        • API String ID: 544645111-359724157

                                        Control-flow Graph (graph image not recoverable; basic blocks and edges kept from the graph data)
                                        • Block dd99c70-dd99d27: calls VirtualProtect; branches to dd99d29-dd99d2f and to dd99d30-dd99d6c
                                        • Block dd99d29-dd99d2f: continues to dd99d30-dd99d6c
                                        APIs
                                        • VirtualProtect.KERNELBASE(?,?,?,?), ref: 0DD99D17
                                        Strings
                                        Memory Dump Source
                                        • Source File: 00000006.00000002.1481925672.000000000DD90000.00000040.00000800.00020000.00000000.sdmp, Offset: 0DD90000, based on PE: false
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_6_2_dd90000_AVKlyo045S.jbxd
                                        Similarity
                                        • API ID: ProtectVirtual
                                        • String ID: u'&J
                                        • API String ID: 544645111-359724157
                                        Memory Dump Source
                                        • Source File: 00000006.00000002.1475024997.0000000000F40000.00000040.00000800.00020000.00000000.sdmp, Offset: 00F40000, based on PE: false
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_6_2_f40000_AVKlyo045S.jbxd
                                        Similarity
                                        • API ID:
                                        • String ID:
                                        • API String ID:
                                        • Opcode ID: 4beed83ced48127cb5379d8463426802e984d8631ee2ffd1c13dc0edbef6d754
                                        • Instruction ID: 4f96a376970a622197b8482e28ecd88bc29b20326670201e37906ed82da0e9dc
                                        • Opcode Fuzzy Hash: 4beed83ced48127cb5379d8463426802e984d8631ee2ffd1c13dc0edbef6d754
                                        • Instruction Fuzzy Hash: 22F0DA70D026188BEB54DFA9C95178DBBF2FB88300F20D5A9D41CA7354D6304A418F50
                                        Memory Dump Source
                                        • Source File: 00000006.00000002.1475024997.0000000000F40000.00000040.00000800.00020000.00000000.sdmp, Offset: 00F40000, based on PE: false
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_6_2_f40000_AVKlyo045S.jbxd
                                        Similarity
                                        • API ID:
                                        • String ID:
                                        • API String ID:
                                        • Opcode ID: ce1d57bb031add7cc0665bb052bbe3c58637b5939abddfb679e22baf7bd2bd56
                                        • Instruction ID: dcd7e77c85c47d77330884776dbe73a69faeecd2380e0dd277c134ebe518010a
                                        • Opcode Fuzzy Hash: ce1d57bb031add7cc0665bb052bbe3c58637b5939abddfb679e22baf7bd2bd56
                                        • Instruction Fuzzy Hash: 3FF039B0D00318DFCB04DFA8D800AAEBBB1FB09301F5085AAE818A3310D3709A44DF80
                                        Memory Dump Source
                                        • Source File: 00000006.00000002.1475024997.0000000000F40000.00000040.00000800.00020000.00000000.sdmp, Offset: 00F40000, based on PE: false
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_6_2_f40000_AVKlyo045S.jbxd
                                        Similarity
                                        • API ID:
                                        • String ID:
                                        • API String ID:
                                        • Opcode ID: 9ab291c687ce98036020934e2f8497a4c27080d117638e240f8d5d6e10894a5d
                                        • Instruction ID: b7b1756f03edb683eda45807bea5a5452adbe6d2ac971af1774f83f79d023d2b
                                        • Opcode Fuzzy Hash: 9ab291c687ce98036020934e2f8497a4c27080d117638e240f8d5d6e10894a5d
                                        • Instruction Fuzzy Hash: DFF058B1A04264DFCB10CBA5CD84B48BBB3BB8A200F0880DA9409A7260D7308E41DF12
                                        Memory Dump Source
                                        • Source File: 00000006.00000002.1475024997.0000000000F40000.00000040.00000800.00020000.00000000.sdmp, Offset: 00F40000, based on PE: false
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_6_2_f40000_AVKlyo045S.jbxd
                                        Similarity
                                        • API ID:
                                        • String ID:
                                        • API String ID:
                                        • Opcode ID: 5f5725d6345fcec6e9985ef2b80d6b913dab8a6fe865519865d74bf0844b2a6b
                                        • Instruction ID: 027344807c20cac991cfbc680aae5b95d302ec1bfee95af3acd752cb63fd0bde
                                        • Opcode Fuzzy Hash: 5f5725d6345fcec6e9985ef2b80d6b913dab8a6fe865519865d74bf0844b2a6b
                                        • Instruction Fuzzy Hash: ADE0B639602744CFC755CB61C6449497B72FF49316B604499E40A9B264CB35DA81CF00
                                        Memory Dump Source
                                        • Source File: 00000006.00000002.1475024997.0000000000F40000.00000040.00000800.00020000.00000000.sdmp, Offset: 00F40000, based on PE: false
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_6_2_f40000_AVKlyo045S.jbxd
                                        Similarity
                                        • API ID:
                                        • String ID:
                                        • API String ID:
                                        • Opcode ID: 7513aca51d0bd40f930273470e5d1a8c8c4a9d55fd02544d9aae47af8784492a
                                        • Instruction ID: dec086ce1c153f7ad466f2904c45ae0e52610fc5cbada32d1ea1bb24d6af7cdd
                                        • Opcode Fuzzy Hash: 7513aca51d0bd40f930273470e5d1a8c8c4a9d55fd02544d9aae47af8784492a
                                        • Instruction Fuzzy Hash: FFE0EC74E051189FDB24DF64C991B4DBBF2BFC5310F2496E5D508AB358D7309A419F10
                                        Memory Dump Source
                                        • Source File: 00000006.00000002.1475024997.0000000000F40000.00000040.00000800.00020000.00000000.sdmp, Offset: 00F40000, based on PE: false
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_6_2_f40000_AVKlyo045S.jbxd
                                        Similarity
                                        • API ID:
                                        • String ID:
                                        • API String ID:
                                        • Opcode ID: 11e7666fb600c477dfa743677289ca30d49bcbbac79944e7c2d313c1369e28b5
                                        • Instruction ID: 8068cd1d3f1ec7c91c6a0a085a7dda7c20ab969b575e8b24ae195ae9a056d40e
                                        • Opcode Fuzzy Hash: 11e7666fb600c477dfa743677289ca30d49bcbbac79944e7c2d313c1369e28b5
                                        • Instruction Fuzzy Hash: 98D05E30C102099FCB05CFA4D9409C8BBF0FB88300F009B56D009E7214E3B096859F40
                                        Memory Dump Source
                                        • Source File: 00000006.00000002.1475024997.0000000000F40000.00000040.00000800.00020000.00000000.sdmp, Offset: 00F40000, based on PE: false
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_6_2_f40000_AVKlyo045S.jbxd
                                        Similarity
                                        • API ID:
                                        • String ID:
                                        • API String ID:
                                        • Opcode ID: 7eb88c07d9ff734f519a116b9c84a5727571af035674a9f7b53cb174992941bb
                                        • Instruction ID: e9cc1d77a57786eb2fa799fe935dd6eff0d1885571dbef8210a4123dd86452bd
                                        • Opcode Fuzzy Hash: 7eb88c07d9ff734f519a116b9c84a5727571af035674a9f7b53cb174992941bb
                                        • Instruction Fuzzy Hash: 37D09275502354CFC719CF21DA94A997B72FF09302F1191ABE80A6B321CB36DA85CF00
                                        Strings
                                        Memory Dump Source
                                        • Source File: 00000006.00000002.1475024997.0000000000F40000.00000040.00000800.00020000.00000000.sdmp, Offset: 00F40000, based on PE: false
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_6_2_f40000_AVKlyo045S.jbxd
                                        Similarity
                                        • API ID:
                                        • String ID: *($*($*($*($*($*($*($8T$:+$P
                                        • API String ID: 0-2735395481
                                        • Opcode ID: 47d8e835b4b53266aaae9a47a1544412f1663d6492a6c5ce5855b7a7daa406c0
                                        • Instruction ID: 2db3c5b53655aacdd740d1bcded2fcca93ff20e03d65813ed1da93c8c617d3ea
                                        • Opcode Fuzzy Hash: 47d8e835b4b53266aaae9a47a1544412f1663d6492a6c5ce5855b7a7daa406c0
                                        • Instruction Fuzzy Hash: F2A1FC70E112199FDF44DFA9D840A9DBBB2FF88710F10966AE419BB355DB30A946CF80
                                        Strings
                                        Memory Dump Source
                                        • Source File: 00000006.00000002.1475024997.0000000000F40000.00000040.00000800.00020000.00000000.sdmp, Offset: 00F40000, based on PE: false
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_6_2_f40000_AVKlyo045S.jbxd
                                        Similarity
                                        • API ID:
                                        • String ID: 0j$@k$\i$\i
                                        • API String ID: 0-3733338638
                                        • Opcode ID: 1ec31c1401fabdb93800dc0064268e1d902a4b126326b36f3a0bb96b708299d0
                                        • Instruction ID: 15aa04ef495fff76d4a9853a3ffb1fe572fbdce1e011b1bfcd0d7869076f5221
                                        • Opcode Fuzzy Hash: 1ec31c1401fabdb93800dc0064268e1d902a4b126326b36f3a0bb96b708299d0
                                        • Instruction Fuzzy Hash: 80818374A002099FDF04DFA8D580ACEBBF2FF88710F209266D519BB255DB71AD468F91
                                        Memory Dump Source
                                        • Source File: 0000000B.00000002.3913069542.0000000001790000.00000040.00000800.00020000.00000000.sdmp, Offset: 01790000, based on PE: false
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_11_2_1790000_AVKlyo045S.jbxd
                                        Similarity
                                        • API ID:
                                        • String ID:
                                        • API String ID:
                                        • Opcode ID: 353b67c917226e33030fca6515bf46770dda243ff04196ba8d6b7a096f72fbbc
                                        • Instruction ID: c61a715b629147287754831cd8e59ebcc75d1e0cabb833837b66ab1d445ab8e3
                                        • Opcode Fuzzy Hash: 353b67c917226e33030fca6515bf46770dda243ff04196ba8d6b7a096f72fbbc
                                        • Instruction Fuzzy Hash: 30829074A00229CFDB24DFA9D884BDDBBB5BF49314F1082E6D409AB265D770AE85CF50
                                        Memory Dump Source
                                        • Source File: 0000000B.00000002.3913069542.0000000001790000.00000040.00000800.00020000.00000000.sdmp, Offset: 01790000, based on PE: false
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_11_2_1790000_AVKlyo045S.jbxd
                                        Similarity
                                        • API ID:
                                        • String ID:
                                        • API String ID:
                                        • Opcode ID: 0f9c6b69b29bf4e2a49bb868068de9a74eaac49ad756681f7dd84b93067b6eb4
                                        • Instruction ID: cd63c7757c65360a3f080b72b3f33b4912f2ffc7b040a208df78400b4783abf2
                                        • Opcode Fuzzy Hash: 0f9c6b69b29bf4e2a49bb868068de9a74eaac49ad756681f7dd84b93067b6eb4
                                        • Instruction Fuzzy Hash: E9629D74A01229CFDB24CF69C984B99BBF1BF4A310F5082E5D449AB365D730AE85CF51
                                        Memory Dump Source
                                        • Source File: 0000000B.00000002.3913069542.0000000001790000.00000040.00000800.00020000.00000000.sdmp, Offset: 01790000, based on PE: false
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_11_2_1790000_AVKlyo045S.jbxd
                                        Similarity
                                        • API ID:
                                        • String ID:
                                        • API String ID:
                                        • Opcode ID: 8337e9a1276aed28347e7440d068df97550e295d95d2a5c0861a89bcd417466e
                                        • Instruction ID: 77e9bc52614fef5f281f32ac103006e3ef601fafbbff80f31d8de61e343d59c6
                                        • Opcode Fuzzy Hash: 8337e9a1276aed28347e7440d068df97550e295d95d2a5c0861a89bcd417466e
                                        • Instruction Fuzzy Hash: 01229D74A01229CFDB24CF69C984B99BBF1BF8A310F5082E5D449AB365D730AE85CF51
                                        Memory Dump Source
                                        • Source File: 0000000B.00000002.3913069542.0000000001790000.00000040.00000800.00020000.00000000.sdmp, Offset: 01790000, based on PE: false
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_11_2_1790000_AVKlyo045S.jbxd
                                        Similarity
                                        • API ID:
                                        • String ID:
                                        • API String ID:
                                        • Opcode ID: da42b4a28aa5006b9d6b825a18f11822b25188b0c957046d4486ccb3fc030339
                                        • Instruction ID: aac8387c10069400930e5bc57388c22799c81c4e4968d5e3cba524650a0b2842
                                        • Opcode Fuzzy Hash: da42b4a28aa5006b9d6b825a18f11822b25188b0c957046d4486ccb3fc030339
                                        • Instruction Fuzzy Hash: 9612B3B4A00229CFDB24CFA9D884BDDBBB5FF49314F5082E6D419AB265D7309A85CF50
                                        Memory Dump Source
                                        • Source File: 0000000B.00000002.3913069542.0000000001790000.00000040.00000800.00020000.00000000.sdmp, Offset: 01790000, based on PE: false
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_11_2_1790000_AVKlyo045S.jbxd
                                        Similarity
                                        • API ID:
                                        • String ID:
                                        • API String ID:
                                        • Opcode ID: ca3132af63f75b3516dd5052038a45841af46d904e777dabb7823df97f71eed4
                                        • Instruction ID: 99d18acdc49f84bcf4921e6627d3bce817d75c6c395fd8fce2a036d58c19e6c1
                                        • Opcode Fuzzy Hash: ca3132af63f75b3516dd5052038a45841af46d904e777dabb7823df97f71eed4
                                        • Instruction Fuzzy Hash: BBE1F174A00209CFDB18DFA9D584A9EBBF2FF89310F2085A9D405AB365DB35AD46CF50
                                        Memory Dump Source
                                        • Source File: 0000000B.00000002.3913069542.0000000001790000.00000040.00000800.00020000.00000000.sdmp, Offset: 01790000, based on PE: false
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_11_2_1790000_AVKlyo045S.jbxd
                                        Similarity
                                        • API ID:
                                        • String ID:
                                        • API String ID:
                                        • Opcode ID: 198b08660cdee3bcab9635f3e7a6d163e02235ae2b39d46f8c21ef11d1cd7301
                                        • Instruction ID: 4ecad15d57d0f2db0b2a211b75af9a921c24956a0c0bbec37aef49d9b9026433
                                        • Opcode Fuzzy Hash: 198b08660cdee3bcab9635f3e7a6d163e02235ae2b39d46f8c21ef11d1cd7301
                                        • Instruction Fuzzy Hash: 6FB18C75E003198FDB14CFA9D584ADDFBF2BF89310F2591A9D409AB261D730AA86CF40
                                        Memory Dump Source
                                        • Source File: 0000000B.00000002.3913069542.0000000001790000.00000040.00000800.00020000.00000000.sdmp, Offset: 01790000, based on PE: false
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_11_2_1790000_AVKlyo045S.jbxd
                                        Similarity
                                        • API ID:
                                        • String ID:
                                        • API String ID:
                                        • Opcode ID: d8c9c6c89d02b91be443ac240b10d2476d5eccea8cee9dcedaf8fa5a17448b13
                                        • Instruction ID: b61279fde99e642bbb5bd326f1d46145f1368d891ddceef9d0c28b5f19975dda
                                        • Opcode Fuzzy Hash: d8c9c6c89d02b91be443ac240b10d2476d5eccea8cee9dcedaf8fa5a17448b13
                                        • Instruction Fuzzy Hash: 166138B0C093889FDF16DFA9D850ADDBFF1AF4A310F14809AE844AB252D7745949CF64
                                        Memory Dump Source
                                        • Source File: 0000000B.00000002.3913069542.0000000001790000.00000040.00000800.00020000.00000000.sdmp, Offset: 01790000, based on PE: false
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_11_2_1790000_AVKlyo045S.jbxd
                                        Similarity
                                        • API ID:
                                        • String ID:
                                        • API String ID:
                                        • Opcode ID: 4d76b00ce28e7f9e80f9dd5a8cc743ea659952db444be2542c56a0427f09105b
                                        • Instruction ID: 68dbb8cb6b9fd0e6626a2da0ceafcf4b4a2b4f11411c4de65751153e3bc29a54
                                        • Opcode Fuzzy Hash: 4d76b00ce28e7f9e80f9dd5a8cc743ea659952db444be2542c56a0427f09105b
                                        • Instruction Fuzzy Hash: 2151F1B0D052889FDF11DFA9D890AEEFFF1AF4A300F24906AE804AB252D7749945CF54
                                        Memory Dump Source
                                        • Source File: 0000000B.00000002.3913069542.0000000001790000.00000040.00000800.00020000.00000000.sdmp, Offset: 01790000, based on PE: false
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_11_2_1790000_AVKlyo045S.jbxd
                                        Similarity
                                        • API ID:
                                        • String ID:
                                        • API String ID:
                                        • Opcode ID: f2c5ce27afb82c91df14a7acfb3c43b0cb87a2a3e2e427665f7eb99bf2305070
                                        • Instruction ID: 70e4d1f67082fcffaff19decdb37fa4633fdec9130774e73d2929ac5aa461bc7
                                        • Opcode Fuzzy Hash: f2c5ce27afb82c91df14a7acfb3c43b0cb87a2a3e2e427665f7eb99bf2305070
                                        • Instruction Fuzzy Hash: D6717E319093D5AFDB07DBB8D8605D9BFB1AF86610B0A41C7C080DF2A3D731994AC7A6
                                        Memory Dump Source
                                        • Source File: 0000000B.00000002.3913069542.0000000001790000.00000040.00000800.00020000.00000000.sdmp, Offset: 01790000, based on PE: false
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_11_2_1790000_AVKlyo045S.jbxd
                                        Similarity
                                        • API ID:
                                        • String ID:
                                        • API String ID:
                                        • Opcode ID: 45ce17bc5b15e8af274ee6fb4a538d6f404d129018a5bf5eff3e798a1fed5d85
                                        • Instruction ID: 336ba288bf632f99cfad3ef14cc18825e0dc6801f022d859a9754dc7c299676d
                                        • Opcode Fuzzy Hash: 45ce17bc5b15e8af274ee6fb4a538d6f404d129018a5bf5eff3e798a1fed5d85
                                        • Instruction Fuzzy Hash: 8EE19074E04218CFDB14CFA9D984A9DFBF5BF49314F1482A6D819AB369D730A94ACF40
                                        Memory Dump Source
                                        • Source File: 0000000B.00000002.3913069542.0000000001790000.00000040.00000800.00020000.00000000.sdmp, Offset: 01790000, based on PE: false
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_11_2_1790000_AVKlyo045S.jbxd
                                        Similarity
                                        • API ID:
                                        • String ID:
                                        • API String ID:
                                        • Opcode ID: a379c12cb151b2ca7f6709504050d1da0f174c8fc3a1421e828c9b04c31761bf
                                        • Instruction ID: 4dd9c16be517a205d76fa50445d4061571e7d1c516f0d766c889fddc5a8431a3
                                        • Opcode Fuzzy Hash: a379c12cb151b2ca7f6709504050d1da0f174c8fc3a1421e828c9b04c31761bf
                                        • Instruction Fuzzy Hash: 8B519E31909395AFDB02EF78D8609DDBFF1BF86210B0641D7C4949B263D3309949CBAA
                                        Memory Dump Source
                                        • Source File: 0000000B.00000002.3913069542.0000000001790000.00000040.00000800.00020000.00000000.sdmp, Offset: 01790000, based on PE: false
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_11_2_1790000_AVKlyo045S.jbxd
                                        Similarity
                                        • API ID:
                                        • String ID:
                                        • API String ID:
                                        • Opcode ID: 0e172d2f2a0051a0e523b13ed8adfb2caf9c069958e32b850646bae3a0ef79e2
                                        • Instruction ID: 405ee16e1e70f82a7b2aac40c0f3e84a952a23c101ce6dfca4385a9dfdca7eb0
                                        • Opcode Fuzzy Hash: 0e172d2f2a0051a0e523b13ed8adfb2caf9c069958e32b850646bae3a0ef79e2
                                        • Instruction Fuzzy Hash: 4ED1B074A00259CFDB14CFA8D584ADDFBF2BF89314F1582A5E409AB369D770A989CF40
                                        Memory Dump Source
                                        • Source File: 0000000B.00000002.3913069542.0000000001790000.00000040.00000800.00020000.00000000.sdmp, Offset: 01790000, based on PE: false
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_11_2_1790000_AVKlyo045S.jbxd
                                        Similarity
                                        • API ID:
                                        • String ID:
                                        • API String ID:
                                        • Opcode ID: 3154c6d657831add3b2f877fc4abe6eea187e893b937f947b08667f1e5cf6fd3
                                        • Instruction ID: 11128f7c7d2037a0d1ff62f9659ef747e027348e002b8929a4e1bd6d835a1cff
                                        • Opcode Fuzzy Hash: 3154c6d657831add3b2f877fc4abe6eea187e893b937f947b08667f1e5cf6fd3
                                        • Instruction Fuzzy Hash: ADC1A178A00259CFDB14CFA8D984A9DFBF1BF89310F158295D409AB36AD770AD89CF50
                                        Memory Dump Source
                                        • Source File: 0000000B.00000002.3913069542.0000000001790000.00000040.00000800.00020000.00000000.sdmp, Offset: 01790000, based on PE: false
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_11_2_1790000_AVKlyo045S.jbxd
                                        Similarity
                                        • API ID:
                                        • String ID:
                                        • API String ID:
                                        • Opcode ID: f50245904f78c45806cf0dbdde6277639395349097dc9798856351c5457f1d8b
                                        • Instruction ID: 7d4a82b090a526770e5bd8a9214d0ae9f0476da4cb7c31ca14896bafd45a1ef0
                                        • Opcode Fuzzy Hash: f50245904f78c45806cf0dbdde6277639395349097dc9798856351c5457f1d8b
                                        • Instruction Fuzzy Hash: E491F574A00209CFDB19DFB8D594A9DBBB2FF89300F2081A9D405AB365DB35AD86CF54
                                        Memory Dump Source
                                        • Source File: 0000000B.00000002.3913069542.0000000001790000.00000040.00000800.00020000.00000000.sdmp, Offset: 01790000, based on PE: false
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_11_2_1790000_AVKlyo045S.jbxd
                                        Similarity
                                        • API ID:
                                        • String ID:
                                        • API String ID:
                                        • Opcode ID: 800876d4ca10ef546a9cbe7cd647887976332ae4705dc75d88558116a370fd5c
                                        • Instruction ID: d62915c89a811dc59c78506f16c8cdc9346e870eaccc12919153eb9e5ac2f687
                                        • Opcode Fuzzy Hash: 800876d4ca10ef546a9cbe7cd647887976332ae4705dc75d88558116a370fd5c
                                        • Instruction Fuzzy Hash: BAA1A2B4A00229CFCB24CF99D884BD9B7B1FF89314F5081E6D419AB365E730AA85CF50
                                        Memory Dump Source
                                        • Source File: 0000000B.00000002.3913069542.0000000001790000.00000040.00000800.00020000.00000000.sdmp, Offset: 01790000, based on PE: false
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_11_2_1790000_AVKlyo045S.jbxd
                                        Similarity
                                        • API ID:
                                        • String ID:
                                        • API String ID:
                                        • Opcode ID: 5d3ead24c76c5edb4bffef31ae3b96eadae0cc111e6ddae4fe6c36e9b57943b5
                                        • Instruction ID: 8ac20f5343f70cdb9508ca851b3c5127d26381434ab85660a9e1141c25558e32
                                        • Opcode Fuzzy Hash: 5d3ead24c76c5edb4bffef31ae3b96eadae0cc111e6ddae4fe6c36e9b57943b5
                                        • Instruction Fuzzy Hash: 0161BE74E04218CFDB18CFA9D884AEDFBB2FF89310F1481A9E415AB365D730A946CB50
                                        Memory Dump Source
                                        • Source File: 0000000B.00000002.3913069542.0000000001790000.00000040.00000800.00020000.00000000.sdmp, Offset: 01790000, based on PE: false
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_11_2_1790000_AVKlyo045S.jbxd
                                        Similarity
                                        • API ID:
                                        • String ID:
                                        • API String ID:
                                        • Opcode ID: 58ea63b2e0ae5f35ccfeccc0e45bd4fcd21d147ac6bb3e4bc505afa4b40ea518
                                        • Instruction ID: 6102b8fac1dcae7daecf88c3abea2fefef11c2ee0e6afb144d4c116981f2b949
                                        • Opcode Fuzzy Hash: 58ea63b2e0ae5f35ccfeccc0e45bd4fcd21d147ac6bb3e4bc505afa4b40ea518
                                        • Instruction Fuzzy Hash: 8E41CBB4D052489FDF10DFAAD880AEEFBF1AF49300F24902AE818BB250DB749945CF54
                                        Memory Dump Source
                                        • Source File: 0000000C.00000002.1468220130.0000000002D10000.00000040.00000800.00020000.00000000.sdmp, Offset: 02D10000, based on PE: false
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_12_2_2d10000_AVKlyo045S.jbxd
                                        Similarity
                                        • API ID:
                                        • String ID:
                                        • API String ID:
                                        • Opcode ID: c2c7f0f25577c4896cf1754b406eeb8305ada6e9c5770d229638c7239221e750
                                        • Instruction ID: 8e2c5ad987f5493823f0d687a1e9faf4791cc4c9b318582d5f4a088c133e01d9
                                        • Opcode Fuzzy Hash: c2c7f0f25577c4896cf1754b406eeb8305ada6e9c5770d229638c7239221e750
                                        • Instruction Fuzzy Hash: 08317031909389EFDB02EB64E8586993FF1FF46704B0445E6C5408F267EB342949DB92
                                        Memory Dump Source
                                        • Source File: 0000000C.00000002.1468220130.0000000002D10000.00000040.00000800.00020000.00000000.sdmp, Offset: 02D10000, based on PE: false
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_12_2_2d10000_AVKlyo045S.jbxd
                                        Similarity
                                        • API ID:
                                        • String ID:
                                        • API String ID:
                                        • Opcode ID: e25156625701c8d54842062df41ba165adc372cff83f315d63e38478b9f9057d
                                        • Instruction ID: bcd1ec10579ca751f952a6e4ca5380625d851d56c4bcf0cf339987509c7e0faa
                                        • Opcode Fuzzy Hash: e25156625701c8d54842062df41ba165adc372cff83f315d63e38478b9f9057d
                                        • Instruction Fuzzy Hash: 28215930E0024D9FCF01DFA8D444AEDBBB5FF8A710F8581A6D550BB262DB30A946CB94
                                        Memory Dump Source
                                        • Source File: 0000000C.00000002.1468220130.0000000002D10000.00000040.00000800.00020000.00000000.sdmp, Offset: 02D10000, based on PE: false
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_12_2_2d10000_AVKlyo045S.jbxd
                                        Similarity
                                        • API ID:
                                        • String ID:
                                        • API String ID:
                                        • Opcode ID: 1a4be85c544cec88863bf0b88bbfd3da49c8fafe27fea8dd2783d5d7a4237228
                                        • Instruction ID: c0394cacedf08bcff38222be869f0a53ed5a1a6f99c05db8d5fc90a9ad032d94
                                        • Opcode Fuzzy Hash: 1a4be85c544cec88863bf0b88bbfd3da49c8fafe27fea8dd2783d5d7a4237228
                                        • Instruction Fuzzy Hash: E4110A7190020DEFDB01FF64E948A9E77F5FB84B04F008AA8D1049B365EB706A45EF91
                                        Memory Dump Source
                                        • Source File: 0000000C.00000002.1468220130.0000000002D10000.00000040.00000800.00020000.00000000.sdmp, Offset: 02D10000, based on PE: false
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_12_2_2d10000_AVKlyo045S.jbxd
                                        Similarity
                                        • API ID:
                                        • String ID:
                                        • API String ID:
                                        • Opcode ID: 711abeb81746644bbc4990c903f123f7e08eaa8473edc44c07b12d71e091c9aa
                                        • Instruction ID: 553f924b976adae19a94d3ada570adcbfd30bb7d745ef5b07f249484085e0257
                                        • Opcode Fuzzy Hash: 711abeb81746644bbc4990c903f123f7e08eaa8473edc44c07b12d71e091c9aa
                                        • Instruction Fuzzy Hash: 3CF03775D08249ABDF00DFA6E5043EEBBF4EB4A310F00916AD555B7241DB789A09CFA4
                                        Memory Dump Source
                                        • Source File: 0000000C.00000002.1468220130.0000000002D10000.00000040.00000800.00020000.00000000.sdmp, Offset: 02D10000, based on PE: false
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_12_2_2d10000_AVKlyo045S.jbxd
                                        Similarity
                                        • API ID:
                                        • String ID:
                                        • API String ID:
                                        • Opcode ID: 8fced465b0682d4dac0794bf763b51037b7e966ffebf3e670229c45bf53743c5
                                        • Instruction ID: 6365cc5e08be3de4e468798be3f95e7a733a4dd89c6b06de293158086a1c0679
                                        • Opcode Fuzzy Hash: 8fced465b0682d4dac0794bf763b51037b7e966ffebf3e670229c45bf53743c5
                                        • Instruction Fuzzy Hash: C201F670D09249DFCB05DFA8C8545ADBBB4FF46200F1445EAC495A72A2EB305A45DB81
                                        Memory Dump Source
                                        • Source File: 0000000C.00000002.1468220130.0000000002D10000.00000040.00000800.00020000.00000000.sdmp, Offset: 02D10000, based on PE: false
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_12_2_2d10000_AVKlyo045S.jbxd
                                        Similarity
                                        • API ID:
                                        • String ID:
                                        • API String ID:
                                        • Opcode ID: 4697589ebef0e49fde9db93d065af66bc42b25139c0ffad7486f23f6d6b9b9b5
                                        • Instruction ID: bca68d1d58badc710ae677065917459580f7c89e699e8aa44fe1a3bdc3d43c16
                                        • Opcode Fuzzy Hash: 4697589ebef0e49fde9db93d065af66bc42b25139c0ffad7486f23f6d6b9b9b5
                                        • Instruction Fuzzy Hash: 86F0B7B0D0020DDFCB45EFA8D544AAEBBB4FF05304F1045AAC415A7390EB709A44DB80

                                        Execution Graph

                                        Execution Coverage: 21.1%
                                        Dynamic/Decrypted Code Coverage: 100%
                                        Signature Coverage: 0%
                                        Total number of Nodes: 188
                                        Total number of Limit Nodes: 8
                                        execution_graph 6521 66a8aea 6522 66a8a61 6521->6522 6522->6521 6526 66a8458 6522->6526 6530 66a8450 6522->6530 6523 66a999f 6527 66a849c NtResumeThread 6526->6527 6529 66a84f3 6527->6529 6529->6523 6531 66a8458 NtResumeThread 6530->6531 6533 66a84f3 6531->6533 6533->6523 6534 66a966c 6535 66a9678 6534->6535 6539 66a8678 6535->6539 6543 66a8671 6535->6543 6536 66a96eb 6540 66a86c1 NtWriteVirtualMemory 6539->6540 6542 66a875a 6540->6542 6542->6536 6544 66a86c1 NtWriteVirtualMemory 6543->6544 6546 66a875a 6544->6546 6546->6536 6547 66a6b6d 6548 66a6b79 6547->6548 6550 66a8678 NtWriteVirtualMemory 6548->6550 6551 66a8671 NtWriteVirtualMemory 6548->6551 6549 66a6c13 6550->6549 6551->6549 6552 66aa4e6 6553 66aa4fb 6552->6553 6557 66ab260 6553->6557 6563 66ab251 6553->6563 6554 66aa517 6558 66ab284 6557->6558 6559 66ab32d 6558->6559 6569 66a8262 6558->6569 6573 66a82a0 6558->6573 6577 66a8143 6558->6577 6559->6554 6565 66ab260 6563->6565 6564 66ab32d 6564->6554 6565->6564 6566 66a8262 NtReadVirtualMemory 6565->6566 6567 66a8143 NtReadVirtualMemory 6565->6567 6568 66a82a0 NtReadVirtualMemory 6565->6568 6566->6565 6567->6565 6568->6565 6570 66a827a NtReadVirtualMemory 6569->6570 6572 66a8364 6570->6572 6572->6558 6574 66a82ec NtReadVirtualMemory 6573->6574 6576 66a8364 6574->6576 6576->6558 6578 66a815a 6577->6578 6579 66a81ac NtReadVirtualMemory 6577->6579 6578->6558 6581 66a8364 6579->6581 6581->6558 6582 66aa738 6583 66aa763 6582->6583 6586 66ab260 3 API calls 6583->6586 6587 66ab251 3 API calls 6583->6587 6584 66aa77f 6590 66a8819 6584->6590 6594 66a8820 6584->6594 6585 66aa89a 6586->6584 6587->6584 6591 66a8820 NtSetContextThread 6590->6591 6593 66a88e1 6591->6593 6593->6585 6595 66a8869 NtSetContextThread 6594->6595 6597 66a88e1 6595->6597 6597->6585 6598 66a8c7f 6599 66a8c83 6598->6599 6606 66a9b78 6599->6606 6612 66a9b88 6599->6612 6600 66a8cd0 6618 66a8558 6600->6618 6622 66a8550 6600->6622 6601 66a8d0e 6608 66a9b88 
6606->6608 6607 66a9d39 6607->6600 6608->6607 6609 66a8262 NtReadVirtualMemory 6608->6609 6610 66a8143 NtReadVirtualMemory 6608->6610 6611 66a82a0 NtReadVirtualMemory 6608->6611 6609->6608 6610->6608 6611->6608 6614 66a9bac 6612->6614 6613 66a9d39 6613->6600 6614->6613 6615 66a8262 NtReadVirtualMemory 6614->6615 6616 66a8143 NtReadVirtualMemory 6614->6616 6617 66a82a0 NtReadVirtualMemory 6614->6617 6615->6614 6616->6614 6617->6614 6619 66a859c VirtualAllocEx 6618->6619 6621 66a8614 6619->6621 6621->6601 6623 66a859c VirtualAllocEx 6622->6623 6625 66a8614 6623->6625 6625->6601 6626 66a677f 6627 66a6796 6626->6627 6631 66a7208 6627->6631 6635 66a71fc 6627->6635 6633 66a7298 CreateProcessW 6631->6633 6634 66a766c 6633->6634 6637 66a7298 CreateProcessW 6635->6637 6638 66a766c 6637->6638 6639 66a6531 6640 66a655c 6639->6640 6644 66a77e8 6640->6644 6650 66a77e2 6640->6650 6641 66a6578 6645 66a780c 6644->6645 6646 66a78b5 6645->6646 6647 66a8262 NtReadVirtualMemory 6645->6647 6648 66a8143 NtReadVirtualMemory 6645->6648 6649 66a82a0 NtReadVirtualMemory 6645->6649 6646->6641 6647->6645 6648->6645 6649->6645 6652 66a780c 6650->6652 6651 66a78b5 6651->6641 6652->6651 6653 66a8262 NtReadVirtualMemory 6652->6653 6654 66a8143 NtReadVirtualMemory 6652->6654 6655 66a82a0 NtReadVirtualMemory 6652->6655 6653->6652 6654->6652 6655->6652 6656 66a6937 6657 66a694f 6656->6657 6663 66a77e8 3 API calls 6657->6663 6664 66a77e2 3 API calls 6657->6664 6658 66a6a5b 6665 66a8678 NtWriteVirtualMemory 6658->6665 6666 66a8671 NtWriteVirtualMemory 6658->6666 6659 66a6a97 6661 66a77e8 3 API calls 6659->6661 6662 66a77e2 3 API calls 6659->6662 6660 66a6ac6 6661->6660 6662->6660 6663->6658 6664->6658 6665->6659 6666->6659 6682 66a94ca 6683 66a94dc 6682->6683 6686 66a9b78 3 API calls 6683->6686 6687 66a9b88 3 API calls 6683->6687 6684 66a954a 6688 66a9b78 3 API calls 6684->6688 6689 66a9b88 3 API calls 6684->6689 6685 66a958e 6686->6684 6687->6684 6688->6685 6689->6685 6695 66a660e 6696 66a6623 
6695->6696 6698 66a77e8 3 API calls 6696->6698 6699 66a77e2 3 API calls 6696->6699 6697 66a663f 6698->6697 6699->6697 6700 66a970c 6701 66a9718 6700->6701 6704 66a8819 NtSetContextThread 6701->6704 6705 66a8820 NtSetContextThread 6701->6705 6702 66a973d 6706 66a8678 NtWriteVirtualMemory 6702->6706 6707 66a8671 NtWriteVirtualMemory 6702->6707 6703 66a97ea 6704->6702 6705->6702 6706->6703 6707->6703 6724 66aab06 6725 66aab51 6724->6725 6728 66ab260 3 API calls 6725->6728 6729 66ab251 3 API calls 6725->6729 6726 66aab6d 6730 66a8678 NtWriteVirtualMemory 6726->6730 6731 66a8671 NtWriteVirtualMemory 6726->6731 6727 66aaba9 6728->6726 6729->6726 6730->6727 6731->6727 6732 66a611a 6733 66a6132 6732->6733 6736 66a8819 NtSetContextThread 6733->6736 6737 66a8820 NtSetContextThread 6733->6737 6734 66a61e9 6738 66a8458 NtResumeThread 6734->6738 6739 66a8450 NtResumeThread 6734->6739 6735 66a62d9 6736->6734 6737->6734 6738->6735 6739->6735 6740 66a6dda 6741 66a6de6 6740->6741 6746 66a77e8 3 API calls 6741->6746 6747 66a77e2 3 API calls 6741->6747 6742 66a6e33 6744 66a8558 VirtualAllocEx 6742->6744 6745 66a8550 VirtualAllocEx 6742->6745 6743 66a6e71 6744->6743 6745->6743 6746->6742 6747->6742 6748 66a6e9b 6749 66a6eb3 6748->6749 6751 66a8819 NtSetContextThread 6749->6751 6752 66a8820 NtSetContextThread 6749->6752 6750 66a6f8a 6751->6750 6752->6750 6753 66a6358 6754 66a6364 6753->6754 6756 66a8458 NtResumeThread 6754->6756 6757 66a8450 NtResumeThread 6754->6757 6755 66a63a3 6756->6755 6757->6755 6763 66aac1c 6764 66aac28 6763->6764 6769 66ab260 3 API calls 6764->6769 6770 66ab251 3 API calls 6764->6770 6765 66aac44 6771 66a8458 NtResumeThread 6765->6771 6772 66a8450 NtResumeThread 6765->6772 6766 66aad5d 6773 66ab260 3 API calls 6766->6773 6774 66ab251 3 API calls 6766->6774 6767 66aae7c 6775 66a8558 VirtualAllocEx 6767->6775 6776 66a8550 VirtualAllocEx 6767->6776 6768 66aaeba 6769->6765 6770->6765 6771->6766 6772->6766 6773->6767 6774->6767 6775->6768 6776->6768 6782 66aa157 
6784 66aa129 6782->6784 6783 66aa14a 6783->6783 6784->6783 6786 66a8458 NtResumeThread 6784->6786 6787 66a8450 NtResumeThread 6784->6787 6785 66ab013 6786->6785 6787->6785

                                        Control-flow Graph

                                        • Executed
                                        • Not Executed
                                        control_flow_graph 0 12d427c-12d436d 2 12d436f 0->2 3 12d4374-12d4391 0->3 2->3 4 12d4399 3->4 5 12d43a0-12d43bc 4->5 6 12d43be 5->6 7 12d43c5-12d43c6 5->7 6->4 6->7 8 12d47a5-12d47b8 6->8 9 12d46a1-12d46b8 6->9 10 12d45e0-12d45e4 6->10 11 12d4723-12d472f 6->11 12 12d46bd-12d46d6 call 12d4978 6->12 13 12d443e-12d4455 6->13 14 12d44b9-12d44ce 6->14 15 12d4579-12d458b 6->15 16 12d463a-12d465a 6->16 17 12d453a-12d455a 6->17 18 12d4676-12d4683 6->18 19 12d46f3-12d46f7 6->19 20 12d448f-12d449b 6->20 21 12d4688-12d469c 6->21 22 12d478b-12d47a0 6->22 23 12d43cb-12d43d7 6->23 24 12d45c4-12d45db 6->24 25 12d4503-12d450f 6->25 26 12d455f-12d4574 6->26 27 12d465f-12d4671 6->27 28 12d4419-12d4439 6->28 29 12d445a-12d4463 6->29 30 12d4757-12d4763 6->30 31 12d4610-12d461c 6->31 32 12d4590-12d459c 6->32 33 12d44d3-12d44d7 6->33 7->8 9->5 50 12d45f7-12d45fe 10->50 51 12d45e6-12d45f5 10->51 36 12d4736-12d4752 11->36 37 12d4731 11->37 64 12d46dc-12d46ee 12->64 13->5 14->5 15->5 16->5 17->5 18->5 34 12d46f9-12d4708 19->34 35 12d470a-12d4711 19->35 42 12d449d 20->42 43 12d44a2-12d44b4 20->43 21->5 22->5 54 12d43de-12d43f4 23->54 55 12d43d9 23->55 24->5 46 12d4516-12d4535 25->46 47 12d4511 25->47 26->5 27->5 28->5 40 12d4465-12d4474 29->40 41 12d4476-12d447d 29->41 38 12d476a-12d4786 30->38 39 12d4765 30->39 52 12d461e 31->52 53 12d4623 31->53 48 12d459e 32->48 49 12d45a3-12d45bf 32->49 44 12d44d9-12d44e8 33->44 45 12d44ea-12d44f1 33->45 56 12d4718-12d471e 34->56 35->56 36->5 37->36 38->5 39->38 58 12d4484-12d448a 40->58 41->58 42->43 43->5 60 12d44f8-12d44fe 44->60 45->60 46->5 47->46 48->49 49->5 62 12d4605-12d460b 50->62 51->62 52->53 71 12d462d-12d4635 53->71 72 12d43fb-12d4417 54->72 73 12d43f6 54->73 55->54 56->5 58->5 60->5 62->5 64->5 71->5 72->5 73->72
                                        Strings
                                        Memory Dump Source
                                        • Source File: 00000016.00000002.2096858146.00000000012D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 012D0000, based on PE: false
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_22_2_12d0000_AVKlyo045S.jbxd
                                        Similarity
                                        • API ID:
                                        • String ID: VD.$cw]U$cw]U$cw]U
                                        • API String ID: 0-1336082564
                                        • Opcode ID: 4e6a54e7e42755e15539df078ce53642f949f499494478677e1899ea5bbb58b3
                                        • Instruction ID: d3769b086cd69455a4c9414f74d34a27958d79222a88c27cd8e5aa36c56bab4c
                                        • Opcode Fuzzy Hash: 4e6a54e7e42755e15539df078ce53642f949f499494478677e1899ea5bbb58b3
                                        • Instruction Fuzzy Hash: D1F1A270D2424ADFC748DFA9C5864AEFBB2FF89300B64C56AC411AB658D734D942CF94

                                        Control-flow Graph

                                        • Executed
                                        • Not Executed
                                        control_flow_graph 76 12d4348-12d436d 77 12d436f 76->77 78 12d4374-12d4391 76->78 77->78 79 12d4399 78->79 80 12d43a0-12d43bc 79->80 81 12d43be 80->81 82 12d43c5-12d43c6 80->82 81->79 81->82 83 12d47a5-12d47b8 81->83 84 12d46a1-12d46b8 81->84 85 12d45e0-12d45e4 81->85 86 12d4723-12d472f 81->86 87 12d46bd-12d46d6 call 12d4978 81->87 88 12d443e-12d4455 81->88 89 12d44b9-12d44ce 81->89 90 12d4579-12d458b 81->90 91 12d463a-12d465a 81->91 92 12d453a-12d455a 81->92 93 12d4676-12d4683 81->93 94 12d46f3-12d46f7 81->94 95 12d448f-12d449b 81->95 96 12d4688-12d469c 81->96 97 12d478b-12d47a0 81->97 98 12d43cb-12d43d7 81->98 99 12d45c4-12d45db 81->99 100 12d4503-12d450f 81->100 101 12d455f-12d4574 81->101 102 12d465f-12d4671 81->102 103 12d4419-12d4439 81->103 104 12d445a-12d4463 81->104 105 12d4757-12d4763 81->105 106 12d4610-12d461c 81->106 107 12d4590-12d459c 81->107 108 12d44d3-12d44d7 81->108 82->83 84->80 125 12d45f7-12d45fe 85->125 126 12d45e6-12d45f5 85->126 111 12d4736-12d4752 86->111 112 12d4731 86->112 139 12d46dc-12d46ee 87->139 88->80 89->80 90->80 91->80 92->80 93->80 109 12d46f9-12d4708 94->109 110 12d470a-12d4711 94->110 117 12d449d 95->117 118 12d44a2-12d44b4 95->118 96->80 97->80 129 12d43de-12d43f4 98->129 130 12d43d9 98->130 99->80 121 12d4516-12d4535 100->121 122 12d4511 100->122 101->80 102->80 103->80 115 12d4465-12d4474 104->115 116 12d4476-12d447d 104->116 113 12d476a-12d4786 105->113 114 12d4765 105->114 127 12d461e 106->127 128 12d4623 106->128 123 12d459e 107->123 124 12d45a3-12d45bf 107->124 119 12d44d9-12d44e8 108->119 120 12d44ea-12d44f1 108->120 131 12d4718-12d471e 109->131 110->131 111->80 112->111 113->80 114->113 133 12d4484-12d448a 115->133 116->133 117->118 118->80 135 12d44f8-12d44fe 119->135 120->135 121->80 122->121 123->124 124->80 137 12d4605-12d460b 125->137 126->137 127->128 146 12d462d-12d4635 128->146 147 12d43fb-12d4417 129->147 148 12d43f6 129->148 130->129 131->80 133->80 135->80 137->80 
139->80 146->80 147->80 148->147
                                        Strings
                                        Memory Dump Source
                                        • Source File: 00000016.00000002.2096858146.00000000012D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 012D0000, based on PE: false
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_22_2_12d0000_AVKlyo045S.jbxd
                                        Similarity
                                        • API ID:
                                        • String ID: VD.$cw]U$cw]U$cw]U
                                        • API String ID: 0-1336082564
                                        • Opcode ID: db2d3df6865231e1c1f6bfa31b1d29095475b0c234b79120444da32bcebe4778
                                        • Instruction ID: 773e1deddd311243001fdbeb853f631959e29ec60b81f86f60f100dcd7b16683
                                        • Opcode Fuzzy Hash: db2d3df6865231e1c1f6bfa31b1d29095475b0c234b79120444da32bcebe4778
                                        • Instruction Fuzzy Hash: 10D18370D2424ADFCB58DFA9D5824AEFBB2FF88300B24C56AC516AB614D734D942CF94

                                        Control-flow Graph

                                        • Executed
                                        • Not Executed
                                        control_flow_graph 151 66a7208-66a72c2 153 66a737a-66a738f 151->153 154 66a72c8-66a7303 151->154 155 66a743f-66a7443 153->155 156 66a7395-66a73db 153->156 168 66a733b-66a734c 154->168 169 66a7305-66a730d 154->169 157 66a748d-66a74de 155->157 158 66a7445-66a7487 155->158 174 66a7419-66a7424 156->174 175 66a73dd-66a73e5 156->175 160 66a7596-66a75a8 157->160 161 66a74e4-66a751f 157->161 158->157 163 66a75aa-66a75c2 160->163 164 66a75c5-66a75d7 160->164 193 66a7521-66a7529 161->193 194 66a7557-66a7568 161->194 163->164 171 66a75d9-66a75f1 164->171 172 66a75f4-66a766a CreateProcessW 164->172 184 66a7352-66a7372 168->184 176 66a730f-66a7319 169->176 177 66a7330-66a7339 169->177 171->172 178 66a766c-66a7672 172->178 179 66a7673-66a76b4 172->179 191 66a742a-66a7439 174->191 180 66a7408-66a7417 175->180 181 66a73e7-66a73f1 175->181 182 66a731b 176->182 183 66a731d-66a732c 176->183 177->184 178->179 200 66a76cb-66a76e2 179->200 201 66a76b6-66a76c5 179->201 180->191 188 66a73f3 181->188 189 66a73f5-66a7404 181->189 182->183 183->183 190 66a732e 183->190 184->153 188->189 189->189 197 66a7406 189->197 190->177 191->155 198 66a752b-66a7535 193->198 199 66a754c-66a7555 193->199 205 66a756e-66a758e 194->205 197->180 203 66a7539-66a7548 198->203 204 66a7537 198->204 199->205 209 66a76fb-66a770b 200->209 210 66a76e4-66a76f0 200->210 201->200 203->203 208 66a754a 203->208 204->203 205->160 208->199 211 66a770d-66a771c 209->211 212 66a7722-66a7765 209->212 210->209 211->212 217 66a7767-66a776b 212->217 218 66a7775-66a7779 212->218 217->218 219 66a776d 217->219 220 66a777b-66a777f 218->220 221 66a7789-66a778d 218->221 219->218 220->221 222 66a7781 220->222 223 66a778f-66a7793 221->223 224 66a779d 221->224 222->221 223->224 225 66a7795 223->225 226 66a779e 224->226 225->224 226->226
                                        APIs
                                        • CreateProcessW.KERNELBASE(?,00000000,?,?,?,?,?,?,?,?), ref: 066A7657
                                        Memory Dump Source
                                        • Source File: 00000016.00000002.2103315960.00000000066A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 066A0000, based on PE: false
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_22_2_66a0000_AVKlyo045S.jbxd
                                        Similarity
                                        • API ID: CreateProcess
                                        • String ID:
                                        • API String ID: 963392458-0
                                        • Opcode ID: 489fabdbdca9292574d42c2afcc116e437f6206800efbacc76b4a3b424ed1928
                                        • Instruction ID: b968386b763bf25fbf05cd0fd94800c180c58dd57eb691b189a4b6151aad3ed9
                                        • Opcode Fuzzy Hash: 489fabdbdca9292574d42c2afcc116e437f6206800efbacc76b4a3b424ed1928
                                        • Instruction Fuzzy Hash: C902AF74E01229CFDB64CFA9D880B9DBBB1BF49304F1485AAE419A7350DB34AE85CF54

                                        Control-flow Graph

                                        • Executed
                                        • Not Executed
                                        control_flow_graph 227 66a71fc-66a72c2 229 66a737a-66a738f 227->229 230 66a72c8-66a7303 227->230 231 66a743f-66a7443 229->231 232 66a7395-66a73db 229->232 244 66a733b-66a734c 230->244 245 66a7305-66a730d 230->245 233 66a748d-66a74de 231->233 234 66a7445-66a7487 231->234 250 66a7419-66a7424 232->250 251 66a73dd-66a73e5 232->251 236 66a7596-66a75a8 233->236 237 66a74e4-66a751f 233->237 234->233 239 66a75aa-66a75c2 236->239 240 66a75c5-66a75d7 236->240 269 66a7521-66a7529 237->269 270 66a7557-66a7568 237->270 239->240 247 66a75d9-66a75f1 240->247 248 66a75f4-66a766a CreateProcessW 240->248 260 66a7352-66a7372 244->260 252 66a730f-66a7319 245->252 253 66a7330-66a7339 245->253 247->248 254 66a766c-66a7672 248->254 255 66a7673-66a76b4 248->255 267 66a742a-66a7439 250->267 256 66a7408-66a7417 251->256 257 66a73e7-66a73f1 251->257 258 66a731b 252->258 259 66a731d-66a732c 252->259 253->260 254->255 276 66a76cb-66a76e2 255->276 277 66a76b6-66a76c5 255->277 256->267 264 66a73f3 257->264 265 66a73f5-66a7404 257->265 258->259 259->259 266 66a732e 259->266 260->229 264->265 265->265 273 66a7406 265->273 266->253 267->231 274 66a752b-66a7535 269->274 275 66a754c-66a7555 269->275 281 66a756e-66a758e 270->281 273->256 279 66a7539-66a7548 274->279 280 66a7537 274->280 275->281 285 66a76fb-66a770b 276->285 286 66a76e4-66a76f0 276->286 277->276 279->279 284 66a754a 279->284 280->279 281->236 284->275 287 66a770d-66a771c 285->287 288 66a7722-66a7765 285->288 286->285 287->288 293 66a7767-66a776b 288->293 294 66a7775-66a7779 288->294 293->294 295 66a776d 293->295 296 66a777b-66a777f 294->296 297 66a7789-66a778d 294->297 295->294 296->297 298 66a7781 296->298 299 66a778f-66a7793 297->299 300 66a779d 297->300 298->297 299->300 301 66a7795 299->301 302 66a779e 300->302 301->300 302->302
                                        APIs
                                        • CreateProcessW.KERNELBASE(?,00000000,?,?,?,?,?,?,?,?), ref: 066A7657
                                        Memory Dump Source
                                        • Source File: 00000016.00000002.2103315960.00000000066A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 066A0000, based on PE: false
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_22_2_66a0000_AVKlyo045S.jbxd
                                        Similarity
                                        • API ID: CreateProcess
                                        • String ID:
                                        • API String ID: 963392458-0
                                        • Opcode ID: d8ac7a26b5fe9312bc3e449db6c8175f9d8546bf1ca4b5a094f7dfe0196c4bb4
                                        • Instruction ID: 3a7947f1e415e681d43fe28033ca3090387f9f01e14cba292deb902caa304bdf
                                        • Opcode Fuzzy Hash: d8ac7a26b5fe9312bc3e449db6c8175f9d8546bf1ca4b5a094f7dfe0196c4bb4
                                        • Instruction Fuzzy Hash: ADF1AE74E012298FEB64CFA9D880B9DBBB1FF49304F1485AAE419A7350DB349E85CF54

                                        Control-flow Graph

                                        • Executed
                                        • Not Executed
                                        control_flow_graph 303 66a8143-66a8158 304 66a815a-66a8161 303->304 305 66a81ac-66a81c1 303->305 307 66a81c6-66a81d8 305->307 308 66a81da-66a81f4 307->308 309 66a822e-66a8238 307->309 308->309 311 66a823a-66a8241 309->311 312 66a828f-66a8362 NtReadVirtualMemory 309->312 311->307 315 66a836b-66a83bd 312->315 316 66a8364-66a836a 312->316 316->315
                                        Memory Dump Source
                                        • Source File: 00000016.00000002.2103315960.00000000066A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 066A0000, based on PE: false
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_22_2_66a0000_AVKlyo045S.jbxd
                                        Similarity
                                        • API ID:
                                        • String ID:
                                        • API String ID:
                                        • Opcode ID: 1fc5faef1f95b995318d92b4e6f05091a348acb3b567b2cc22f986fa82c2492f
                                        • Instruction ID: df93357b33b2fa6e68a79a132814b9dab99bf2331418eee2c07be0dea11126d5
                                        • Opcode Fuzzy Hash: 1fc5faef1f95b995318d92b4e6f05091a348acb3b567b2cc22f986fa82c2492f
                                        • Instruction Fuzzy Hash: 625148B5C0A3899FDF02CFA9D8906DEBFB0EF06314F14809AD494A7252C7385906CF65

                                        Control-flow Graph

                                        • Executed
                                        • Not Executed
                                        control_flow_graph 321 66a8262-66a8278 322 66a827a-66a82cf 321->322 323 66a82d0-66a8362 NtReadVirtualMemory 321->323 322->323 326 66a836b-66a83bd 323->326 327 66a8364-66a836a 323->327 327->326
                                        APIs
                                        • NtReadVirtualMemory.NTDLL(?,?,?,?,?), ref: 066A8352
                                        Memory Dump Source
                                        • Source File: 00000016.00000002.2103315960.00000000066A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 066A0000, based on PE: false
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_22_2_66a0000_AVKlyo045S.jbxd
                                        Similarity
                                        • API ID: MemoryReadVirtual
                                        • String ID:
                                        • API String ID: 2834387570-0
                                        • Opcode ID: 2b99e6acd5d48bae01b7d7740fb0f0a4f1605dade43af6dd1f65920c382b1b3c
                                        • Instruction ID: fb67d51567cd13bb380661a3a830176d7d3795fc47f7a049e48373b44670fb59
                                        • Opcode Fuzzy Hash: 2b99e6acd5d48bae01b7d7740fb0f0a4f1605dade43af6dd1f65920c382b1b3c
                                        • Instruction Fuzzy Hash: 6F41E0B5C052989FCF11CFA5D881AEEBFB0EF0A310F14946AE854BB251D7349906CF65

                                        Control-flow Graph

                                        • Executed
                                        • Not Executed
                                        control_flow_graph 332 66a8671-66a86e0 334 66a86e2-66a86f4 332->334 335 66a86f7-66a8758 NtWriteVirtualMemory 332->335 334->335 337 66a875a-66a8760 335->337 338 66a8761-66a87b3 335->338 337->338
                                        APIs
                                        • NtWriteVirtualMemory.NTDLL(?,?,?,?,?), ref: 066A8748
                                        Memory Dump Source
                                        • Source File: 00000016.00000002.2103315960.00000000066A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 066A0000, based on PE: false
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_22_2_66a0000_AVKlyo045S.jbxd
                                        Similarity
                                        • API ID: MemoryVirtualWrite
                                        • String ID:
                                        • API String ID: 3527976591-0
                                        • Opcode ID: 585f928c0e64b135d469b90da4092425460685a9b3980b778a8cc23b6ca09ebe
                                        • Instruction ID: f9a662464fd9ee28aadbe9dcf36f4552ea0810727ab084b4539574e0427e6124
                                        • Opcode Fuzzy Hash: 585f928c0e64b135d469b90da4092425460685a9b3980b778a8cc23b6ca09ebe
                                        • Instruction Fuzzy Hash: 6141BAB5D012589FDF00CFA9D984ADEFBF1BB49310F24942AE818B7250C779AA41CF54

                                        Control-flow Graph

                                        • Executed
                                        • Not Executed
                                        control_flow_graph 343 66a8678-66a86e0 345 66a86e2-66a86f4 343->345 346 66a86f7-66a8758 NtWriteVirtualMemory 343->346 345->346 348 66a875a-66a8760 346->348 349 66a8761-66a87b3 346->349 348->349
                                        APIs
                                        • NtWriteVirtualMemory.NTDLL(?,?,?,?,?), ref: 066A8748
                                        Memory Dump Source
                                        • Source File: 00000016.00000002.2103315960.00000000066A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 066A0000, based on PE: false
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_22_2_66a0000_AVKlyo045S.jbxd
                                        Similarity
                                        • API ID: MemoryVirtualWrite

                                        Control-flow Graph (image omitted): function blocks 66a82a0-66a83bd, NtReadVirtualMemory called in block 66a82a0-66a8362
                                        APIs
                                        • NtReadVirtualMemory.NTDLL(?,?,?,?,?), ref: 066A8352
                                        Memory Dump Source
                                        • Source File: 00000016.00000002.2103315960.00000000066A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 066A0000, based on PE: false
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_22_2_66a0000_AVKlyo045S.jbxd
                                        Similarity
                                        • API ID: MemoryReadVirtual

                                        Control-flow Graph (image omitted): function blocks 66a8819-66a8934, NtSetContextThread called in block 66a8897-66a88df
                                        APIs
                                        • NtSetContextThread.NTDLL(?,?), ref: 066A88CF
                                        Memory Dump Source
                                        • Source File: 00000016.00000002.2103315960.00000000066A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 066A0000, based on PE: false
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_22_2_66a0000_AVKlyo045S.jbxd
                                        Similarity
                                        • API ID: ContextThread

                                        Control-flow Graph (image omitted): function blocks 66a8820-66a8934, NtSetContextThread called in block 66a8897-66a88df
                                        APIs
                                        • NtSetContextThread.NTDLL(?,?), ref: 066A88CF
                                        Memory Dump Source
                                        • Source File: 00000016.00000002.2103315960.00000000066A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 066A0000, based on PE: false
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_22_2_66a0000_AVKlyo045S.jbxd
                                        Similarity
                                        • API ID: ContextThread

                                        Control-flow Graph (image omitted): function blocks 66a8450-66a853e, NtResumeThread called in block 66a8450-66a84f1
                                        APIs
                                        • NtResumeThread.NTDLL(?,?), ref: 066A84E1
                                        Memory Dump Source
                                        • Source File: 00000016.00000002.2103315960.00000000066A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 066A0000, based on PE: false
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_22_2_66a0000_AVKlyo045S.jbxd
                                        Similarity
                                        • API ID: ResumeThread

                                        Control-flow Graph (image omitted): function blocks 66a8458-66a853e, NtResumeThread called in block 66a8458-66a84f1
                                        APIs
                                        • NtResumeThread.NTDLL(?,?), ref: 066A84E1
                                        Memory Dump Source
                                        • Source File: 00000016.00000002.2103315960.00000000066A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 066A0000, based on PE: false
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_22_2_66a0000_AVKlyo045S.jbxd
                                        Similarity
                                        • API ID: ResumeThread
                                        Strings
                                        Memory Dump Source
                                        • Source File: 00000016.00000002.2096858146.00000000012D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 012D0000, based on PE: false
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_22_2_12d0000_AVKlyo045S.jbxd
                                        Similarity
                                        • String ID: s]q
                                        Strings
                                        Memory Dump Source
                                        • Source File: 00000016.00000002.2096858146.00000000012D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 012D0000, based on PE: false
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_22_2_12d0000_AVKlyo045S.jbxd
                                        Similarity
                                        • String ID: s]q
                                        Strings
                                        Memory Dump Source
                                        • Source File: 00000016.00000002.2096858146.00000000012D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 012D0000, based on PE: false
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_22_2_12d0000_AVKlyo045S.jbxd
                                        Similarity
                                        • String ID: K|@"

                                        Control-flow Graph (image omitted): function blocks 66a8550-66a8665, VirtualAllocEx called in block 66a8550-66a8612
                                        APIs
                                        • VirtualAllocEx.KERNELBASE(?,?,?,?,?), ref: 066A8602
                                        Memory Dump Source
                                        • Source File: 00000016.00000002.2103315960.00000000066A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 066A0000, based on PE: false
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_22_2_66a0000_AVKlyo045S.jbxd
                                        Similarity
                                        • API ID: AllocVirtual

                                        Control-flow Graph (image omitted): function blocks 66a8558-66a8665, VirtualAllocEx called in block 66a8558-66a8612
                                        APIs
                                        • VirtualAllocEx.KERNELBASE(?,?,?,?,?), ref: 066A8602
                                        Memory Dump Source
                                        • Source File: 00000016.00000002.2103315960.00000000066A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 066A0000, based on PE: false
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_22_2_66a0000_AVKlyo045S.jbxd
                                        Similarity
                                        • API ID: AllocVirtual
                                        Strings
                                        Memory Dump Source
                                        • Source File: 00000016.00000002.2096858146.00000000012D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 012D0000, based on PE: false
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_22_2_12d0000_AVKlyo045S.jbxd
                                        Similarity
                                        • String ID: qCy+
                                        Strings
                                        Memory Dump Source
                                        • Source File: 00000016.00000002.2096858146.00000000012D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 012D0000, based on PE: false
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_22_2_12d0000_AVKlyo045S.jbxd
                                        Similarity
                                        • String ID: ;z
                                        Memory Dump Source
                                        • Source File: 00000016.00000002.2096858146.00000000012D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 012D0000, based on PE: false
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_22_2_12d0000_AVKlyo045S.jbxd
                                        Similarity
                                        • API ID:
                                        • String ID:
                                        • API String ID:
                                        • Opcode ID: 1cba94bcd321a5b3cf5745db96257f265efca6a5e0c3a839cfa01e99f641478f
                                        • Instruction ID: 33e0c6b2ae2a0ff4e39601757762729b5a0470a808aef84b4afe6fd90bda8db7
                                        • Opcode Fuzzy Hash: 1cba94bcd321a5b3cf5745db96257f265efca6a5e0c3a839cfa01e99f641478f
                                        • Instruction Fuzzy Hash: 8B31A3B4E042099FDB44CFA9C5809AEBBF2BF49300F1081AAD914A7355D774AA42CB50
                                        Memory Dump Source
                                        • Source File: 00000016.00000002.2096858146.00000000012D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 012D0000, based on PE: false
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_22_2_12d0000_AVKlyo045S.jbxd
                                        Similarity
                                        • API ID:
                                        • String ID:
                                        • API String ID:
                                        • Opcode ID: cb10e25cf57a6e3d9a01a1726589e5a8ac92863213c4750f63f3a98eb1a25cc7
                                        • Instruction ID: 057a29d4e0dd1284322b95e531140d0a191e62e13e25d08ecd723891d787d87e
                                        • Opcode Fuzzy Hash: cb10e25cf57a6e3d9a01a1726589e5a8ac92863213c4750f63f3a98eb1a25cc7
                                        • Instruction Fuzzy Hash: 24310970E182099FDB48CFA9C541AAEBBF2FB89340F54C5AAC414E7214D3749A458F91
                                        Memory Dump Source
                                        • Source File: 00000016.00000002.2096858146.00000000012D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 012D0000, based on PE: false
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_22_2_12d0000_AVKlyo045S.jbxd
                                        Similarity
                                        • API ID:
                                        • String ID:
                                        • API String ID:
                                        • Opcode ID: fe5f1f0e63488cc98d7c2b96aac749d75ac9aa910f1ab08737b05f045f060bd6
                                        • Instruction ID: 8a94e2c0c7af533084dcd0368de8aa88eb1954011dcf16dce6f0d29befede644
                                        • Opcode Fuzzy Hash: fe5f1f0e63488cc98d7c2b96aac749d75ac9aa910f1ab08737b05f045f060bd6
                                        • Instruction Fuzzy Hash: 44314970E15249DFDB04DFA9C5819AEBBF1FF88300F25C5AA8409AB255D3708A01CB51
                                        Memory Dump Source
                                        • Source File: 00000016.00000002.2096858146.00000000012D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 012D0000, based on PE: false
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_22_2_12d0000_AVKlyo045S.jbxd
                                        Similarity
                                        • API ID:
                                        • String ID:
                                        • API String ID:
                                        • Opcode ID: 015d9fc16fa66835c9e737eefe8fcb1bd428a405d5812b7786e1ba51ce4ef3bd
                                        • Instruction ID: 84a8df9f0d6ea0e3db9cd218155bd981815d8f9dbe418e82126cee52714380e7
                                        • Opcode Fuzzy Hash: 015d9fc16fa66835c9e737eefe8fcb1bd428a405d5812b7786e1ba51ce4ef3bd
                                        • Instruction Fuzzy Hash: 243186B4E10209DFDB44CFA9C581AAEFBF2BB88301F10916AD919A7354D774AA41CF50
                                        Memory Dump Source
                                        • Source File: 00000016.00000002.2096858146.00000000012D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 012D0000, based on PE: false
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_22_2_12d0000_AVKlyo045S.jbxd
                                        Similarity
                                        • API ID:
                                        • String ID:
                                        • API String ID:
                                        • Opcode ID: 634a2fd3dd28dbb3f0cc6046b55bd26b5aafae99332aa46fab2eee87bd9b9bba
                                        • Instruction ID: e565fa6af06eab9e7a9f54adcebdacabb361d798f6bef7e4f7dbe1d807e72679
                                        • Opcode Fuzzy Hash: 634a2fd3dd28dbb3f0cc6046b55bd26b5aafae99332aa46fab2eee87bd9b9bba
                                        • Instruction Fuzzy Hash: 512194B4E10219CFDB58CFE8D994AADBBF2FB88301F208229E919A7345D7315956CF50
                                        Memory Dump Source
                                        • Source File: 00000016.00000002.2096858146.00000000012D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 012D0000, based on PE: false
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_22_2_12d0000_AVKlyo045S.jbxd
                                        Similarity
                                        • API ID:
                                        • String ID:
                                        • API String ID:
                                        • Opcode ID: 2438929e20d0a1969bed9d97bc9281235b2103d78efd5339f25122251baf6deb
                                        • Instruction ID: 0092d2a5c827e3af1ce5adb060f79bf9a6ac192a6098ada1a98188ba7d78425e
                                        • Opcode Fuzzy Hash: 2438929e20d0a1969bed9d97bc9281235b2103d78efd5339f25122251baf6deb
                                        • Instruction Fuzzy Hash: 92213674E14208AFDB08DFA9C584A9DBBF2FF88200F24C5AAD514A7364D730DA10CB00
                                        Memory Dump Source
                                        • Source File: 00000016.00000002.2096858146.00000000012D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 012D0000, based on PE: false
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_22_2_12d0000_AVKlyo045S.jbxd
                                        Similarity
                                        • API ID:
                                        • String ID:
                                        • API String ID:
                                        • Opcode ID: d2f5455344743d33ea507b0d512fe3f03702f0be4fc6035dd407001581de42ad
                                        • Instruction ID: 0997b1bcf6990e3c7623136763e32af675325e3b9d2fe0329d5326449dca2aa8
                                        • Opcode Fuzzy Hash: d2f5455344743d33ea507b0d512fe3f03702f0be4fc6035dd407001581de42ad
                                        • Instruction Fuzzy Hash: 7F212934E14208DFCB48DFA9D595A9EFBF2FF89300F15C0A6D5199B214D7709A00CB01
                                        Memory Dump Source
                                        • Source File: 00000016.00000002.2096858146.00000000012D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 012D0000, based on PE: false
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_22_2_12d0000_AVKlyo045S.jbxd
                                        Similarity
                                        • API ID:
                                        • String ID:
                                        • API String ID:
                                        • Opcode ID: d33bfae297d986415f9e0348d65334d441224782a82b4d0935113d96eea5c797
                                        • Instruction ID: 9c3a9f42af4da01e9f70b22ffd296f323c6bf8336b2e74b8ef65ee3fdce0c497
                                        • Opcode Fuzzy Hash: d33bfae297d986415f9e0348d65334d441224782a82b4d0935113d96eea5c797
                                        • Instruction Fuzzy Hash: A3213874E10209AFDB08DFA9C595A6DFBF2FF88200F14C4A5D519A7364E730DA10CB04
                                        Memory Dump Source
                                        • Source File: 00000016.00000002.2096858146.00000000012D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 012D0000, based on PE: false
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_22_2_12d0000_AVKlyo045S.jbxd
                                        Similarity
                                        • API ID:
                                        • String ID:
                                        • API String ID:
                                        • Opcode ID: ae6f571e207134f4602191db8a91c5a2856bbf96944e51225063926f41aec1b4
                                        • Instruction ID: 0dc867d2ab420158b4de582b90719a556720db063cb439841064117571420162
                                        • Opcode Fuzzy Hash: ae6f571e207134f4602191db8a91c5a2856bbf96944e51225063926f41aec1b4
                                        • Instruction Fuzzy Hash: 33219A74901228CFDB69DF65D840BDDBBB2BB88700F1085EAD40EBA660DB704EC19F95
                                        Memory Dump Source
                                        • Source File: 00000016.00000002.2096858146.00000000012D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 012D0000, based on PE: false
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_22_2_12d0000_AVKlyo045S.jbxd
                                        Similarity
                                        • API ID:
                                        • String ID:
                                        • API String ID:
                                        • Opcode ID: 8e1be6db69bc87c13dc10919f1f0fb8a9b6ec2aef0d1a92bf1a08aca821b753d
                                        • Instruction ID: e2e50febb24e834e0dc0336358eb6828f4148d691e99c45d52c54a85bd50cd21
                                        • Opcode Fuzzy Hash: 8e1be6db69bc87c13dc10919f1f0fb8a9b6ec2aef0d1a92bf1a08aca821b753d
                                        • Instruction Fuzzy Hash: 94F097B1E007598BEB0CCFABC80469EFAF7AFC9300F14C13A85186B264EB741506CB91
                                        Memory Dump Source
                                        • Source File: 00000016.00000002.2096858146.00000000012D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 012D0000, based on PE: false
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_22_2_12d0000_AVKlyo045S.jbxd
                                        Similarity
                                        • API ID:
                                        • String ID:
                                        • API String ID:
                                        • Opcode ID: 905004d850ccd360de36302acffc51f3d0819b67b657a76a9e56f45d9969930a
                                        • Instruction ID: ccabf9bc8793d6e8fc3ea23af87dc04e545d2568a4fd5917500a2e894a069678
                                        • Opcode Fuzzy Hash: 905004d850ccd360de36302acffc51f3d0819b67b657a76a9e56f45d9969930a
                                        • Instruction Fuzzy Hash: 5A01DA74A10259DFDB58DBA4D950B9CB7B2FF88200F50809AD40DB7254CB309E85CF24
                                        Memory Dump Source
                                        • Source File: 00000016.00000002.2096858146.00000000012D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 012D0000, based on PE: false
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_22_2_12d0000_AVKlyo045S.jbxd
                                        Similarity
                                        • API ID:
                                        • String ID:
                                        • API String ID:
                                        • Opcode ID: e6bb3381d288aa5bbbe76bb0c8093e651ac99cfa6935309a2c35f6640141b289
                                        • Instruction ID: 04c73bebad497a6cb52bcca0a70e7fe59b648987fdfaf01118a5c0d5ee3b4f07
                                        • Opcode Fuzzy Hash: e6bb3381d288aa5bbbe76bb0c8093e651ac99cfa6935309a2c35f6640141b289
                                        • Instruction Fuzzy Hash: CFF01DB0D04309DFCB55DFA4D50569DBBB1FB05300F1486EAD82897205E3759A55CF81
                                        Memory Dump Source
                                        • Source File: 00000016.00000002.2096858146.00000000012D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 012D0000, based on PE: false
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_22_2_12d0000_AVKlyo045S.jbxd
                                        Similarity
                                        • API ID:
                                        • String ID:
                                        • API String ID:
                                        • Opcode ID: ae9d6a0a611d0b924b72fb9892def5c608a1762d06561d9debb5f0b8d4416aba
                                        • Instruction ID: 07d9f3b0254bdf713319d6324590f0ce8d1c9fc0387c9e7b0d46dd2d2c37f717
                                        • Opcode Fuzzy Hash: ae9d6a0a611d0b924b72fb9892def5c608a1762d06561d9debb5f0b8d4416aba
                                        • Instruction Fuzzy Hash: 3EF0B770D166198BEB58DF59C95078DBAF3BB88300F10C5A9C418A7354D7308A418F50
                                        Memory Dump Source
                                        • Source File: 00000016.00000002.2096858146.00000000012D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 012D0000, based on PE: false
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_22_2_12d0000_AVKlyo045S.jbxd
                                        Similarity
                                        • API ID:
                                        • String ID:
                                        • API String ID:
                                        • Opcode ID: 8a4129c787f819a35fd79f9bbacdd3185c1b22a5c78e18d2764c6bdde56fac84
                                        • Instruction ID: 77ac292905193ae10fe3be35f0b029e88b4dd443437ba418286cf53d620642b3
                                        • Opcode Fuzzy Hash: 8a4129c787f819a35fd79f9bbacdd3185c1b22a5c78e18d2764c6bdde56fac84
                                        • Instruction Fuzzy Hash: 42F0C9B4D00319DFDB54DFA8D545AAEBBB1FB09301F1085EAD828A3314D7719A51DF84
                                        Memory Dump Source
                                        • Source File: 00000016.00000002.2096858146.00000000012D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 012D0000, based on PE: false
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_22_2_12d0000_AVKlyo045S.jbxd
                                        Similarity
                                        • API ID:
                                        • String ID:
                                        • API String ID:
                                        • Opcode ID: 1e5b652f9dec28bf6a532a1291804b7632c555feb8b46d3d33df9a66ef824ef9
                                        • Instruction ID: a1f5cb9b492da6b0a2e4dcf9a4757ea4c5366cbc0c2c3f4a148eacace5f90ca2
                                        • Opcode Fuzzy Hash: 1e5b652f9dec28bf6a532a1291804b7632c555feb8b46d3d33df9a66ef824ef9
                                        • Instruction Fuzzy Hash: E4F0F875A05264DFCB64CBA5DE84B59BBB3BB4A200F0884D89419A7614D7315E41CF16
                                        Memory Dump Source
                                        • Source File: 00000016.00000002.2096858146.00000000012D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 012D0000, based on PE: false
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_22_2_12d0000_AVKlyo045S.jbxd
                                        Similarity
                                        • API ID:
                                        • String ID:
                                        • API String ID:
                                        • Opcode ID: 4961c29ac18f3d5ad04c8ea571172ec95d1cba5f8925b23c20ced4e158fa9cbd
                                        • Instruction ID: 268e0dbd8aa88af4474bab0436f8b4ffe25b1c5a4ff063721ab05238017f2cb6
                                        • Opcode Fuzzy Hash: 4961c29ac18f3d5ad04c8ea571172ec95d1cba5f8925b23c20ced4e158fa9cbd
                                        • Instruction Fuzzy Hash: 13E0EC78612344CFC799CF60D6448497B72FF49316F5004A9E41A9B264DB35DAC1CF00
                                        Memory Dump Source
                                        • Source File: 00000016.00000002.2096858146.00000000012D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 012D0000, based on PE: false
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_22_2_12d0000_AVKlyo045S.jbxd
                                        Similarity
                                        • API ID:
                                        • String ID:
                                        • API String ID:
                                        • Opcode ID: 1f675ba26fdb71a251dec3a9df4bfb36d0a7ba49e4d6dc88e16ac07e8b7aecb6
                                        • Instruction ID: 828e5873aa1528131d375ceb8218d0d02b650e77d8c5b2402f4f70840e5dfe82
                                        • Opcode Fuzzy Hash: 1f675ba26fdb71a251dec3a9df4bfb36d0a7ba49e4d6dc88e16ac07e8b7aecb6
                                        • Instruction Fuzzy Hash: 2BE08C70A161188FDB24DF64C980B49B7F2BF84200F1492E5C108AB348D7309900CF10
                                        Memory Dump Source
                                        • Source File: 00000016.00000002.2096858146.00000000012D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 012D0000, based on PE: false
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_22_2_12d0000_AVKlyo045S.jbxd
                                        Similarity
                                        • API ID:
                                        • String ID:
                                        • API String ID:
                                        • Opcode ID: 131022d09caf34d60c1faad6cfa4aa4e69481fe5ed091d7776a634477a4bfdf8
                                        • Instruction ID: dbfbab9bc512878ffb4b4964bbad282a09e7a1434b3e118bc5076491587b5fcb
                                        • Opcode Fuzzy Hash: 131022d09caf34d60c1faad6cfa4aa4e69481fe5ed091d7776a634477a4bfdf8
                                        • Instruction Fuzzy Hash: 0DD09275502354CFC729CF25DA959997B72FF09302F1181A9E82A9B325CB3AEAC1CF00
                                        Memory Dump Source
                                        • Source File: 00000016.00000002.2096858146.00000000012D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 012D0000, based on PE: false
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_22_2_12d0000_AVKlyo045S.jbxd
                                        Similarity
                                        • API ID:
                                        • String ID:
                                        • API String ID:
                                        • Opcode ID: f5b3ac788e9e37408a49a3792b1da8a5b937bbf8b8afd200d2870fce23f27b18
                                        • Instruction ID: 9fdfa5ed2ab2160a50595c479d5edd68bc2739d5c67debcc367f3be2c5dbfe3f
                                        • Opcode Fuzzy Hash: f5b3ac788e9e37408a49a3792b1da8a5b937bbf8b8afd200d2870fce23f27b18
                                        • Instruction Fuzzy Hash: 56D09E34D6421D9FCB19CFA4D9419CDB7F1FB98600F409A55D015E7214E3B095859F54
                                        Memory Dump Source
                                        • Source File: 00000017.00000002.2092592398.0000000001730000.00000040.00000800.00020000.00000000.sdmp, Offset: 01730000, based on PE: false
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_23_2_1730000_AVKlyo045S.jbxd
                                        Similarity
                                        • API ID:
                                        • String ID:
                                        • API String ID:
                                        • Opcode ID: 03dcbb63453fcf0d745018d93fc2780a9592cbd9f03b62d23a8ce4cb2d616026
                                        • Instruction ID: 407668e9509bcf2a235b946dcc43b0da03ad7adbbb5a295d603a2cc91c15d758
                                        • Opcode Fuzzy Hash: 03dcbb63453fcf0d745018d93fc2780a9592cbd9f03b62d23a8ce4cb2d616026
                                        • Instruction Fuzzy Hash: FF829174A01229CFDB24DF69D884BDDB7B1BF89314F1082E6D409AB265DB31AE85CF50
                                        Memory Dump Source
                                        • Source File: 00000017.00000002.2092592398.0000000001730000.00000040.00000800.00020000.00000000.sdmp, Offset: 01730000, based on PE: false
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_23_2_1730000_AVKlyo045S.jbxd
                                        Similarity
                                        • API ID:
                                        • String ID:
                                        • API String ID:
                                        • Opcode ID: a17dfecb33042fe5f4c3d2de9a2b8f06dca7942e53e95561cfe4a3ea85479cfd
                                        • Instruction ID: 08c18240bfff9780943364d5607420be41df8b3b05b70389e19bdc31c29f60da
                                        • Opcode Fuzzy Hash: a17dfecb33042fe5f4c3d2de9a2b8f06dca7942e53e95561cfe4a3ea85479cfd
                                        • Instruction Fuzzy Hash: 6F3170B09093499FDB02DF74D9486897FF1FB86724B0085E9C405CF262DB786D4ADB91
                                        Memory Dump Source
                                        • Source File: 00000017.00000002.2092592398.0000000001730000.00000040.00000800.00020000.00000000.sdmp, Offset: 01730000, based on PE: false
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_23_2_1730000_AVKlyo045S.jbxd
                                        Similarity
                                        • API ID:
                                        • String ID:
                                        • API String ID:
                                        • Opcode ID: 0d3186e73ae85fc2112b9401f80fcd2eef981c9354ab1f1d36d502f9a6bb8939
                                        • Instruction ID: ae4fd6341cd9629972005de49082db24d6d83dd917bf322dc9f35de1c08d9fb0
                                        • Opcode Fuzzy Hash: 0d3186e73ae85fc2112b9401f80fcd2eef981c9354ab1f1d36d502f9a6bb8939
                                        • Instruction Fuzzy Hash: DC21AE709053099FDB01DF74E94478D7BF2FB8A714F0086A9C0158F662DB392E8ACB82
                                        Memory Dump Source
                                        • Source File: 00000017.00000002.2092592398.0000000001730000.00000040.00000800.00020000.00000000.sdmp, Offset: 01730000, based on PE: false
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_23_2_1730000_AVKlyo045S.jbxd
                                        Similarity
                                        • API ID:
                                        • String ID:
                                        • API String ID:
                                        • Opcode ID: 213370e7c7edf49cedd49aae8b11151ad4a549920ee4d5073c4567685ebcf271
                                        • Instruction ID: d548485b0453918917dbece70b569b9f5e9ab952ceb22648fffb2aee3b65daf4
                                        • Opcode Fuzzy Hash: 213370e7c7edf49cedd49aae8b11151ad4a549920ee4d5073c4567685ebcf271
                                        • Instruction Fuzzy Hash: 62212835E012499FCF01DFA8D9409DDBBB1FF89310F4582AAD455BB261DB30A946CB94
                                        Memory Dump Source
                                        • Source File: 00000017.00000002.2092592398.0000000001730000.00000040.00000800.00020000.00000000.sdmp, Offset: 01730000, based on PE: false
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_23_2_1730000_AVKlyo045S.jbxd
                                        Similarity
                                        • API ID:
                                        • String ID:
                                        • API String ID:
                                        • Opcode ID: f8587d8af3f01385391148096f1dae2968bf5f1b31b4f105ded406611f81c2ad
                                        • Instruction ID: 9c7dbb5f36955ba8ff125339efcb486f1c08291381b2ee06a854a2c8c0d1c1dd
                                        • Opcode Fuzzy Hash: f8587d8af3f01385391148096f1dae2968bf5f1b31b4f105ded406611f81c2ad
                                        • Instruction Fuzzy Hash: 1A114F70901309AFDB00EF65E948A8D7BF1FB85704F0096A8D4059F265DB756E86CF81
                                        Memory Dump Source
                                        • Source File: 00000017.00000002.2092592398.0000000001730000.00000040.00000800.00020000.00000000.sdmp, Offset: 01730000, based on PE: false
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_23_2_1730000_AVKlyo045S.jbxd
                                        Similarity
                                        • API ID:
                                        • String ID:
                                        • API String ID:
                                        • Opcode ID: 10984b4cf592a068fff3e6a8be110c7ba648ba136277364cac779295ad078176
                                        • Instruction ID: 5cd436a8771a56f44cfd5ba391d8f2af1380231266f3eb307f34642dcbe379a7
                                        • Opcode Fuzzy Hash: 10984b4cf592a068fff3e6a8be110c7ba648ba136277364cac779295ad078176
                                        • Instruction Fuzzy Hash: 2AF03775D0824DCFDF14CFAAD4047EEBBF4AB9A310F1091AAC514BA245DB384A0ADF94
                                        Memory Dump Source
                                        • Source File: 00000017.00000002.2092592398.0000000001730000.00000040.00000800.00020000.00000000.sdmp, Offset: 01730000, based on PE: false
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_23_2_1730000_AVKlyo045S.jbxd
                                        Similarity
                                        • API ID:
                                        • String ID:
                                        • API String ID:
                                        • Opcode ID: fe05c8ee88fbe542f9c13b8ff2a87633bbaa62f9e5dd11a9ed4c4bfd07c15f85
                                        • Instruction ID: 4b3e155868897cbb649a4a0346da370e127fb3006d4900fe31d665079b787cfb
                                        • Opcode Fuzzy Hash: fe05c8ee88fbe542f9c13b8ff2a87633bbaa62f9e5dd11a9ed4c4bfd07c15f85
                                        • Instruction Fuzzy Hash: 53011474D04309DFCB45EFB8D94469DBBF1FF45200F1046AAC455EB250EB709A45DB81
                                        Memory Dump Source
                                        • Source File: 00000017.00000002.2092592398.0000000001730000.00000040.00000800.00020000.00000000.sdmp, Offset: 01730000, based on PE: false
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_23_2_1730000_AVKlyo045S.jbxd
                                        Similarity
                                        • API ID:
                                        • String ID:
                                        • API String ID:
                                        • Opcode ID: c274a2c0be2d09eafd0be5cc395490a8458faea747e80092796bd1d7a54155a5
                                        • Instruction ID: 73e0c6d9814c5af94120562941ec4b1deda42a09a027fe0974823a0de565d113
                                        • Opcode Fuzzy Hash: c274a2c0be2d09eafd0be5cc395490a8458faea747e80092796bd1d7a54155a5
                                        • Instruction Fuzzy Hash: 20F0AF70D01209DFCB45EFB8D944AAEBBB4FF45200F1046AAC415AB254EB709A55CB80
                                        Memory Dump Source
                                        • Source File: 00000018.00000002.2092827941.0000000001330000.00000040.00000800.00020000.00000000.sdmp, Offset: 01330000, based on PE: false
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_24_2_1330000_AVKlyo045S.jbxd
                                        Similarity
                                        • API ID:
                                        • String ID:
                                        • API String ID:
                                        • Opcode ID: a365b0531340a90a6aaf0dca3741d86c04615ff64fcc9cc1cdf260a8a23a60b8
                                        • Instruction ID: 2f61e7ebbd2869e49efe5e0c66630a85bbb59de96d73cb26ef2cf7ef9a23599e
                                        • Opcode Fuzzy Hash: a365b0531340a90a6aaf0dca3741d86c04615ff64fcc9cc1cdf260a8a23a60b8
                                        • Instruction Fuzzy Hash: 89829274A00229CFDB24DF68D884BDDBBB5BF89304F1082A6D419AB365D734AE85CF54
                                        Memory Dump Source
                                        • Source File: 00000018.00000002.2092827941.0000000001330000.00000040.00000800.00020000.00000000.sdmp, Offset: 01330000, based on PE: false
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_24_2_1330000_AVKlyo045S.jbxd
                                        Similarity
                                        • API ID:
                                        • String ID:
                                        • API String ID:
                                        • Opcode ID: 4ab0314c29b8df2d57b46d1946c8c0c53d34df5d4d31115fb228331589824a1b
                                        • Instruction ID: 97ddaa00c2457cb212333563a43f355431d34fc7aca4907867a0dfb327927f05
                                        • Opcode Fuzzy Hash: 4ab0314c29b8df2d57b46d1946c8c0c53d34df5d4d31115fb228331589824a1b
                                        • Instruction Fuzzy Hash: 63318C71909384AFDB06EF74E8946C93FB1FF86A14F0145E6C0849F262E7385D4ACB92
                                        Memory Dump Source
                                        • Source File: 00000018.00000002.2092827941.0000000001330000.00000040.00000800.00020000.00000000.sdmp, Offset: 01330000, based on PE: false
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_24_2_1330000_AVKlyo045S.jbxd
                                        Similarity
                                        • API ID:
                                        • String ID:
                                        • API String ID:
                                        • Opcode ID: 288944ba521d279b61055d249af719fa10d255bad02750aa1c1fe5d83e04f643
                                        • Instruction ID: 0052639b0134293c9137ce58fddc12a71b1eac7d17ce749c0cac65464fe87253
                                        • Opcode Fuzzy Hash: 288944ba521d279b61055d249af719fa10d255bad02750aa1c1fe5d83e04f643
                                        • Instruction Fuzzy Hash: 20217C30900349EFDB05EF75E844B897BB1FB85B04F0045A9C000AF662E7781E1ACF82
                                        Memory Dump Source
                                        • Source File: 00000018.00000002.2092827941.0000000001330000.00000040.00000800.00020000.00000000.sdmp, Offset: 01330000, based on PE: false
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_24_2_1330000_AVKlyo045S.jbxd
                                        Similarity
                                        • API ID:
                                        • String ID:
                                        • API String ID:
                                        • Opcode ID: ef0269b01b260cd9ae09bc26d77f5de7a61c98b984d585606b8d4afde00d1480
                                        • Instruction ID: e0981dafe8ee1a23b4bd70bcb3c3d60ceea016bf8021ffd13d343eacb46106ff
                                        • Opcode Fuzzy Hash: ef0269b01b260cd9ae09bc26d77f5de7a61c98b984d585606b8d4afde00d1480
                                        • Instruction Fuzzy Hash: EC216831E002499FCF01DFA8D440ADDBBB6FF89310F8582A6D450BB261DB30A946CBA4
                                        Memory Dump Source
                                        • Source File: 00000018.00000002.2092827941.0000000001330000.00000040.00000800.00020000.00000000.sdmp, Offset: 01330000, based on PE: false
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_24_2_1330000_AVKlyo045S.jbxd
                                        Similarity
                                        • API ID:
                                        • String ID:
                                        • API String ID:
                                        • Opcode ID: 06c3117d130b8025ff4b58bdc3d6afd49b787afe128f50bfb8a7348650a1a23d
                                        • Instruction ID: 662e97eeadfae49ecf6672fb27af1221fa7da4c4bec7d3efc99e3b3477a4fc22
                                        • Opcode Fuzzy Hash: 06c3117d130b8025ff4b58bdc3d6afd49b787afe128f50bfb8a7348650a1a23d
                                        • Instruction Fuzzy Hash: 9F112930900209EFDB04EFA9F848B8D7BB5FB84B04F0086B8D514AF255EB785E158F81
                                        Memory Dump Source
                                        • Source File: 00000018.00000002.2092827941.0000000001330000.00000040.00000800.00020000.00000000.sdmp, Offset: 01330000, based on PE: false
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_24_2_1330000_AVKlyo045S.jbxd
                                        Similarity
                                        • API ID:
                                        • String ID:
                                        • API String ID:
                                        • Opcode ID: 30ebb4b28d16f1bf62ad16cb4743f26792989464d871100622049134b0c03e74
                                        • Instruction ID: 81c24bbd0951cd9d263b2c1076e60c6c2ae946aa6a3dba3c66830023598b2b9f
                                        • Opcode Fuzzy Hash: 30ebb4b28d16f1bf62ad16cb4743f26792989464d871100622049134b0c03e74
                                        • Instruction Fuzzy Hash: 07F03CB5D0824E9BDF00DFA6D4043EEBBF4EB89314F405469D514B6240D7395509CF98
                                        Memory Dump Source
                                        • Source File: 00000018.00000002.2092827941.0000000001330000.00000040.00000800.00020000.00000000.sdmp, Offset: 01330000, based on PE: false
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_24_2_1330000_AVKlyo045S.jbxd
                                        Similarity
                                        • API ID:
                                        • String ID:
                                        • API String ID:
                                        • Opcode ID: db3ae69dc3e290eee806c278f12960f9c2a54a971283c37c2c81a1c086ab43f1
                                        • Instruction ID: 1568f9013a7aacad9a84ac7ab848d2cdf3832ecd3402d0e4b56869714ff2fd43
                                        • Opcode Fuzzy Hash: db3ae69dc3e290eee806c278f12960f9c2a54a971283c37c2c81a1c086ab43f1
                                        • Instruction Fuzzy Hash: 370137B0D04249DFCB06EFB8D8446ADBBB0FF06200F1046EAC455E7291EB304A45CB82
                                        Memory Dump Source
                                        • Source File: 00000018.00000002.2092827941.0000000001330000.00000040.00000800.00020000.00000000.sdmp, Offset: 01330000, based on PE: false
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_24_2_1330000_AVKlyo045S.jbxd
                                        Similarity
                                        • API ID:
                                        • String ID:
                                        • API String ID:
                                        • Opcode ID: 5232567566d136ff68a7dfb7457bf4a450b41b7a3241078e67218afe0df9b4bf
                                        • Instruction ID: 7ddec34f3c71bdcdecbd106cdf705083923c055013fc8a4388206a9de664da21
                                        • Opcode Fuzzy Hash: 5232567566d136ff68a7dfb7457bf4a450b41b7a3241078e67218afe0df9b4bf
                                        • Instruction Fuzzy Hash: 56F0B274D00209DFCB49EFA8D544AAEBBB4FF45304F5046AAC415A7354EB709A44DB80
                                        Memory Dump Source
                                        • Source File: 00000019.00000002.2092968915.0000000002F50000.00000040.00000800.00020000.00000000.sdmp, Offset: 02F50000, based on PE: false
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_25_2_2f50000_AVKlyo045S.jbxd
                                        Similarity
                                        • API ID:
                                        • String ID:
                                        • API String ID:
                                        • Opcode ID: 8b789ba65e73999b26c2e44fbf35ada837c9e7f692c19da0c9f809255bc29efb
                                        • Instruction ID: ff081bd452b2fcad011a3a5998579819f283b317559e25bb7f9bc13fef46ac84
                                        • Opcode Fuzzy Hash: 8b789ba65e73999b26c2e44fbf35ada837c9e7f692c19da0c9f809255bc29efb
                                        • Instruction Fuzzy Hash: 00829174A00229CFDB24DF68D884BDDB7B1BF49314F1085AAD909AB365DB34AE85CF50
                                        Memory Dump Source
                                        • Source File: 00000019.00000002.2092968915.0000000002F50000.00000040.00000800.00020000.00000000.sdmp, Offset: 02F50000, based on PE: false
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_25_2_2f50000_AVKlyo045S.jbxd
                                        Similarity
                                        • API ID:
                                        • String ID:
                                        • API String ID:
                                        • Opcode ID: 1842ee57ba3d4f47b474bfd937e76a38cf97f172253dccef8af40551be43f0fd
                                        • Instruction ID: 8fb1453dcb4d037e27b09bd00a8c77c5c036ac9b9a7a51cf25088efaef9c3bc7
                                        • Opcode Fuzzy Hash: 1842ee57ba3d4f47b474bfd937e76a38cf97f172253dccef8af40551be43f0fd
                                        • Instruction Fuzzy Hash: A34180718093859FDB03DFB4D8546883FF1EB8A750B0545EAC544EF266DB385D0ACB92
                                        Memory Dump Source
                                        • Source File: 00000019.00000002.2092968915.0000000002F50000.00000040.00000800.00020000.00000000.sdmp, Offset: 02F50000, based on PE: false
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_25_2_2f50000_AVKlyo045S.jbxd
                                        Similarity
                                        • API ID:
                                        • String ID:
                                        • API String ID:
                                        • Opcode ID: ec04c32255e9721b3c4179ff02b44d0b85ec183840363b1ac904495e621f0a19
                                        • Instruction ID: aa30fafc8c84f23ed0651e4269115b4cc4ffe6cc51e0637de8706a3e87c03ebe
                                        • Opcode Fuzzy Hash: ec04c32255e9721b3c4179ff02b44d0b85ec183840363b1ac904495e621f0a19
                                        • Instruction Fuzzy Hash: 5D217C31904309DFDB05EF78E444B897BB1FB85B14F1086A9C404AF656D7395E1ACF81
                                        Memory Dump Source
                                        • Source File: 00000019.00000002.2092968915.0000000002F50000.00000040.00000800.00020000.00000000.sdmp, Offset: 02F50000, based on PE: false
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_25_2_2f50000_AVKlyo045S.jbxd
                                        Similarity
                                        • API ID:
                                        • String ID:
                                        • API String ID:
                                        • Opcode ID: d193f10b4c9ee4bb7bdc5f095f61dc89e85eebfadd914218548042f29667d0a4
                                        • Instruction ID: e15c9a0cba76b1208da524aead3008569169f9c6853bb4a7777cf02e9d03089d
                                        • Opcode Fuzzy Hash: d193f10b4c9ee4bb7bdc5f095f61dc89e85eebfadd914218548042f29667d0a4
                                        • Instruction Fuzzy Hash: 9F219A31E002499FCF01DFACC440ADDBBB1FF8A310F8481AAD514BB251DB30A946CBA0
                                        Memory Dump Source
                                        • Source File: 00000019.00000002.2092968915.0000000002F50000.00000040.00000800.00020000.00000000.sdmp, Offset: 02F50000, based on PE: false
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_25_2_2f50000_AVKlyo045S.jbxd
                                        Similarity
                                        • API ID:
                                        • String ID:
                                        • API String ID:
                                        • Opcode ID: b978f4b46e656629893cef88f3929815488bc44a43df219873349c832d966259
                                        • Instruction ID: 758648ade1088c32eb099b5b0297e26297b711d981378311e492dbb68506af70
                                        • Opcode Fuzzy Hash: b978f4b46e656629893cef88f3929815488bc44a43df219873349c832d966259
                                        • Instruction Fuzzy Hash: 91112970900209EFDB04EFA9E584B8D7BF6FB84B04F1086B8C415AF255EB785E558F81
                                        Memory Dump Source
                                        • Source File: 00000019.00000002.2092968915.0000000002F50000.00000040.00000800.00020000.00000000.sdmp, Offset: 02F50000, based on PE: false
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_25_2_2f50000_AVKlyo045S.jbxd
                                        Similarity
                                        • API ID:
                                        • String ID:
                                        • API String ID:
                                        • Opcode ID: e32858560f4b18e806e76ab05bf13e552e2187240bb601051263005eb1e3d7b5
                                        • Instruction ID: 7d5cf04d5281907fc09555e4c09fde26e3576755588d2d9b7c6773ccbf653190
                                        • Opcode Fuzzy Hash: e32858560f4b18e806e76ab05bf13e552e2187240bb601051263005eb1e3d7b5
                                        • Instruction Fuzzy Hash: 95F069B0E0421A9BCF10CF96D8047EEB7F4AB4A350F005069DA14B2200DB38664ACFA0
                                        Memory Dump Source
                                        • Source File: 00000019.00000002.2092968915.0000000002F50000.00000040.00000800.00020000.00000000.sdmp, Offset: 02F50000, based on PE: false
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_25_2_2f50000_AVKlyo045S.jbxd
                                        Similarity
                                        • API ID:
                                        • String ID:
                                        • API String ID:
                                        • Opcode ID: b07886858e1db50ef669ccf582c803849a5003339b567a2730f7ea8a2a06239a
                                        • Instruction ID: fe65dbda7d4fb41816ac2454b796889af28ebe54bd17f5ae55ef5e96b39964df
                                        • Opcode Fuzzy Hash: b07886858e1db50ef669ccf582c803849a5003339b567a2730f7ea8a2a06239a
                                        • Instruction Fuzzy Hash: C1014670D08249DFCB02DFA8C8546ADBBB0AF0A310F1845EAC845E7392EB304A45CB81
                                        Memory Dump Source
                                        • Source File: 00000019.00000002.2092968915.0000000002F50000.00000040.00000800.00020000.00000000.sdmp, Offset: 02F50000, based on PE: false
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_25_2_2f50000_AVKlyo045S.jbxd
                                        Similarity
                                        • API ID:
                                        • String ID:
                                        • API String ID:
                                        • Opcode ID: 0a4e3e3570a8e58dd16c19a7d50f5dcb0c065f62416006482a5979b7095f86ca
                                        • Instruction ID: 74b61727f51769a60dcb71ffab8c6d6f68f2da2b75c99bb0c23132d7a7864062
                                        • Opcode Fuzzy Hash: 0a4e3e3570a8e58dd16c19a7d50f5dcb0c065f62416006482a5979b7095f86ca
                                        • Instruction Fuzzy Hash: 8AF0B2B0D00209DFCB45EFA8D544AAEBBB4FF05314F1046AAC415A7354EB709A44CB80