Windows Analysis Report
MzXmoBVXtU.exe

Overview

General Information

Sample name: MzXmoBVXtU.exe (renamed because original name is a hash value)
Original sample name: 4d70544594fdd2d04f114222dac0f9a5a21a05a2a3ffd68688cdab8ed93588eb.exe
Analysis ID: 1467008
MD5: edc793f85ad6e90c754a9f0799cc08e3
SHA1: c0a2e36283f9e20219b25dd4e15ec7dc73e7aa71
SHA256: 4d70544594fdd2d04f114222dac0f9a5a21a05a2a3ffd68688cdab8ed93588eb
Tags: exe
Infos:

Detection

XenoRAT
Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Found malware configuration
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Sigma detected: Scheduled temp file as task from temp location
Yara detected XenoRAT
.NET source code contains potential unpacker
AI detected suspicious sample
C2 URLs / IPs found in malware configuration
Injects a PE file into a foreign processes
Machine Learning detection for dropped file
Machine Learning detection for sample
Uses schtasks.exe or at.exe to add and modify task schedules
Allocates memory with a write watch (potentially for evading sandboxes)
Contains functionality to call native functions
Contains long sleeps (>= 3 min)
Creates a process in suspended mode (likely to inject code)
Detected TCP or UDP traffic on non-standard ports
Detected potential crypto function
Drops PE files
Enables debug privileges
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
Found inlined nop instructions (likely shell or obfuscated code)
IP address seen in connection with other malware
Internet Provider seen in connection with other malware
May sleep (evasive loops) to hinder dynamic analysis
Queries the volume information (name, serial number etc) of a device
Sample file is different than original file name gathered from version info
Sigma detected: Suspicious Schtasks From Env Var Folder
Uses 32bit PE files
Uses code obfuscation techniques (call, push, ret)

Classification

  • System is w10x64
  • MzXmoBVXtU.exe (PID: 6404 cmdline: "C:\Users\user\Desktop\MzXmoBVXtU.exe" MD5: EDC793F85AD6E90C754A9F0799CC08E3)
    • MzXmoBVXtU.exe (PID: 4124 cmdline: C:\Users\user\Desktop\MzXmoBVXtU.exe MD5: EDC793F85AD6E90C754A9F0799CC08E3)
      • MzXmoBVXtU.exe (PID: 5368 cmdline: "C:\Users\user\AppData\Roaming\XenoManager\MzXmoBVXtU.exe" MD5: EDC793F85AD6E90C754A9F0799CC08E3)
        • MzXmoBVXtU.exe (PID: 7252 cmdline: C:\Users\user\AppData\Roaming\XenoManager\MzXmoBVXtU.exe MD5: EDC793F85AD6E90C754A9F0799CC08E3)
        • MzXmoBVXtU.exe (PID: 7276 cmdline: C:\Users\user\AppData\Roaming\XenoManager\MzXmoBVXtU.exe MD5: EDC793F85AD6E90C754A9F0799CC08E3)
        • MzXmoBVXtU.exe (PID: 7304 cmdline: C:\Users\user\AppData\Roaming\XenoManager\MzXmoBVXtU.exe MD5: EDC793F85AD6E90C754A9F0799CC08E3)
    • MzXmoBVXtU.exe (PID: 7032 cmdline: C:\Users\user\Desktop\MzXmoBVXtU.exe MD5: EDC793F85AD6E90C754A9F0799CC08E3)
      • schtasks.exe (PID: 7860 cmdline: "schtasks.exe" /Create /TN "cms" /XML "C:\Users\user\AppData\Local\Temp\tmpA71E.tmp" /F MD5: 48C2FE20575769DE916F48EF0676A965)
        • conhost.exe (PID: 7868 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
    • MzXmoBVXtU.exe (PID: 4408 cmdline: C:\Users\user\Desktop\MzXmoBVXtU.exe MD5: EDC793F85AD6E90C754A9F0799CC08E3)
  • MzXmoBVXtU.exe (PID: 7916 cmdline: C:\Users\user\Desktop\MzXmoBVXtU.exe MD5: EDC793F85AD6E90C754A9F0799CC08E3)
    • MzXmoBVXtU.exe (PID: 7976 cmdline: C:\Users\user\Desktop\MzXmoBVXtU.exe MD5: EDC793F85AD6E90C754A9F0799CC08E3)
    • MzXmoBVXtU.exe (PID: 7984 cmdline: C:\Users\user\Desktop\MzXmoBVXtU.exe MD5: EDC793F85AD6E90C754A9F0799CC08E3)
    • MzXmoBVXtU.exe (PID: 8000 cmdline: C:\Users\user\Desktop\MzXmoBVXtU.exe MD5: EDC793F85AD6E90C754A9F0799CC08E3)
  • cleanup
{"C2 url": "91.92.248.167", "Mutex Name": "Wolid_rat_nd8859g", "Install Folder": "appdata"}
Source | Rule | Description | Author | Strings
00000000.00000002.2037006384.0000000003052000.00000004.00000800.00020000.00000000.sdmp | JoeSecurity_XenoRAT | Yara detected XenoRAT | Joe Security |
00000004.00000002.2021044711.0000000000402000.00000040.00000400.00020000.00000000.sdmp | JoeSecurity_XenoRAT | Yara detected XenoRAT | Joe Security |
00000005.00000002.2046449338.0000000003345000.00000004.00000800.00020000.00000000.sdmp | JoeSecurity_XenoRAT | Yara detected XenoRAT | Joe Security |
00000000.00000002.2037006384.0000000003061000.00000004.00000800.00020000.00000000.sdmp | JoeSecurity_XenoRAT | Yara detected XenoRAT | Joe Security |
00000005.00000002.2046449338.0000000003298000.00000004.00000800.00020000.00000000.sdmp | JoeSecurity_XenoRAT | Yara detected XenoRAT | Joe Security |

Source | Rule | Description | Author | Strings
4.2.MzXmoBVXtU.exe.400000.0.unpack | JoeSecurity_XenoRAT | Yara detected XenoRAT | Joe Security |
14.2.MzXmoBVXtU.exe.2d1e72c.0.unpack | JoeSecurity_XenoRAT | Yara detected XenoRAT | Joe Security |
5.2.MzXmoBVXtU.exe.311d670.0.unpack | JoeSecurity_XenoRAT | Yara detected XenoRAT | Joe Security |
0.2.MzXmoBVXtU.exe.2e3d62c.2.unpack | JoeSecurity_XenoRAT | Yara detected XenoRAT | Joe Security |
5.2.MzXmoBVXtU.exe.311d670.0.raw.unpack | JoeSecurity_XenoRAT | Yara detected XenoRAT | Joe Security |

Source: Process started, Author: Florian Roth (Nextron Systems), Data: Command: "schtasks.exe" /Create /TN "cms" /XML "C:\Users\user\AppData\Local\Temp\tmpA71E.tmp" /F, CommandLine: "schtasks.exe" /Create /TN "cms" /XML "C:\Users\user\AppData\Local\Temp\tmpA71E.tmp" /F, CommandLine|base64offset|contains: *j, Image: C:\Windows\SysWOW64\schtasks.exe, NewProcessName: C:\Windows\SysWOW64\schtasks.exe, OriginalFileName: C:\Windows\SysWOW64\schtasks.exe, ParentCommandLine: C:\Users\user\Desktop\MzXmoBVXtU.exe, ParentImage: C:\Users\user\Desktop\MzXmoBVXtU.exe, ParentProcessId: 7032, ParentProcessName: MzXmoBVXtU.exe, ProcessCommandLine: "schtasks.exe" /Create /TN "cms" /XML "C:\Users\user\AppData\Local\Temp\tmpA71E.tmp" /F, ProcessId: 7860, ProcessName: schtasks.exe

Persistence and Installation Behavior

Source: Process started, Author: Joe Security, Data: Command: "schtasks.exe" /Create /TN "cms" /XML "C:\Users\user\AppData\Local\Temp\tmpA71E.tmp" /F, CommandLine: "schtasks.exe" /Create /TN "cms" /XML "C:\Users\user\AppData\Local\Temp\tmpA71E.tmp" /F, CommandLine|base64offset|contains: *j, Image: C:\Windows\SysWOW64\schtasks.exe, NewProcessName: C:\Windows\SysWOW64\schtasks.exe, OriginalFileName: C:\Windows\SysWOW64\schtasks.exe, ParentCommandLine: C:\Users\user\Desktop\MzXmoBVXtU.exe, ParentImage: C:\Users\user\Desktop\MzXmoBVXtU.exe, ParentProcessId: 7032, ParentProcessName: MzXmoBVXtU.exe, ProcessCommandLine: "schtasks.exe" /Create /TN "cms" /XML "C:\Users\user\AppData\Local\Temp\tmpA71E.tmp" /F, ProcessId: 7860, ProcessName: schtasks.exe
No Snort rule has matched

AV Detection

Source: 14.2.MzXmoBVXtU.exe.2d1e72c.0.unpack, Malware Configuration Extractor: XenoRAT {"C2 url": "91.92.248.167", "Mutex Name": "Wolid_rat_nd8859g", "Install Folder": "appdata"}
Source: C:\Users\user\AppData\Roaming\XenoManager\MzXmoBVXtU.exe, ReversingLabs: Detection: 71%
Source: MzXmoBVXtU.exe, ReversingLabs: Detection: 79%
Source: Submitted Sample, Integrated Neural Analysis Model: Matched 100.0% probability
Source: C:\Users\user\AppData\Roaming\XenoManager\MzXmoBVXtU.exe, Joe Sandbox ML: detected
Source: MzXmoBVXtU.exe, Joe Sandbox ML: detected
Source: MzXmoBVXtU.exe, Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE
Source: MzXmoBVXtU.exe, Static PE information: HIGH_ENTROPY_VA, DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE
Source: C:\Users\user\Desktop\MzXmoBVXtU.exe, Code function: 4x nop then jmp 00C417B0h, 2_2_00C40B60
Source: C:\Users\user\Desktop\MzXmoBVXtU.exe, Code function: 4x nop then jmp 00F917B0h, 3_2_00F90B60
Source: C:\Users\user\Desktop\MzXmoBVXtU.exe, Code function: 4x nop then jmp 00F917B0h, 3_2_00F90B51
Source: C:\Users\user\Desktop\MzXmoBVXtU.exe, Code function: 4x nop then jmp 012B17B0h, 4_2_012B0B60
Source: C:\Users\user\AppData\Roaming\XenoManager\MzXmoBVXtU.exe, Code function: 4x nop then jmp 00C417B0h, 6_2_00C40B60
Source: C:\Users\user\AppData\Roaming\XenoManager\MzXmoBVXtU.exe, Code function: 4x nop then jmp 00E117B0h, 7_2_00E10B60
Source: C:\Users\user\AppData\Roaming\XenoManager\MzXmoBVXtU.exe, Code function: 4x nop then jmp 013417B0h, 8_2_01340B60
Source: C:\Users\user\Desktop\MzXmoBVXtU.exe, Code function: 4x nop then jmp 019717B0h, 15_2_01970B60
Source: C:\Users\user\Desktop\MzXmoBVXtU.exe, Code function: 4x nop then jmp 030817B0h, 16_2_03080B60
Source: C:\Users\user\Desktop\MzXmoBVXtU.exe, Code function: 4x nop then jmp 017117B0h, 17_2_01710B60

Networking

Source: Malware configuration extractor, URLs: 91.92.248.167
Source: global traffic, TCP traffic: 192.168.2.5:49711 -> 91.92.248.167:1280
Source: Joe Sandbox View, IP Address: 91.92.248.167
Source: Joe Sandbox View, ASN Name: THEZONEBG
Source: unknown, TCP traffic detected without corresponding DNS query: 91.92.248.167
Source: C:\Users\user\Desktop\MzXmoBVXtU.exe, Code function: 0_2_0AD37E18 NtReadVirtualMemory,0_2_0AD37E18
Source: C:\Users\user\Desktop\MzXmoBVXtU.exe, Code function: 0_2_0AD383D0 NtResumeThread,0_2_0AD383D0
Source: C:\Users\user\Desktop\MzXmoBVXtU.exe, Code function: 0_2_0AD38798 NtSetContextThread,0_2_0AD38798
Source: C:\Users\user\Desktop\MzXmoBVXtU.exe, Code function: 0_2_0AD385F0 NtWriteVirtualMemory,0_2_0AD385F0
Source: C:\Users\user\Desktop\MzXmoBVXtU.exe, Code function: 0_2_0AD382E9 NtResumeThread,0_2_0AD382E9
Source: C:\Users\user\Desktop\MzXmoBVXtU.exe, Code function: 0_2_0AD37E10 NtReadVirtualMemory,0_2_0AD37E10
Source: C:\Users\user\Desktop\MzXmoBVXtU.exe, Code function: 0_2_0AD38790 NtSetContextThread,0_2_0AD38790
Source: C:\Users\user\Desktop\MzXmoBVXtU.exe, Code function: 0_2_0AD38340 NtResumeThread,0_2_0AD38340
Source: C:\Users\user\Desktop\MzXmoBVXtU.exe, Code function: 0_2_0AD385E9 NtWriteVirtualMemory,0_2_0AD385E9
Source: C:\Users\user\AppData\Roaming\XenoManager\MzXmoBVXtU.exe, Code function: 5_2_0B058798 NtSetContextThread,5_2_0B058798
Source: C:\Users\user\AppData\Roaming\XenoManager\MzXmoBVXtU.exe, Code function: 5_2_0B0583D0 NtResumeThread,5_2_0B0583D0
Source: C:\Users\user\AppData\Roaming\XenoManager\MzXmoBVXtU.exe, Code function: 5_2_0B057E18 NtReadVirtualMemory,5_2_0B057E18
Source: C:\Users\user\AppData\Roaming\XenoManager\MzXmoBVXtU.exe, Code function: 5_2_0B0585F0 NtWriteVirtualMemory,5_2_0B0585F0
Source: C:\Users\user\AppData\Roaming\XenoManager\MzXmoBVXtU.exe, Code function: 5_2_0B058340 NtResumeThread,5_2_0B058340
Source: C:\Users\user\AppData\Roaming\XenoManager\MzXmoBVXtU.exe, Code function: 5_2_0B058790 NtSetContextThread,5_2_0B058790
Source: C:\Users\user\AppData\Roaming\XenoManager\MzXmoBVXtU.exe, Code function: 5_2_0B057E10 NtReadVirtualMemory,5_2_0B057E10
Source: C:\Users\user\AppData\Roaming\XenoManager\MzXmoBVXtU.exe, Code function: 5_2_0B0582E1 NtResumeThread,5_2_0B0582E1
Source: C:\Users\user\AppData\Roaming\XenoManager\MzXmoBVXtU.exe, Code function: 5_2_0B0585E9 NtWriteVirtualMemory,5_2_0B0585E9
Source: C:\Users\user\Desktop\MzXmoBVXtU.exe, Code function: 14_2_052785F0 NtWriteVirtualMemory,14_2_052785F0
Source: C:\Users\user\Desktop\MzXmoBVXtU.exe, Code function: 14_2_05278798 NtSetContextThread,14_2_05278798
Source: C:\Users\user\Desktop\MzXmoBVXtU.exe, Code function: 14_2_052783D0 NtResumeThread,14_2_052783D0
Source: C:\Users\user\Desktop\MzXmoBVXtU.exe, Code function: 14_2_05277E18 NtReadVirtualMemory,14_2_05277E18
Source: C:\Users\user\Desktop\MzXmoBVXtU.exe, Code function: 14_2_052785E9 NtWriteVirtualMemory,14_2_052785E9
Source: C:\Users\user\Desktop\MzXmoBVXtU.exe, Code function: 14_2_05278340 NtResumeThread,14_2_05278340
Source: C:\Users\user\Desktop\MzXmoBVXtU.exe, Code function: 14_2_05278790 NtSetContextThread,14_2_05278790
Source: C:\Users\user\Desktop\MzXmoBVXtU.exe, Code function: 14_2_05277E10 NtReadVirtualMemory,14_2_05277E10
Source: C:\Users\user\Desktop\MzXmoBVXtU.exe, Code function: 14_2_052782DB NtResumeThread,14_2_052782DB
                      Source: C:\Users\user\Desktop\MzXmoBVXtU.exeCode function: 14_2_0101546214_2_01015462
                      Source: C:\Users\user\Desktop\MzXmoBVXtU.exeCode function: 14_2_0101686814_2_01016868
                      Source: C:\Users\user\Desktop\MzXmoBVXtU.exeCode function: 14_2_0101547014_2_01015470
                      Source: C:\Users\user\Desktop\MzXmoBVXtU.exeCode function: 14_2_0101687814_2_01016878
                      Source: C:\Users\user\Desktop\MzXmoBVXtU.exeCode function: 14_2_0101448114_2_01014481
                      Source: C:\Users\user\Desktop\MzXmoBVXtU.exeCode function: 14_2_0101849814_2_01018498
                      Source: C:\Users\user\Desktop\MzXmoBVXtU.exeCode function: 14_2_0101231514_2_01012315
                      Source: C:\Users\user\Desktop\MzXmoBVXtU.exeCode function: 14_2_0101D32814_2_0101D328
                      Source: C:\Users\user\Desktop\MzXmoBVXtU.exeCode function: 14_2_0101173014_2_01011730
                      Source: C:\Users\user\Desktop\MzXmoBVXtU.exeCode function: 14_2_01015FC014_2_01015FC0
                      Source: C:\Users\user\Desktop\MzXmoBVXtU.exeCode function: 14_2_01015FD014_2_01015FD0
                      Source: C:\Users\user\Desktop\MzXmoBVXtU.exeCode function: 14_2_0101C7D814_2_0101C7D8
                      Source: C:\Users\user\Desktop\MzXmoBVXtU.exeCode function: 14_2_0101DBE814_2_0101DBE8
                      Source: C:\Users\user\Desktop\MzXmoBVXtU.exeCode function: 14_2_0101363814_2_01013638
                      Source: C:\Users\user\Desktop\MzXmoBVXtU.exeCode function: 14_2_0101664A14_2_0101664A
                      Source: C:\Users\user\Desktop\MzXmoBVXtU.exeCode function: 14_2_0101665814_2_01016658
                      Source: C:\Users\user\Desktop\MzXmoBVXtU.exeCode function: 14_2_0101DE7814_2_0101DE78
                      Source: C:\Users\user\Desktop\MzXmoBVXtU.exeCode function: 14_2_0101729014_2_01017290
                      Source: C:\Users\user\Desktop\MzXmoBVXtU.exeCode function: 14_2_01016AA914_2_01016AA9
                      Source: C:\Users\user\Desktop\MzXmoBVXtU.exeCode function: 14_2_01016AB814_2_01016AB8
                      Source: C:\Users\user\Desktop\MzXmoBVXtU.exeCode function: 14_2_010162D814_2_010162D8
                      Source: C:\Users\user\Desktop\MzXmoBVXtU.exeCode function: 14_2_010122F514_2_010122F5
                      Source: C:\Users\user\Desktop\MzXmoBVXtU.exeCode function: 14_2_0527719814_2_05277198
                      Source: C:\Users\user\Desktop\MzXmoBVXtU.exeCode function: 14_2_0527A04814_2_0527A048
                      Source: C:\Users\user\Desktop\MzXmoBVXtU.exeCode function: 14_2_05275FD014_2_05275FD0
                      Source: C:\Users\user\Desktop\MzXmoBVXtU.exeCode function: 14_2_0527893814_2_05278938
                      Source: C:\Users\user\Desktop\MzXmoBVXtU.exeCode function: 14_2_0527290814_2_05272908
                      Source: C:\Users\user\Desktop\MzXmoBVXtU.exeCode function: 14_2_0527894814_2_05278948
                      Source: C:\Users\user\Desktop\MzXmoBVXtU.exeCode function: 14_2_0527718C14_2_0527718C
                      Source: C:\Users\user\Desktop\MzXmoBVXtU.exeCode function: 14_2_0527A03914_2_0527A039
                      Source: C:\Users\user\Desktop\MzXmoBVXtU.exeCode function: 14_2_05273F5A14_2_05273F5A
                      Source: C:\Users\user\Desktop\MzXmoBVXtU.exeCode function: 14_2_05275FC014_2_05275FC0
                      Source: C:\Users\user\Desktop\MzXmoBVXtU.exeCode function: 14_2_05272E0014_2_05272E00
                      Source: C:\Users\user\Desktop\MzXmoBVXtU.exeCode function: 14_2_054351E814_2_054351E8
                      Source: C:\Users\user\Desktop\MzXmoBVXtU.exeCode function: 14_2_0543359E14_2_0543359E
                      Source: C:\Users\user\Desktop\MzXmoBVXtU.exeCode function: 14_2_0543004014_2_05430040
                      Source: C:\Users\user\Desktop\MzXmoBVXtU.exeCode function: 14_2_0543639814_2_05436398
                      Source: C:\Users\user\Desktop\MzXmoBVXtU.exeCode function: 14_2_05435A1014_2_05435A10
                      Source: C:\Users\user\Desktop\MzXmoBVXtU.exeCode function: 14_2_054372F014_2_054372F0
                      Source: C:\Users\user\Desktop\MzXmoBVXtU.exeCode function: 14_2_0543514014_2_05435140
                      Source: C:\Users\user\Desktop\MzXmoBVXtU.exeCode function: 14_2_0543511814_2_05435118
                      Source: C:\Users\user\Desktop\MzXmoBVXtU.exeCode function: 14_2_054399C014_2_054399C0
                      Source: C:\Users\user\Desktop\MzXmoBVXtU.exeCode function: 14_2_0543000614_2_05430006
                      Source: C:\Users\user\Desktop\MzXmoBVXtU.exeCode function: 14_2_054394F814_2_054394F8
                      Source: C:\Users\user\Desktop\MzXmoBVXtU.exeCode function: 14_2_0543971814_2_05439718
                      Source: C:\Users\user\Desktop\MzXmoBVXtU.exeCode function: 14_2_05438E5814_2_05438E58
                      Source: C:\Users\user\Desktop\MzXmoBVXtU.exeCode function: 14_2_0543C26814_2_0543C268
                      Source: C:\Users\user\Desktop\MzXmoBVXtU.exeCode function: 14_2_0543822014_2_05438220
                      Source: C:\Users\user\Desktop\MzXmoBVXtU.exeCode function: 14_2_0543462F14_2_0543462F
                      Source: C:\Users\user\Desktop\MzXmoBVXtU.exeCode function: 14_2_05435ECF14_2_05435ECF
                      Source: C:\Users\user\Desktop\MzXmoBVXtU.exeCode function: 15_2_01970B6015_2_01970B60
                      Source: C:\Users\user\Desktop\MzXmoBVXtU.exeCode function: 16_2_03080B6016_2_03080B60
                      Source: C:\Users\user\Desktop\MzXmoBVXtU.exeCode function: 17_2_01710B6017_2_01710B60
                      Source: MzXmoBVXtU.exe, 00000000.00000002.2037006384.0000000002E31000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: OriginalFilenameXolid_manager.exe< vs MzXmoBVXtU.exe
                      Source: MzXmoBVXtU.exe, 00000000.00000000.2011077979.0000000000A52000.00000002.00000001.01000000.00000003.sdmp Binary or memory string: OriginalFilenameserver1.exe> vs MzXmoBVXtU.exe
                      Source: MzXmoBVXtU.exe, 00000000.00000002.2037006384.0000000003052000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: OriginalFilenameXolid_manager.exe< vs MzXmoBVXtU.exe
                      Source: MzXmoBVXtU.exe, 00000000.00000002.2040650376.000000000DF90000.00000004.08000000.00040000.00000000.sdmp Binary or memory string: OriginalFilenameserver1.exe> vs MzXmoBVXtU.exe
                      Source: MzXmoBVXtU.exe, 00000000.00000002.2035657345.00000000011EE000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: OriginalFilenameclr.dllT vs MzXmoBVXtU.exe
                      Source: MzXmoBVXtU.exe, 00000000.00000002.2037006384.0000000003061000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: OriginalFilenameXolid_manager.exe< vs MzXmoBVXtU.exe
                      Source: MzXmoBVXtU.exe, 00000002.00000002.2022708350.0000000000B5D000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: OriginalFilenameserver1.exe vs MzXmoBVXtU.exe
                      Source: MzXmoBVXtU.exe, 00000004.00000002.2021044711.000000000040E000.00000040.00000400.00020000.00000000.sdmp Binary or memory string: OriginalFilenameXolid_manager.exe< vs MzXmoBVXtU.exe
                      Source: MzXmoBVXtU.exe, 00000005.00000002.2045442848.00000000012DE000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: OriginalFilenameclr.dllT vs MzXmoBVXtU.exe
                      Source: MzXmoBVXtU.exe, 00000005.00000002.2046449338.0000000003298000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: OriginalFilenameXolid_manager.exe< vs MzXmoBVXtU.exe
                      Source: MzXmoBVXtU.exe, 00000005.00000002.2046449338.0000000003345000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: OriginalFilenameXolid_manager.exe< vs MzXmoBVXtU.exe
                      Source: MzXmoBVXtU.exe, 00000005.00000002.2046449338.0000000003111000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: OriginalFilenameXolid_manager.exe< vs MzXmoBVXtU.exe
                      Source: MzXmoBVXtU.exe, 0000000E.00000002.2654780705.0000000002F2F000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: OriginalFilenameXolid_manager.exe< vs MzXmoBVXtU.exe
                      Source: MzXmoBVXtU.exe, 0000000E.00000002.2654780705.0000000002D11000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: OriginalFilenameXolid_manager.exe< vs MzXmoBVXtU.exe
                      Source: MzXmoBVXtU.exe, 0000000E.00000002.2654780705.0000000002F20000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: OriginalFilenameXolid_manager.exe< vs MzXmoBVXtU.exe
                      Source: MzXmoBVXtU.exe Binary or memory string: OriginalFilenameserver1.exe> vs MzXmoBVXtU.exe
                      Source: MzXmoBVXtU.exe.2.dr Binary or memory string: OriginalFilenameserver1.exe> vs MzXmoBVXtU.exe
                      Source: MzXmoBVXtU.exe Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE
                      Source: MzXmoBVXtU.exe Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
                      Source: MzXmoBVXtU.exe.2.dr Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
                      Source: 0.2.MzXmoBVXtU.exe.2e3d62c.2.raw.unpack, Encryption.cs Cryptographic APIs: 'CreateDecryptor'
                      Source: 5.2.MzXmoBVXtU.exe.311d670.0.raw.unpack, Encryption.cs Cryptographic APIs: 'CreateDecryptor'
                      Source: 14.2.MzXmoBVXtU.exe.2d1e72c.0.raw.unpack, Encryption.cs Cryptographic APIs: 'CreateDecryptor'
                      Source: classification engine Classification label: mal100.troj.evad.winEXE@25/4@0/1
                      Source: C:\Users\user\Desktop\MzXmoBVXtU.exe File created: C:\Users\user\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\MzXmoBVXtU.exe.log
                      Source: C:\Users\user\Desktop\MzXmoBVXtU.exe Mutant created: NULL
                      Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7868:120:WilError_03
                      Source: C:\Users\user\Desktop\MzXmoBVXtU.exe Mutant created: \Sessions\1\BaseNamedObjects\Wolid_rat_nd8859g-admin
                      Source: C:\Users\user\Desktop\MzXmoBVXtU.exe File created: C:\Users\user\AppData\Local\Temp\tmpA71E.tmp
                      Source: MzXmoBVXtU.exe Static file information: TRID: Win32 Executable (generic) Net Framework (10011505/4) 49.83%
                      Source: C:\Users\user\Desktop\MzXmoBVXtU.exe File read: C:\Users\user\Desktop\desktop.ini
                      Source: C:\Users\user\Desktop\MzXmoBVXtU.exe Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
                      Source: MzXmoBVXtU.exe ReversingLabs: Detection: 79%
                      Source: C:\Users\user\Desktop\MzXmoBVXtU.exe File read: C:\Users\user\Desktop\MzXmoBVXtU.exe
                      Source: unknown Process created: C:\Users\user\Desktop\MzXmoBVXtU.exe "C:\Users\user\Desktop\MzXmoBVXtU.exe"
                      Source: C:\Users\user\Desktop\MzXmoBVXtU.exe Process created: C:\Users\user\Desktop\MzXmoBVXtU.exe C:\Users\user\Desktop\MzXmoBVXtU.exe
                      Source: C:\Users\user\Desktop\MzXmoBVXtU.exe Process created: C:\Users\user\Desktop\MzXmoBVXtU.exe C:\Users\user\Desktop\MzXmoBVXtU.exe
                      Source: C:\Users\user\Desktop\MzXmoBVXtU.exe Process created: C:\Users\user\Desktop\MzXmoBVXtU.exe C:\Users\user\Desktop\MzXmoBVXtU.exe
                      Source: C:\Users\user\Desktop\MzXmoBVXtU.exe Process created: C:\Users\user\AppData\Roaming\XenoManager\MzXmoBVXtU.exe "C:\Users\user\AppData\Roaming\XenoManager\MzXmoBVXtU.exe"
                      Source: C:\Users\user\AppData\Roaming\XenoManager\MzXmoBVXtU.exe Process created: C:\Users\user\AppData\Roaming\XenoManager\MzXmoBVXtU.exe C:\Users\user\AppData\Roaming\XenoManager\MzXmoBVXtU.exe
                      Source: C:\Users\user\AppData\Roaming\XenoManager\MzXmoBVXtU.exe Process created: C:\Users\user\AppData\Roaming\XenoManager\MzXmoBVXtU.exe C:\Users\user\AppData\Roaming\XenoManager\MzXmoBVXtU.exe
                      Source: C:\Users\user\AppData\Roaming\XenoManager\MzXmoBVXtU.exe Process created: C:\Users\user\AppData\Roaming\XenoManager\MzXmoBVXtU.exe C:\Users\user\AppData\Roaming\XenoManager\MzXmoBVXtU.exe
                      Source: C:\Users\user\Desktop\MzXmoBVXtU.exe Process created: C:\Windows\SysWOW64\schtasks.exe "schtasks.exe" /Create /TN "cms" /XML "C:\Users\user\AppData\Local\Temp\tmpA71E.tmp" /F
                      Source: C:\Windows\SysWOW64\schtasks.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                      Source: unknown Process created: C:\Users\user\Desktop\MzXmoBVXtU.exe C:\Users\user\Desktop\MzXmoBVXtU.exe
                      Source: C:\Users\user\Desktop\MzXmoBVXtU.exe Process created: C:\Users\user\Desktop\MzXmoBVXtU.exe C:\Users\user\Desktop\MzXmoBVXtU.exe
                      Source: C:\Users\user\Desktop\MzXmoBVXtU.exe Process created: C:\Users\user\Desktop\MzXmoBVXtU.exe C:\Users\user\Desktop\MzXmoBVXtU.exe
                      Source: C:\Users\user\Desktop\MzXmoBVXtU.exe Process created: C:\Users\user\Desktop\MzXmoBVXtU.exe C:\Users\user\Desktop\MzXmoBVXtU.exe
                      Source: C:\Users\user\Desktop\MzXmoBVXtU.exeSection loaded: mscoree.dllJump to behavior
                      Source: C:\Users\user\Desktop\MzXmoBVXtU.exeSection loaded: apphelp.dllJump to behavior
                      Source: C:\Users\user\Desktop\MzXmoBVXtU.exeSection loaded: kernel.appcore.dllJump to behavior
                      Source: C:\Users\user\Desktop\MzXmoBVXtU.exeSection loaded: version.dllJump to behavior
                      Source: C:\Users\user\Desktop\MzXmoBVXtU.exeSection loaded: vcruntime140_clr0400.dllJump to behavior
                      Source: C:\Users\user\Desktop\MzXmoBVXtU.exeSection loaded: ucrtbase_clr0400.dllJump to behavior
                      Source: C:\Users\user\Desktop\MzXmoBVXtU.exeSection loaded: ucrtbase_clr0400.dllJump to behavior
                      Source: C:\Users\user\Desktop\MzXmoBVXtU.exeSection loaded: uxtheme.dllJump to behavior
                      Source: C:\Users\user\Desktop\MzXmoBVXtU.exeSection loaded: wldp.dllJump to behavior
                      Source: C:\Users\user\Desktop\MzXmoBVXtU.exeSection loaded: amsi.dllJump to behavior
                      Source: C:\Users\user\Desktop\MzXmoBVXtU.exeSection loaded: userenv.dllJump to behavior
                      Source: C:\Users\user\Desktop\MzXmoBVXtU.exeSection loaded: profapi.dllJump to behavior
                      Source: C:\Users\user\Desktop\MzXmoBVXtU.exeSection loaded: msasn1.dllJump to behavior
                      Source: C:\Users\user\Desktop\MzXmoBVXtU.exeSection loaded: gpapi.dllJump to behavior
                      Source: C:\Users\user\Desktop\MzXmoBVXtU.exeSection loaded: cryptsp.dllJump to behavior
                      Source: C:\Users\user\Desktop\MzXmoBVXtU.exeSection loaded: rsaenh.dllJump to behavior
                      Source: C:\Users\user\Desktop\MzXmoBVXtU.exeSection loaded: cryptbase.dllJump to behavior
                      Source: C:\Users\user\Desktop\MzXmoBVXtU.exeSection loaded: mscoree.dllJump to behavior
                      Source: C:\Users\user\Desktop\MzXmoBVXtU.exeSection loaded: kernel.appcore.dllJump to behavior
                      Source: C:\Users\user\Desktop\MzXmoBVXtU.exeSection loaded: version.dllJump to behavior
                      Source: C:\Users\user\Desktop\MzXmoBVXtU.exeSection loaded: vcruntime140_clr0400.dllJump to behavior
                      Source: C:\Users\user\Desktop\MzXmoBVXtU.exeSection loaded: ucrtbase_clr0400.dllJump to behavior
                      Source: C:\Users\user\Desktop\MzXmoBVXtU.exeSection loaded: ucrtbase_clr0400.dllJump to behavior
                      Source: C:\Users\user\Desktop\MzXmoBVXtU.exeSection loaded: ntmarta.dllJump to behavior
                      Source: C:\Users\user\Desktop\MzXmoBVXtU.exeSection loaded: uxtheme.dllJump to behavior
                      Source: C:\Users\user\Desktop\MzXmoBVXtU.exeSection loaded: windows.storage.dllJump to behavior
                      Source: C:\Users\user\Desktop\MzXmoBVXtU.exeSection loaded: wldp.dllJump to behavior
                      Source: C:\Users\user\Desktop\MzXmoBVXtU.exeSection loaded: propsys.dllJump to behavior
                      Source: C:\Users\user\Desktop\MzXmoBVXtU.exeSection loaded: profapi.dllJump to behavior
                      Source: C:\Users\user\Desktop\MzXmoBVXtU.exeSection loaded: edputil.dllJump to behavior
                      Source: C:\Users\user\Desktop\MzXmoBVXtU.exeSection loaded: urlmon.dllJump to behavior
                      Source: C:\Users\user\Desktop\MzXmoBVXtU.exeSection loaded: iertutil.dllJump to behavior
                      Source: C:\Users\user\Desktop\MzXmoBVXtU.exeSection loaded: srvcli.dllJump to behavior
                      Source: C:\Users\user\Desktop\MzXmoBVXtU.exeSection loaded: netutils.dllJump to behavior
                      Source: C:\Users\user\Desktop\MzXmoBVXtU.exeSection loaded: windows.staterepositoryps.dllJump to behavior
                      Source: C:\Users\user\Desktop\MzXmoBVXtU.exeSection loaded: sspicli.dllJump to behavior
                      Source: C:\Users\user\Desktop\MzXmoBVXtU.exeSection loaded: wintypes.dllJump to behavior
                      Source: C:\Users\user\Desktop\MzXmoBVXtU.exeSection loaded: appresolver.dllJump to behavior
                      Source: C:\Users\user\Desktop\MzXmoBVXtU.exeSection loaded: bcp47langs.dllJump to behavior
                      Source: C:\Users\user\Desktop\MzXmoBVXtU.exeSection loaded: slc.dllJump to behavior
                      Source: C:\Users\user\Desktop\MzXmoBVXtU.exeSection loaded: userenv.dllJump to behavior
                      Source: C:\Users\user\Desktop\MzXmoBVXtU.exeSection loaded: sppc.dllJump to behavior
                      Source: C:\Users\user\Desktop\MzXmoBVXtU.exeSection loaded: onecorecommonproxystub.dllJump to behavior
                      Source: C:\Users\user\Desktop\MzXmoBVXtU.exeSection loaded: onecoreuapcommonproxystub.dllJump to behavior
                      Source: C:\Users\user\Desktop\MzXmoBVXtU.exeSection loaded: apphelp.dllJump to behavior
                      Source: C:\Users\user\Desktop\MzXmoBVXtU.exeSection loaded: mscoree.dllJump to behavior
                      Source: C:\Users\user\Desktop\MzXmoBVXtU.exeSection loaded: kernel.appcore.dllJump to behavior
                      Source: C:\Users\user\Desktop\MzXmoBVXtU.exeSection loaded: version.dllJump to behavior
                      Source: C:\Users\user\Desktop\MzXmoBVXtU.exeSection loaded: vcruntime140_clr0400.dllJump to behavior
                      Source: C:\Users\user\Desktop\MzXmoBVXtU.exeSection loaded: ucrtbase_clr0400.dllJump to behavior
                      Source: C:\Users\user\Desktop\MzXmoBVXtU.exeSection loaded: ucrtbase_clr0400.dllJump to behavior
                      Source: C:\Users\user\Desktop\MzXmoBVXtU.exeSection loaded: windows.storage.dllJump to behavior
                      Source: C:\Users\user\Desktop\MzXmoBVXtU.exeSection loaded: wldp.dllJump to behavior
                      Source: C:\Users\user\Desktop\MzXmoBVXtU.exeSection loaded: profapi.dllJump to behavior
                      Source: C:\Users\user\Desktop\MzXmoBVXtU.exeSection loaded: cryptsp.dllJump to behavior
                      Source: C:\Users\user\Desktop\MzXmoBVXtU.exeSection loaded: rsaenh.dllJump to behavior
                      Source: C:\Users\user\Desktop\MzXmoBVXtU.exeSection loaded: cryptbase.dllJump to behavior
                      Source: C:\Users\user\Desktop\MzXmoBVXtU.exeSection loaded: mswsock.dllJump to behavior
                      Source: C:\Users\user\Desktop\MzXmoBVXtU.exeSection loaded: mscoree.dllJump to behavior
                      Source: C:\Users\user\Desktop\MzXmoBVXtU.exeSection loaded: kernel.appcore.dllJump to behavior
                      Source: C:\Users\user\Desktop\MzXmoBVXtU.exeSection loaded: version.dllJump to behavior
                      Source: C:\Users\user\Desktop\MzXmoBVXtU.exeSection loaded: vcruntime140_clr0400.dllJump to behavior
                      Source: C:\Users\user\Desktop\MzXmoBVXtU.exeSection loaded: ucrtbase_clr0400.dllJump to behavior
                      Source: C:\Users\user\Desktop\MzXmoBVXtU.exeSection loaded: ucrtbase_clr0400.dllJump to behavior
                      Source: C:\Users\user\AppData\Roaming\XenoManager\MzXmoBVXtU.exeSection loaded: mscoree.dllJump to behavior
                      Source: C:\Users\user\AppData\Roaming\XenoManager\MzXmoBVXtU.exeSection loaded: apphelp.dllJump to behavior
                      Source: C:\Users\user\AppData\Roaming\XenoManager\MzXmoBVXtU.exeSection loaded: kernel.appcore.dllJump to behavior
                      Source: C:\Users\user\AppData\Roaming\XenoManager\MzXmoBVXtU.exeSection loaded: version.dllJump to behavior
                      Source: C:\Users\user\AppData\Roaming\XenoManager\MzXmoBVXtU.exeSection loaded: vcruntime140_clr0400.dllJump to behavior
                      Source: C:\Users\user\AppData\Roaming\XenoManager\MzXmoBVXtU.exeSection loaded: ucrtbase_clr0400.dllJump to behavior
                      Source: C:\Users\user\AppData\Roaming\XenoManager\MzXmoBVXtU.exeSection loaded: ucrtbase_clr0400.dllJump to behavior
                      Source: C:\Users\user\AppData\Roaming\XenoManager\MzXmoBVXtU.exeSection loaded: uxtheme.dllJump to behavior
                      Source: C:\Users\user\AppData\Roaming\XenoManager\MzXmoBVXtU.exeSection loaded: wldp.dllJump to behavior
                      Source: C:\Users\user\AppData\Roaming\XenoManager\MzXmoBVXtU.exeSection loaded: amsi.dllJump to behavior
                      Source: C:\Users\user\AppData\Roaming\XenoManager\MzXmoBVXtU.exeSection loaded: userenv.dllJump to behavior
                      Source: C:\Users\user\AppData\Roaming\XenoManager\MzXmoBVXtU.exeSection loaded: profapi.dllJump to behavior
                      Source: C:\Users\user\AppData\Roaming\XenoManager\MzXmoBVXtU.exeSection loaded: msasn1.dllJump to behavior
                      Source: C:\Users\user\AppData\Roaming\XenoManager\MzXmoBVXtU.exeSection loaded: gpapi.dllJump to behavior
                      Source: C:\Users\user\AppData\Roaming\XenoManager\MzXmoBVXtU.exeSection loaded: cryptsp.dllJump to behavior
                      Source: C:\Users\user\AppData\Roaming\XenoManager\MzXmoBVXtU.exeSection loaded: rsaenh.dllJump to behavior
                      Source: C:\Users\user\AppData\Roaming\XenoManager\MzXmoBVXtU.exeSection loaded: cryptbase.dllJump to behavior
                      Source: C:\Users\user\AppData\Roaming\XenoManager\MzXmoBVXtU.exeSection loaded: mscoree.dllJump to behavior
                      Source: C:\Users\user\AppData\Roaming\XenoManager\MzXmoBVXtU.exeSection loaded: kernel.appcore.dllJump to behavior
                      Source: C:\Users\user\AppData\Roaming\XenoManager\MzXmoBVXtU.exeSection loaded: version.dllJump to behavior
                      Source: C:\Users\user\AppData\Roaming\XenoManager\MzXmoBVXtU.exeSection loaded: vcruntime140_clr0400.dllJump to behavior
                      Source: C:\Users\user\AppData\Roaming\XenoManager\MzXmoBVXtU.exeSection loaded: ucrtbase_clr0400.dllJump to behavior
                      Source: C:\Users\user\AppData\Roaming\XenoManager\MzXmoBVXtU.exeSection loaded: ucrtbase_clr0400.dllJump to behavior
                      Source: C:\Users\user\AppData\Roaming\XenoManager\MzXmoBVXtU.exeSection loaded: mscoree.dllJump to behavior
                      Source: C:\Users\user\AppData\Roaming\XenoManager\MzXmoBVXtU.exeSection loaded: kernel.appcore.dllJump to behavior
                      Source: C:\Users\user\AppData\Roaming\XenoManager\MzXmoBVXtU.exeSection loaded: version.dllJump to behavior
                      Source: C:\Users\user\AppData\Roaming\XenoManager\MzXmoBVXtU.exeSection loaded: vcruntime140_clr0400.dllJump to behavior
                      Source: C:\Users\user\AppData\Roaming\XenoManager\MzXmoBVXtU.exeSection loaded: ucrtbase_clr0400.dllJump to behavior
                      Source: C:\Users\user\AppData\Roaming\XenoManager\MzXmoBVXtU.exeSection loaded: ucrtbase_clr0400.dllJump to behavior
                      Source: C:\Users\user\AppData\Roaming\XenoManager\MzXmoBVXtU.exeSection loaded: mscoree.dllJump to behavior
                      Source: C:\Users\user\AppData\Roaming\XenoManager\MzXmoBVXtU.exeSection loaded: kernel.appcore.dllJump to behavior
                      Source: C:\Users\user\AppData\Roaming\XenoManager\MzXmoBVXtU.exeSection loaded: version.dllJump to behavior
                      Source: C:\Users\user\AppData\Roaming\XenoManager\MzXmoBVXtU.exeSection loaded: vcruntime140_clr0400.dllJump to behavior
                      Source: C:\Users\user\AppData\Roaming\XenoManager\MzXmoBVXtU.exeSection loaded: ucrtbase_clr0400.dllJump to behavior
                      Source: C:\Users\user\AppData\Roaming\XenoManager\MzXmoBVXtU.exeSection loaded: ucrtbase_clr0400.dllJump to behavior
                      Source: C:\Windows\SysWOW64\schtasks.exe Section loaded: kernel.appcore.dll
                      Source: C:\Windows\SysWOW64\schtasks.exe Section loaded: taskschd.dll
                      Source: C:\Windows\SysWOW64\schtasks.exe Section loaded: sspicli.dll
                      Source: C:\Users\user\Desktop\MzXmoBVXtU.exe Section loaded: mscoree.dll
                      Source: C:\Users\user\Desktop\MzXmoBVXtU.exe Section loaded: kernel.appcore.dll
                      Source: C:\Users\user\Desktop\MzXmoBVXtU.exe Section loaded: version.dll
                      Source: C:\Users\user\Desktop\MzXmoBVXtU.exe Section loaded: vcruntime140_clr0400.dll
                      Source: C:\Users\user\Desktop\MzXmoBVXtU.exe Section loaded: ucrtbase_clr0400.dll
                      Source: C:\Users\user\Desktop\MzXmoBVXtU.exe Section loaded: uxtheme.dll
                      Source: C:\Users\user\Desktop\MzXmoBVXtU.exe Section loaded: wldp.dll
                      Source: C:\Users\user\Desktop\MzXmoBVXtU.exe Section loaded: amsi.dll
                      Source: C:\Users\user\Desktop\MzXmoBVXtU.exe Section loaded: userenv.dll
                      Source: C:\Users\user\Desktop\MzXmoBVXtU.exe Section loaded: profapi.dll
                      Source: C:\Users\user\Desktop\MzXmoBVXtU.exe Section loaded: msasn1.dll
                      Source: C:\Users\user\Desktop\MzXmoBVXtU.exe Section loaded: gpapi.dll
                      Source: C:\Users\user\Desktop\MzXmoBVXtU.exe Section loaded: cryptsp.dll
                      Source: C:\Users\user\Desktop\MzXmoBVXtU.exe Section loaded: rsaenh.dll
                      Source: C:\Users\user\Desktop\MzXmoBVXtU.exe Section loaded: cryptbase.dll
                      Source: C:\Users\user\Desktop\MzXmoBVXtU.exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{0EE7644B-1BAD-48B1-9889-0281C206EB85}\InprocServer32
                      Source: C:\Users\user\Desktop\MzXmoBVXtU.exe File opened: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorrc.dll
                      Source: MzXmoBVXtU.exe Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR
                      Source: MzXmoBVXtU.exe Static PE information: HIGH_ENTROPY_VA, DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE

                      Data Obfuscation

                      Source: 0.2.MzXmoBVXtU.exe.2e3d62c.2.raw.unpack, DllHandler.cs .Net Code: DllNodeHandler System.Reflection.Assembly.Load(byte[])
                      Source: 0.2.MzXmoBVXtU.exe.2e3d62c.2.raw.unpack, DllHandler.cs .Net Code: DllNodeHandler
                      Source: 5.2.MzXmoBVXtU.exe.311d670.0.raw.unpack, DllHandler.cs .Net Code: DllNodeHandler System.Reflection.Assembly.Load(byte[])
                      Source: 5.2.MzXmoBVXtU.exe.311d670.0.raw.unpack, DllHandler.cs .Net Code: DllNodeHandler
                      Source: 14.2.MzXmoBVXtU.exe.2d1e72c.0.raw.unpack, DllHandler.cs .Net Code: DllNodeHandler System.Reflection.Assembly.Load(byte[])
                      Source: 14.2.MzXmoBVXtU.exe.2d1e72c.0.raw.unpack, DllHandler.cs .Net Code: DllNodeHandler
                      Source: C:\Users\user\Desktop\MzXmoBVXtU.exe Code function: 0_2_011DB39B push eax; retf 0_2_011DB39C
                      Source: C:\Users\user\Desktop\MzXmoBVXtU.exe Code function: 0_2_0E062ABB pushfd ; retf 0_2_0E062ABC
                      Source: C:\Users\user\Desktop\MzXmoBVXtU.exe Code function: 0_2_0E060C37 push esi; iretd 0_2_0E060C44
                      Source: C:\Users\user\Desktop\MzXmoBVXtU.exe Code function: 0_2_0E060C73 push eax; ret 0_2_0E060C74
                      Source: C:\Users\user\Desktop\MzXmoBVXtU.exe Code function: 0_2_0E063DF7 push ss; iretd 0_2_0E063DFB
                      Source: C:\Users\user\Desktop\MzXmoBVXtU.exe Code function: 3_2_00F92609 push cs; iretd 3_2_00F9260A
                      Source: C:\Users\user\Desktop\MzXmoBVXtU.exe Code function: 3_2_00F92600 push cs; iretd 3_2_00F92602
                      Source: C:\Users\user\AppData\Roaming\XenoManager\MzXmoBVXtU.exe Code function: 5_2_02EFB39B push eax; retf 5_2_02EFB39C
                      Source: C:\Users\user\Desktop\MzXmoBVXtU.exe Code function: 14_2_0101B39B push eax; retf 14_2_0101B39C
                      Source: C:\Users\user\Desktop\MzXmoBVXtU.exe Code function: 14_2_05433DF7 push ss; iretd 14_2_05433DFB
                      Source: C:\Users\user\Desktop\MzXmoBVXtU.exe Code function: 14_2_05430C73 push eax; ret 14_2_05430C74
                      Source: C:\Users\user\Desktop\MzXmoBVXtU.exe Code function: 14_2_05430C37 push esi; iretd 14_2_05430C44
                      Source: C:\Users\user\Desktop\MzXmoBVXtU.exe Code function: 14_2_05432ABB pushfd ; retf 14_2_05432ABC
                      Source: MzXmoBVXtU.exe Static PE information: section name: .text entropy: 7.649185436436879
                      Source: MzXmoBVXtU.exe.2.dr Static PE information: section name: .text entropy: 7.649185436436879
                      Source: C:\Users\user\Desktop\MzXmoBVXtU.exe File created: C:\Users\user\AppData\Roaming\XenoManager\MzXmoBVXtU.exe

                      Boot Survival

                      Source: C:\Users\user\Desktop\MzXmoBVXtU.exe Process created: C:\Windows\SysWOW64\schtasks.exe "schtasks.exe" /Create /TN "cms" /XML "C:\Users\user\AppData\Local\Temp\tmpA71E.tmp" /F
                      Source: C:\Users\user\Desktop\MzXmoBVXtU.exe Process information set: NOOPENFILEERRORBOX
                      Source: C:\Users\user\AppData\Roaming\XenoManager\MzXmoBVXtU.exe Process information set: NOOPENFILEERRORBOX
                      Source: C:\Users\user\AppData\Roaming\XenoManager\MzXmoBVXtU.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\AppData\Roaming\XenoManager\MzXmoBVXtU.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\AppData\Roaming\XenoManager\MzXmoBVXtU.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\AppData\Roaming\XenoManager\MzXmoBVXtU.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\AppData\Roaming\XenoManager\MzXmoBVXtU.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\AppData\Roaming\XenoManager\MzXmoBVXtU.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\AppData\Roaming\XenoManager\MzXmoBVXtU.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\AppData\Roaming\XenoManager\MzXmoBVXtU.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\AppData\Roaming\XenoManager\MzXmoBVXtU.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\AppData\Roaming\XenoManager\MzXmoBVXtU.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\AppData\Roaming\XenoManager\MzXmoBVXtU.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\AppData\Roaming\XenoManager\MzXmoBVXtU.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\AppData\Roaming\XenoManager\MzXmoBVXtU.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\AppData\Roaming\XenoManager\MzXmoBVXtU.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\AppData\Roaming\XenoManager\MzXmoBVXtU.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\AppData\Roaming\XenoManager\MzXmoBVXtU.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\AppData\Roaming\XenoManager\MzXmoBVXtU.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\AppData\Roaming\XenoManager\MzXmoBVXtU.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\AppData\Roaming\XenoManager\MzXmoBVXtU.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\AppData\Roaming\XenoManager\MzXmoBVXtU.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\AppData\Roaming\XenoManager\MzXmoBVXtU.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\AppData\Roaming\XenoManager\MzXmoBVXtU.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\AppData\Roaming\XenoManager\MzXmoBVXtU.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\AppData\Roaming\XenoManager\MzXmoBVXtU.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\AppData\Roaming\XenoManager\MzXmoBVXtU.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\AppData\Roaming\XenoManager\MzXmoBVXtU.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\AppData\Roaming\XenoManager\MzXmoBVXtU.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\AppData\Roaming\XenoManager\MzXmoBVXtU.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\AppData\Roaming\XenoManager\MzXmoBVXtU.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\AppData\Roaming\XenoManager\MzXmoBVXtU.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\AppData\Roaming\XenoManager\MzXmoBVXtU.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\AppData\Roaming\XenoManager\MzXmoBVXtU.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\AppData\Roaming\XenoManager\MzXmoBVXtU.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\AppData\Roaming\XenoManager\MzXmoBVXtU.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\AppData\Roaming\XenoManager\MzXmoBVXtU.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\AppData\Roaming\XenoManager\MzXmoBVXtU.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\AppData\Roaming\XenoManager\MzXmoBVXtU.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\AppData\Roaming\XenoManager\MzXmoBVXtU.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\AppData\Roaming\XenoManager\MzXmoBVXtU.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\AppData\Roaming\XenoManager\MzXmoBVXtU.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\AppData\Roaming\XenoManager\MzXmoBVXtU.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\AppData\Roaming\XenoManager\MzXmoBVXtU.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\AppData\Roaming\XenoManager\MzXmoBVXtU.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\AppData\Roaming\XenoManager\MzXmoBVXtU.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\AppData\Roaming\XenoManager\MzXmoBVXtU.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\AppData\Roaming\XenoManager\MzXmoBVXtU.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\AppData\Roaming\XenoManager\MzXmoBVXtU.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\AppData\Roaming\XenoManager\MzXmoBVXtU.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\AppData\Roaming\XenoManager\MzXmoBVXtU.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\AppData\Roaming\XenoManager\MzXmoBVXtU.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\AppData\Roaming\XenoManager\MzXmoBVXtU.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\AppData\Roaming\XenoManager\MzXmoBVXtU.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\AppData\Roaming\XenoManager\MzXmoBVXtU.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\AppData\Roaming\XenoManager\MzXmoBVXtU.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\AppData\Roaming\XenoManager\MzXmoBVXtU.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\AppData\Roaming\XenoManager\MzXmoBVXtU.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\AppData\Roaming\XenoManager\MzXmoBVXtU.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\AppData\Roaming\XenoManager\MzXmoBVXtU.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\AppData\Roaming\XenoManager\MzXmoBVXtU.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\AppData\Roaming\XenoManager\MzXmoBVXtU.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\AppData\Roaming\XenoManager\MzXmoBVXtU.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\AppData\Roaming\XenoManager\MzXmoBVXtU.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\AppData\Roaming\XenoManager\MzXmoBVXtU.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\AppData\Roaming\XenoManager\MzXmoBVXtU.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\AppData\Roaming\XenoManager\MzXmoBVXtU.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\AppData\Roaming\XenoManager\MzXmoBVXtU.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\Desktop\MzXmoBVXtU.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\Desktop\MzXmoBVXtU.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\Desktop\MzXmoBVXtU.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\Desktop\MzXmoBVXtU.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\Desktop\MzXmoBVXtU.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\Desktop\MzXmoBVXtU.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\Desktop\MzXmoBVXtU.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\Desktop\MzXmoBVXtU.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\Desktop\MzXmoBVXtU.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\Desktop\MzXmoBVXtU.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\Desktop\MzXmoBVXtU.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\Desktop\MzXmoBVXtU.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\Desktop\MzXmoBVXtU.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\Desktop\MzXmoBVXtU.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\Desktop\MzXmoBVXtU.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\Desktop\MzXmoBVXtU.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\Desktop\MzXmoBVXtU.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\Desktop\MzXmoBVXtU.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\Desktop\MzXmoBVXtU.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\Desktop\MzXmoBVXtU.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\Desktop\MzXmoBVXtU.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\Desktop\MzXmoBVXtU.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\Desktop\MzXmoBVXtU.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\Desktop\MzXmoBVXtU.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\Desktop\MzXmoBVXtU.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\Desktop\MzXmoBVXtU.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\Desktop\MzXmoBVXtU.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\Desktop\MzXmoBVXtU.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\Desktop\MzXmoBVXtU.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\Desktop\MzXmoBVXtU.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\Desktop\MzXmoBVXtU.exe Memory allocated: 11D0000 memory reserve | memory write watch
                      Source: C:\Users\user\AppData\Roaming\XenoManager\MzXmoBVXtU.exe Memory allocated: 2EB0000 memory reserve | memory write watch
                      Source: C:\Users\user\Desktop\MzXmoBVXtU.exe Thread delayed: delay time: 922337203685477
                      Source: C:\Users\user\AppData\Roaming\XenoManager\MzXmoBVXtU.exe Thread delayed: delay time: 922337203685477
                      Source: C:\Users\user\Desktop\MzXmoBVXtU.exe Window / User API: threadDelayed 2913
                      Source: C:\Users\user\Desktop\MzXmoBVXtU.exe Window / User API: threadDelayed 6914
                      Source: C:\Users\user\Desktop\MzXmoBVXtU.exe TID: 5588 Thread sleep time: -922337203685477s >= -30000s
                      Source: C:\Users\user\Desktop\MzXmoBVXtU.exe TID: 5312 Thread sleep time: -922337203685477s >= -30000s
                      Source: C:\Users\user\Desktop\MzXmoBVXtU.exe TID: 5364 Thread sleep count: 32 > 30
                      Source: C:\Users\user\Desktop\MzXmoBVXtU.exe TID: 5364 Thread sleep time: -29514790517935264s >= -30000s
                      Source: C:\Users\user\Desktop\MzXmoBVXtU.exe TID: 5364 Thread sleep time: -60000s >= -30000s
                      Source: C:\Users\user\Desktop\MzXmoBVXtU.exe TID: 5364 Thread sleep time: -59844s >= -30000s
                      Source: C:\Users\user\Desktop\MzXmoBVXtU.exe TID: 6332 Thread sleep count: 2913 > 30
                      Source: C:\Users\user\Desktop\MzXmoBVXtU.exe TID: 6332 Thread sleep count: 6914 > 30
                      Source: C:\Users\user\AppData\Roaming\XenoManager\MzXmoBVXtU.exe TID: 7184 Thread sleep time: -922337203685477s >= -30000s
                      Source: C:\Users\user\Desktop\MzXmoBVXtU.exeThread delayed: delay time: 922337203685477Jump to behavior
                      Source: C:\Users\user\Desktop\MzXmoBVXtU.exeThread delayed: delay time: 922337203685477Jump to behavior
                      Source: C:\Users\user\Desktop\MzXmoBVXtU.exeThread delayed: delay time: 922337203685477Jump to behavior
                      Source: C:\Users\user\Desktop\MzXmoBVXtU.exeThread delayed: delay time: 60000Jump to behavior
                      Source: C:\Users\user\Desktop\MzXmoBVXtU.exeThread delayed: delay time: 59844Jump to behavior
                      Source: C:\Users\user\Desktop\MzXmoBVXtU.exeThread delayed: delay time: 59735Jump to behavior
                      Source: C:\Users\user\Desktop\MzXmoBVXtU.exeThread delayed: delay time: 59610Jump to behavior
                      Source: C:\Users\user\Desktop\MzXmoBVXtU.exeThread delayed: delay time: 59485Jump to behavior
                      Source: C:\Users\user\Desktop\MzXmoBVXtU.exeThread delayed: delay time: 59360Jump to behavior
                      Source: C:\Users\user\Desktop\MzXmoBVXtU.exeThread delayed: delay time: 59228Jump to behavior
                      Source: C:\Users\user\Desktop\MzXmoBVXtU.exeThread delayed: delay time: 59096Jump to behavior
                      Source: C:\Users\user\Desktop\MzXmoBVXtU.exeThread delayed: delay time: 58964Jump to behavior
                      Source: C:\Users\user\Desktop\MzXmoBVXtU.exeThread delayed: delay time: 58773Jump to behavior
                      Source: C:\Users\user\Desktop\MzXmoBVXtU.exeThread delayed: delay time: 58646Jump to behavior
                      Source: C:\Users\user\Desktop\MzXmoBVXtU.exeThread delayed: delay time: 58519Jump to behavior
                      Source: C:\Users\user\Desktop\MzXmoBVXtU.exeThread delayed: delay time: 58406Jump to behavior
                      Source: C:\Users\user\Desktop\MzXmoBVXtU.exeThread delayed: delay time: 58297Jump to behavior
                      Source: C:\Users\user\Desktop\MzXmoBVXtU.exeThread delayed: delay time: 58188Jump to behavior
                      Source: C:\Users\user\Desktop\MzXmoBVXtU.exeThread delayed: delay time: 58074Jump to behavior
                      Source: C:\Users\user\Desktop\MzXmoBVXtU.exeThread delayed: delay time: 57966Jump to behavior
                      Source: C:\Users\user\Desktop\MzXmoBVXtU.exeThread delayed: delay time: 57860Jump to behavior
                      Source: C:\Users\user\Desktop\MzXmoBVXtU.exeThread delayed: delay time: 57735Jump to behavior
                      Source: C:\Users\user\Desktop\MzXmoBVXtU.exeThread delayed: delay time: 57610Jump to behavior
                      Source: C:\Users\user\Desktop\MzXmoBVXtU.exeThread delayed: delay time: 57485Jump to behavior
                      Source: C:\Users\user\Desktop\MzXmoBVXtU.exeThread delayed: delay time: 57360Jump to behavior
                      Source: C:\Users\user\Desktop\MzXmoBVXtU.exeThread delayed: delay time: 57235Jump to behavior
                      Source: C:\Users\user\Desktop\MzXmoBVXtU.exeThread delayed: delay time: 57110Jump to behavior
                      Source: C:\Users\user\Desktop\MzXmoBVXtU.exeThread delayed: delay time: 56985Jump to behavior
                      Source: C:\Users\user\Desktop\MzXmoBVXtU.exeThread delayed: delay time: 56860Jump to behavior
                      Source: C:\Users\user\Desktop\MzXmoBVXtU.exeThread delayed: delay time: 56735Jump to behavior
                      Source: C:\Users\user\Desktop\MzXmoBVXtU.exeThread delayed: delay time: 56610Jump to behavior
                      Source: C:\Users\user\Desktop\MzXmoBVXtU.exeThread delayed: delay time: 56438Jump to behavior
                      Source: C:\Users\user\Desktop\MzXmoBVXtU.exeThread delayed: delay time: 56328Jump to behavior
                      Source: C:\Users\user\Desktop\MzXmoBVXtU.exeThread delayed: delay time: 56219Jump to behavior
                      Source: C:\Users\user\Desktop\MzXmoBVXtU.exeThread delayed: delay time: 56110Jump to behavior
                      Source: C:\Users\user\Desktop\MzXmoBVXtU.exeThread delayed: delay time: 55985Jump to behavior
                      Source: C:\Users\user\Desktop\MzXmoBVXtU.exeThread delayed: delay time: 55860Jump to behavior
                      Source: C:\Users\user\Desktop\MzXmoBVXtU.exeThread delayed: delay time: 55735Jump to behavior
                      Source: C:\Users\user\Desktop\MzXmoBVXtU.exeThread delayed: delay time: 55610Jump to behavior
                      Source: C:\Users\user\Desktop\MzXmoBVXtU.exeThread delayed: delay time: 55485Jump to behavior
                      Source: C:\Users\user\Desktop\MzXmoBVXtU.exeThread delayed: delay time: 55360Jump to behavior
                      Source: C:\Users\user\Desktop\MzXmoBVXtU.exeThread delayed: delay time: 55235Jump to behavior
                      Source: C:\Users\user\Desktop\MzXmoBVXtU.exeThread delayed: delay time: 55110Jump to behavior
                      Source: C:\Users\user\Desktop\MzXmoBVXtU.exeThread delayed: delay time: 54985Jump to behavior
                      Source: C:\Users\user\Desktop\MzXmoBVXtU.exeThread delayed: delay time: 54860Jump to behavior
                      Source: C:\Users\user\Desktop\MzXmoBVXtU.exeThread delayed: delay time: 54735Jump to behavior
                      Source: C:\Users\user\Desktop\MzXmoBVXtU.exeThread delayed: delay time: 54610Jump to behavior
                      Source: C:\Users\user\Desktop\MzXmoBVXtU.exeThread delayed: delay time: 54485Jump to behavior
                      Source: C:\Users\user\Desktop\MzXmoBVXtU.exeThread delayed: delay time: 54360Jump to behavior
                      Source: C:\Users\user\Desktop\MzXmoBVXtU.exeThread delayed: delay time: 54233Jump to behavior
                      Source: C:\Users\user\Desktop\MzXmoBVXtU.exeThread delayed: delay time: 54119Jump to behavior
                      Source: C:\Users\user\Desktop\MzXmoBVXtU.exeThread delayed: delay time: 54009Jump to behavior
                      Source: C:\Users\user\Desktop\MzXmoBVXtU.exeThread delayed: delay time: 53906Jump to behavior
                      Source: C:\Users\user\Desktop\MzXmoBVXtU.exeThread delayed: delay time: 53797Jump to behavior
                      Source: C:\Users\user\Desktop\MzXmoBVXtU.exeThread delayed: delay time: 53688Jump to behavior
                      Source: C:\Users\user\Desktop\MzXmoBVXtU.exeThread delayed: delay time: 922337203685477Jump to behavior
                      Source: C:\Users\user\AppData\Roaming\XenoManager\MzXmoBVXtU.exeThread delayed: delay time: 922337203685477Jump to behavior
                      Source: MzXmoBVXtU.exe, 00000003.00000002.4473644478.0000000000D37000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll2
                      Source: C:\Users\user\Desktop\MzXmoBVXtU.exeProcess token adjusted: DebugJump to behavior
                      Source: C:\Users\user\AppData\Roaming\XenoManager\MzXmoBVXtU.exeProcess token adjusted: DebugJump to behavior
                      Source: C:\Users\user\Desktop\MzXmoBVXtU.exeMemory allocated: page read and write | page guardJump to behavior

                      HIPS / PFW / Operating System Protection Evasion

                      Source: C:\Users\user\Desktop\MzXmoBVXtU.exeMemory written: C:\Users\user\Desktop\MzXmoBVXtU.exe base: 400000 value starts with: 4D5AJump to behavior
                      Source: C:\Users\user\AppData\Roaming\XenoManager\MzXmoBVXtU.exeMemory written: C:\Users\user\AppData\Roaming\XenoManager\MzXmoBVXtU.exe base: 400000 value starts with: 4D5AJump to behavior
                      Source: C:\Users\user\Desktop\MzXmoBVXtU.exeProcess created: C:\Users\user\Desktop\MzXmoBVXtU.exe C:\Users\user\Desktop\MzXmoBVXtU.exeJump to behavior
                      Source: C:\Users\user\Desktop\MzXmoBVXtU.exeProcess created: C:\Users\user\AppData\Roaming\XenoManager\MzXmoBVXtU.exe "C:\Users\user\AppData\Roaming\XenoManager\MzXmoBVXtU.exe" Jump to behavior
                      Source: C:\Users\user\Desktop\MzXmoBVXtU.exeProcess created: C:\Windows\SysWOW64\schtasks.exe "schtasks.exe" /Create /TN "cms" /XML "C:\Users\user\AppData\Local\Temp\tmpA71E.tmp" /FJump to behavior
                      Source: C:\Users\user\AppData\Roaming\XenoManager\MzXmoBVXtU.exeProcess created: C:\Users\user\AppData\Roaming\XenoManager\MzXmoBVXtU.exe C:\Users\user\AppData\Roaming\XenoManager\MzXmoBVXtU.exeJump to behavior
                      Source: C:\Users\user\Desktop\MzXmoBVXtU.exeQueries volume information: C:\Users\user\Desktop\MzXmoBVXtU.exe VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\MzXmoBVXtU.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformationJump to behavior
                      Source: C:\Users\user\AppData\Roaming\XenoManager\MzXmoBVXtU.exeQueries volume information: C:\Users\user\AppData\Roaming\XenoManager\MzXmoBVXtU.exe VolumeInformationJump to behavior
                      Source: C:\Users\user\AppData\Roaming\XenoManager\MzXmoBVXtU.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\MzXmoBVXtU.exeKey value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuidJump to behavior

                      Stealing of Sensitive Information

                      Source: Yara matchFile source: 4.2.MzXmoBVXtU.exe.400000.0.unpack, type: UNPACKEDPE
                      Source: Yara matchFile source: 14.2.MzXmoBVXtU.exe.2d1e72c.0.unpack, type: UNPACKEDPE
                      Source: Yara matchFile source: 5.2.MzXmoBVXtU.exe.311d670.0.unpack, type: UNPACKEDPE
                      Source: Yara matchFile source: 0.2.MzXmoBVXtU.exe.2e3d62c.2.unpack, type: UNPACKEDPE
                      Source: Yara matchFile source: 5.2.MzXmoBVXtU.exe.311d670.0.raw.unpack, type: UNPACKEDPE
                      Source: Yara matchFile source: 14.2.MzXmoBVXtU.exe.2d19bf0.1.raw.unpack, type: UNPACKEDPE
                      Source: Yara matchFile source: 0.2.MzXmoBVXtU.exe.2e3d62c.2.raw.unpack, type: UNPACKEDPE
                      Source: Yara matchFile source: 14.2.MzXmoBVXtU.exe.2d1e72c.0.raw.unpack, type: UNPACKEDPE
                      Source: Yara matchFile source: 00000000.00000002.2037006384.0000000003052000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                      Source: Yara matchFile source: 00000004.00000002.2021044711.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
                      Source: Yara matchFile source: 00000005.00000002.2046449338.0000000003345000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                      Source: Yara matchFile source: 00000000.00000002.2037006384.0000000003061000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                      Source: Yara matchFile source: 00000005.00000002.2046449338.0000000003298000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                      Source: Yara matchFile source: 0000000E.00000002.2654780705.0000000002F20000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                      Source: Yara matchFile source: 00000000.00000002.2037006384.0000000002E31000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                      Source: Yara matchFile source: 00000005.00000002.2046449338.0000000003111000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                      Source: Yara matchFile source: 0000000E.00000002.2654780705.0000000002D11000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                      Source: Yara matchFile source: 0000000E.00000002.2654780705.0000000002F2F000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                      Source: Yara matchFile source: Process Memory Space: MzXmoBVXtU.exe PID: 6404, type: MEMORYSTR
                      Source: Yara matchFile source: Process Memory Space: MzXmoBVXtU.exe PID: 4408, type: MEMORYSTR
                      Source: Yara matchFile source: Process Memory Space: MzXmoBVXtU.exe PID: 5368, type: MEMORYSTR
                      Source: Yara matchFile source: Process Memory Space: MzXmoBVXtU.exe PID: 7916, type: MEMORYSTR

                      Remote Access Functionality

                      Source: Yara matchFile source: 4.2.MzXmoBVXtU.exe.400000.0.unpack, type: UNPACKEDPE
                      Source: Yara matchFile source: 14.2.MzXmoBVXtU.exe.2d1e72c.0.unpack, type: UNPACKEDPE
                      Source: Yara matchFile source: 5.2.MzXmoBVXtU.exe.311d670.0.unpack, type: UNPACKEDPE
                      Source: Yara matchFile source: 0.2.MzXmoBVXtU.exe.2e3d62c.2.unpack, type: UNPACKEDPE
                      Source: Yara matchFile source: 5.2.MzXmoBVXtU.exe.311d670.0.raw.unpack, type: UNPACKEDPE
                      Source: Yara matchFile source: 14.2.MzXmoBVXtU.exe.2d19bf0.1.raw.unpack, type: UNPACKEDPE
                      Source: Yara matchFile source: 0.2.MzXmoBVXtU.exe.2e3d62c.2.raw.unpack, type: UNPACKEDPE
                      Source: Yara matchFile source: 14.2.MzXmoBVXtU.exe.2d1e72c.0.raw.unpack, type: UNPACKEDPE
                      Source: Yara matchFile source: 00000000.00000002.2037006384.0000000003052000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                      Source: Yara matchFile source: 00000004.00000002.2021044711.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
                      Source: Yara matchFile source: 00000005.00000002.2046449338.0000000003345000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                      Source: Yara matchFile source: 00000000.00000002.2037006384.0000000003061000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                      Source: Yara matchFile source: 00000005.00000002.2046449338.0000000003298000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                      Source: Yara matchFile source: 0000000E.00000002.2654780705.0000000002F20000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                      Source: Yara matchFile source: 00000000.00000002.2037006384.0000000002E31000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                      Source: Yara matchFile source: 00000005.00000002.2046449338.0000000003111000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                      Source: Yara matchFile source: 0000000E.00000002.2654780705.0000000002D11000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                      Source: Yara matchFile source: 0000000E.00000002.2654780705.0000000002F2F000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                      Source: Yara matchFile source: Process Memory Space: MzXmoBVXtU.exe PID: 6404, type: MEMORYSTR
                      Source: Yara matchFile source: Process Memory Space: MzXmoBVXtU.exe PID: 4408, type: MEMORYSTR
                      Source: Yara matchFile source: Process Memory Space: MzXmoBVXtU.exe PID: 5368, type: MEMORYSTR
                      Source: Yara matchFile source: Process Memory Space: MzXmoBVXtU.exe PID: 7916, type: MEMORYSTR
                      Reconnaissance: Gather Victim Identity Information; Credentials; Email Addresses; Employee Names; Gather Victim Network Information; Domain Properties; DNS; Network Trust Dependencies
                      Resource Development: Acquire Infrastructure; Domains; DNS Server; Virtual Private Server; Server; Botnet; Web Services; Serverless
                      Initial Access: Valid Accounts; Default Accounts; Domain Accounts; Local Accounts; Cloud Accounts; Replication Through Removable Media; External Remote Services; Drive-by Compromise
                      Execution: Scheduled Task/Job (1); Scheduled Task/Job; At; Cron; Launchd; Scheduled Task; Systemd Timers; Container Orchestration Job
                      Persistence: Scheduled Task/Job (1); DLL Side-Loading (1); Logon Script (Windows); Login Hook; Network Logon Script; RC Scripts; Startup Items; Scheduled Task/Job
                      Privilege Escalation: Process Injection (111); Scheduled Task/Job (1); DLL Side-Loading (1); Login Hook; Network Logon Script; RC Scripts; Startup Items; Scheduled Task/Job
                      Defense Evasion: Masquerading (1); Disable or Modify Tools (1); Virtualization/Sandbox Evasion (31); Process Injection (111); Deobfuscate/Decode Files or Information (1); Obfuscated Files or Information (3); Software Packing (12); DLL Side-Loading (1)
                      Credential Access: OS Credential Dumping; LSASS Memory; Security Account Manager; NTDS; LSA Secrets; Cached Domain Credentials; DCSync; Proc Filesystem
                      Discovery: Security Software Discovery (11); Virtualization/Sandbox Evasion (31); Application Window Discovery (1); File and Directory Discovery (1); System Information Discovery (12); Wi-Fi Discovery; Remote System Discovery; System Owner/User Discovery
                      Lateral Movement: Remote Services; Remote Desktop Protocol; SMB/Windows Admin Shares; Distributed Component Object Model; SSH; VNC; Windows Remote Management; Cloud Services
                      Collection: Archive Collected Data (11); Data from Removable Media; Data from Network Shared Drive; Input Capture; Keylogging; GUI Input Capture; Web Portal Capture; Credential API Hooking
                      Command and Control: Encrypted Channel (1); Non-Standard Port (1); Application Layer Protocol (1); Protocol Impersonation; Fallback Channels; Multiband Communication; Commonly Used Port; Application Layer Protocol
                      Exfiltration: Exfiltration Over Other Network Medium; Exfiltration Over Bluetooth; Automated Exfiltration; Traffic Duplication; Scheduled Transfer; Data Transfer Size Limits; Exfiltration Over C2 Channel; Exfiltration Over Alternative Protocol
                      Impact: Abuse Accessibility Features; Network Denial of Service; Data Encrypted for Impact; Data Destruction; Data Encrypted for Impact; Service Stop; Inhibit System Recovery; Defacement
                      [Behavior graph: ID 1467008; Sample: MzXmoBVXtU.exe; Start date: 03/07/2024; Architecture: WINDOWS; Score: 100]

                      Source | Detection | Scanner | Label
                      MzXmoBVXtU.exe | 79% | ReversingLabs | Win32.Trojan.Leonem
                      MzXmoBVXtU.exe | 100% | Joe Sandbox ML |
                      Source | Detection | Scanner | Label
                      C:\Users\user\AppData\Roaming\XenoManager\MzXmoBVXtU.exe | 100% | Joe Sandbox ML |
                      C:\Users\user\AppData\Roaming\XenoManager\MzXmoBVXtU.exe | 71% | ReversingLabs | Win32.Trojan.Leonem
                      No Antivirus matches
                      No Antivirus matches
                      Source | Detection | Scanner | Label
                      91.92.248.167 | 0% | Avira URL Cloud | safe
                      No contacted domains info
                      Name | Malicious | Antivirus Detection | Reputation
                      91.92.248.167 | true | Avira URL Cloud: safe | unknown
                      IP | Domain | Country | ASN | ASN Name | Malicious
                      91.92.248.167 | unknown | Bulgaria | 34368 | THEZONEBG | true
                      Joe Sandbox version:40.0.0 Tourmaline
                      Analysis ID:1467008
                      Start date and time:2024-07-03 16:23:06 +02:00
                      Joe Sandbox product:CloudBasic
                      Overall analysis duration:0h 8m 23s
                      Hypervisor based Inspection enabled:false
                      Report type:full
                      Cookbook file name:default.jbs
                      Analysis system description:Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
                      Number of analysed new started processes analysed:18
                      Number of new started drivers analysed:0
                      Number of existing processes analysed:0
                      Number of existing drivers analysed:0
                      Number of injected processes analysed:0
                      Technologies:
                      • HCA enabled
                      • EGA enabled
                      • AMSI enabled
                      Analysis Mode:default
                      Analysis stop reason:Timeout
                      Sample name:MzXmoBVXtU.exe
                      renamed because original name is a hash value
                      Original Sample Name:4d70544594fdd2d04f114222dac0f9a5a21a05a2a3ffd68688cdab8ed93588eb.exe
                      Detection:MAL
                      Classification:mal100.troj.evad.winEXE@25/4@0/1
                      EGA Information:
                      • Successful, ratio: 25%
                      HCA Information:
                      • Successful, ratio: 94%
                      • Number of executed functions: 288
                      • Number of non-executed functions: 34
                      Cookbook Comments:
                      • Found application associated with file extension: .exe
                      • Override analysis time to 240000 for current running targets taking high CPU consumption
                      • Exclude process from analysis (whitelisted): dllhost.exe, WMIADAP.exe, SIHClient.exe, svchost.exe
                      • Excluded domains from analysis (whitelisted): ocsp.digicert.com, slscr.update.microsoft.com, ctldl.windowsupdate.com, fe3cr.delivery.mp.microsoft.com
                      • Execution Graph export aborted for target MzXmoBVXtU.exe, PID 4124 because it is empty
                      • Execution Graph export aborted for target MzXmoBVXtU.exe, PID 4408 because it is empty
                      • Execution Graph export aborted for target MzXmoBVXtU.exe, PID 7032 because it is empty
                      • Execution Graph export aborted for target MzXmoBVXtU.exe, PID 7252 because it is empty
                      • Execution Graph export aborted for target MzXmoBVXtU.exe, PID 7276 because it is empty
                      • Execution Graph export aborted for target MzXmoBVXtU.exe, PID 7304 because it is empty
                      • Execution Graph export aborted for target MzXmoBVXtU.exe, PID 7976 because it is empty
                      • Execution Graph export aborted for target MzXmoBVXtU.exe, PID 7984 because it is empty
                      • Execution Graph export aborted for target MzXmoBVXtU.exe, PID 8000 because it is empty
                      • Not all processes where analyzed, report is missing behavior information
                      • Report size exceeded maximum capacity and may have missing behavior information.
                      • Report size getting too big, too many NtOpenKeyEx calls found.
                      • Report size getting too big, too many NtQueryValueKey calls found.
                      • VT rate limit hit for: MzXmoBVXtU.exe
                      Time | Type | Description
                      10:23:54 | API Interceptor | 6870794x Sleep call for process: MzXmoBVXtU.exe modified
                      16:24:56 | Task Scheduler | Run new task: cms path: C:\Users\user\Desktop\MzXmoBVXtU.exe
                      Match | Associated Sample Name / URL | Detection | Threat Name
                      91.92.248.167 | AVKlyo045S.exe | malicious | XenoRAT
                      | xzMyweCMgr.exe | malicious | XenoRAT
                      | s3e5Mme8rD.exe | malicious | XenoRAT
                      | s36tmQLray.exe | malicious | XenoRAT
                      | 6exBrDSJkZ.exe | malicious | XenoRAT
                      | Transaccion_Recibos.xls | malicious | XenoRAT
                      | Transaccion_Recibos.xls | malicious | XenoRAT
                      | Y9qoiJLnl8.exe | malicious | XenoRAT
                      | Transaccion_Recibos.xls | malicious | XenoRAT
                                        No context
                                        Match | Associated Sample Name / URL | Detection | Threat Name | Context
                                        THEZONEBG | AVKlyo045S.exe | malicious | XenoRAT | 91.92.248.167
                                        | Inquiry HA-22-28199 22-Q22024.doc | malicious | FormBook | 91.92.254.29
                                        | Inquiry HA-22-28199 22-Q22024.doc | malicious | FormBook | 91.92.254.29
                                        | RW-TS-Payment204_A3084_04893_D4084_Y5902_CE3018_S4081_W30981.exe | malicious | PureLog Stealer, zgRAT | 91.92.255.36
                                        | 4YlwTsmpuZ.rtf | malicious | Unknown | 91.92.254.29
                                        | 02_07_2024_D#U00f6nemi_MEVDUAT Ekstre Bilgiler.exe | malicious | AsyncRAT | 91.92.240.178
                                        | JrBo2dgrUX.exe | malicious | Lokibot | 91.92.240.69
                                        | DHL_AWB 98776013276.xls | malicious | FormBook | 91.92.254.14
                                        | 457525.xls | malicious | Unknown | 91.92.254.14
                                        | Scan-Payment-Advice.xls | malicious | Lokibot | 91.92.240.69
                                        No context
                                        No context
                                        Process:C:\Users\user\Desktop\MzXmoBVXtU.exe
                                        File Type:ASCII text, with CRLF line terminators
                                        Category:dropped
                                        Size (bytes):522
                                        Entropy (8bit):5.358731107079437
                                        Encrypted:false
                                        SSDEEP:12:Q3La/hz92n4M9tDLI4MWuPTAOKbbDLI4MWuPJKAVKhav:MLU84qpE4KlKDE4KhKiKhk
                                        MD5:93E4C46884CB6EE7CDCC4AACE78CDFAC
                                        SHA1:29B12D9409BA9AFE4C949F02F7D232233C0B5228
                                        SHA-256:2690023A62F22AB7B27B09351205BA31173B50B77ACA89A5759EDF29A1FB17F7
                                        SHA-512:E9C3E2FCEE4E13F7776665295A4F6085002913E011BEEF32C8E7065140937DDE1963182B547CC75110BF32AE5130A6686D5862076D5FFED9241F183B9217FA4D
                                        Malicious:true
                                        Reputation:moderate, very likely benign file
                                        Preview:1,"fusion","GAC",0..1,"WinRT","NotApp",1..2,"Microsoft.VisualBasic, Version=10.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a",0..3,"System, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System\920e3d1d70447c3c10e69e6df0766568\System.ni.dll",0..3,"System.Core, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Core\8b2c1203fd20aea8260bfbc518004720\System.Core.ni.dll",0..
                                        Process:C:\Users\user\Desktop\MzXmoBVXtU.exe
                                        File Type:ASCII text
                                        Category:dropped
                                        Size (bytes):1027
                                        Entropy (8bit):3.8376197412289286
                                        Encrypted:false
                                        SSDEEP:12:FLJ+DW2SFFkFmMMLGId1L6AEJl7XpShhJKShe/Q0QK1++VNqdxv3n:FLJ+S3Mmd1L6ztMhEMOQ0Q+V4xvn
                                        MD5:C0E42ECBD607EBAC4B5E3E10BE5E0C7B
                                        SHA1:20526939ECC750EFF136C36AFCBE9C46F582180B
                                        SHA-256:931D515BD44F72E4DD9C12B36191F5C6811BFB6C2839895F3D27F17D0A25D645
                                        SHA-512:4C4691D5208BAE4C3A41A347CBDE4D3A49DDAB2CEDF6D15F1DD1C9BCE6BCB6968D77EDCCC4339B12A24412597D5A774782DE07E0AB445479453393BBF585CF2F
                                        Malicious:true
                                        Reputation:low
                                        Preview:. <Task xmlns='http://schemas.microsoft.com/windows/2004/02/mit/task'>. <Triggers>. <LogonTrigger>. <Enabled>true</Enabled>. </LogonTrigger>. </Triggers>. <Principals>. <Principal id='Author'>. <LogonType>InteractiveToken</LogonType>. <RunLevel>HighestAvailable</RunLevel>. </Principal>. </Principals>. <Settings>. <ExecutionTimeLimit>PT0S</ExecutionTimeLimit>. <DisallowStartIfOnBatteries>false</DisallowStartIfOnBatteries>. <MultipleInstancesPolicy>Parallel</MultipleInstancesPolicy>. </Settings>. <Actions>. <Exec>. <Command>C:\Users\user\Desktop\MzXmoBVXtU.exe</Command>. </Exec>. </Actio

                                        Process:C:\Users\user\Desktop\MzXmoBVXtU.exe
                                        File Type:PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
                                        Category:dropped
                                        Size (bytes):240640
                                        Entropy (8bit):7.614917933208624
                                        Encrypted:false
                                        SSDEEP:6144:OGKCONo00JeBH3onZ2q5YUUexxgKR63u9i24NnPdI:OBCy0J+XQZ1xgKR63u9i24NnPG
                                        MD5:EDC793F85AD6E90C754A9F0799CC08E3
                                        SHA1:C0A2E36283F9E20219B25DD4E15EC7DC73E7AA71
                                        SHA-256:4D70544594FDD2D04F114222DAC0F9A5A21A05A2A3FFD68688CDAB8ED93588EB
                                        SHA-512:653FFA9B5F36AFC61804354D74FAF0D15E0FF3DB4209A4D688DE9C49917966A095B56108DA1948E5011B262ABD910259977F428D80E407D48A6AF07579A6058A
                                        Malicious:true
                                        Antivirus:
                                        • Antivirus: Joe Sandbox ML, Detection: 100%
                                        • Antivirus: ReversingLabs, Detection: 71%
                                        Reputation:low

                                        Process:C:\Users\user\Desktop\MzXmoBVXtU.exe
                                        File Type:ASCII text, with CRLF line terminators
                                        Category:modified
                                        Size (bytes):26
                                        Entropy (8bit):3.95006375643621
                                        Encrypted:false
                                        SSDEEP:3:ggPYV:rPYV
                                        MD5:187F488E27DB4AF347237FE461A079AD
                                        SHA1:6693BA299EC1881249D59262276A0D2CB21F8E64
                                        SHA-256:255A65D30841AB4082BD9D0EEA79D49C5EE88F56136157D8D6156AEF11C12309
                                        SHA-512:89879F237C0C051EBE784D0690657A6827A312A82735DA42DAD5F744D734FC545BEC9642C19D14C05B2F01FF53BC731530C92F7327BB7DC9CDE1B60FB21CD64E
                                        Malicious:true
                                        Reputation:high, very likely benign file
                                        Preview:[ZoneTransfer]....ZoneId=0

                                        File type:PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
                                        Entropy (8bit):7.614917933208624
                                        TrID:
                                        • Win32 Executable (generic) Net Framework (10011505/4) 49.83%
                                        • Win32 Executable (generic) a (10002005/4) 49.78%
                                        • Generic CIL Executable (.NET, Mono, etc.) (73296/58) 0.36%
                                        • Generic Win/DOS Executable (2004/3) 0.01%
                                        • DOS Executable Generic (2002/1) 0.01%
                                        File name:MzXmoBVXtU.exe
                                        File size:240'640 bytes
                                        MD5:edc793f85ad6e90c754a9f0799cc08e3
                                        SHA1:c0a2e36283f9e20219b25dd4e15ec7dc73e7aa71
                                        SHA256:4d70544594fdd2d04f114222dac0f9a5a21a05a2a3ffd68688cdab8ed93588eb
                                        SHA512:653ffa9b5f36afc61804354d74faf0d15e0ff3db4209a4d688de9c49917966a095b56108da1948e5011b262abd910259977f428d80e407d48a6af07579a6058a
                                        SSDEEP:6144:OGKCONo00JeBH3onZ2q5YUUexxgKR63u9i24NnPdI:OBCy0J+XQZ1xgKR63u9i24NnPG
                                        TLSH:5D345A9C765476DFC85BC4768AA81C68FA6174BB431BC203E45726ADAE0D99BCF040F3
                                        Icon Hash:34cc34374f29390d
                                        Entrypoint:0x43b36e
                                        Entrypoint Section:.text
                                        Digitally signed:false
                                        Imagebase:0x400000
                                        Subsystem:windows gui
                                        Image File Characteristics:EXECUTABLE_IMAGE, 32BIT_MACHINE
                                        DLL Characteristics:HIGH_ENTROPY_VA, DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE
                                        Time Stamp:0x667C58FD [Wed Jun 26 18:07:57 2024 UTC]
                                        TLS Callbacks:
                                        CLR (.Net) Version:
                                        OS Version Major:4
                                        OS Version Minor:0
                                        File Version Major:4
                                        File Version Minor:0
                                        Subsystem Version Major:4
                                        Subsystem Version Minor:0
                                        Import Hash:f34d5f2d4577ed6d9ceec516c1f5a744
                                        Instruction
                                        jmp dword ptr [00402000h]
                                        add byte ptr [eax], al

                                        Name | Virtual Address | Virtual Size | Is in Section
                                        IMAGE_DIRECTORY_ENTRY_EXPORT | 0x0 | 0x0 |
                                        IMAGE_DIRECTORY_ENTRY_IMPORT | 0x3b31c | 0x4f | .text
                                        IMAGE_DIRECTORY_ENTRY_RESOURCE | 0x3c000 | 0x1223 | .rsrc
                                        IMAGE_DIRECTORY_ENTRY_EXCEPTION | 0x0 | 0x0 |
                                        IMAGE_DIRECTORY_ENTRY_SECURITY | 0x0 | 0x0 |
                                        IMAGE_DIRECTORY_ENTRY_BASERELOC | 0x3e000 | 0xc | .reloc
                                        IMAGE_DIRECTORY_ENTRY_DEBUG | 0x0 | 0x0 |
                                        IMAGE_DIRECTORY_ENTRY_COPYRIGHT | 0x0 | 0x0 |
                                        IMAGE_DIRECTORY_ENTRY_GLOBALPTR | 0x0 | 0x0 |
                                        IMAGE_DIRECTORY_ENTRY_TLS | 0x0 | 0x0 |
                                        IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG | 0x0 | 0x0 |
                                        IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT | 0x0 | 0x0 |
                                        IMAGE_DIRECTORY_ENTRY_IAT | 0x2000 | 0x8 | .text
                                        IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT | 0x0 | 0x0 |
                                        IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR | 0x2008 | 0x48 | .text
                                        IMAGE_DIRECTORY_ENTRY_RESERVED | 0x0 | 0x0 |

                                        Name | Virtual Address | Virtual Size | Raw Size | MD5 | Xored PE | ZLIB Complexity | File Type | Entropy | Characteristics
                                        .text | 0x2000 | 0x39374 | 0x39400 | 7acce54532608a0a9218257ea7cd0b81 | False | 0.8313532000545851 | data | 7.649185436436879 | IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
                                        .rsrc | 0x3c000 | 0x1223 | 0x1400 | a226d904740c252958aacc2ac4803c42 | False | 0.34140625 | data | 4.528411472952591 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
                                        .reloc | 0x3e000 | 0xc | 0x200 | 5eeedade8478cd4cf119ee4c0e7aea8d | False | 0.044921875 | data | 0.10191042566270775 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ

                                        Name | RVA | Size | Type | Language | Country | ZLIB Complexity
                                        RT_ICON | 0x3c130 | 0x468 | Device independent bitmap graphic, 16 x 32 x 32, image size 1024 | | | 0.3191489361702128
                                        RT_GROUP_ICON | 0x3c598 | 0x14 | data | | | 1.1
                                        RT_VERSION | 0x3c5ac | 0x3a4 | data | | | 0.40665236051502146
                                        RT_MANIFEST | 0x3c950 | 0x8d3 | XML 1.0 document, Unicode text, UTF-8 (with BOM) text, with CRLF line terminators | | | 0.3935369632580788

                                        DLL | Import
                                        mscoree.dll | _CorExeMain


                                        Target ID:0
                                        Start time:10:23:53
                                        Start date:03/07/2024
                                        Path:C:\Users\user\Desktop\MzXmoBVXtU.exe
                                        Wow64 process (32bit):true
                                        Commandline:"C:\Users\user\Desktop\MzXmoBVXtU.exe"
                                        Imagebase:0xa50000
                                        File size:240'640 bytes
                                        MD5 hash:EDC793F85AD6E90C754A9F0799CC08E3
                                        Has elevated privileges:true
                                        Has administrator privileges:true
                                        Programmed in:C, C++ or other language
                                        Yara matches:
                                        • Rule: JoeSecurity_XenoRAT, Description: Yara detected XenoRAT, Source: 00000000.00000002.2037006384.0000000003052000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                        • Rule: JoeSecurity_XenoRAT, Description: Yara detected XenoRAT, Source: 00000000.00000002.2037006384.0000000003061000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                        • Rule: JoeSecurity_XenoRAT, Description: Yara detected XenoRAT, Source: 00000000.00000002.2037006384.0000000002E31000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                        Reputation:low
                                        Has exited:true

                                        Target ID:2
                                        Start time:10:23:54
                                        Start date:03/07/2024
                                        Path:C:\Users\user\Desktop\MzXmoBVXtU.exe
                                        Wow64 process (32bit):true
                                        Commandline:C:\Users\user\Desktop\MzXmoBVXtU.exe
                                        Imagebase:0x4d0000
                                        File size:240'640 bytes
                                        MD5 hash:EDC793F85AD6E90C754A9F0799CC08E3
                                        Has elevated privileges:true
                                        Has administrator privileges:true
                                        Programmed in:C, C++ or other language
                                        Reputation:low
                                        Has exited:true

                                        Target ID:3
                                        Start time:10:23:54
                                        Start date:03/07/2024
                                        Path:C:\Users\user\Desktop\MzXmoBVXtU.exe
                                        Wow64 process (32bit):true
                                        Commandline:C:\Users\user\Desktop\MzXmoBVXtU.exe
                                        Imagebase:0x5d0000
                                        File size:240'640 bytes
                                        MD5 hash:EDC793F85AD6E90C754A9F0799CC08E3
                                        Has elevated privileges:true
                                        Has administrator privileges:true
                                        Programmed in:C, C++ or other language
                                        Reputation:low
                                        Has exited:false

                                        Target ID:4
                                        Start time:10:23:54
                                        Start date:03/07/2024
                                        Path:C:\Users\user\Desktop\MzXmoBVXtU.exe
                                        Wow64 process (32bit):true
                                        Commandline:C:\Users\user\Desktop\MzXmoBVXtU.exe
                                        Imagebase:0xc50000
                                        File size:240'640 bytes
                                        MD5 hash:EDC793F85AD6E90C754A9F0799CC08E3
                                        Has elevated privileges:true
                                        Has administrator privileges:true
                                        Programmed in:C, C++ or other language
                                        Yara matches:
                                        • Rule: JoeSecurity_XenoRAT, Description: Yara detected XenoRAT, Source: 00000004.00000002.2021044711.0000000000402000.00000040.00000400.00020000.00000000.sdmp, Author: Joe Security
                                        Reputation:low
                                        Has exited:true

                                        Target ID:5
                                        Start time:10:23:55
                                        Start date:03/07/2024
                                        Path:C:\Users\user\AppData\Roaming\XenoManager\MzXmoBVXtU.exe
                                        Wow64 process (32bit):true
                                        Commandline:"C:\Users\user\AppData\Roaming\XenoManager\MzXmoBVXtU.exe"
                                        Imagebase:0xc20000
                                        File size:240'640 bytes
                                        MD5 hash:EDC793F85AD6E90C754A9F0799CC08E3
                                        Has elevated privileges:true
                                        Has administrator privileges:true
                                        Programmed in:C, C++ or other language
                                        Yara matches:
                                        • Rule: JoeSecurity_XenoRAT, Description: Yara detected XenoRAT, Source: 00000005.00000002.2046449338.0000000003345000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                        • Rule: JoeSecurity_XenoRAT, Description: Yara detected XenoRAT, Source: 00000005.00000002.2046449338.0000000003298000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                        • Rule: JoeSecurity_XenoRAT, Description: Yara detected XenoRAT, Source: 00000005.00000002.2046449338.0000000003111000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                        Antivirus matches:
                                        • Detection: 100%, Joe Sandbox ML
                                        • Detection: 71%, ReversingLabs
                                        Reputation:low
                                        Has exited:true

                                        Target ID:6
                                        Start time:10:23:55
                                        Start date:03/07/2024
                                        Path:C:\Users\user\AppData\Roaming\XenoManager\MzXmoBVXtU.exe
                                        Wow64 process (32bit):true
                                        Commandline:C:\Users\user\AppData\Roaming\XenoManager\MzXmoBVXtU.exe
                                        Imagebase:0x630000
                                        File size:240'640 bytes
                                        MD5 hash:EDC793F85AD6E90C754A9F0799CC08E3
                                        Has elevated privileges:true
                                        Has administrator privileges:true
                                        Programmed in:C, C++ or other language
                                        Reputation:low
                                        Has exited:true

                                        Target ID:7
                                        Start time:10:23:56
                                        Start date:03/07/2024
                                        Path:C:\Users\user\AppData\Roaming\XenoManager\MzXmoBVXtU.exe
                                        Wow64 process (32bit):true
                                        Commandline:C:\Users\user\AppData\Roaming\XenoManager\MzXmoBVXtU.exe
                                        Imagebase:0x660000
                                        File size:240'640 bytes
                                        MD5 hash:EDC793F85AD6E90C754A9F0799CC08E3
                                        Has elevated privileges:true
                                        Has administrator privileges:true
                                        Programmed in:C, C++ or other language
                                        Reputation:low
                                        Has exited:true

                                        Target ID:8
                                        Start time:10:23:56
                                        Start date:03/07/2024
                                        Path:C:\Users\user\AppData\Roaming\XenoManager\MzXmoBVXtU.exe
                                        Wow64 process (32bit):true
                                        Commandline:C:\Users\user\AppData\Roaming\XenoManager\MzXmoBVXtU.exe
                                        Imagebase:0xa60000
                                        File size:240'640 bytes
                                        MD5 hash:EDC793F85AD6E90C754A9F0799CC08E3
                                        Has elevated privileges:true
                                        Has administrator privileges:true
                                        Programmed in:C, C++ or other language
                                        Reputation:low
                                        Has exited:true

                                        Target ID:12
                                        Start time:10:24:54
                                        Start date:03/07/2024
                                        Path:C:\Windows\SysWOW64\schtasks.exe
                                        Wow64 process (32bit):true
                                        Commandline:"schtasks.exe" /Create /TN "cms" /XML "C:\Users\user\AppData\Local\Temp\tmpA71E.tmp" /F
                                        Imagebase:0xc30000
                                        File size:187'904 bytes
                                        MD5 hash:48C2FE20575769DE916F48EF0676A965
                                        Has elevated privileges:true
                                        Has administrator privileges:true
                                        Programmed in:C, C++ or other language
                                        Reputation:high
                                        Has exited:true

                                        Target ID:13
                                        Start time:10:24:54
                                        Start date:03/07/2024
                                        Path:C:\Windows\System32\conhost.exe
                                        Wow64 process (32bit):false
                                        Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                        Imagebase:0x7ff6d64d0000
                                        File size:862'208 bytes
                                        MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                        Has elevated privileges:true
                                        Has administrator privileges:true
                                        Programmed in:C, C++ or other language
                                        Reputation:high
                                        Has exited:true

                                        Target ID:14
                                        Start time:10:24:56
                                        Start date:03/07/2024
                                        Path:C:\Users\user\Desktop\MzXmoBVXtU.exe
                                        Wow64 process (32bit):true
                                        Commandline:C:\Users\user\Desktop\MzXmoBVXtU.exe
                                        Imagebase:0xa00000
                                        File size:240'640 bytes
                                        MD5 hash:EDC793F85AD6E90C754A9F0799CC08E3
                                        Has elevated privileges:true
                                        Has administrator privileges:true
                                        Programmed in:C, C++ or other language
                                        Yara matches:
                                        • Rule: JoeSecurity_XenoRAT, Description: Yara detected XenoRAT, Source: 0000000E.00000002.2654780705.0000000002F20000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                        • Rule: JoeSecurity_XenoRAT, Description: Yara detected XenoRAT, Source: 0000000E.00000002.2654780705.0000000002D11000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                        • Rule: JoeSecurity_XenoRAT, Description: Yara detected XenoRAT, Source: 0000000E.00000002.2654780705.0000000002F2F000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                        Reputation:low
                                        Has exited:true

                                        Target ID:15
                                        Start time:10:24:57
                                        Start date:03/07/2024
                                        Path:C:\Users\user\Desktop\MzXmoBVXtU.exe
                                        Wow64 process (32bit):true
                                        Commandline:C:\Users\user\Desktop\MzXmoBVXtU.exe
                                        Imagebase:0xf30000
                                        File size:240'640 bytes
                                        MD5 hash:EDC793F85AD6E90C754A9F0799CC08E3
                                        Has elevated privileges:true
                                        Has administrator privileges:true
                                        Programmed in:C, C++ or other language
                                        Reputation:low
                                        Has exited:true

                                        Target ID:16
                                        Start time:10:24:57
                                        Start date:03/07/2024
                                        Path:C:\Users\user\Desktop\MzXmoBVXtU.exe
                                        Wow64 process (32bit):true
                                        Commandline:C:\Users\user\Desktop\MzXmoBVXtU.exe
                                        Imagebase:0xf50000
                                        File size:240'640 bytes
                                        MD5 hash:EDC793F85AD6E90C754A9F0799CC08E3
                                        Has elevated privileges:true
                                        Has administrator privileges:true
                                        Programmed in:C, C++ or other language
                                        Reputation:low
                                        Has exited:true

                                        Target ID:17
                                        Start time:10:24:57
                                        Start date:03/07/2024
                                        Path:C:\Users\user\Desktop\MzXmoBVXtU.exe
                                        Wow64 process (32bit):true
                                        Commandline:C:\Users\user\Desktop\MzXmoBVXtU.exe
                                        Imagebase:0xfa0000
                                        File size:240'640 bytes
                                        MD5 hash:EDC793F85AD6E90C754A9F0799CC08E3
                                        Has elevated privileges:true
                                        Has administrator privileges:true
                                        Programmed in:C, C++ or other language
                                        Reputation:low
                                        Has exited:true


                                          Execution Graph

                                          Execution Coverage:19.3%
                                          Dynamic/Decrypted Code Coverage:100%
                                          Signature Coverage:15.8%
                                          Total number of Nodes:209
                                          Total number of Limit Nodes:8

                                          Control-flow Graph

                                          Strings
                                          Memory Dump Source
                                          • Source File: 00000000.00000002.2040830306.000000000E060000.00000040.00000800.00020000.00000000.sdmp, Offset: 0E060000, based on PE: false
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_0_2_e060000_MzXmoBVXtU.jbxd
                                          Similarity
                                          • API ID:
                                          • String ID: Haq$Haq$Haq$Haq
                                          • API String ID: 0-3862180702
                                          • Opcode ID: a4270cbc02139efe4b2a1a824ac6f07676c3e54488d77b2366c642773ff91259
                                          • Instruction ID: 8f7f09689e7b62b05914bc37389fe9aeee121efd6b7fb85c2fd9eab91f371c15
                                          • Opcode Fuzzy Hash: a4270cbc02139efe4b2a1a824ac6f07676c3e54488d77b2366c642773ff91259
                                          • Instruction Fuzzy Hash: 5E427278600319DFCB05EF66E658B5A7BBBFF88300F108928D945573A9CB38AC46CB55

                                          Control-flow Graph

                                          Strings
                                          Memory Dump Source
                                          • Source File: 00000000.00000002.2035611943.00000000011D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 011D0000, based on PE: false
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_0_2_11d0000_MzXmoBVXtU.jbxd
                                          Similarity
                                          • API ID:
                                          • String ID: P}a{$m>,8$w:=Q$w:=Q
                                          • API String ID: 0-3508682127
                                          • Opcode ID: c7394800d7ba1ef55e629bc5d32bad805bc569e6a9cf5b13ce3ddb2ad5cd731f
                                          • Instruction ID: 1da93f71d846ab0d8ad1393d207f78dcc740922ab84f0459e4d456e413beea8e
                                          • Opcode Fuzzy Hash: c7394800d7ba1ef55e629bc5d32bad805bc569e6a9cf5b13ce3ddb2ad5cd731f
                                          • Instruction Fuzzy Hash: E9F1D3B5D0420ACFCB09CFA9C4808AEFBB1FF89310B55D569C416ABA15D735E942CF92

                                          Control-flow Graph

                                          Strings
                                          Memory Dump Source
                                          • Source File: 00000000.00000002.2035611943.00000000011D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 011D0000, based on PE: false
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_0_2_11d0000_MzXmoBVXtU.jbxd
                                          Similarity
                                          • API ID:
                                          • String ID: P}a{$m>,8$w:=Q$w:=Q
                                          • API String ID: 0-3508682127
                                          • Opcode ID: 383c401eb8f65ba9e5cec75756184ccd6622e66bc9f7fd372adf4c22e1507570
                                          • Instruction ID: 18162e9e7ea05841b23a155e2b27bbc4665db9d9c51c25c5980b87ce073bf75c
                                          • Opcode Fuzzy Hash: 383c401eb8f65ba9e5cec75756184ccd6622e66bc9f7fd372adf4c22e1507570
                                          • Instruction Fuzzy Hash: 03F1E2B5D0420ACFCB09CFA9C4808AEFBB1FF89310B55D569C442ABA15D735E942CF92

                                          Control-flow Graph

                                          Strings
                                          Memory Dump Source
                                          • Source File: 00000000.00000002.2035611943.00000000011D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 011D0000, based on PE: false
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_0_2_11d0000_MzXmoBVXtU.jbxd
                                          Similarity
                                          • API ID:
                                          • String ID: P}a{$m>,8$w:=Q$w:=Q
                                          • API String ID: 0-3508682127
                                          • Opcode ID: 508a38037ca02d964d32280fefbe62c0bd1c61a28dd1624b0c6be49397972340
                                          • Instruction ID: c60894ab72fa7fd198552c77b7918c405831899ab1d7f75f9ffdc04b23151d93
                                          • Opcode Fuzzy Hash: 508a38037ca02d964d32280fefbe62c0bd1c61a28dd1624b0c6be49397972340
                                          • Instruction Fuzzy Hash: D2D15C70E0520ADFCB08CF99C5808AEFBB2FF89301B55D569D416ABA14D734EA42CF95

                                          Control-flow Graph

                                          • Executed
                                          • Not Executed
                                          Strings
                                          Memory Dump Source
                                          • Source File: 00000000.00000002.2035611943.00000000011D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 011D0000, based on PE: false
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_0_2_11d0000_MzXmoBVXtU.jbxd
                                          Similarity
                                          • API ID:
                                          • String ID: t701$t701+j$vBjT
                                          • API String ID: 0-3425911971
                                          • Opcode ID: 19c8b77ba504e2f5a456a043fca312166f2517f37cb76ececb42af0701533026
                                          • Instruction ID: f740a0719908c3f953928709aba54e3bb95eb3c1c68bf3f1e1cb45c2866b49f9
                                          • Opcode Fuzzy Hash: 19c8b77ba504e2f5a456a043fca312166f2517f37cb76ececb42af0701533026
                                          • Instruction Fuzzy Hash: BEC14870D04219DFCB18CF99C5808AEFBB2FF89301F169559D416AB218D735AA82CF95

                                          Control-flow Graph

                                          • Executed
                                          • Not Executed
                                          Strings
                                          Memory Dump Source
                                          • Source File: 00000000.00000002.2040506927.000000000AD30000.00000040.00000800.00020000.00000000.sdmp, Offset: 0AD30000, based on PE: false
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_0_2_ad30000_MzXmoBVXtU.jbxd
                                          Similarity
                                          • API ID:
                                          • String ID: Xaq$Xaq
                                          • API String ID: 0-1488805882
                                          • Opcode ID: 7157c4e57da02169cc674be172d1f490939ee150d4690705a614d5f19a776b1b
                                          • Instruction ID: 0e4faa59bfd375d4ae948dcee752675caff57acbfb406d2386f5c4d3d4cd439e
                                          • Opcode Fuzzy Hash: 7157c4e57da02169cc674be172d1f490939ee150d4690705a614d5f19a776b1b
                                          • Instruction Fuzzy Hash: 1AD19F35A491A98BEF5B0B3985A82D3FFF39F433117A9A5E4C0D09B25BC62144C6DF21

                                          Control-flow Graph

                                          • Executed
                                          • Not Executed
                                          Strings
                                          Memory Dump Source
                                          • Source File: 00000000.00000002.2035611943.00000000011D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 011D0000, based on PE: false
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_0_2_11d0000_MzXmoBVXtU.jbxd
                                          Similarity
                                          • API ID:
                                          • String ID: Te]q$Te]q
                                          • API String ID: 0-3320153681
                                          • Opcode ID: 438c7f84a8b28e4f0fd49ea8896429aa3f19e8e6782808273ff2b61d32210397
                                          • Instruction ID: 51fe9471b5dc9ea16193d29dd63d88262e52ff63a2617a08dffc0a0d062ee32a
                                          • Opcode Fuzzy Hash: 438c7f84a8b28e4f0fd49ea8896429aa3f19e8e6782808273ff2b61d32210397
                                          • Instruction Fuzzy Hash: 25C104B4E05319CFCB08CFA9C980AAEBBB2FF89310F608529D815AB259D7359905CB55

                                          Control-flow Graph

                                          • Executed
                                          • Not Executed
                                          Strings
                                          Memory Dump Source
                                          • Source File: 00000000.00000002.2035611943.00000000011D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 011D0000, based on PE: false
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_0_2_11d0000_MzXmoBVXtU.jbxd
                                          Similarity
                                          • API ID:
                                          • String ID: Te]q$Te]q
                                          • API String ID: 0-3320153681
                                          • Opcode ID: 147400d8bf65e009bdac0593e954804baa89a01ca17941a88674e9995ddeada1
                                          • Instruction ID: a120ef1932f7af1361c5e954e28caef9032af8a909ec201cc54fb229e55e1dfb
                                          • Opcode Fuzzy Hash: 147400d8bf65e009bdac0593e954804baa89a01ca17941a88674e9995ddeada1
                                          • Instruction Fuzzy Hash: E8B1CEB4E05219DFDB08CFA9C980AAEBBB2FF89300F608529D919BB355D7319901CF55

                                          Control-flow Graph

                                          • Executed
                                          • Not Executed
                                          Strings
                                          Memory Dump Source
                                          • Source File: 00000000.00000002.2035611943.00000000011D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 011D0000, based on PE: false
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_0_2_11d0000_MzXmoBVXtU.jbxd
                                          Similarity
                                          • API ID:
                                          • String ID: BLO[${5\b
                                          • API String ID: 0-2738392615
                                          • Opcode ID: febaabc04042a9ec2a39831857364492473a95b394fd89b2f5c66454af592256
                                          • Instruction ID: c29c0eb800350088159922f10bb38903a638248f6389b99f9ff686432344581e
                                          • Opcode Fuzzy Hash: febaabc04042a9ec2a39831857364492473a95b394fd89b2f5c66454af592256
                                          • Instruction Fuzzy Hash: 65514670E056098FCB08CFA9D9406EEFBF2FF89300F14D16AD419A7255D7389A41CBA6

                                          Control-flow Graph

                                          • Executed
                                          • Not Executed
                                          APIs
                                          • CreateProcessW.KERNELBASE(?,00000000,?,?,?,?,?,?,?,?), ref: 0AD375E7
                                          Memory Dump Source
                                          • Source File: 00000000.00000002.2040506927.000000000AD30000.00000040.00000800.00020000.00000000.sdmp, Offset: 0AD30000, based on PE: false
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_0_2_ad30000_MzXmoBVXtU.jbxd
                                          Similarity
                                          • API ID: CreateProcess
                                          • String ID:
                                          • API String ID: 963392458-0
                                          • Opcode ID: 64fbf2204dafc434edeec3aa87b4031a1776e34d3c4b7fbef288cadea4fa3a40
                                          • Instruction ID: 6dc8a700c4093eaafd344e947bf0948183038266a79e819c9143b9d4a54800e9
                                          • Opcode Fuzzy Hash: 64fbf2204dafc434edeec3aa87b4031a1776e34d3c4b7fbef288cadea4fa3a40
                                          • Instruction Fuzzy Hash: 9B02E0B5E01229DFDB64CFA9C880B9DBBF1BF49304F1181AAE419B7250DB349A85CF54

                                          Control-flow Graph

                                          • Executed
                                          • Not Executed
                                          Memory Dump Source
                                          • Source File: 00000000.00000002.2040506927.000000000AD30000.00000040.00000800.00020000.00000000.sdmp, Offset: 0AD30000, based on PE: false
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_0_2_ad30000_MzXmoBVXtU.jbxd
                                          Similarity
                                          • API ID:
                                          • String ID:
                                          • API String ID:
                                          • Opcode ID: 5e66c4423257fcb6e221b1bedf98cd260c3f7900add46a34d23e1b8de70a5a93
                                          • Instruction ID: 246028fdc2f39d037d9db3290ae71dca726336070d006a130bac46e51adf1bd6
                                          • Opcode Fuzzy Hash: 5e66c4423257fcb6e221b1bedf98cd260c3f7900add46a34d23e1b8de70a5a93
                                          • Instruction Fuzzy Hash: DBF1E0B5D01219DFEB24CFA9C880B9DBBB1FF49304F1181AAE419B7250DB349985CF54
                                          Memory Dump Source
                                          • Source File: 00000000.00000002.2040506927.000000000AD30000.00000040.00000800.00020000.00000000.sdmp, Offset: 0AD30000, based on PE: false
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_0_2_ad30000_MzXmoBVXtU.jbxd
                                          Similarity
                                          • API ID:
                                          • String ID:
                                          • API String ID:
                                          • Opcode ID: bd240f9c2f673655db7b4e70f2c87662166a13907a1a1c4c0980cda401d2b9e4
                                          • Instruction ID: 484cccfe8d4c2cef9d3577b6fe7debc6f228da1b4aa386c69592337f378388fe
                                          • Opcode Fuzzy Hash: bd240f9c2f673655db7b4e70f2c87662166a13907a1a1c4c0980cda401d2b9e4
                                          • Instruction Fuzzy Hash: 11515FB5C0A3D89FCB02DFB8D9605CDBFB4EF56310F058097D094AB252D678990ACBA5
                                          APIs
                                          • NtResumeThread.NTDLL(?,?), ref: 0AD38459
                                          Memory Dump Source
                                          • Source File: 00000000.00000002.2040506927.000000000AD30000.00000040.00000800.00020000.00000000.sdmp, Offset: 0AD30000, based on PE: false
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_0_2_ad30000_MzXmoBVXtU.jbxd
                                          Similarity
                                          • API ID: ResumeThread
                                          • String ID:
                                          • API String ID: 947044025-0
                                          • Opcode ID: 657bf5281e32a17e3ac82e8d77d055d875007e466523cb2e6978838fb788a527
                                          • Instruction ID: 22d522dd7957e667384c97a7bd098e8c45579ae1676239fd8390075e057e1fc7
                                          • Opcode Fuzzy Hash: 657bf5281e32a17e3ac82e8d77d055d875007e466523cb2e6978838fb788a527
                                          • Instruction Fuzzy Hash: A9414BB5C0A3989FCB02CFA8D9A09DDBFB0FF46310F058096D454AB252D7789946CBA5
                                          APIs
                                          • NtWriteVirtualMemory.NTDLL(?,?,?,?,?), ref: 0AD386C0
                                          Memory Dump Source
                                          • Source File: 00000000.00000002.2040506927.000000000AD30000.00000040.00000800.00020000.00000000.sdmp, Offset: 0AD30000, based on PE: false
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_0_2_ad30000_MzXmoBVXtU.jbxd
                                          Similarity
                                          • API ID: MemoryVirtualWrite
                                          • String ID:
                                          • API String ID: 3527976591-0
                                          • Opcode ID: 22a33f167994b4c50cde0e57e4a4e67a51e758da2bf03b6b181dc409bee57c99
                                          • Instruction ID: 1ac4565b9e9b4654ee8d2aa625cb4c291b3029a09277642a15c29404732bfea5
                                          • Opcode Fuzzy Hash: 22a33f167994b4c50cde0e57e4a4e67a51e758da2bf03b6b181dc409bee57c99
                                          • Instruction Fuzzy Hash: 6441BCB5D012589FCB00CFA9D984AEEFBF1FB49310F14902AE819B7210D779A945CF64
                                          APIs
                                          • NtWriteVirtualMemory.NTDLL(?,?,?,?,?), ref: 0AD386C0
                                          Memory Dump Source
                                          • Source File: 00000000.00000002.2040506927.000000000AD30000.00000040.00000800.00020000.00000000.sdmp, Offset: 0AD30000, based on PE: false
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_0_2_ad30000_MzXmoBVXtU.jbxd
                                          Similarity
                                          • API ID: MemoryVirtualWrite
                                          • String ID:
                                          • API String ID: 3527976591-0
                                          • Opcode ID: 1200338e2a0badeb308461dccf7ab1a3a47748893ce4130f69c964d9ddfbb9ed
                                          • Instruction ID: c767431c6e8617687812a44507d5e6ea61cac510185924168e4b871a9b1f7dd4
                                          • Opcode Fuzzy Hash: 1200338e2a0badeb308461dccf7ab1a3a47748893ce4130f69c964d9ddfbb9ed
                                          • Instruction Fuzzy Hash: 5741ABB5D012589FCF00CFA9D984AEEFBF1BB49310F10902AE819B7210D779AA45CF64
                                          APIs
                                          • NtReadVirtualMemory.NTDLL(?,?,?,?,?), ref: 0AD37ECA
                                          Memory Dump Source
                                          • Source File: 00000000.00000002.2040506927.000000000AD30000.00000040.00000800.00020000.00000000.sdmp, Offset: 0AD30000, based on PE: false
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_0_2_ad30000_MzXmoBVXtU.jbxd
                                          Similarity
                                          • API ID: MemoryReadVirtual
                                          • String ID:
                                          • API String ID: 2834387570-0
                                          • Opcode ID: 47d31f3f1b477b60af7b9f77ee8e0dbb8ffcf03725e9ba78fa6a94a7a74d6190
                                          • Instruction ID: 939ed0f7d2d391043dcf5cf73d9dc3e3d5c403817b0b5dd099b7aeaf802d334e
                                          • Opcode Fuzzy Hash: 47d31f3f1b477b60af7b9f77ee8e0dbb8ffcf03725e9ba78fa6a94a7a74d6190
                                          • Instruction Fuzzy Hash: 7E41BAB9D002599FCF10CFA9D980AEEFBB1BF49310F14942AE815B7200D735A946CF64
                                          APIs
                                          • NtReadVirtualMemory.NTDLL(?,?,?,?,?), ref: 0AD37ECA
                                          Memory Dump Source
                                          • Source File: 00000000.00000002.2040506927.000000000AD30000.00000040.00000800.00020000.00000000.sdmp, Offset: 0AD30000, based on PE: false
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_0_2_ad30000_MzXmoBVXtU.jbxd
                                          Similarity
                                          • API ID: MemoryReadVirtual
                                          • String ID:
                                          • API String ID: 2834387570-0
                                          • Opcode ID: 89b3687e869a69686ebfd8fcb36c5aaa06c9b82192dc149da6b2cd4cb42b164e
                                          • Instruction ID: bfce6e073e4efb15246dcb2af464316dd87ef956d0f94af5de903782422bb764
                                          • Opcode Fuzzy Hash: 89b3687e869a69686ebfd8fcb36c5aaa06c9b82192dc149da6b2cd4cb42b164e
                                          • Instruction Fuzzy Hash: 2641AAB9D002589FCF10CFA9D980AEEFBB1BF09310F10942AE815B7210C735A945CF64
                                          APIs
                                          • NtSetContextThread.NTDLL(?,?), ref: 0AD38847
                                          Memory Dump Source
                                          • Source File: 00000000.00000002.2040506927.000000000AD30000.00000040.00000800.00020000.00000000.sdmp, Offset: 0AD30000, based on PE: false
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_0_2_ad30000_MzXmoBVXtU.jbxd
                                          Similarity
                                          • API ID: ContextThread
                                          • String ID:
                                          • API String ID: 1591575202-0
                                          • Opcode ID: fad62533282cdbcd49af332036a2b7b6fdf66a85f20579c7f55d603d824f0fe4
                                          • Instruction ID: f61257b9fd13e2ead9934c84a24095e4a23ad3b97a4d81c7482cf38c0b328530
                                          • Opcode Fuzzy Hash: fad62533282cdbcd49af332036a2b7b6fdf66a85f20579c7f55d603d824f0fe4
                                          • Instruction Fuzzy Hash: C041ACB5D002589FDB10DFAAD984AEEBBF1FF49310F14842AE419B7240D778A945CFA4
                                          APIs
                                          • NtSetContextThread.NTDLL(?,?), ref: 0AD38847
                                          Memory Dump Source
                                          • Source File: 00000000.00000002.2040506927.000000000AD30000.00000040.00000800.00020000.00000000.sdmp, Offset: 0AD30000, based on PE: false
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_0_2_ad30000_MzXmoBVXtU.jbxd
                                          Similarity
                                          • API ID: ContextThread
                                          • String ID:
                                          • API String ID: 1591575202-0
                                          • Opcode ID: a72181c5fb00d5e1c0c397e7ec527dee97867366265be67bb24110876407dd02
                                          • Instruction ID: 9bed30ae852ef310f21b161d529627dbe5049542008757bba4f3e0e3efda35a9
                                          • Opcode Fuzzy Hash: a72181c5fb00d5e1c0c397e7ec527dee97867366265be67bb24110876407dd02
                                          • Instruction Fuzzy Hash: 1C31BBB5D002589FCB10DFAAD984AEEFBF1BF49310F14802AE419B7240C778A945CF64
                                          APIs
                                          • NtResumeThread.NTDLL(?,?), ref: 0AD38459
                                          Memory Dump Source
                                          • Source File: 00000000.00000002.2040506927.000000000AD30000.00000040.00000800.00020000.00000000.sdmp, Offset: 0AD30000, based on PE: false
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_0_2_ad30000_MzXmoBVXtU.jbxd
                                          Similarity
                                          • API ID: ResumeThread
                                          • String ID:
                                          • API String ID: 947044025-0
                                          • Opcode ID: 7ea01fc1e5837cb4a80d13f0872af9ada230fba6ff3cdfa765df787fd460e9cb
                                          • Instruction ID: 4a2915ade9e5fe8892a393e788d0f1ea5dcc3049eb569892c4f30559eddcc598
                                          • Opcode Fuzzy Hash: 7ea01fc1e5837cb4a80d13f0872af9ada230fba6ff3cdfa765df787fd460e9cb
                                          • Instruction Fuzzy Hash: D23199B5D01218AFCB10DFA9D984A9EFBF5FB49310F10942AE819B7200D779A945CFA4

                                          APIs
                                          • VirtualAllocEx.KERNELBASE(?,?,?,?,?), ref: 0AD3857A
                                          Memory Dump Source
                                          • Source File: 00000000.00000002.2040506927.000000000AD30000.00000040.00000800.00020000.00000000.sdmp, Offset: 0AD30000, based on PE: false
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_0_2_ad30000_MzXmoBVXtU.jbxd
                                          Similarity
                                          • API ID: AllocVirtual
                                          • String ID:
                                          • API String ID: 4275171209-0
                                          • Opcode ID: f0481ba58d240e31287d43eab3ce73d29fee5f44f6267c2183464c48a7c47686
                                          • Instruction ID: 873a649fd8a5c3cbe49e8ae2bb87bf72cee4c8f3577b02cdf6a806394b830988
                                          • Opcode Fuzzy Hash: f0481ba58d240e31287d43eab3ce73d29fee5f44f6267c2183464c48a7c47686
                                          • Instruction Fuzzy Hash: 353196B9D01258DBCF10CFA9D980AEEFBB1FB59310F10942AE819B7210D735A942CF64
                                          APIs
                                          • VirtualAllocEx.KERNELBASE(?,?,?,?,?), ref: 0AD3857A
                                          Memory Dump Source
                                          • Source File: 00000000.00000002.2040506927.000000000AD30000.00000040.00000800.00020000.00000000.sdmp, Offset: 0AD30000, based on PE: false
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_0_2_ad30000_MzXmoBVXtU.jbxd
                                          Similarity
                                          • API ID: AllocVirtual
                                          • String ID:
                                          • API String ID: 4275171209-0
                                          • Opcode ID: 120fd08689c99ff6528ad1604b8d704869399fb4cd5fdc0562838516f9cbc729
                                          • Instruction ID: 4b45b7ebfa7fe5664fd59b9994059f4e78a80fa10f36fae26fe42c4a65edafef
                                          • Opcode Fuzzy Hash: 120fd08689c99ff6528ad1604b8d704869399fb4cd5fdc0562838516f9cbc729
                                          • Instruction Fuzzy Hash: AA3176B9D012589BCF10CFA9D980AAEFBB5BB59310F10942AE819B7210D735A946CF64
                                          Memory Dump Source
                                          • Source File: 00000000.00000002.2035611943.00000000011D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 011D0000, based on PE: false
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_0_2_11d0000_MzXmoBVXtU.jbxd
                                          Similarity
                                          • API ID:
                                          • String ID:
                                          • API String ID:
                                          • Opcode ID: 6171e3d6261f283e95888a846deaf09881dc1aa26ee1c107fe3105559ad8601b
                                          • Instruction ID: 2583987b47dd97dfafa3786121cacf13dba3f41b4f542caedf3cb09a0884dff2
                                          • Opcode Fuzzy Hash: 6171e3d6261f283e95888a846deaf09881dc1aa26ee1c107fe3105559ad8601b
                                          • Instruction Fuzzy Hash: CB41C4B4E0421A9FCB48CFAAD4809AEBBF2BF89340B50956AD815E7354D3799A41CF50
                                          Memory Dump Source
                                          • Source File: 00000000.00000002.2035611943.00000000011D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 011D0000, based on PE: false
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_0_2_11d0000_MzXmoBVXtU.jbxd
                                          Similarity
                                          • API ID:
                                          • String ID:
                                          • API String ID:
                                          • Opcode ID: fd3565a7001fdb8c520ce288cc98edb4c4de05f8361925cd9fab6228bfcea042
                                          • Instruction ID: 87c37f17ee4186f8ed0ef6909bd1cef41cca45e42ca955df3a7138a07d6b9ad0
                                          • Opcode Fuzzy Hash: fd3565a7001fdb8c520ce288cc98edb4c4de05f8361925cd9fab6228bfcea042
                                          • Instruction Fuzzy Hash: 8E31C5B4E0421A9FCB48CFAAD5805AEFBF2BF89340F50D56AD815A7314D3799A41CF50
                                          Memory Dump Source
                                          • Source File: 00000000.00000002.2035611943.00000000011D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 011D0000, based on PE: false
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_0_2_11d0000_MzXmoBVXtU.jbxd
                                          Similarity
                                          • API ID:
                                          • String ID:
                                          • API String ID:
                                          • Opcode ID: 55cc6ac33e91779b251127436541bb0210db7015e7ec938ba311ae3c0b89556d
                                          • Instruction ID: aa66eb2ce8377b7ca1cb30f48fbac78082e112e11bd94f1467e7ae4b2c6d7a85
                                          • Opcode Fuzzy Hash: 55cc6ac33e91779b251127436541bb0210db7015e7ec938ba311ae3c0b89556d
                                          • Instruction Fuzzy Hash: D7314AB0E1520ACFCB48CFA9C4845AEFBB2FF89300F15C5AAC415A7625E3749A41CF91
                                          Memory Dump Source
                                          • Source File: 00000000.00000002.2035611943.00000000011D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 011D0000, based on PE: false
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_0_2_11d0000_MzXmoBVXtU.jbxd
                                          Similarity
                                          • API ID:
                                          • String ID:
                                          • API String ID:
                                          • Opcode ID: 05de77e714a1e56091d463f39e566a5b03796649c123534bd94a8769382ba737
                                          • Instruction ID: 1806ed78190595ce90633aa7bdbb07dab473098bffce22f3a129dd7bf4e989c3
                                          • Opcode Fuzzy Hash: 05de77e714a1e56091d463f39e566a5b03796649c123534bd94a8769382ba737
                                          • Instruction Fuzzy Hash: 8931F470E04209DFCB48CFA9C5809AEBBF2BF89300B6589AAD414E7225D3349A458F52
                                          Memory Dump Source
                                          • Source File: 00000000.00000002.2035611943.00000000011D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 011D0000, based on PE: false
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_0_2_11d0000_MzXmoBVXtU.jbxd
                                          Similarity
                                          • API ID:
                                          • String ID:
                                          • API String ID:
                                          • Opcode ID: 70b4655ee2373e73974e833b695d21eeb160df31e736f1b1fa0a1d8420203b41
                                          • Instruction ID: 41add91b0480e258be6ce381d6d34f3ca298e6b829b5df207cd60468ca9a28e8
                                          • Opcode Fuzzy Hash: 70b4655ee2373e73974e833b695d21eeb160df31e736f1b1fa0a1d8420203b41
                                          • Instruction Fuzzy Hash: 3F317C74E012289FCB28DF25C984B99BBB2BF49304F1081E9D94EA7355DB305E86CF45
                                          Memory Dump Source
                                          • Source File: 00000000.00000002.2035611943.00000000011D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 011D0000, based on PE: false
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_0_2_11d0000_MzXmoBVXtU.jbxd
                                          Similarity
                                          • API ID:
                                          • String ID:
                                          • API String ID:
                                          • Opcode ID: 66aceaa678f150279da01acdc5d06e80a2fc5ecc45f00a4682fc7fa7256659ad
                                          • Instruction ID: 61d4ce4ac3c1d92a55e8385c39bc0cb7208ad6caf60ff9fbf0259cfa5ccad4f3
                                          • Opcode Fuzzy Hash: 66aceaa678f150279da01acdc5d06e80a2fc5ecc45f00a4682fc7fa7256659ad
                                          • Instruction Fuzzy Hash: DB316574E012288FCB64DF29C984B99BBB2BB49300F1081E9D94EA7315EB349E81CF45
                                          Memory Dump Source
                                          • Source File: 00000000.00000002.2035611943.00000000011D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 011D0000, based on PE: false
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_0_2_11d0000_MzXmoBVXtU.jbxd
                                          Similarity
                                          • API ID:
                                          • String ID:
                                          • API String ID:
                                          • Opcode ID: 6c562fe6a0586b8ff311a849704dd3f65e221f2b6983a2c3d8a29027c028bd29
                                          • Instruction ID: efa4980be97c2a3d1d0eb3b7a985de7e37be9c5d66de256fe00fe978bacba495
                                          • Opcode Fuzzy Hash: 6c562fe6a0586b8ff311a849704dd3f65e221f2b6983a2c3d8a29027c028bd29
                                          • Instruction Fuzzy Hash: 97015E74905258DFCF18CFA8D98078EFBB2FF94320F1891A5D4999B216D3309945CF22
                                          Memory Dump Source
                                          • Source File: 00000000.00000002.2035611943.00000000011D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 011D0000, based on PE: false
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_0_2_11d0000_MzXmoBVXtU.jbxd
                                          Similarity
                                          • API ID:
                                          • String ID:
                                          • API String ID:
                                          • Opcode ID: 1e1b28067caf551f4c1e75820d080f726bc679b570fbfe3d65e85401ae500441
                                          • Instruction ID: 72b2468c2a82db074e451b83de9a766f17c40ea5056fd5dda708f2dc5f507f47
                                          • Opcode Fuzzy Hash: 1e1b28067caf551f4c1e75820d080f726bc679b570fbfe3d65e85401ae500441
                                          • Instruction Fuzzy Hash: A201E234E04208AFCB09DFA9D594A9DBFF1EF48310F05C1A9D8889B265D7359941CF41
                                          Memory Dump Source
                                          • Source File: 00000000.00000002.2035611943.00000000011D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 011D0000, based on PE: false
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_0_2_11d0000_MzXmoBVXtU.jbxd
                                          Similarity
                                          • API ID:
                                          • String ID:
                                          • API String ID:
                                          • Opcode ID: 66fb0ec0c4a8e4de2035a9b16f54dfc0e2013db673fade9878d295bd911c808c
                                          • Instruction ID: 2d6d3ac8fb1c1cede6887f1f2b98abb7e283a0937f22e3feae3fb66c503d24ce
                                          • Opcode Fuzzy Hash: 66fb0ec0c4a8e4de2035a9b16f54dfc0e2013db673fade9878d295bd911c808c
                                          • Instruction Fuzzy Hash: 98113970E002699FDB54DF68D980B68BBB5FF89200F0085DAD449BB215CB309E85CF21
                                          Memory Dump Source
                                          • Source File: 00000000.00000002.2035611943.00000000011D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 011D0000, based on PE: false
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_0_2_11d0000_MzXmoBVXtU.jbxd
                                          Similarity
                                          • API ID:
                                          • String ID:
                                          • API String ID:
                                          • Opcode ID: b8c6cda8820690272ea1926167909fb8c56f57ae2b963e196cc6d1bd3790be0d
                                          • Instruction ID: 1fd216f4b3f100c306de401d2bcb5e12e683b4bfdd8deea73311b2c64cb44f1e
                                          • Opcode Fuzzy Hash: b8c6cda8820690272ea1926167909fb8c56f57ae2b963e196cc6d1bd3790be0d
                                          • Instruction Fuzzy Hash: 1A01D275E02219AFDB18CFA4DD44BAEBBF6FB98300F0044A9E509A7254D7309A40CF12
                                          Memory Dump Source
                                          • Source File: 00000000.00000002.2035611943.00000000011D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 011D0000, based on PE: false
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_0_2_11d0000_MzXmoBVXtU.jbxd
                                          Similarity
                                          • API ID:
                                          • String ID:
                                          • API String ID:
                                          • Opcode ID: 2f098d536a9af4c1fa6e2577b226088c731ce94bbe221b8948efcdeeeb5e2756
                                          • Instruction ID: 9c2bd64a56ca9ab75254b14b35762dcf4d3a3dfbf1779ac59e8d5b61ddc0effc
                                          • Opcode Fuzzy Hash: 2f098d536a9af4c1fa6e2577b226088c731ce94bbe221b8948efcdeeeb5e2756
                                          • Instruction Fuzzy Hash: D901A230A022598FDB5CCB34C8917E97776BF84305F6484E885096B241CA318E82CF96
                                          Memory Dump Source
                                          • Source File: 00000000.00000002.2035611943.00000000011D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 011D0000, based on PE: false
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_0_2_11d0000_MzXmoBVXtU.jbxd
                                          Similarity
                                          • API ID:
                                          • String ID:
                                          • API String ID:
                                          • Opcode ID: 417f0142337f82605c0c240b388e5df69258c9138c9209b27235d46376e9c0a6
                                          • Instruction ID: 562f22440f82921623b85fa1995c9101b60736e48f386be26bee9964cf1a0bd3
                                          • Opcode Fuzzy Hash: 417f0142337f82605c0c240b388e5df69258c9138c9209b27235d46376e9c0a6
                                          • Instruction Fuzzy Hash: 7F019D78E00208AFDB04EFA9D588A99BBF1AB48310F05C0A9E449AB365D7359951CF80
                                          Memory Dump Source
                                          • Source File: 00000000.00000002.2035611943.00000000011D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 011D0000, based on PE: false
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_0_2_11d0000_MzXmoBVXtU.jbxd
                                          Similarity
                                          • API ID:
                                          • String ID:
                                          • API String ID:
                                          • Opcode ID: 754522ce2daa912c324915a199dea1f2dbe04ca8f6b15a7933c8c96bf5050a13
                                          • Instruction ID: 32bbbc6dae47b0c50173eaad129233e9963be517a59885cb59cb52f5ed1e91ed
                                          • Opcode Fuzzy Hash: 754522ce2daa912c324915a199dea1f2dbe04ca8f6b15a7933c8c96bf5050a13
                                          • Instruction Fuzzy Hash: 6401AF78E00208AFCB08DFA9D588A9DBFF1AF48300F05C1A5A948AB365DB35E951CF40
                                          Memory Dump Source
                                          • Source File: 00000000.00000002.2035611943.00000000011D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 011D0000, based on PE: false
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_0_2_11d0000_MzXmoBVXtU.jbxd
                                          Similarity
                                          • API ID:
                                          • String ID:
                                          • API String ID:
                                          • Opcode ID: 834f29628eebf11962be67ce1c47982c5bfc28c09e76ebd3aaf3c544a306a50e
                                          • Instruction ID: 45e2e68b8ab313c1351a6be49bd26af3230f57de5238dbeea6aa413e6462c6b3
                                          • Opcode Fuzzy Hash: 834f29628eebf11962be67ce1c47982c5bfc28c09e76ebd3aaf3c544a306a50e
                                          • Instruction Fuzzy Hash: 0901D674E012199FDB14CFA4CD54BAEBBF6FF98300F008498E509A7244D7355A40CF12
                                          Memory Dump Source
                                          • Source File: 00000000.00000002.2040830306.000000000E060000.00000040.00000800.00020000.00000000.sdmp, Offset: 0E060000, based on PE: false
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_0_2_e060000_MzXmoBVXtU.jbxd
                                          Similarity
                                          • API ID:
                                          • String ID:
                                          • API String ID:
                                          • Opcode ID: c4e43931f85033d605bd9b6b81616fed17e7439f1c9b3c80ab243af633276ff4
                                          • Instruction ID: 611960f6f9a07883270c368659a8c0825a923d4c7f6de872793c4f3c8640d582
                                          • Opcode Fuzzy Hash: c4e43931f85033d605bd9b6b81616fed17e7439f1c9b3c80ab243af633276ff4
                                          • Instruction Fuzzy Hash: D8F0C9B4D00218DFCB44DFA8D945AADBBF0FB08310F1085AAE854A7311D7719A50DF91
                                          Memory Dump Source
                                          • Source File: 00000000.00000002.2040830306.000000000E060000.00000040.00000800.00020000.00000000.sdmp, Offset: 0E060000, based on PE: false
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_0_2_e060000_MzXmoBVXtU.jbxd
                                          Similarity
                                          • API ID:
                                          • String ID:
                                          • API String ID:
                                          • Opcode ID: 8f91ce959bcccb6d2f86147d5151d78929306502bcf8370a29f097e87a610370
                                          • Instruction ID: a8db2d933c6bd423f6b0c16879c220d8e058079cdb66bf208d2f14a238f189cc
                                          • Opcode Fuzzy Hash: 8f91ce959bcccb6d2f86147d5151d78929306502bcf8370a29f097e87a610370
                                          • Instruction Fuzzy Hash: FCE0ECB0E002099FCB84EFA9D54676EBFF4AB48200F10816AD408D6344E7705A508BC1
                                          Memory Dump Source
                                          • Source File: 00000000.00000002.2035611943.00000000011D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 011D0000, based on PE: false
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_0_2_11d0000_MzXmoBVXtU.jbxd
                                          Similarity
                                          • API ID:
                                          • String ID:
                                          • API String ID:
                                          • Opcode ID: c70241d334ff193491e02651fb536a3e7f94f9ff89231761f237a90b43e53ba2
                                          • Instruction ID: 10690a50af545a0ef73d823b71339628ec4f7398fde124bf4b231e0b99896f85
                                          • Opcode Fuzzy Hash: c70241d334ff193491e02651fb536a3e7f94f9ff89231761f237a90b43e53ba2
                                          • Instruction Fuzzy Hash: A0D0127496121DEFCB19CF15E985AD8B7B6FF45300F209664D005D7118E7345E01CF50
                                          Memory Dump Source
                                          • Source File: 00000000.00000002.2035611943.00000000011D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 011D0000, based on PE: false
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_0_2_11d0000_MzXmoBVXtU.jbxd
                                          Similarity
                                          • API ID:
                                          • String ID:
                                          • API String ID:
                                          • Opcode ID: 5778308e1151c08b290c728a27c1b23944795804ec6d03d2f7fb196ecb8908d3
                                          • Instruction ID: 403ca015fe37dcca30bc7989bcbfef51564cd7f83302358eaa862995d7024a8a
                                          • Opcode Fuzzy Hash: 5778308e1151c08b290c728a27c1b23944795804ec6d03d2f7fb196ecb8908d3
                                          • Instruction Fuzzy Hash: 54D0C974A01355DFD76DDBA0C684848BBB2EF49311B10885894069B668C739DA8ACF00
                                          Memory Dump Source
                                          • Source File: 00000000.00000002.2035611943.00000000011D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 011D0000, based on PE: false
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_0_2_11d0000_MzXmoBVXtU.jbxd
                                          Similarity
                                          • API ID:
                                          • String ID:
                                          • API String ID:
                                          • Opcode ID: 909210e8331372a677afd84b19792b8dbbedd25ee900c00baaf1415504b6cac4
                                          • Instruction ID: 8eb2f8baa8bec41ed19b144a2fee3aa82f012aca8f4e5d75381c1e12afdce259
                                          • Opcode Fuzzy Hash: 909210e8331372a677afd84b19792b8dbbedd25ee900c00baaf1415504b6cac4
                                          • Instruction Fuzzy Hash: B8D0C972906B58CFC718CBA0C98558CBBB2FB49312B615459E10A9B228D735E941CB01
                                          Strings
                                          Memory Dump Source
                                          • Source File: 00000000.00000002.2040830306.000000000E060000.00000040.00000800.00020000.00000000.sdmp, Offset: 0E060000, based on PE: false
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_0_2_e060000_MzXmoBVXtU.jbxd
                                          Similarity
                                          • API ID:
                                          • String ID: 8f/$OH7]$Te]q$Te]q
                                          • API String ID: 0-1823564119
                                          • Opcode ID: 6a77f49e055a165e5ecd95418589f42c8208ea2ce2bfa692d98c5c5b89188f85
                                          • Instruction ID: 8b58af39342574f2ccf7cb25679098b0cb4fe6f99f789a8f65fabf0951cb7cef
                                          • Opcode Fuzzy Hash: 6a77f49e055a165e5ecd95418589f42c8208ea2ce2bfa692d98c5c5b89188f85
                                          • Instruction Fuzzy Hash: 95A1A0B4E05219CFDB08CFE9C984AAEBBF2FB8A300F648529D515BB354D7359901CB54
                                          Strings
                                          Memory Dump Source
                                          • Source File: 00000000.00000002.2035611943.00000000011D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 011D0000, based on PE: false
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_0_2_11d0000_MzXmoBVXtU.jbxd
                                          Similarity
                                          • API ID:
                                          • String ID: X1H$X1H$X1H
                                          • API String ID: 0-1333690796
                                          • Opcode ID: f2993cf4163a08984b8b745d641ad6a6e9fb9f6d21338fbdb8ba1f32c0f9617c
                                          • Instruction ID: d92ab0adbc429d213f3340dd43c535c345eab97796bbb91d1c7f4151ce3e58b5
                                          • Opcode Fuzzy Hash: f2993cf4163a08984b8b745d641ad6a6e9fb9f6d21338fbdb8ba1f32c0f9617c
                                          • Instruction Fuzzy Hash: 057102B4E0020ADFCB08CFA9C5819AEFBB2FF89310F15851AD515AB215D334A982CF91
                                          Strings
                                          Memory Dump Source
                                          • Source File: 00000000.00000002.2035611943.00000000011D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 011D0000, based on PE: false
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_0_2_11d0000_MzXmoBVXtU.jbxd
                                          Similarity
                                          • API ID:
                                          • String ID: X1H$X1H$X1H
                                          • API String ID: 0-1333690796
                                          • Opcode ID: 89b54551d114bf89a1d14961c94fc21f9ea36c1cd9966c674452c081d4ee5eda
                                          • Instruction ID: 8adddbd2ce7be75d45a5a7920deeb9975f5acad56a4d0cce941af6aeade5a198
                                          • Opcode Fuzzy Hash: 89b54551d114bf89a1d14961c94fc21f9ea36c1cd9966c674452c081d4ee5eda
                                          • Instruction Fuzzy Hash: 1B61F574E0420ADFCB08CFA9C5819AEFBF2FF89310F158566D515A7215D334AA82CF91
                                          Strings
                                          Memory Dump Source
                                          • Source File: 00000000.00000002.2040506927.000000000AD30000.00000040.00000800.00020000.00000000.sdmp, Offset: 0AD30000, based on PE: false
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_0_2_ad30000_MzXmoBVXtU.jbxd
                                          Similarity
                                          • API ID:
                                          • String ID: GL_9
                                          • API String ID: 0-1008796335
                                          • Opcode ID: 80765f9aedbd97ebf5a50c5b54e0f093a976589c5eb2eaf4e921ede3ee5eaa17
                                          • Instruction ID: 53e4dba9f454997f6eef246498539e23020ba3a92969c98545bf7de5f56a1658
                                          • Opcode Fuzzy Hash: 80765f9aedbd97ebf5a50c5b54e0f093a976589c5eb2eaf4e921ede3ee5eaa17
                                          • Instruction Fuzzy Hash: F8F14775E042299FCB14CFA9C984A9EFBB2FF88304F25C659D055AB259D730A942CF90
                                          Strings
                                          Memory Dump Source
                                          • Source File: 00000000.00000002.2035611943.00000000011D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 011D0000, based on PE: false
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_0_2_11d0000_MzXmoBVXtU.jbxd
                                          Similarity
                                          • API ID:
                                          • String ID: vUy
                                          • API String ID: 0-2696891511
                                          • Opcode ID: 6a7bec785d80c5b949bd285743f4270688ae444229202c6f35ea2fcf5d04bc20
                                          • Instruction ID: 7aedfa0a42d32aab5c5dcbec44dc6293c066e6e6b1bac680c02e54a0d01232f6
                                          • Opcode Fuzzy Hash: 6a7bec785d80c5b949bd285743f4270688ae444229202c6f35ea2fcf5d04bc20
                                          • Instruction Fuzzy Hash: 9771E374E05219CFCF08CFE9D5819EEFBF2FB89210F24952AD415BB254D370AA418B69
                                          Strings
                                          Memory Dump Source
                                          • Source File: 00000000.00000002.2035611943.00000000011D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 011D0000, based on PE: false
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_0_2_11d0000_MzXmoBVXtU.jbxd
                                          Similarity
                                          • API ID:
                                          • String ID: zM@<
                                          • API String ID: 0-2190652149
                                          • Opcode ID: 8864404688f3720a8c1dfdf5d4dc7813b9fc78486a88660339a22c55f7f80946
                                          • Instruction ID: 6bbc971e682e4287c795cd3fa8b606be979e7593275d99886e7fadeae28bc3ee
                                          • Opcode Fuzzy Hash: 8864404688f3720a8c1dfdf5d4dc7813b9fc78486a88660339a22c55f7f80946
                                          • Instruction Fuzzy Hash: 7171F2B4E0520AEFCF08CFD9D5809AEFBB2BF49310F16851AD415A7254D734AA42CF95
                                          Strings
                                          Memory Dump Source
                                          • Source File: 00000000.00000002.2040830306.000000000E060000.00000040.00000800.00020000.00000000.sdmp, Offset: 0E060000, based on PE: false
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_0_2_e060000_MzXmoBVXtU.jbxd
                                          Similarity
                                          • API ID:
                                          • String ID: <
                                          • API String ID: 0-4251816714
                                          • Opcode ID: 0d36fcd72f5b302ba73ada1e80b42011b39e2c731b72c64b340cb36f86b02ec6
                                          • Instruction ID: bce35dabbb60619b37ddb3d510df16b4e1fb16caf3ecf4c3b525f94b42de4fd7
                                          • Opcode Fuzzy Hash: 0d36fcd72f5b302ba73ada1e80b42011b39e2c731b72c64b340cb36f86b02ec6
                                          • Instruction Fuzzy Hash: A9510875D016589FDB68CFAADD446DEBBF2AFC9300F14C0AAD408AB225DB345A81CF50
                                          Strings
                                          Memory Dump Source
                                          • Source File: 00000000.00000002.2035611943.00000000011D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 011D0000, based on PE: false
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_0_2_11d0000_MzXmoBVXtU.jbxd
                                          Similarity
                                          • API ID:
                                          • String ID: As24
                                          • API String ID: 0-2560595593
                                          • Opcode ID: 694710a4cedb3a50c51653af6f1ec796782d8cfaa535222b216eaf17eeda1fb1
                                          • Instruction ID: 56b92a18fd9fe212537a08e79fd4ce314465d375264d577cb20bf399461071b4
                                          • Opcode Fuzzy Hash: 694710a4cedb3a50c51653af6f1ec796782d8cfaa535222b216eaf17eeda1fb1
                                          • Instruction Fuzzy Hash: 4341D4B0E1460A8FCF48CFAAC4805AEFBF2BF88310F15D46AC515A7254E7349A51CF95
                                          Strings
                                          Memory Dump Source
                                          • Source File: 00000000.00000002.2040830306.000000000E060000.00000040.00000800.00020000.00000000.sdmp, Offset: 0E060000, based on PE: false
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_0_2_e060000_MzXmoBVXtU.jbxd
                                          Similarity
                                          • API ID:
                                          • String ID: ShWf
                                          • API String ID: 0-4011059766
                                          • Opcode ID: 6b17233ebeabc224311d18ca44c0fa2484a46b6b6ec31dfe8d0f3aa546e6e16e
                                          • Instruction ID: 11099f9827fc27b44d8f7593f9ef2645b3430497618fb17f4627121bc6745eee
                                          • Opcode Fuzzy Hash: 6b17233ebeabc224311d18ca44c0fa2484a46b6b6ec31dfe8d0f3aa546e6e16e
                                          • Instruction Fuzzy Hash: BF41E670D0520ACFDB44CFAAC4816EEFBF2BB88304F64C02AD415A7654E7349A81CF94
                                          Strings
                                          Memory Dump Source
                                          • Source File: 00000000.00000002.2035611943.00000000011D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 011D0000, based on PE: false
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_0_2_11d0000_MzXmoBVXtU.jbxd
                                          Similarity
                                          • API ID:
                                          • String ID: As24
                                          • API String ID: 0-2560595593
                                          • Opcode ID: de2cc265b14be9edee90046b008500ee38440238ee1baf926b159f35b14cbb59
                                          • Instruction ID: b1575ab22456041cda03da3fb374ff42cff7d42700335629a4091f346e01b8ff
                                          • Opcode Fuzzy Hash: de2cc265b14be9edee90046b008500ee38440238ee1baf926b159f35b14cbb59
                                          • Instruction Fuzzy Hash: 0A41D3B0E1460A8BDF48CFAAC4805AEFBF2BF88300F25D46AC515A7254E7349A55CF95
                                          Strings
                                          Memory Dump Source
                                          • Source File: 00000000.00000002.2040830306.000000000E060000.00000040.00000800.00020000.00000000.sdmp, Offset: 0E060000, based on PE: false
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_0_2_e060000_MzXmoBVXtU.jbxd
                                          Similarity
                                          • API ID:
                                          • String ID: p
                                          • API String ID: 0-2181537457
                                          • Opcode ID: bfd2ababed40a7b652edd4eba6057739bbf23df9e0d60644301f6c839d743922
                                          • Instruction ID: 3114511aaa7c4f4aab04e479f1b4ebc13aaf4e6af23726e2f5988d2e42845b71
                                          • Opcode Fuzzy Hash: bfd2ababed40a7b652edd4eba6057739bbf23df9e0d60644301f6c839d743922
                                          • Instruction Fuzzy Hash: B7211D71E056488FEB19CFAB98406DEFBF3AFC9200F04C1BAD818AA265D7350945CF51
                                          Memory Dump Source
                                          • Source File: 00000000.00000002.2040830306.000000000E060000.00000040.00000800.00020000.00000000.sdmp, Offset: 0E060000, based on PE: false
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_0_2_e060000_MzXmoBVXtU.jbxd
                                          Similarity
                                          • API ID:
                                          • String ID:
                                          • API String ID:
                                          • Opcode ID: f4cea5bcbb7ff3ebcd029fb67b2812f35f925696905a58a9cd3e45dcc0c40649
                                          • Instruction ID: 93e4be578f73912c9a12fa44769d0206acdc753e2ace315c39a60621c385a132
                                          • Opcode Fuzzy Hash: f4cea5bcbb7ff3ebcd029fb67b2812f35f925696905a58a9cd3e45dcc0c40649
                                          • Instruction Fuzzy Hash: 48D13A70E0521ADFCB08CF96C4859AEFBB2FF89344B58D556D405AB228D734EA42CF90
                                          Memory Dump Source
                                          • Source File: 00000000.00000002.2040830306.000000000E060000.00000040.00000800.00020000.00000000.sdmp, Offset: 0E060000, based on PE: false
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_0_2_e060000_MzXmoBVXtU.jbxd
                                          Similarity
                                          • API ID:
                                          • String ID:
                                          • API String ID:
                                          • Opcode ID: 823074e359a05f54bfbd7deb6bd11ada5d1f2b82dcdce41b0e9eeec85a9aae17
                                          • Instruction ID: ead41a9cf144dab6d4da5921ff7daff97ae18d5216e1a91d3b353bd7e02b20cc
                                          • Opcode Fuzzy Hash: 823074e359a05f54bfbd7deb6bd11ada5d1f2b82dcdce41b0e9eeec85a9aae17
                                          • Instruction Fuzzy Hash: 4791E274A1621ACFCB08CF99C5849AEFBF2FF88310F149569D415AB224D374AE42CF61
                                          Memory Dump Source
                                          • Source File: 00000000.00000002.2035611943.00000000011D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 011D0000, based on PE: false
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_0_2_11d0000_MzXmoBVXtU.jbxd
                                          Similarity
                                          • API ID:
                                          • String ID:
                                          • API String ID:
                                          • Opcode ID: 9dedaf0936dddbebc3fdce11f6f7ae568969d2fbdec077c51ecc260d927b5308
                                          • Instruction ID: ba9331227a5f737482301b98f2768e57447a2dfba2e2d7b0166d34897d730393
                                          • Opcode Fuzzy Hash: 9dedaf0936dddbebc3fdce11f6f7ae568969d2fbdec077c51ecc260d927b5308
                                          • Instruction Fuzzy Hash: C791F174E15219DFCB48CFA9C58489EFBF2FF89310B25945AD415AB324D334AA42CF91
                                          Memory Dump Source
                                          • Source File: 00000000.00000002.2035611943.00000000011D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 011D0000, based on PE: false
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_0_2_11d0000_MzXmoBVXtU.jbxd
                                          Similarity
                                          • API ID:
                                          • String ID:
                                          • API String ID:
                                          • Opcode ID: a3426f1d243baf1b58c6c9d6fa5275aa5365dc1aeabbde113218904dd4cf5294
                                          • Instruction ID: 5199f0ae16abbbe250ed051bc5f42deb2c510206b71ad15d0add6d105e242c53
                                          • Opcode Fuzzy Hash: a3426f1d243baf1b58c6c9d6fa5275aa5365dc1aeabbde113218904dd4cf5294
                                          • Instruction Fuzzy Hash: 62810334E15219DFCB48CFA9C58099EFBF2FF89310B15946AD419AB324D334AA42CF91
                                          Memory Dump Source
                                          • Source File: 00000000.00000002.2040830306.000000000E060000.00000040.00000800.00020000.00000000.sdmp, Offset: 0E060000, based on PE: false
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_0_2_e060000_MzXmoBVXtU.jbxd
                                          Similarity
                                          • API ID:
                                          • String ID:
                                          • API String ID:
                                          • Opcode ID: 165ea074b180ae93a56cd56443d6313f9159e9cf53032f203366b598613508d4
                                          • Instruction ID: 4da17a3685757a546c8d356b96069981e8d6dd71302833a6b93f494c835d144e
                                          • Opcode Fuzzy Hash: 165ea074b180ae93a56cd56443d6313f9159e9cf53032f203366b598613508d4
                                          • Instruction Fuzzy Hash: C471D474E05209CFCB04CFAAC5815DEFBF2FF89250F64942AD416BB624D334AA428F65
                                          Memory Dump Source
                                          • Source File: 00000000.00000002.2035611943.00000000011D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 011D0000, based on PE: false
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_0_2_11d0000_MzXmoBVXtU.jbxd
                                          Similarity
                                          • API ID:
                                          • String ID:
                                          • API String ID:
                                          • Opcode ID: 6dd6e7c41518eaa7d10f9b453b6f55a7e4284dd5a12d680c5385aa6dd286a85b
                                          • Instruction ID: 300c7416dadd1d0dffddffdd89b5473b9a5cc1f219c31de5fddde80435e8a015
                                          • Opcode Fuzzy Hash: 6dd6e7c41518eaa7d10f9b453b6f55a7e4284dd5a12d680c5385aa6dd286a85b
                                          • Instruction Fuzzy Hash: 9E712474E012099FCB08CFA9D585AAEFBF1FF88310F14856AE415EB224D734AA41CF95
                                          Memory Dump Source
                                          • Source File: 00000000.00000002.2040830306.000000000E060000.00000040.00000800.00020000.00000000.sdmp, Offset: 0E060000, based on PE: false
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_0_2_e060000_MzXmoBVXtU.jbxd
                                          Similarity
                                          • API ID:
                                          • String ID:
                                          • API String ID:
                                          • Opcode ID: d2bb72c4dccfb66184bb15d6f3fc12efa3f8468f6878e7e7f43acd60ab795f82
                                          • Instruction ID: 22ea5e95aa0005050648f5946b4fa055d65d486c16838f4a1a289e30409f4458
                                          • Opcode Fuzzy Hash: d2bb72c4dccfb66184bb15d6f3fc12efa3f8468f6878e7e7f43acd60ab795f82
                                          • Instruction Fuzzy Hash: 0E71E7B0D1520ADFDB08CF9AC980AAEFBF2BF88310F54C515D415A7214D7309981CFA5
                                          Memory Dump Source
                                          • Source File: 00000000.00000002.2035611943.00000000011D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 011D0000, based on PE: false
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_0_2_11d0000_MzXmoBVXtU.jbxd
                                          Similarity
                                          • API ID:
                                          • String ID:
                                          • API String ID:
                                          • Opcode ID: 96ea31852875a69a84864479027b9efcbdc120f8d308d67981284eb6ae3b71ab
                                          • Instruction ID: 1c2f0a6a30fca6a7c7e5d5f0b763bd520e6458b4a1b8b2cb3faa5cc13b47c72b
                                          • Opcode Fuzzy Hash: 96ea31852875a69a84864479027b9efcbdc120f8d308d67981284eb6ae3b71ab
                                          • Instruction Fuzzy Hash: 6F612874E0520ADFCB08CFA9C5819AEFBB2FF49300F15812AD459A7205D7349A52CF95
                                          Memory Dump Source
                                          • Source File: 00000000.00000002.2035611943.00000000011D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 011D0000, based on PE: false
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_0_2_11d0000_MzXmoBVXtU.jbxd
                                          Similarity
                                          • API ID:
                                          • String ID:
                                          • API String ID:
                                          • Opcode ID: bbdbb86c960f097ebd168a16ea9c5204adc73cecc8a46f569700874f5709fc91
                                          • Instruction ID: 64c1642011169c1f08f9b5ab4d1233997ba6008914177841cfab370047ad0922
                                          • Opcode Fuzzy Hash: bbdbb86c960f097ebd168a16ea9c5204adc73cecc8a46f569700874f5709fc91
                                          • Instruction Fuzzy Hash: 436101B5E052198FCB08CFA9C5819EEFBF2FF89210F24942AD545B7224D3349A42CF65
                                          Memory Dump Source
                                          • Source File: 00000000.00000002.2035611943.00000000011D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 011D0000, based on PE: false
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_0_2_11d0000_MzXmoBVXtU.jbxd
                                          Similarity
                                          • API ID:
                                          • String ID:
                                          • API String ID:
                                          • Opcode ID: 096b39ff50c6d38fe46b3e984d12a456eb82a4422741c5fbb89bd37cd2cac473
                                          • Instruction ID: 57b97d66b7a4117e7e7b6ce21e68eeef2e8141471e1cffa5febdcc60d08054e5
                                          • Opcode Fuzzy Hash: 096b39ff50c6d38fe46b3e984d12a456eb82a4422741c5fbb89bd37cd2cac473
                                          • Instruction Fuzzy Hash: 8D61CFB5E05219DFCB08CFAAD5819DEFBF2BF88210F24942AD515B7224D3349A42CF65
                                          Memory Dump Source
                                          • Source File: 00000000.00000002.2035611943.00000000011D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 011D0000, based on PE: false
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_0_2_11d0000_MzXmoBVXtU.jbxd
                                          Similarity
                                          • API ID:
                                          • String ID:
                                          • API String ID:
                                          • Opcode ID: 5a3b63480dc04c4b46d34f28519180fdd5856643c395765b3c75a687919a5e90
                                          • Instruction ID: 72d592fd421252e5bbb8e3f140082046670e2a1350043c5e43458cc9f81292d8
                                          • Opcode Fuzzy Hash: 5a3b63480dc04c4b46d34f28519180fdd5856643c395765b3c75a687919a5e90
                                          • Instruction Fuzzy Hash: 5451EDB0D14399DFCB09CFB9D88059DBBF2BF86324F14866AD444AB2A5E7308901CB41
                                          Memory Dump Source
                                          • Source File: 00000000.00000002.2040830306.000000000E060000.00000040.00000800.00020000.00000000.sdmp, Offset: 0E060000, based on PE: false
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_0_2_e060000_MzXmoBVXtU.jbxd
                                          Similarity
                                          • API ID:
                                          • String ID:
                                          • API String ID:
                                          • Opcode ID: e59aeb1054bbf5620df96b54ef7a3f596f45304c6c2a80a627c05e6d19625e65
                                          • Instruction ID: 2e157948b252a44c78eadaf9a1f6d4f118f05dd37200b366d1319b781a56db59
                                          • Opcode Fuzzy Hash: e59aeb1054bbf5620df96b54ef7a3f596f45304c6c2a80a627c05e6d19625e65
                                          • Instruction Fuzzy Hash: FA412271E116188BEB6DCF6B8D4479AFAF7AFC9200F14C1BAD50CAA215DB741A428F11
                                          Memory Dump Source
                                          • Source File: 00000000.00000002.2040830306.000000000E060000.00000040.00000800.00020000.00000000.sdmp, Offset: 0E060000, based on PE: false
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_0_2_e060000_MzXmoBVXtU.jbxd
                                          Similarity
                                          • API ID:
                                          • String ID:
                                          • API String ID:
                                          • Opcode ID: c29cfef52bae00a6bcbd40a0b8574e5c4ae1aa4c53410a8cd0813fbcd6cd3f58
                                          • Instruction ID: ea684c01be9e34b570f62641e3853ec2b6770490a6b518876163e68f6414c11b
                                          • Opcode Fuzzy Hash: c29cfef52bae00a6bcbd40a0b8574e5c4ae1aa4c53410a8cd0813fbcd6cd3f58
                                          • Instruction Fuzzy Hash: 78410874E0520ADFDB48CFAAC5816AEFBF2BF88340F64D569C405B7614D7349A41CB98
                                          Memory Dump Source
                                          • Source File: 00000000.00000002.2035611943.00000000011D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 011D0000, based on PE: false
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_0_2_11d0000_MzXmoBVXtU.jbxd
                                          Similarity
                                          • API ID:
                                          • String ID:
                                          • API String ID:
                                          • Opcode ID: 7118309117a008f81e1df5cf0d801b8b62dfd84a7f651aafb3825d779e9e3eca
                                          • Instruction ID: 02a29ffbda4c82b541e44b35cc7d03c112aa091aca08b40a7105606321530a55
                                          • Opcode Fuzzy Hash: 7118309117a008f81e1df5cf0d801b8b62dfd84a7f651aafb3825d779e9e3eca
                                          • Instruction Fuzzy Hash: 2F41F5B0E0560ADFCB48CFA9C5804AEFBF2BF89310F24C16AC405E7254D7309A41CBA5
                                          Memory Dump Source
                                          • Source File: 00000000.00000002.2035611943.00000000011D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 011D0000, based on PE: false
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_0_2_11d0000_MzXmoBVXtU.jbxd
                                          Similarity
                                          • API ID:
                                          • String ID:
                                          • API String ID:
                                          • Opcode ID: 2f06f2f0d248f375ee91f48da03d299406d751f2c08c217fe3b1da4aeff37163
                                          • Instruction ID: 58d468a2abef58acda3f9049a37f93aaca88a884d22dcbf0210566ea78095971
                                          • Opcode Fuzzy Hash: 2f06f2f0d248f375ee91f48da03d299406d751f2c08c217fe3b1da4aeff37163
                                          • Instruction Fuzzy Hash: 84415E74E04219DBDB18CFAAE9819DEFBF2FF88314F14C62AD918A7254DB309512CB41
                                          Memory Dump Source
                                          • Source File: 00000000.00000002.2035611943.00000000011D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 011D0000, based on PE: false
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_0_2_11d0000_MzXmoBVXtU.jbxd
                                          Similarity
                                          • API ID:
                                          • String ID:
                                          • API String ID:
                                          • Opcode ID: a4888f359e6b669204942689e6ac08ad21191f248ebb5dc9dd905d5592e2862d
                                          • Instruction ID: a71a8217a088b1513a30e22c541b85d9832a448e8c2c59c43d77ba4a61ffa219
                                          • Opcode Fuzzy Hash: a4888f359e6b669204942689e6ac08ad21191f248ebb5dc9dd905d5592e2862d
                                          • Instruction Fuzzy Hash: 24413570E056199FDB59CFAAD8007DEBBF2AF89300F04C0AAD448AB255EB354986CF51
                                          Memory Dump Source
                                          • Source File: 00000000.00000002.2035611943.00000000011D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 011D0000, based on PE: false
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_0_2_11d0000_MzXmoBVXtU.jbxd
                                          Similarity
                                          • API ID:
                                          • String ID:
                                          • API String ID:
                                          • Opcode ID: a1ac3dca6c1c498d3c4586aa1751d3996185c13e94f64cefd5702d88f57b4101
                                          • Instruction ID: 2902d986d6fbb531cf8fcbc46fe8c2c0f3f46c942ddf8c142849c3fd57152148
                                          • Opcode Fuzzy Hash: a1ac3dca6c1c498d3c4586aa1751d3996185c13e94f64cefd5702d88f57b4101
                                          • Instruction Fuzzy Hash: FF41F874E0561ACFCF08CFA9D5805AEFBF2BF88300F24D569D415B7254D7349A418B96
                                          Memory Dump Source
                                          • Source File: 00000000.00000002.2035611943.00000000011D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 011D0000, based on PE: false
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_0_2_11d0000_MzXmoBVXtU.jbxd
                                          Similarity
                                          • API ID:
                                          • String ID:
                                          • API String ID:
                                          • Opcode ID: 421ba52d9e1c05857ca0ec0284fd538c93826c9ed2468e61bc326dfa557c6e97
                                          • Instruction ID: 36ec3096354d9c72b895aa8ef243fd8ba3f79b741270adcfd8160951fe8645da
                                          • Opcode Fuzzy Hash: 421ba52d9e1c05857ca0ec0284fd538c93826c9ed2468e61bc326dfa557c6e97
                                          • Instruction Fuzzy Hash: 5B41F6B0E0160ADBDB48CFAAC5804AEFBF2BB89310F24C16AC519B7254D7349A41CB95
                                          Memory Dump Source
                                          • Source File: 00000000.00000002.2035611943.00000000011D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 011D0000, based on PE: false
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_0_2_11d0000_MzXmoBVXtU.jbxd
                                          Similarity
                                          • API ID:
                                          • String ID:
                                          • API String ID:
                                          • Opcode ID: 73e4001e7245659559f63555c0adff4b8145db708603417f153dda88abadd4b8
                                          • Instruction ID: 26e7adf6b72893e7a55c0bbc73ac0be1c85785d34642ba458a13ee244a7852fd
                                          • Opcode Fuzzy Hash: 73e4001e7245659559f63555c0adff4b8145db708603417f153dda88abadd4b8
                                          • Instruction Fuzzy Hash: A041D6B0D1520ACFCB48CFEAD4816AEFBF2AB88300F14D52AC415B7254E7349A41CFA5
                                          Memory Dump Source
                                          • Source File: 00000000.00000002.2040830306.000000000E060000.00000040.00000800.00020000.00000000.sdmp, Offset: 0E060000, based on PE: false
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_0_2_e060000_MzXmoBVXtU.jbxd
                                          Similarity
                                          • API ID:
                                          • String ID:
                                          • API String ID:
                                          • Opcode ID: 3e841c0ca4fb4b4ae137f7e7d67c1d0772ed4f11fec69b55609eb8712721114e
                                          • Instruction ID: de0065f2a5efe8aef1dd72f5e3fe9d7d18cedb29c11990e25c2221d9d93fdcd7
                                          • Opcode Fuzzy Hash: 3e841c0ca4fb4b4ae137f7e7d67c1d0772ed4f11fec69b55609eb8712721114e
                                          • Instruction Fuzzy Hash: 9941B3B5E00618CFEB58CFAAD88469DFBF2BF88300F14C16AD459A7215EB305941CF51
                                          Memory Dump Source
                                          • Source File: 00000000.00000002.2040506927.000000000AD30000.00000040.00000800.00020000.00000000.sdmp, Offset: 0AD30000, based on PE: false
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_0_2_ad30000_MzXmoBVXtU.jbxd
                                          Similarity
                                          • API ID:
                                          • String ID:
                                          • API String ID:
                                          • Opcode ID: bdb531b90e58f25593f3a4023f4d33c8d37fa1908b6a8ee8d3a691a981776956
                                          • Instruction ID: 5680e4c70e52419a07d6d98c75622eae144dc3fa7c7de75a2b81f1d55dfd6a69
                                          • Opcode Fuzzy Hash: bdb531b90e58f25593f3a4023f4d33c8d37fa1908b6a8ee8d3a691a981776956
                                          • Instruction Fuzzy Hash: BD21EB72E046199BDB58CF6BDC406DEBAF7ABC8300F14C0BAD809A6214DB7149419B50
                                          Memory Dump Source
                                          • Source File: 00000000.00000002.2040506927.000000000AD30000.00000040.00000800.00020000.00000000.sdmp, Offset: 0AD30000, based on PE: false
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_0_2_ad30000_MzXmoBVXtU.jbxd
                                          Similarity
                                          • API ID:
                                          • String ID:
                                          • API String ID:
                                          • Opcode ID: 3abe231405aed4e26fdebb9aa7ed27cd6da613d8a3ed06ce8682c29e208344ca
                                          • Instruction ID: 74aa08330bb7f8bc912053c261eed819aed5211270e8af80c9c03bdb372d7af8
                                          • Opcode Fuzzy Hash: 3abe231405aed4e26fdebb9aa7ed27cd6da613d8a3ed06ce8682c29e208344ca
                                          • Instruction Fuzzy Hash: 1221C971E016199BDB68CF6BC8446DEFBF7AFC9300F04C1BA9848A6214EB3059429F40
                                          Memory Dump Source
                                          • Source File: 00000000.00000002.2040506927.000000000AD30000.00000040.00000800.00020000.00000000.sdmp, Offset: 0AD30000, based on PE: false
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_0_2_ad30000_MzXmoBVXtU.jbxd
                                          Similarity
                                          • API ID:
                                          • String ID:
                                          • API String ID:
                                          • Opcode ID: 87dfb5afc9d44432a78333d6032cc812bf989dc894568032688115b1336a330d
                                          • Instruction ID: 96cf1d2a23a90a2feb6327276bb34cd059c5ad572e60dd04a7ba9134fdc864e6
                                          • Opcode Fuzzy Hash: 87dfb5afc9d44432a78333d6032cc812bf989dc894568032688115b1336a330d
                                          • Instruction Fuzzy Hash: 4C21DB71E006699BDB68CF6BDC406DEFAF3ABC9300F04C1BAD818A6214DB7049819F50
                                          Strings
                                          Memory Dump Source
                                          • Source File: 00000002.00000002.2023283976.0000000000C40000.00000040.00000800.00020000.00000000.sdmp, Offset: 00C40000, based on PE: false
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_2_2_c40000_MzXmoBVXtU.jbxd
                                          Memory Dump Source
                                          • Source File: 00000003.00000002.4474325717.0000000000F90000.00000040.00000800.00020000.00000000.sdmp, Offset: 00F90000, based on PE: false
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_3_2_f90000_MzXmoBVXtU.jbxd
                                          Memory Dump Source
                                          • Source File: 00000003.00000002.4473618802.0000000000CFD000.00000040.00000800.00020000.00000000.sdmp, Offset: 00CFD000, based on PE: false
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_3_2_cfd000_MzXmoBVXtU.jbxd
                                          Similarity
                                          • API ID:
                                          • String ID:
                                          • API String ID:
                                          • Opcode ID: 16fe95c67fbd31e13cdf386deed44805fe348684e949833e16a6bc2d7d714adf
                                          • Instruction ID: 634be9293efad9b8298cee8feeaacb329f1e0ccf561c347b3c0b919e4b24a540
                                          • Opcode Fuzzy Hash: 16fe95c67fbd31e13cdf386deed44805fe348684e949833e16a6bc2d7d714adf
                                          • Instruction Fuzzy Hash: 3F210371500248DFDB45EF14D9C0F26BF66FB98314F20856AEA0A4F25AC33AD856D7A2
                                          Memory Dump Source
                                          • Source File: 00000003.00000002.4474325717.0000000000F90000.00000040.00000800.00020000.00000000.sdmp, Offset: 00F90000, based on PE: false
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_3_2_f90000_MzXmoBVXtU.jbxd
                                          Similarity
                                          • API ID:
                                          • String ID:
                                          • API String ID:
                                          • Opcode ID: e6f81a31f1e957ee4b3989f4b72731a1ac63376470a2df9746c4e0f39e9b778b
                                          • Instruction ID: 8c4db9fbedd31f8586e8ac510c1b143f35b1944852ffd9e54a924fdb21df698b
                                          • Opcode Fuzzy Hash: e6f81a31f1e957ee4b3989f4b72731a1ac63376470a2df9746c4e0f39e9b778b
                                          • Instruction Fuzzy Hash: 68311874D0021A9FCB45DFA8D8909EEBBB1FF88310F408566E451B72A5D730AD46CF50
                                          Memory Dump Source
                                          • Source File: 00000003.00000002.4474325717.0000000000F90000.00000040.00000800.00020000.00000000.sdmp, Offset: 00F90000, based on PE: false
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_3_2_f90000_MzXmoBVXtU.jbxd
                                          Similarity
                                          • API ID:
                                          • String ID:
                                          • API String ID:
                                          • Opcode ID: 61ab3a86ee1ec7423d3a16231d2e3a69d6d5a5d4d23fee8cbe8fa1d5eede79cb
                                          • Instruction ID: 512be05ff006fe7fcb359c067a9f4ab43b8798f6446b967da98c479b5cd10f91
                                          • Opcode Fuzzy Hash: 61ab3a86ee1ec7423d3a16231d2e3a69d6d5a5d4d23fee8cbe8fa1d5eede79cb
                                          • Instruction Fuzzy Hash: 4731EA70E0015A9FCB06DFA8D9509DDBFB1FF89310F0182A6D454BB2A6D730AA46CF91
                                          Memory Dump Source
                                          • Source File: 00000003.00000002.4474325717.0000000000F90000.00000040.00000800.00020000.00000000.sdmp, Offset: 00F90000, based on PE: false
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_3_2_f90000_MzXmoBVXtU.jbxd
                                          Similarity
                                          • API ID:
                                          • String ID:
                                          • API String ID:
                                          • Opcode ID: 70364794a68ab08a198d5d855880e112ca93dc6b84b07bcb0cd12fd3bcb88380
                                          • Instruction ID: 5fbb8ca5435ac69461a05051757e2654c1d07bb0881146fddef15447227365c8
                                          • Opcode Fuzzy Hash: 70364794a68ab08a198d5d855880e112ca93dc6b84b07bcb0cd12fd3bcb88380
                                          • Instruction Fuzzy Hash: 46213970E0425A9FCF05DFA8D9509DDBBB1EF49300F0182AAD454BB2A6D770AA46CB90
                                          Memory Dump Source
                                          • Source File: 00000003.00000002.4474325717.0000000000F90000.00000040.00000800.00020000.00000000.sdmp, Offset: 00F90000, based on PE: false
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_3_2_f90000_MzXmoBVXtU.jbxd
                                          Similarity
                                          • API ID:
                                          • String ID:
                                          • API String ID:
                                          • Opcode ID: d3b242f50e153cf20623442f5a73f6e381be6e76bf364217b81c437513b42827
                                          • Instruction ID: 298106ffa74cc811ad4269d3ef8ea2b3cc4df319f77a8170df1284b7f879f2c9
                                          • Opcode Fuzzy Hash: d3b242f50e153cf20623442f5a73f6e381be6e76bf364217b81c437513b42827
                                          • Instruction Fuzzy Hash: C5212A70D0424E9FCF46DFA8D8549DDBBB1EF49310F0186AAD450BB2A6DB30E946CB91
                                          Memory Dump Source
                                          • Source File: 00000003.00000002.4474325717.0000000000F90000.00000040.00000800.00020000.00000000.sdmp, Offset: 00F90000, based on PE: false
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_3_2_f90000_MzXmoBVXtU.jbxd
                                          Similarity
                                          • API ID:
                                          • String ID:
                                          • API String ID:
                                          • Opcode ID: f476199feadfa6d17b587098305f1b8d6ff9172acd593adf6845f9e2be528815
                                          • Instruction ID: 5aa8997fc07a25e9cb16fb03e86d93b567586ded8a864bcdc15476b723449e9e
                                          • Opcode Fuzzy Hash: f476199feadfa6d17b587098305f1b8d6ff9172acd593adf6845f9e2be528815
                                          • Instruction Fuzzy Hash: 4B212570E0124A9FCF45DFA8D850ADDBFB1AF49310F4582A6D454BB2A6DB30E946CB90
                                          Memory Dump Source
                                          • Source File: 00000003.00000002.4474325717.0000000000F90000.00000040.00000800.00020000.00000000.sdmp, Offset: 00F90000, based on PE: false
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_3_2_f90000_MzXmoBVXtU.jbxd
                                          Similarity
                                          • API ID:
                                          • String ID:
                                          • API String ID:
                                          • Opcode ID: bf142196ecb8d1ed0a3291f085966710973969fae4b30a583f1d73ec7ed63c4d
                                          • Instruction ID: 178980d3b3df5cd4d79d21fcfc73960ec9a72fe051b8b85032b1e12b935050ae
                                          • Opcode Fuzzy Hash: bf142196ecb8d1ed0a3291f085966710973969fae4b30a583f1d73ec7ed63c4d
                                          • Instruction Fuzzy Hash: 43016830AAC60BC36F4B26F428082FABB45FAF23737544977C1418A21ED540881AE3E2
                                          Memory Dump Source
                                          • Source File: 00000003.00000002.4474325717.0000000000F90000.00000040.00000800.00020000.00000000.sdmp, Offset: 00F90000, based on PE: false
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_3_2_f90000_MzXmoBVXtU.jbxd
                                          Similarity
                                          • API ID:
                                          • String ID:
                                          • API String ID:
                                          • Opcode ID: ded3eab2af3debceb07f1d54516ba1e2735e5ca3a2c342fd7fc9ac48f106f4dc
                                          • Instruction ID: 562795ac1814117ad4d3404485327ed687cfab7ea66b5fb20468f4ee7000ee0a
                                          • Opcode Fuzzy Hash: ded3eab2af3debceb07f1d54516ba1e2735e5ca3a2c342fd7fc9ac48f106f4dc
                                          • Instruction Fuzzy Hash: F4112332B001499FDF14DB64C8006AEBBF7ABC8311F29817AD842A7201CA306D459790
                                          Memory Dump Source
                                          • Source File: 00000003.00000002.4474325717.0000000000F90000.00000040.00000800.00020000.00000000.sdmp, Offset: 00F90000, based on PE: false
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_3_2_f90000_MzXmoBVXtU.jbxd
                                          Similarity
                                          • API ID:
                                          • String ID:
                                          • API String ID:
                                          • Opcode ID: 7e3a25f1b776dd2df1c07285afb6b6ce31e4ead3d09cf72419d4460b8d40116e
                                          • Instruction ID: c83f1fd182e5e3fb3d4e61c1ff0939001d6411839dc7925f4484092d54fd0190
                                          • Opcode Fuzzy Hash: 7e3a25f1b776dd2df1c07285afb6b6ce31e4ead3d09cf72419d4460b8d40116e
                                          • Instruction Fuzzy Hash: 0A213E709002099FCB06EFB4FA58A9D7FF5FB45308F0046A9D1089B67ADB746A49DF81
                                          Memory Dump Source
                                          • Source File: 00000003.00000002.4473618802.0000000000CFD000.00000040.00000800.00020000.00000000.sdmp, Offset: 00CFD000, based on PE: false
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_3_2_cfd000_MzXmoBVXtU.jbxd
                                          Similarity
                                          • API ID:
                                          • String ID:
                                          • API String ID:
                                          • Opcode ID: be84e5d2ba6eb25d2e30d29f2c5ffdc4cdcd384a79140dda988d9b090738847a
                                          • Instruction ID: 515088ea16f6ba6ef2a3b606343bc4d743ab6d7c893a7ce82c99f5bef0866fb7
                                          • Opcode Fuzzy Hash: be84e5d2ba6eb25d2e30d29f2c5ffdc4cdcd384a79140dda988d9b090738847a
                                          • Instruction Fuzzy Hash: 6E110676404244CFCB06DF10D5C4B26BF72FB94314F24C5AAD9054F65AC336D556CBA2
                                          Memory Dump Source
                                          • Source File: 00000003.00000002.4474325717.0000000000F90000.00000040.00000800.00020000.00000000.sdmp, Offset: 00F90000, based on PE: false
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_3_2_f90000_MzXmoBVXtU.jbxd
                                          Similarity
                                          • API ID:
                                          • String ID:
                                          • API String ID:
                                          • Opcode ID: 84117785e4a5c421f1605b4219fa207f22f6db408885aa18d3352fbaeb7d57d9
                                          • Instruction ID: 60e7a2b9841a842c24ec84acfdf8ae1979bf78842a0f119a63724745552ea628
                                          • Opcode Fuzzy Hash: 84117785e4a5c421f1605b4219fa207f22f6db408885aa18d3352fbaeb7d57d9
                                          • Instruction Fuzzy Hash: FA21AE70900209DFDB05EFA8FA98A9D7BB5FB4130CF004665D1085F6BADB74AA49DB80
                                          Memory Dump Source
                                          • Source File: 00000003.00000002.4474325717.0000000000F90000.00000040.00000800.00020000.00000000.sdmp, Offset: 00F90000, based on PE: false
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_3_2_f90000_MzXmoBVXtU.jbxd
                                          Similarity
                                          • API ID:
                                          • String ID:
                                          • API String ID:
                                          • Opcode ID: a5fc661f63f28ed23b0ca591e841abf50211872850d1718235acf5c564e158cc
                                          • Instruction ID: d19e4c9ba3e1c872821b0fc443d202f8213ea823ab8ed7e6dd2c440c2bade466
                                          • Opcode Fuzzy Hash: a5fc661f63f28ed23b0ca591e841abf50211872850d1718235acf5c564e158cc
                                          • Instruction Fuzzy Hash: A211E032A041499FEF14DB64C840AAEBBF2ABC8311F28817ED846A7241CA306D499B90
                                          Memory Dump Source
                                          • Source File: 00000003.00000002.4474325717.0000000000F90000.00000040.00000800.00020000.00000000.sdmp, Offset: 00F90000, based on PE: false
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_3_2_f90000_MzXmoBVXtU.jbxd
                                          Similarity
                                          • API ID:
                                          • String ID:
                                          • API String ID:
                                          • Opcode ID: 5cc3a696ab521f86c54e8558344b58c7a20bea5194a529f781b0ef9d3a07daf7
                                          • Instruction ID: 23d0616518859605b756b5b1430bc3b07d79a514a4561ab793c0763999e6e7b2
                                          • Opcode Fuzzy Hash: 5cc3a696ab521f86c54e8558344b58c7a20bea5194a529f781b0ef9d3a07daf7
                                          • Instruction Fuzzy Hash: 88110D709002099FCB05EFA8FA48A9D7BF5FB44308F008565D1049B67ADB746A49DF80
                                          Memory Dump Source
                                          • Source File: 00000003.00000002.4473618802.0000000000CFD000.00000040.00000800.00020000.00000000.sdmp, Offset: 00CFD000, based on PE: false
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_3_2_cfd000_MzXmoBVXtU.jbxd
                                          Similarity
                                          • API ID:
                                          • String ID:
                                          • API String ID:
                                          • Opcode ID: bf3b3ab58e9a7d51c83c682c004309e1599e60018bef3284395e59a33601fb07
                                          • Instruction ID: da7c1af9a929cb0349c82cd97987f02b3073be74f525274746ab0f7326daba18
                                          • Opcode Fuzzy Hash: bf3b3ab58e9a7d51c83c682c004309e1599e60018bef3284395e59a33601fb07
                                          • Instruction Fuzzy Hash: CD012B710043489AE7609B16CD84B7BFF9DEF45330F18C56AEE1A0B296C2399840CA73
                                          Memory Dump Source
                                          • Source File: 00000003.00000002.4474325717.0000000000F90000.00000040.00000800.00020000.00000000.sdmp, Offset: 00F90000, based on PE: false
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_3_2_f90000_MzXmoBVXtU.jbxd
                                          Similarity
                                          • API ID:
                                          • String ID:
                                          • API String ID:
                                          • Opcode ID: d859fbe9dab15bc5214efc1bcf8095cd05f66b8a9990abc6f0fa9080603e00e5
                                          • Instruction ID: f819b31078200d7b56592afe92e252593b82e223c3e1c48d5e2868941391b78a
                                          • Opcode Fuzzy Hash: d859fbe9dab15bc5214efc1bcf8095cd05f66b8a9990abc6f0fa9080603e00e5
                                          • Instruction Fuzzy Hash: 5FF087B5D0824E8EDF11CFAAD8053EEBBF0BB89310F109069D055B2241D7784A0AEFA0
                                          Memory Dump Source
                                          • Source File: 00000003.00000002.4474325717.0000000000F90000.00000040.00000800.00020000.00000000.sdmp, Offset: 00F90000, based on PE: false
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_3_2_f90000_MzXmoBVXtU.jbxd
                                          Similarity
                                          • API ID:
                                          • String ID:
                                          • API String ID:
                                          • Opcode ID: 7b4cf4c8992de35eb782123a61982bec30d094e58196c210173664ba50469ea1
                                          • Instruction ID: cc911cd0050150ebf3196556829e1d5a3287697a09f2dea403b2d207d102bcd5
                                          • Opcode Fuzzy Hash: 7b4cf4c8992de35eb782123a61982bec30d094e58196c210173664ba50469ea1
                                          • Instruction Fuzzy Hash: FB011630A49249DFCB05DF68D950E8DFFB1AF86304F1582EAD4046B266C6349E49DB82
                                          Memory Dump Source
                                          • Source File: 00000003.00000002.4473618802.0000000000CFD000.00000040.00000800.00020000.00000000.sdmp, Offset: 00CFD000, based on PE: false
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_3_2_cfd000_MzXmoBVXtU.jbxd
                                          Similarity
                                          • API ID:
                                          • String ID:
                                          • API String ID:
                                          • Opcode ID: 3a20f84feabadd5745322d41281197a530a898c12fde4a3cfea3cd5a8ffc9bca
                                          • Instruction ID: 3b354a81acc6693c6c0749f2d65beb1f749501e073e1d3f942e1e9107a70ba0b
                                          • Opcode Fuzzy Hash: 3a20f84feabadd5745322d41281197a530a898c12fde4a3cfea3cd5a8ffc9bca
                                          • Instruction Fuzzy Hash: E9F0F6720043489EE7209F06CC84B67FFA8EF51334F18C45AEE090B296C3799C44CAB1
                                          Memory Dump Source
                                          • Source File: 00000003.00000002.4474325717.0000000000F90000.00000040.00000800.00020000.00000000.sdmp, Offset: 00F90000, based on PE: false
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_3_2_f90000_MzXmoBVXtU.jbxd
                                          Similarity
                                          • API ID:
                                          • String ID:
                                          • API String ID:
                                          • Opcode ID: a11ea1a8dd4b17e339b62a5310deab97a9a95000dfebea5c6a56f23ac439a838
                                          • Instruction ID: 1e1c2c6bc86bed0627c8231230d4f43e6f4b3114c2c58b4b68ca48006daabb2f
                                          • Opcode Fuzzy Hash: a11ea1a8dd4b17e339b62a5310deab97a9a95000dfebea5c6a56f23ac439a838
                                          • Instruction Fuzzy Hash: 85F09636D00149DBEF25DB60C455AEFBFB16F48310F14492DC442A7290DE70190ADB82
                                          Memory Dump Source
                                          • Source File: 00000003.00000002.4474325717.0000000000F90000.00000040.00000800.00020000.00000000.sdmp, Offset: 00F90000, based on PE: false
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_3_2_f90000_MzXmoBVXtU.jbxd
                                          Similarity
                                          • API ID:
                                          • String ID:
                                          • API String ID:
                                          • Opcode ID: 3a5bbeaa468a81d6c6ca8f2dcae5986f05b099f114f9a704f001ce09d8d37e04
                                          • Instruction ID: 899f728c8f40e9ad309a45c2c96cd25b8ac55464d4d6e6b46d2450051d56c024
                                          • Opcode Fuzzy Hash: 3a5bbeaa468a81d6c6ca8f2dcae5986f05b099f114f9a704f001ce09d8d37e04
                                          • Instruction Fuzzy Hash: FB01EF70D0924ADFCB02DFB8C85469DBFB0AF06215F1446EEC845A72A2EB749A45DB81
                                          Memory Dump Source
                                          • Source File: 00000003.00000002.4474325717.0000000000F90000.00000040.00000800.00020000.00000000.sdmp, Offset: 00F90000, based on PE: false
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_3_2_f90000_MzXmoBVXtU.jbxd
                                          Similarity
                                          • API ID:
                                          • String ID:
                                          • API String ID:
                                          • Opcode ID: 93b8eb5e16e2b3a51fcc145d3faab798fb261f7ebd92625434b1fa63d9197c81
                                          • Instruction ID: fac639ea0d0326e194f183d065a882d19c03dfceb134ed2daf4cbd2698f07839
                                          • Opcode Fuzzy Hash: 93b8eb5e16e2b3a51fcc145d3faab798fb261f7ebd92625434b1fa63d9197c81
                                          • Instruction Fuzzy Hash: 23F0A772B082099F8F44DF5DD400AAEBBA2FBC9221724C06BE848C7355D6309D42DB81
                                          Memory Dump Source
                                          • Source File: 00000003.00000002.4474325717.0000000000F90000.00000040.00000800.00020000.00000000.sdmp, Offset: 00F90000, based on PE: false
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_3_2_f90000_MzXmoBVXtU.jbxd
                                          Similarity
                                          • API ID:
                                          • String ID:
                                          • API String ID:
                                          • Opcode ID: 264bf8ffbe15f0fffb522909f97754f339843decd170c4752dd7624f3b8e6c5c
                                          • Instruction ID: fb1f7d05ce23ddb0d79e7ebb298c55f1d34f9caaea6946ac94a6a0238dffc088
                                          • Opcode Fuzzy Hash: 264bf8ffbe15f0fffb522909f97754f339843decd170c4752dd7624f3b8e6c5c
                                          • Instruction Fuzzy Hash: 6BE03071B04105AB9B449A4AD400D6ABBAAEBC9360764C02AF849C7315DA319C429B91
                                          Memory Dump Source
                                          • Source File: 00000003.00000002.4474325717.0000000000F90000.00000040.00000800.00020000.00000000.sdmp, Offset: 00F90000, based on PE: false
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_3_2_f90000_MzXmoBVXtU.jbxd
                                          Similarity
                                          • API ID:
                                          • String ID:
                                          • API String ID:
                                          • Opcode ID: 63d566591ac6f9ddd21a033e7143ae45efbb52f494a990f48f5ce2ccebc19441
                                          • Instruction ID: 826514ec86150884c9bf91732973b02990f43f8989a1f554a07d306b93b88edb
                                          • Opcode Fuzzy Hash: 63d566591ac6f9ddd21a033e7143ae45efbb52f494a990f48f5ce2ccebc19441
                                          • Instruction Fuzzy Hash: 1BF0D471E046188FCB28CF5AC944BA9F7F1AFCA360F5591A6C01DA7234D630AA42DF05
                                          Memory Dump Source
                                          • Source File: 00000003.00000002.4474325717.0000000000F90000.00000040.00000800.00020000.00000000.sdmp, Offset: 00F90000, based on PE: false
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_3_2_f90000_MzXmoBVXtU.jbxd
                                          Similarity
                                          • API ID:
                                          • String ID:
                                          • API String ID:
                                          • Opcode ID: 3707c6e814a1e80c5f0b4178ae0bacd4232e8dfccdfa8151b007d9ae16f8ed55
                                          • Instruction ID: 08b051b01a7995bb803ca2c890bd632702bb6bb779db928846a44747318def5c
                                          • Opcode Fuzzy Hash: 3707c6e814a1e80c5f0b4178ae0bacd4232e8dfccdfa8151b007d9ae16f8ed55
                                          • Instruction Fuzzy Hash: 5FF0B2B0D0021EDFCB45EFB8D9446AEBBB4FB04315F1046AAD415A72A4EB70AA40DB80
                                          Memory Dump Source
                                          • Source File: 00000003.00000002.4474325717.0000000000F90000.00000040.00000800.00020000.00000000.sdmp, Offset: 00F90000, based on PE: false
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_3_2_f90000_MzXmoBVXtU.jbxd
                                          Similarity
                                          • API ID:
                                          • String ID:
                                          • API String ID:
                                          • Opcode ID: 663257addfeac84d0fa4f3f8e49e1180210854201484273e2dbe98ea9e0de0c2
                                          • Instruction ID: 2bbe06ecca236a875a317b373e41b42c50481f19ca0e8dfbc721462b21892b72
                                          • Opcode Fuzzy Hash: 663257addfeac84d0fa4f3f8e49e1180210854201484273e2dbe98ea9e0de0c2
                                          • Instruction Fuzzy Hash: 6CE0A932A08104AF8B04CB1AE400EAFBBA6EBC8320324C02BE849C3311DA319802DB91
                                          Memory Dump Source
                                          • Source File: 00000003.00000002.4474325717.0000000000F90000.00000040.00000800.00020000.00000000.sdmp, Offset: 00F90000, based on PE: false
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_3_2_f90000_MzXmoBVXtU.jbxd
                                          Similarity
                                          • API ID:
                                          • String ID:
                                          • API String ID:
                                          • Opcode ID: 640f1918a936405092d8e96e69fc6d92bb2fa6ffcb1bcde8d7d3f00b408595df
                                          • Instruction ID: fe51690769880f256a69246296ad93e0a189d8b68c21ff1e18b65080a7b9cb46
                                          • Opcode Fuzzy Hash: 640f1918a936405092d8e96e69fc6d92bb2fa6ffcb1bcde8d7d3f00b408595df
                                          • Instruction Fuzzy Hash: 76E01A74E44258CBCF28DFAAE9408ACF7B2FFC4324B109166D015AB264D770EE12DB41
                                          Memory Dump Source
                                          • Source File: 00000003.00000002.4474325717.0000000000F90000.00000040.00000800.00020000.00000000.sdmp, Offset: 00F90000, based on PE: false
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_3_2_f90000_MzXmoBVXtU.jbxd
                                          Similarity
                                          • API ID:
                                          • String ID:
                                          • API String ID:
                                          Strings
                                          Memory Dump Source
                                          • Source File: 00000004.00000002.2021827197.00000000012B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 012B0000, based on PE: false
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_4_2_12b0000_MzXmoBVXtU.jbxd
                                          Similarity
                                          • API ID:
                                          • String ID: daq
                                          • API String ID: 0-1532007458

                                          Execution Graph

                                          Execution Coverage:18.6%
                                          Dynamic/Decrypted Code Coverage:100%
                                          Signature Coverage:0%
                                          Total number of Nodes:183
                                          Total number of Limit Nodes:4

                                          Control-flow Graph

                                          • Executed
                                          • Not Executed
                                          Strings
                                          Memory Dump Source
                                          • Source File: 00000005.00000002.2046039823.0000000002EF0000.00000040.00000800.00020000.00000000.sdmp, Offset: 02EF0000, based on PE: false
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_5_2_2ef0000_MzXmoBVXtU.jbxd
                                          Similarity
                                          • API ID:
                                          • String ID: P}a{$m>,8$w:=Q$w:=Q
                                          • API String ID: 0-3508682127

                                          Control-flow Graph

                                          • Executed
                                          • Not Executed
                                          Strings
                                          Memory Dump Source
                                          • Source File: 00000005.00000002.2046039823.0000000002EF0000.00000040.00000800.00020000.00000000.sdmp, Offset: 02EF0000, based on PE: false
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_5_2_2ef0000_MzXmoBVXtU.jbxd
                                          Similarity
                                          • API ID:
                                          • String ID: t701$t701+j$vBjT
                                          • API String ID: 0-3425911971

                                          Control-flow Graph

                                          • Executed
                                          • Not Executed
                                          Strings
                                          Memory Dump Source
                                          • Source File: 00000005.00000002.2046039823.0000000002EF0000.00000040.00000800.00020000.00000000.sdmp, Offset: 02EF0000, based on PE: false
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_5_2_2ef0000_MzXmoBVXtU.jbxd
                                          Similarity
                                          • API ID:
                                          • String ID: Te]q$Te]q
                                          • API String ID: 0-3320153681

                                          Strings
                                          Memory Dump Source
                                          • Source File: 00000005.00000002.2046039823.0000000002EF0000.00000040.00000800.00020000.00000000.sdmp, Offset: 02EF0000, based on PE: false
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_5_2_2ef0000_MzXmoBVXtU.jbxd
                                          Similarity
                                          • API ID:
                                          • String ID: Te]q$Te]q
                                          • API String ID: 0-3320153681

                                          Strings
                                          Memory Dump Source
                                          • Source File: 00000005.00000002.2046039823.0000000002EF0000.00000040.00000800.00020000.00000000.sdmp, Offset: 02EF0000, based on PE: false
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_5_2_2ef0000_MzXmoBVXtU.jbxd
                                          Similarity
                                          • API ID:
                                          • String ID: BLO[${5\b
                                          • API String ID: 0-2738392615

                                          APIs
                                          • CreateProcessW.KERNELBASE(?,00000000,?,?,?,?,?,?,?,?), ref: 0B0575E7
                                          Memory Dump Source
                                          • Source File: 00000005.00000002.2051447999.000000000B050000.00000040.00000800.00020000.00000000.sdmp, Offset: 0B050000, based on PE: false
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_5_2_b050000_MzXmoBVXtU.jbxd
                                          Similarity
                                          • API ID: CreateProcess
                                          • String ID:
                                          • API String ID: 963392458-0

                                          APIs
                                          • CreateProcessW.KERNELBASE(?,00000000,?,?,?,?,?,?,?,?), ref: 0B0575E7
                                          Memory Dump Source
                                          • Source File: 00000005.00000002.2051447999.000000000B050000.00000040.00000800.00020000.00000000.sdmp, Offset: 0B050000, based on PE: false
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_5_2_b050000_MzXmoBVXtU.jbxd
                                          Similarity
                                          • API ID: CreateProcess
                                          • String ID:
                                          • API String ID: 963392458-0

                                          APIs
                                          • NtResumeThread.NTDLL(?,?), ref: 0B058459
                                          Memory Dump Source
                                          • Source File: 00000005.00000002.2051447999.000000000B050000.00000040.00000800.00020000.00000000.sdmp, Offset: 0B050000, based on PE: false
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_5_2_b050000_MzXmoBVXtU.jbxd
                                          Similarity
                                          • API ID: ResumeThread
                                          • String ID:
                                          • API String ID: 947044025-0

                                          APIs
                                          • NtResumeThread.NTDLL(?,?), ref: 0B058459
                                          Memory Dump Source
                                          • Source File: 00000005.00000002.2051447999.000000000B050000.00000040.00000800.00020000.00000000.sdmp, Offset: 0B050000, based on PE: false
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_5_2_b050000_MzXmoBVXtU.jbxd
                                          Similarity
                                          • API ID: ResumeThread
                                          • String ID:
                                          • API String ID: 947044025-0

                                          APIs
                                          • NtWriteVirtualMemory.NTDLL(?,?,?,?,?), ref: 0B0586C0
                                          Memory Dump Source
                                          • Source File: 00000005.00000002.2051447999.000000000B050000.00000040.00000800.00020000.00000000.sdmp, Offset: 0B050000, based on PE: false
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_5_2_b050000_MzXmoBVXtU.jbxd
                                          Similarity
                                          • API ID: MemoryVirtualWrite
                                          • String ID:
                                          • API String ID: 3527976591-0
                                          APIs
                                          • NtWriteVirtualMemory.NTDLL(?,?,?,?,?), ref: 0B0586C0
                                          Memory Dump Source
                                          • Source File: 00000005.00000002.2051447999.000000000B050000.00000040.00000800.00020000.00000000.sdmp, Offset: 0B050000, based on PE: false
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_5_2_b050000_MzXmoBVXtU.jbxd
                                          Similarity
                                          • API ID: MemoryVirtualWrite
                                          • String ID:
                                          • API String ID: 3527976591-0
                                          APIs
                                          • NtReadVirtualMemory.NTDLL(?,?,?,?,?), ref: 0B057ECA
                                          Memory Dump Source
                                          • Source File: 00000005.00000002.2051447999.000000000B050000.00000040.00000800.00020000.00000000.sdmp, Offset: 0B050000, based on PE: false
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_5_2_b050000_MzXmoBVXtU.jbxd
                                          Similarity
                                          • API ID: MemoryReadVirtual
                                          • String ID:
                                          • API String ID: 2834387570-0
                                          APIs
                                          • NtReadVirtualMemory.NTDLL(?,?,?,?,?), ref: 0B057ECA
                                          Memory Dump Source
                                          • Source File: 00000005.00000002.2051447999.000000000B050000.00000040.00000800.00020000.00000000.sdmp, Offset: 0B050000, based on PE: false
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_5_2_b050000_MzXmoBVXtU.jbxd
                                          Similarity
                                          • API ID: MemoryReadVirtual
                                          • String ID:
                                          • API String ID: 2834387570-0
                                          APIs
                                          • NtSetContextThread.NTDLL(?,?), ref: 0B058847
                                          Memory Dump Source
                                          • Source File: 00000005.00000002.2051447999.000000000B050000.00000040.00000800.00020000.00000000.sdmp, Offset: 0B050000, based on PE: false
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_5_2_b050000_MzXmoBVXtU.jbxd
                                          Similarity
                                          • API ID: ContextThread
                                          • String ID:
                                          • API String ID: 1591575202-0
                                          APIs
                                          • NtSetContextThread.NTDLL(?,?), ref: 0B058847
                                          Memory Dump Source
                                          • Source File: 00000005.00000002.2051447999.000000000B050000.00000040.00000800.00020000.00000000.sdmp, Offset: 0B050000, based on PE: false
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_5_2_b050000_MzXmoBVXtU.jbxd
                                          Similarity
                                          • API ID: ContextThread
                                          • String ID:
                                          • API String ID: 1591575202-0
                                          APIs
                                          • NtResumeThread.NTDLL(?,?), ref: 0B058459
                                          Memory Dump Source
                                          • Source File: 00000005.00000002.2051447999.000000000B050000.00000040.00000800.00020000.00000000.sdmp, Offset: 0B050000, based on PE: false
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_5_2_b050000_MzXmoBVXtU.jbxd
                                          Similarity
                                          • API ID: ResumeThread
                                          • String ID:
                                          • API String ID: 947044025-0
                                          Memory Dump Source
                                          • Source File: 00000005.00000002.2046039823.0000000002EF0000.00000040.00000800.00020000.00000000.sdmp, Offset: 02EF0000, based on PE: false
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_5_2_2ef0000_MzXmoBVXtU.jbxd
                                          Similarity
                                          • API ID:
                                          • String ID:
                                          • API String ID:
                                          • Opcode ID: ad6b598272a0984772960e024c50aeed6a55d66db50cd857dfa351c53514c8c2
                                          • Instruction ID: f76dc3a32688d4b2c775da740d43c5b182b34c10efb58b24340de02e6dd1ddaa
                                          • Opcode Fuzzy Hash: ad6b598272a0984772960e024c50aeed6a55d66db50cd857dfa351c53514c8c2
                                          • Instruction Fuzzy Hash: 4131E6B1E006598BEB18CF9AD8442DEFBF2BFC8314F14C16AD519A6258DB344A46CF80
                                          Memory Dump Source
                                          • Source File: 00000005.00000002.2046039823.0000000002EF0000.00000040.00000800.00020000.00000000.sdmp, Offset: 02EF0000, based on PE: false
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_5_2_2ef0000_MzXmoBVXtU.jbxd
                                          Similarity
                                          • API ID:
                                          • String ID:
                                          • API String ID:
                                          • Opcode ID: bc0afb0e1118ddb30899ad8055c9ce307656b3b6ecec50d34dd9dc31ac474c91
                                          • Instruction ID: 677ab18f718917cbe91a84dc4f16b88d5b72383d6fdc17b74c2ef90c3b0d8af7
                                          • Opcode Fuzzy Hash: bc0afb0e1118ddb30899ad8055c9ce307656b3b6ecec50d34dd9dc31ac474c91
                                          • Instruction Fuzzy Hash: 3E31E8B1E016598BEB58CFABD8443DEBBF3AFC9314F14C16AD408A6268DB740945CF40
                                          Memory Dump Source
                                          • Source File: 00000005.00000002.2046039823.0000000002EF0000.00000040.00000800.00020000.00000000.sdmp, Offset: 02EF0000, based on PE: false
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_5_2_2ef0000_MzXmoBVXtU.jbxd
                                          Similarity
                                          • API ID:
                                          • String ID:
                                          • API String ID:
                                          • Opcode ID: f00d6633598cc08300033154be8f3abf6beb79d98d249899803dbd3aea16c626
                                          • Instruction ID: c9a485109b986097dd82276880a08814dd253d32bbbe9e3ed18b6a6301600f71
                                          • Opcode Fuzzy Hash: f00d6633598cc08300033154be8f3abf6beb79d98d249899803dbd3aea16c626
                                          • Instruction Fuzzy Hash: 4811DA71E416199BEB5CCF6BDC446DEFAF3AFC8310F04C176D918A6228EB3049519E50
                                          Memory Dump Source
                                          • Source File: 00000005.00000002.2046039823.0000000002EF0000.00000040.00000800.00020000.00000000.sdmp, Offset: 02EF0000, based on PE: false
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_5_2_2ef0000_MzXmoBVXtU.jbxd
                                          Similarity
                                          • API ID:
                                          • String ID:
                                          • API String ID:
                                          • Opcode ID: caed30c66ba5ad910bdcb9406c2a2b9163bf8ab57747e552d83402d275df6ed7
                                          • Instruction ID: 1c2d6e929f5124f5a7a7c619ebb2ec14d344cb03fd375b9da58ac7be4d842f60
                                          • Opcode Fuzzy Hash: caed30c66ba5ad910bdcb9406c2a2b9163bf8ab57747e552d83402d275df6ed7
                                          • Instruction Fuzzy Hash: 04111271E416599BD71DCF6BDD4469EFAF3AFC8300F04C07AD818A6259EB3045429F50
                                          APIs
                                          • VirtualAllocEx.KERNELBASE(?,?,?,?,?), ref: 0B05857A
                                          Memory Dump Source
                                          • Source File: 00000005.00000002.2051447999.000000000B050000.00000040.00000800.00020000.00000000.sdmp, Offset: 0B050000, based on PE: false
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_5_2_b050000_MzXmoBVXtU.jbxd
                                          Similarity
                                          • API ID: AllocVirtual
                                          • String ID:
                                          • API String ID: 4275171209-0
                                          APIs
                                          • VirtualAllocEx.KERNELBASE(?,?,?,?,?), ref: 0B05857A
                                          Memory Dump Source
                                          • Source File: 00000005.00000002.2051447999.000000000B050000.00000040.00000800.00020000.00000000.sdmp, Offset: 0B050000, based on PE: false
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_5_2_b050000_MzXmoBVXtU.jbxd
                                          Similarity
                                          • API ID: AllocVirtual
                                          • String ID:
                                          • API String ID: 4275171209-0
                                          Memory Dump Source
                                          • Source File: 00000005.00000002.2046039823.0000000002EF0000.00000040.00000800.00020000.00000000.sdmp, Offset: 02EF0000, based on PE: false
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_5_2_2ef0000_MzXmoBVXtU.jbxd
                                          Similarity
                                          • API ID:
                                          • String ID:
                                          • API String ID:
                                          • Opcode ID: f747891b10afbac17badf4f7dec985085fd7bdb037ee3bb4b6fbe7c045cd6b2d
                                          • Instruction ID: 47537aeb02c63678a17d46600ec06e2b8f0114313d46a824968b0efe23469efd
                                          • Opcode Fuzzy Hash: f747891b10afbac17badf4f7dec985085fd7bdb037ee3bb4b6fbe7c045cd6b2d
                                          • Instruction Fuzzy Hash: FFD0127096111EDFC758DF15E985ADCB7B6FF45300F2095A4D50593118E7345E41CF50
                                          Memory Dump Source
                                          • Source File: 00000005.00000002.2046039823.0000000002EF0000.00000040.00000800.00020000.00000000.sdmp, Offset: 02EF0000, based on PE: false
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_5_2_2ef0000_MzXmoBVXtU.jbxd
                                          Similarity
                                          • API ID:
                                          • String ID:
                                          • API String ID:
                                          • Opcode ID: 9c130a71435a044379adc83b90883912896e6282bee3bd7d8ef4864c552e3505
                                          • Instruction ID: a733098caa2ee9503b10d76b0574189d911d4cb012203087677089df76aff97b
                                          • Opcode Fuzzy Hash: 9c130a71435a044379adc83b90883912896e6282bee3bd7d8ef4864c552e3505
                                          • Instruction Fuzzy Hash: 73D0C972506758CFC758DBA0C98558DBBB2EB49312B609499E10A9B268D734D941CB00
                                          Memory Dump Source
                                          • Source File: 00000005.00000002.2046039823.0000000002EF0000.00000040.00000800.00020000.00000000.sdmp, Offset: 02EF0000, based on PE: false
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_5_2_2ef0000_MzXmoBVXtU.jbxd
                                          Similarity
                                          • API ID:
                                          • String ID:
                                          • API String ID:
                                          • Opcode ID: 47187aca40bcc2efa48e75f4c8597c46fdf79b1d22f8845afb642b1d9ccb40ba
                                          • Instruction ID: 03c62144346d1fa7e79c93faa4f3b603d0c30f048c0af94e8b213283499fcb28
                                          • Opcode Fuzzy Hash: 47187aca40bcc2efa48e75f4c8597c46fdf79b1d22f8845afb642b1d9ccb40ba
                                          • Instruction Fuzzy Hash: 1DD0C974A02355CFC769CBA0C684888BBB2EB49311B10D868940A9F668D734DA85CF00

                                          Execution Graph

                                          Execution Coverage:22.4%
                                          Dynamic/Decrypted Code Coverage:100%
                                          Signature Coverage:0%
                                          Total number of Nodes:314
                                          Total number of Limit Nodes:9
                                          API calls named on execution graph nodes: CreateProcessW, VirtualAllocEx, VirtualProtect, NtReadVirtualMemory, NtWriteVirtualMemory, NtSetContextThread, NtResumeThread

                                          Control-flow Graph

                                          Strings
                                          Memory Dump Source
                                          • Source File: 0000000E.00000002.2653355873.0000000001010000.00000040.00000800.00020000.00000000.sdmp, Offset: 01010000, based on PE: false
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_14_2_1010000_MzXmoBVXtU.jbxd
                                          Similarity
                                          • API ID:
                                          • String ID: P}a{$m>,8$w:=Q$w:=Q
                                          • API String ID: 0-3508682127
                                          • Opcode ID: e3380d115a99be689bc8921aa7c0a33f1ca39497cbb19c8611a6e7362c2d7f46
                                          • Instruction ID: 389a6b2e8e778d1c4d467bb0e1535eaeb58b9be37c798964eb5c647e72f2be0f
                                          • Opcode Fuzzy Hash: e3380d115a99be689bc8921aa7c0a33f1ca39497cbb19c8611a6e7362c2d7f46
                                          • Instruction Fuzzy Hash: 2F028D70D0530ACFCB45CFA9C5818AEFBB1FF89315B2485A9C451EB229D339A942CF95

                                          Control-flow Graph

                                          Strings
                                          Memory Dump Source
                                          • Source File: 0000000E.00000002.2653355873.0000000001010000.00000040.00000800.00020000.00000000.sdmp, Offset: 01010000, based on PE: false
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_14_2_1010000_MzXmoBVXtU.jbxd
                                          Similarity
                                          • API ID:
                                          • String ID: P}a{$m>,8$w:=Q$w:=Q
                                          • API String ID: 0-3508682127
                                          • Opcode ID: 809332b88d9a720bbbd54a37f4d7e3eb87e0f2a2afa3778685e334dec461c448
                                          • Instruction ID: 978344414e688870cdc04e080184c3147c758a45328c9160bed1d43804c13028
                                          • Opcode Fuzzy Hash: 809332b88d9a720bbbd54a37f4d7e3eb87e0f2a2afa3778685e334dec461c448
                                          • Instruction Fuzzy Hash: 7A027C70D0530ACFC745CFA9C5818AEFBB2FF4A315B2484A9C445DB229D339A942CF95

                                          Control-flow Graph

                                          Strings
                                          Memory Dump Source
                                          • Source File: 0000000E.00000002.2653355873.0000000001010000.00000040.00000800.00020000.00000000.sdmp, Offset: 01010000, based on PE: false
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_14_2_1010000_MzXmoBVXtU.jbxd
                                          Similarity
                                          • API ID:
                                          • String ID: P}a{$m>,8$w:=Q$w:=Q
                                          • API String ID: 0-3508682127
                                          • Opcode ID: 5a7a68c3c19c36ae2b4733631e642bd350396438c19c590299e6787fb7c8391c
                                          • Instruction ID: 17f8b9f85ccac07c1ecca97adc0a93f073dc882de127d42bb53784e4f3b25471
                                          • Opcode Fuzzy Hash: 5a7a68c3c19c36ae2b4733631e642bd350396438c19c590299e6787fb7c8391c
                                          • Instruction Fuzzy Hash: 74D12970E0520ADFCB04CF99C5818AEFBB2FF88301B14D569D415AB229D738EA42CF95

                                          Control-flow Graph

                                          Strings
                                          Memory Dump Source
                                          • Source File: 0000000E.00000002.2653355873.0000000001010000.00000040.00000800.00020000.00000000.sdmp, Offset: 01010000, based on PE: false
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_14_2_1010000_MzXmoBVXtU.jbxd
                                          Similarity
                                          • API ID:
                                          • String ID: t701$t701+j$vBjT
                                          • API String ID: 0-3425911971
                                          • Opcode ID: 201df153ad74bffd0e4dc4d681ae98afb433c8fe4dc4bc162b2575955d85388d
                                          • Instruction ID: 3cfee7aefbc3888361c5393c27bc8ae5444361c5b253e155c4f441cb190eb51c
                                          • Opcode Fuzzy Hash: 201df153ad74bffd0e4dc4d681ae98afb433c8fe4dc4bc162b2575955d85388d
                                          • Instruction Fuzzy Hash: C8C12770E0420EDFCB04DF99C5818AEFBB2FF88341F549555E516AB259D738AA82CF90

                                          Control-flow Graph

                                          Strings
                                          Memory Dump Source
                                          • Source File: 0000000E.00000002.2653355873.0000000001010000.00000040.00000800.00020000.00000000.sdmp, Offset: 01010000, based on PE: false
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_14_2_1010000_MzXmoBVXtU.jbxd
                                          Similarity
                                          • API ID:
                                          • String ID: Te]q$Te]q
                                          • API String ID: 0-3320153681
                                          • Opcode ID: 9b521f0406e88f42e70b3aec1ad470ea9ef7fabfa2011b4e142c6dbf7c7a87d6
                                          • Instruction ID: 46b651a4d7ec8df01b95e0a15af7120f82d63ce6315e9f8d5352c627b97033f7
                                          • Opcode Fuzzy Hash: 9b521f0406e88f42e70b3aec1ad470ea9ef7fabfa2011b4e142c6dbf7c7a87d6
                                          • Instruction Fuzzy Hash: 08C115B0E05319CFCB09CFA9C8809AEBBF2FF89314F208569D445AB265E7359906CF54

                                          Control-flow Graph

                                          Strings
                                          Memory Dump Source
                                          • Source File: 0000000E.00000002.2653355873.0000000001010000.00000040.00000800.00020000.00000000.sdmp, Offset: 01010000, based on PE: false
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_14_2_1010000_MzXmoBVXtU.jbxd
                                          Similarity
                                          • API ID:
                                          • String ID: Te]q$Te]q
                                          • API String ID: 0-3320153681
                                          • Opcode ID: 101b85079ca2a21654789ae27c706b34e73bbdfb5c168dec06fd14460b1f67ba
                                          • Instruction ID: 6891c7f16e3c0e24b541fa1f11feec9f501ef5067bbefee53718caed41ab31bc
                                          • Opcode Fuzzy Hash: 101b85079ca2a21654789ae27c706b34e73bbdfb5c168dec06fd14460b1f67ba
                                          • Instruction Fuzzy Hash: A5C102B0E05319CFCB09CFA9C98099EBBF2FF89314F208569D445AB269E7359902CF14

                                          Control-flow Graph

                                          Strings
                                          Memory Dump Source
                                          • Source File: 0000000E.00000002.2653355873.0000000001010000.00000040.00000800.00020000.00000000.sdmp, Offset: 01010000, based on PE: false
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_14_2_1010000_MzXmoBVXtU.jbxd
                                          Similarity
                                          • API ID:
                                          • String ID: Te]q$Te]q
                                          • API String ID: 0-3320153681
                                          • Opcode ID: 97d1d70a85d86f5fcded74c19fe0670dcbd092dd455b33d9851b803458707ba4
                                          • Instruction ID: 7721135c1cccfb9f36cef2384cef361259ea1e41f2d4a4ecff9302fa9167ccc3
                                          • Opcode Fuzzy Hash: 97d1d70a85d86f5fcded74c19fe0670dcbd092dd455b33d9851b803458707ba4
                                          • Instruction Fuzzy Hash: B2B1D3B4E05219CFCB08CFA9C991AEEBBB2FF89300F608529D515AB359DB359901CF54

                                          Control-flow Graph

                                          [Control-flow graph of the function at 1019f60; legend: Executed / Not Executed]
                                          Strings
                                          Memory Dump Source
                                          • Source File: 0000000E.00000002.2653355873.0000000001010000.00000040.00000800.00020000.00000000.sdmp, Offset: 01010000, based on PE: false
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_14_2_1010000_MzXmoBVXtU.jbxd
                                          Similarity
                                          • API ID:
                                          • String ID: BLO[${5\b
                                          • API String ID: 0-2738392615
                                          • Opcode ID: 2c748a0c1556e69821c06d09bf629e7b22021ea8d26ebc6e34c8d727500174ef
                                          • Instruction ID: d89ea5b26b5bec181569f623612e7737185a1115b9585e6c2416ce34424ed64c
                                          • Opcode Fuzzy Hash: 2c748a0c1556e69821c06d09bf629e7b22021ea8d26ebc6e34c8d727500174ef
                                          • Instruction Fuzzy Hash: AC513974E05209CFCB48CFA9C9416EEFBF2FF89300F14D16AE419A7255D7388A418BA5
                                          APIs
                                          • CreateProcessW.KERNELBASE(?,00000000,?,?,?,?,?,?,?,?), ref: 052775E7
                                          Memory Dump Source
                                          • Source File: 0000000E.00000002.2660814946.0000000005270000.00000040.00000800.00020000.00000000.sdmp, Offset: 05270000, based on PE: false
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_14_2_5270000_MzXmoBVXtU.jbxd
                                          Similarity
                                          • API ID: CreateProcess
                                          • String ID:
                                          • API String ID: 963392458-0
                                          • Opcode ID: 6e43ba5464d7e12de629af8af5940b94dcaf815e621638904ba3d128c82eed16
                                          • Instruction ID: 97aef08838ca45d9ead5d04acbef3280d78c332cd14d850c25d7acac5e0f9fd7
                                          • Opcode Fuzzy Hash: 6e43ba5464d7e12de629af8af5940b94dcaf815e621638904ba3d128c82eed16
                                          • Instruction Fuzzy Hash: 3102CF74E1122D8FDB24CFA9C880B9DBBB2FF49304F1481AAE819B7250DB349985CF55
                                          APIs
                                          • CreateProcessW.KERNELBASE(?,00000000,?,?,?,?,?,?,?,?), ref: 052775E7
                                          Memory Dump Source
                                          • Source File: 0000000E.00000002.2660814946.0000000005270000.00000040.00000800.00020000.00000000.sdmp, Offset: 05270000, based on PE: false
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_14_2_5270000_MzXmoBVXtU.jbxd
                                          Similarity
                                          • API ID: CreateProcess
                                          • String ID:
                                          • API String ID: 963392458-0
                                          • Opcode ID: b6406daa46fe5e3bbb6492973d15c6d0b978909a5c94ee7e7157a9eb38b0e488
                                          • Instruction ID: 4ced479a9a174c0148264a922f52ec88f3a27edd1e9489f93696435e343d7057
                                          • Opcode Fuzzy Hash: b6406daa46fe5e3bbb6492973d15c6d0b978909a5c94ee7e7157a9eb38b0e488
                                          • Instruction Fuzzy Hash: 29F1C074E1122D8FEB24CFA9C884B9DBBB1FF49304F1481AAE819B7250DB349985CF55
                                          APIs
                                          • NtResumeThread.NTDLL(?,?), ref: 05278459
                                          Memory Dump Source
                                          • Source File: 0000000E.00000002.2660814946.0000000005270000.00000040.00000800.00020000.00000000.sdmp, Offset: 05270000, based on PE: false
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_14_2_5270000_MzXmoBVXtU.jbxd
                                          Similarity
                                          • API ID: ResumeThread
                                          • String ID:
                                          • API String ID: 947044025-0
                                          • Opcode ID: af9760a5e140b02451dd19cf386db51e369022a2e216373b2e156e6bf01462b5
                                          • Instruction ID: 06fe61c0119e1529adc09c4e097989d02508dd8f51ddd60b2072fdca4e20f50a
                                          • Opcode Fuzzy Hash: af9760a5e140b02451dd19cf386db51e369022a2e216373b2e156e6bf01462b5
                                          • Instruction Fuzzy Hash: 8B416CB1C093989FCB12CFA8D8A49DDBFB0FF56310F19809AD484A7252C7785906CB65
                                          APIs
                                          • NtWriteVirtualMemory.NTDLL(?,?,?,?,?), ref: 052786C0
                                          Memory Dump Source
                                          • Source File: 0000000E.00000002.2660814946.0000000005270000.00000040.00000800.00020000.00000000.sdmp, Offset: 05270000, based on PE: false
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_14_2_5270000_MzXmoBVXtU.jbxd
                                          Similarity
                                          • API ID: MemoryVirtualWrite
                                          • String ID:
                                          • API String ID: 3527976591-0
                                          • Opcode ID: 608b24d3aa0a67a68f42ee36fa986ad5b94e218c2f7db661edd786f11fdac6ed
                                          • Instruction ID: a0bd26cd7e2f569231e9e2246b0c3420e4840622eb0dc96f8fa64f9a1ad9f498
                                          • Opcode Fuzzy Hash: 608b24d3aa0a67a68f42ee36fa986ad5b94e218c2f7db661edd786f11fdac6ed
                                          • Instruction Fuzzy Hash: 6D41ABB4D012589FCF10CFA9D984AEEFBF1BF49310F24942AE419B7210D735A945CB54
                                          APIs
                                          • NtWriteVirtualMemory.NTDLL(?,?,?,?,?), ref: 052786C0
                                          Memory Dump Source
                                          • Source File: 0000000E.00000002.2660814946.0000000005270000.00000040.00000800.00020000.00000000.sdmp, Offset: 05270000, based on PE: false
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_14_2_5270000_MzXmoBVXtU.jbxd
                                          Similarity
                                          • API ID: MemoryVirtualWrite
                                          • String ID:
                                          • API String ID: 3527976591-0
                                          • Opcode ID: ed92c12a6eb456a940314c9b3fb4e17a753bf8017fc52b1a42ad445bf3efef25
                                          • Instruction ID: d40c32dc76b9ff0e6e12d828aae8aa8a64f4f5ae6ebfa9467ef12fa3e5854ced
                                          • Opcode Fuzzy Hash: ed92c12a6eb456a940314c9b3fb4e17a753bf8017fc52b1a42ad445bf3efef25
                                          • Instruction Fuzzy Hash: 6A41ADB4D012589FCF00CFA9D984AEEFBF1BF49310F10942AE419B7210D775A945CB64
                                          APIs
                                          • NtReadVirtualMemory.NTDLL(?,?,?,?,?), ref: 05277ECA
                                          Memory Dump Source
                                          • Source File: 0000000E.00000002.2660814946.0000000005270000.00000040.00000800.00020000.00000000.sdmp, Offset: 05270000, based on PE: false
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_14_2_5270000_MzXmoBVXtU.jbxd
                                          Similarity
                                          • API ID: MemoryReadVirtual
                                          • String ID:
                                          • API String ID: 2834387570-0
                                          • Opcode ID: d9381ae29157af1ec03a4065a8f62146241fe1411d1f99ffb6ef554bf359a3e8
                                          • Instruction ID: 5ee76cdd94af7fed2ab74fa4cee1fc74a8397e1cd807a166ba33f8ca3e856e21
                                          • Opcode Fuzzy Hash: d9381ae29157af1ec03a4065a8f62146241fe1411d1f99ffb6ef554bf359a3e8
                                          • Instruction Fuzzy Hash: 964199B4D042589FCF10CFA9D984AEEFBB1BF59310F14942AE815B7210C775A946CF64
                                          APIs
                                          • NtReadVirtualMemory.NTDLL(?,?,?,?,?), ref: 05277ECA
                                          Memory Dump Source
                                          • Source File: 0000000E.00000002.2660814946.0000000005270000.00000040.00000800.00020000.00000000.sdmp, Offset: 05270000, based on PE: false
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_14_2_5270000_MzXmoBVXtU.jbxd
                                          Similarity
                                          • API ID: MemoryReadVirtual
                                          • String ID:
                                          • API String ID: 2834387570-0
                                          • Opcode ID: 6796fd3180fb4e998751cc09fb23d9ee49d12179d0cf8e7966e7b1a955de0f61
                                          • Instruction ID: 7401756dd5a5da5dee7ee6e67c33e4b6711262675b0b27a5312c7131db6b7381
                                          • Opcode Fuzzy Hash: 6796fd3180fb4e998751cc09fb23d9ee49d12179d0cf8e7966e7b1a955de0f61
                                          • Instruction Fuzzy Hash: 804199B4D002589FCF10CFA9D984AEEFBB1BF09310F14942AE815B7210C775A945CF64
                                          APIs
                                          • NtSetContextThread.NTDLL(?,?), ref: 05278847
                                          Memory Dump Source
                                          • Source File: 0000000E.00000002.2660814946.0000000005270000.00000040.00000800.00020000.00000000.sdmp, Offset: 05270000, based on PE: false
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_14_2_5270000_MzXmoBVXtU.jbxd
                                          Similarity
                                          • API ID: ContextThread
                                          • String ID:
                                          • API String ID: 1591575202-0
                                          • Opcode ID: 3c67a9598a0d34d3a7994bbe977d9c848669c84d220d1eda156587097ded029b
                                          • Instruction ID: b70a53e21a994d5107ed568b760c3f940c1231fa1e7d459c0fb376f9b81b9b8b
                                          • Opcode Fuzzy Hash: 3c67a9598a0d34d3a7994bbe977d9c848669c84d220d1eda156587097ded029b
                                          • Instruction Fuzzy Hash: 8E41BBB5D002589FDB10CFAAD884AEEFBF1BF49310F24842AE419B7240C778A985CF54
                                          APIs
                                          • NtSetContextThread.NTDLL(?,?), ref: 05278847
                                          Memory Dump Source
                                          • Source File: 0000000E.00000002.2660814946.0000000005270000.00000040.00000800.00020000.00000000.sdmp, Offset: 05270000, based on PE: false
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_14_2_5270000_MzXmoBVXtU.jbxd
                                          Similarity
                                          • API ID: ContextThread
                                          • String ID:
                                          • API String ID: 1591575202-0
                                          • Opcode ID: a5038a55c9b88c95dc53d550ff0231b7e830f60b826e1e1c1ec4098beab0aadb
                                          • Instruction ID: ce2e6fbc312164912b54d5443992ff2da214d5ceb9fe8870ec1a4d07131bc343
                                          • Opcode Fuzzy Hash: a5038a55c9b88c95dc53d550ff0231b7e830f60b826e1e1c1ec4098beab0aadb
                                          • Instruction Fuzzy Hash: 7C31ABB4D002589FCB10DFAAD884AEEBBF1BF49310F24802AE419B7240C778A945CF54
                                          APIs
                                          • NtResumeThread.NTDLL(?,?), ref: 05278459
                                          Memory Dump Source
                                          • Source File: 0000000E.00000002.2660814946.0000000005270000.00000040.00000800.00020000.00000000.sdmp, Offset: 05270000, based on PE: false
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_14_2_5270000_MzXmoBVXtU.jbxd
                                          Similarity
                                          • API ID: ResumeThread
                                          • String ID:
                                          • API String ID: 947044025-0
                                          • Opcode ID: b029244850623a697d5756ebf6e38e70f4ea0c8c7e4e8be74b37aa39c2e4577f
                                          • Instruction ID: 29facaa7cf23d555678208179b83bde916c7a09eec8dfa8b14e6d397bb6ed194
                                          • Opcode Fuzzy Hash: b029244850623a697d5756ebf6e38e70f4ea0c8c7e4e8be74b37aa39c2e4577f
                                          • Instruction Fuzzy Hash: 093199B4D112189FCB10CFA9D984A9EFBF5FF49310F20942AE819B7200D775A945CFA4
                                          APIs
                                          • VirtualProtect.KERNELBASE(?,?,?,?), ref: 054345D7
                                          Memory Dump Source
                                          • Source File: 0000000E.00000002.2661066367.0000000005430000.00000040.00000800.00020000.00000000.sdmp, Offset: 05430000, based on PE: false
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_14_2_5430000_MzXmoBVXtU.jbxd
                                          Similarity
                                          • API ID: ProtectVirtual
                                          • String ID:
                                          • API String ID: 544645111-0
                                          • Opcode ID: 44a4bac7065b106e8c6798b6ebd7c201ea9ea3c47bf9e16d89c45f21ea575dec
                                          • Instruction ID: b9e8ad0871e380055ae81d8004cad59979d11f66de1cac43f4a27dd335d72eaa
                                          • Opcode Fuzzy Hash: 44a4bac7065b106e8c6798b6ebd7c201ea9ea3c47bf9e16d89c45f21ea575dec
                                          • Instruction Fuzzy Hash: B641D0B5C042489FCF00CFA9D886ADEFBB0FB1A310F14915AE855A7221D378A946DF65
                                          APIs
                                          • VirtualAllocEx.KERNELBASE(?,?,?,?,?), ref: 0527857A
                                          Memory Dump Source
                                          • Source File: 0000000E.00000002.2660814946.0000000005270000.00000040.00000800.00020000.00000000.sdmp, Offset: 05270000, based on PE: false
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_14_2_5270000_MzXmoBVXtU.jbxd
                                          Similarity
                                          • API ID: AllocVirtual
                                          • String ID:
                                          • API String ID: 4275171209-0
                                          • Opcode ID: 5d4cc0d8eca692869eb93a0c211b46aed2fbf9b73165d8e1e8dcd7946719c0a5
                                          • Instruction ID: 437315c9ed9e06cdbec938241c0773db43edbc9a169dfc3380d0c83bbf7f9765
                                          • Opcode Fuzzy Hash: 5d4cc0d8eca692869eb93a0c211b46aed2fbf9b73165d8e1e8dcd7946719c0a5
                                          • Instruction Fuzzy Hash: B93197B8D042589FCF10CFA9D984ADEBBB1FB49310F10942AE919B7210D735A945CF64
                                          APIs
                                          • VirtualProtect.KERNELBASE(?,?,?,?), ref: 054345D7
                                          Memory Dump Source
                                          • Source File: 0000000E.00000002.2661066367.0000000005430000.00000040.00000800.00020000.00000000.sdmp, Offset: 05430000, based on PE: false
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_14_2_5430000_MzXmoBVXtU.jbxd
                                          Similarity
                                          • API ID: ProtectVirtual
                                          • String ID:
                                          • API String ID: 544645111-0
                                          APIs
                                          • VirtualProtect.KERNELBASE(?,?,?,?), ref: 05439C5F
                                          Memory Dump Source
                                          • Source File: 0000000E.00000002.2661066367.0000000005430000.00000040.00000800.00020000.00000000.sdmp, Offset: 05430000, based on PE: false
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_14_2_5430000_MzXmoBVXtU.jbxd
                                          Similarity
                                          • API ID: ProtectVirtual
                                          • String ID:
                                          • API String ID: 544645111-0
                                          Strings
                                          Memory Dump Source
                                          • Source File: 0000000E.00000002.2653355873.0000000001010000.00000040.00000800.00020000.00000000.sdmp, Offset: 01010000, based on PE: false
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_14_2_1010000_MzXmoBVXtU.jbxd
                                          Similarity
                                          • API ID:
                                          • String ID: YvgW
                                          • API String ID: 0-412005089
                                          Strings
                                          Memory Dump Source
                                          • Source File: 0000000E.00000002.2653355873.0000000001010000.00000040.00000800.00020000.00000000.sdmp, Offset: 01010000, based on PE: false
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_14_2_1010000_MzXmoBVXtU.jbxd
                                          Similarity
                                          • API ID:
                                          • String ID: _Po
                                          • API String ID: 0-3094450229
                                          Strings
                                          Memory Dump Source
                                          • Source File: 0000000E.00000002.2653355873.0000000001010000.00000040.00000800.00020000.00000000.sdmp, Offset: 01010000, based on PE: false
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_14_2_1010000_MzXmoBVXtU.jbxd
                                          Similarity
                                          • API ID:
                                          • String ID: b|+W
                                          • API String ID: 0-1862224030
                                          Strings
                                          Memory Dump Source
                                          • Source File: 0000000E.00000002.2653355873.0000000001010000.00000040.00000800.00020000.00000000.sdmp, Offset: 01010000, based on PE: false
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_14_2_1010000_MzXmoBVXtU.jbxd
                                          Similarity
                                          • API ID:
                                          • String ID: $]q
                                          • API String ID: 0-1007455737
                                          Strings
                                          Memory Dump Source
                                          • Source File: 0000000F.00000002.2648156352.0000000001970000.00000040.00000800.00020000.00000000.sdmp, Offset: 01970000, based on PE: false
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_15_2_1970000_MzXmoBVXtU.jbxd
                                          Similarity
                                          • API ID:
                                          • String ID: daq
                                          • API String ID: 0-1532007458
                                          Memory Dump Source
                                          • Source File: 0000000F.00000002.2648156352.0000000001970000.00000040.00000800.00020000.00000000.sdmp, Offset: 01970000, based on PE: false
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_15_2_1970000_MzXmoBVXtU.jbxd
                                          Similarity
                                          • API ID:
                                          • String ID:
                                          • API String ID:
                                          • Opcode ID: 921801b2636c7c57ee6ea0fa825bab2a1c3334d2c5a8379f29bea7b18286d351
                                          • Instruction ID: eed884fced980711b076fa1c3025cd81acd6efc13e108fc724ef983ca95db435
                                          • Opcode Fuzzy Hash: 921801b2636c7c57ee6ea0fa825bab2a1c3334d2c5a8379f29bea7b18286d351
                                          • Instruction Fuzzy Hash: 9701F670D14219DFCB95EFB8C955AEDBBB0FF05310F1446AEC405A7265E7708A80DB81
                                          Memory Dump Source
                                          • Source File: 0000000F.00000002.2648156352.0000000001970000.00000040.00000800.00020000.00000000.sdmp, Offset: 01970000, based on PE: false
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_15_2_1970000_MzXmoBVXtU.jbxd
                                          Similarity
                                          • API ID:
                                          • String ID:
                                          • API String ID:
                                          • Opcode ID: 72b0e901985768c632a989fd4f5a0ec61d65ac5f8b6c4f6c7ff5fce28dc5bc26
                                          • Instruction ID: d13cb5b878be08a41013d2b236a8b4950dbf6811c6067cef2e9cb643dec8ccb6
                                          • Opcode Fuzzy Hash: 72b0e901985768c632a989fd4f5a0ec61d65ac5f8b6c4f6c7ff5fce28dc5bc26
                                          • Instruction Fuzzy Hash: 49F0B270D0021EDFCB45EFB8D5556AEBBB5FF05301F1446AAD415A72A4EB709A40DB80
                                          Strings
                                          Memory Dump Source
                                          • Source File: 00000010.00000002.2648289574.0000000003080000.00000040.00000800.00020000.00000000.sdmp, Offset: 03080000, based on PE: false
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_16_2_3080000_MzXmoBVXtU.jbxd
                                          Similarity
                                          • API ID:
                                          • String ID: daq
                                          • API String ID: 0-1532007458
                                          Strings
                                          Memory Dump Source
                                          • Source File: 00000011.00000002.2648098387.0000000001710000.00000040.00000800.00020000.00000000.sdmp, Offset: 01710000, based on PE: false
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_17_2_1710000_MzXmoBVXtU.jbxd
                                          Similarity
                                          • API ID:
                                          • String ID: daq
                                          • API String ID: 0-1532007458